As connected cars get even more connected to their occupants, to other cars, to emergency services and to entertainment sources, a whole new set of worries erupts. Imagine you’re blowing by the Google bus on the 101 and suddenly someone else — someone not in the vehicle — appears to be driving your car. Not a good feeling and it could happen, in theory. That’s the kind of eventuality that noted security experts/hackers Charlie Miller and Chris Valasek of IOActive will discuss Friday at the Defcon 21 conference in Las Vegas.
The two white hats — hackers who probe for vulnerabilities and turn their results over to the affected vendors — have trained their sights on the connected car. And they have, according to this Reuters report, figured out how to force a Toyota Prius cruising at 80 mph to brake suddenly, jerk its steering wheel and accelerate. And they maintain they can disable the brakes of a Ford Escape so that it continues to move even if the driver stands on the brake pedal. Yikes.
In these two cases, the remote control wasn’t all that remote, however. The researchers were in the vehicles in question, working with laptops, so that’s some consolation.
According to IOActive’s summary of Friday’s talk, all of this activity centers on the car’s Electronic Control Units, originally incorporated to help with fuel efficiency and emissions control. But now ECUs are the car’s central nervous system, controlling entertainment systems, safety systems and “enhanced automotive functionality.”
At Defcon, the two experts will:
“… first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, we’ll discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.”
Car makers have to tread a fine line — they want to provide more, and more easily updated, functionality to consumers, which means connectivity is key — while also walling off critical systems. Ford, as GigaOM’s Kevin Fitchard reported early this year, has open sourced some of the hardware design for specialized systems.
And, as car executives told attendees of GigaOM’s Roadmap conference last year, one key criterion for connected cars is to segregate the mission-critical systems — brakes, steering, power train — from the not-very-critical infotainment systems. I mean, who really cares if someone hacks your music stream?
What Miller and Valasek aim to show at Defcon is that such segregation may not be enough.