Hacking the Car: Next-gen Vehicles at the Mercy of Cyber Attacks


The shift to an increasingly digital transportation system brings with it one of the banes of the Internet: hacking. Computer scientists at the University of Washington and University of California, San Diego, have, in a new research paper, shown what kind of havoc a sophisticated hacker could wreak on vehicles that rely heavily on in-car networks and connect to the web via wireless. The research, slated for presentation at the tech industry group IEEE’s security and privacy symposium in Oakland, Calif., next week, offers a road map of challenges that lie ahead as electric vehicles linked to communication networks and the power grid come into the picture.

Already, electric car makers including General Motors and Nissan have unveiled smartphone apps designed to let users remotely control certain vehicle functions and battery charging for plug-in models scheduled to start rolling out as early as December. Down the road, we’ll likely see not only electricity flowing to cars from the grid, but also the flow of more and more data between cars, the grid, home energy management systems, utilities and third-party service providers.

The University of Washington and UC San Diego researchers say that through lab experiments and on-the-road trials with two vehicles and a program dubbed CarShark, they have demonstrated “the fragility of the underlying system structure” for modern cars that are “pervasively monitored and controlled by dozens of digital computers, coordinated via internal vehicular networks.” Bottom line, they say a typical car built in recent years has very little resilience against a digital attack on its internal components.

It would be possible, according to the paper, for an attacker to “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.” Hackers could also cover their tracks, embedding malicious code in a car’s telematics unit that would “completely erase any evidence of its presence after a crash.”

Security risks associated with having a complex, interconnected array of electronic control units involved in “virtually every aspect of a car’s functioning and diagnostics,” the researchers note, can be exacerbated in vehicles with electric drive, which “require precise software control over power management and regenerative braking to achieve high efficiency.”

Part of the problem, the researchers argue, is that while the auto industry has maintained a relatively strong focus on safety when it comes to introducing new software (Toyota’s recent software glitches notwithstanding), it’s questionable whether car makers have anticipated “the possibility of an adversary.” Vehicle systems have been designed to “fail gracefully,” as Steve Nelson, manager of global automotive marketing for Freescale Semiconductor, put it to us in an interview recently (GigaOM Pro, subscription required). An ability to gracefully and safely tolerate attacks (as opposed to failure) has not been built into vehicles’ DNA in the same way.

In addition, the authors emphasize that addressing “the issue of vehicle security is not simply a matter of securing individual components; the car’s network is a heterogeneous environment of interfacing components, and must be viewed and secured as such.”

So while the risk is fairly low at this point that attacks like those the researchers lobbed at a pair of vehicles in their experiments will be successfully executed in a real-world setting, the vulnerabilities laid bare in this research demand attention. As Nelson told us, what’s important is “not that you have a glitch, [but] how the system responds to it.”




Security has to be top priority. I was a bit worried about the security of doing mobile banking at first, but the CIBC mobile app is encrypted and guarantees security.


Josie Garthwaite

The researchers looked mainly at what the consequences could be if someone with malicious intent (and some serious hacking skills) was able to gain access to a car that relies on internal networks and connects to the web via wireless. That is of course a big “if,” @Paul, but I agree with @TateJ — it’s something that should be taken into account when designing vehicles.


Interesting article and interesting comments.

While I agree that this sort of cyberattack is unlikely, it’s something the automakers should keep in mind. Every computer system can be hacked.


Having read more elsewhere this really is a load of BS.

They had to “wire a laptop with WiFi into the OBDII port”

So they’re basically using a full-blown personal computer hardwired into the car’s CAN… HOW THE F^&K are they going to do that to some random car?

Total xenophobic BS


These guys should know that there’s no standard operating system used in the automotive industry and no standard embedded chip either. In fact each US automaker goes out of their way to run proprietary code even out of what are meant to be industry standard OBD2 diagnostic ports.

For example, the only way to re-program even a replacement ignition key in a GM vehicle is with a GM built device called a Tech2 that only GM dealerships own. With every new model of car the operating code is updated so Tech2 devices quickly become redundant without frequent updates.

The car world is nothing like running Windows on an Intel clone machine. This kind of fanning of ignorant xenophobia is just annoying.

Ed Lojko

I wonder how much an AV/Security license is going to add to the price of my next vehicle?
