Last week I attended Defcon21, where in addition to hanging out with my most excellent co-workers, I had the opportunity to see the complete presentation given by Charlie Miller and Chris Valasek, that I had written about here.
This research demonstrates that a vehicle could be "hacked" into and made to perform in such a way as to endanger the life of the operator and occupants.
Picture courtesy of http://www.cso.com.au
They went in much greater depth than their teaser interview with Andy Greenberg's article.
They covered how the vulnerabilities were discovered in great detail, demonstrated the various attacks that could be executed, and released all their research, so that the rest of the security community could build upon it.
We saw how these vulnerabilities, when exploited, caused the early demise of Charlie’s lawn mower, the destruction of the back of his garage, and ultimately the premature death of Chris Valasek's Toyota Prius.
I feel a great deal of sympathy towards the Toyota service technicians, who scratched their heads on the numerous occasions where they were delivered the broken test Prius. Apparently they had never seen these kinds of failures before.
The official stance from Ford, in response to the to the NBC Today Show segment, where the car hacks were also featured was:
"This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers."
And Toyota issued this statement, also in response to the Today segment:
“This requires a physical presence inside the vehicle, partial disassembly of the instrument panel … as well as a hard-wired connection, all of which would be obvious”.
What I am hearing is that according to the car manufacturers, these are theoretical attacks.
If you have two well known security researchers, in the back of your car, with laptops, cables wired to the ECU, laughing maniacally, that should be your most pressing concern…
What they are failing to grasp is that the original research that was referred to in this talk, had already explored the feasibility of remote exploitation. It can be found here.
As was pointed out in the presentation, the original paper went to great lengths to demonstrate that remote access was possible, while simultaneously providing precious little information. The original researchers “have purposely omitted crucial details from our papers that would be required to replicate our work”. We will not discuss responsible disclosure, but they did state that they wanted their research to be a "wake up call" for the automotive industry. This was research published in August of 2011.
I am really disappointed to see the manufacturers' response to these vulnerabilities. The research that was conducted this time around specifically did not focus on remote execution, as this has been already proven to be feasible.
This was a post-exploitation demonstration. The holy grail of compromise, persistence, was shown to be feasible.
We could gain access to the vehicle by hacking the locking mechanisms used in the key fobs as reported here, or just by using a watch, or when this research is eventually allowed to be published, or when these thieves' unknown technique is explained. I could just keep going on, but I think we're seeing a pattern here. Contrary to what car manufacturers would like us to believe, physical access to vehicles isn't all that difficult.
What if rather than stealing your pocket change, or your suction cupped GPS, malicious actors plug into the ODB2 port, and instruct your car to slam your brakes and crank the wheel full left the next time you hit 90 miles per hour?
While this may seem far-fetched, there are some who theorize such attacks have happened already. I am hoping that car manufacturers will start taking this threat more seriously. I do not want to wait until we see a real life example of a car hack, before they implement greater security in their automobiles' computer systems.