With a modest amount of expertise, computer hackers could gain remote access to someone’s car — just as they do to people’s personal computers — and take over the vehicle’s basic functions, including control of its engine, according to a report by computer scientists from UC San Diego and the University of Washington.
Although no such takeovers have been reported in the real world, the scientists were able to do exactly this in an experiment conducted on a car they bought for the purpose of trying to hack it. Their report, delivered to the National Academy of Sciences’ Transportation Research Board, described how such unauthorized intrusions could theoretically take place.
Because many of today’s cars contain cellular connections and Bluetooth wireless technology, it is possible for a hacker, working from a remote location, to take control of various features — like the car locks and brakes — as well as to track the vehicle’s location, eavesdrop on its cabin and steal vehicle data, the researchers said. They described a range of potential compromises of car security and safety.
“This report explores how hard it is to compromise a car’s computers without having any direct physical access to the car,” said Stefan Savage of UC San Diego, who is one of the leaders of the research effort.
Given that the researchers were able to do it, they are now trying to pinpoint just how hard it might be for others, he said.
“In the case of every major manufacturer, if they do not have this capacity in their mainstream products, they’re about to,” said Tadayoshi Kohno, an assistant professor at the University of Washington.
For example, services like General Motors’ OnStar system, Toyota’s Safety Connect, Lexus’ Enform, Ford’s Sync, BMW’s Assist and Mercedes Benz’s Mbrace all use a cellular connection embedded in the vehicle to provide a variety of automated and call center support services to a driver. These subscription services make it possible to track a car’s location, unlock doors remotely and control other functions.
In their remote experiment, the researchers were able to undermine the security protecting the cellular phone in the vehicle they bought and then insert malicious software. This allowed them to send commands to the car’s electronic control unit — the nerve center of a vehicle’s electronics system — which in turn made it possible to override various vehicle controls.
