Charlie Miller to tell Vegas punters how to hack your car

An eagerly anticipated talk by Charlie Miller on car hacking, rejected by organisers of the Black Hat security conference, will get an airing in Las Vegas this summer after all. Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at IOActive, are due to present a talk on …


This topic is closed for new posts.
  1. Grease Monkey Silver badge

    Yet another one of those "vulnerabilities" that requires a direct physical connection then.

    So if you connect some electronic kit to a car you can affect the way it works? Hey, guess what, with much cheaper tools (like a spanner or even a hammer) I can REALLY affect the way your car works.

    1. John H Woods Silver badge

      True but ...

      If I understand it correctly, this would enable you to fix equipment to a car that would stay undetected for an arbitrary period and later allow an attacker to remotely take control of a vehicle on a high speed road, disable the braking, accelerate to full speed and then deliberately crash. Difficult to do that with a spanner.

      1. Anonymous Coward

        Re: True but ...

        So is this what happened to Michael Hastings?

        Hours before dying in a fiery car crash, award-winning journalist Michael Hastings sent an email to his colleagues, warning that federal authorities were interviewing his friends and that he needed to go "off the rada[r]" for a bit.

        The email was sent around 1 p.m. on Monday, June 17. At 4:20 a.m. the following morning, Hastings died when his Mercedes, traveling at high speeds, smashed into a tree and caught on fire. He was 33.

        Rumors that the FBI was investigating Hastings began the day after his death, with a couple of mysterious WikiLeaks tweets.

        In a rare move, the FBI issued a statement denying that Hastings was under investigation. The Los Angeles Police Department also said it had found no evidence of any foul play in his death.

        Hastings, an accomplished war correspondent and sharp political reporter, was best known for writing a critical Rolling Stone profile of General Stanley McChrystal that led to his resignation.

        It's unclear what "big story" Hastings was working on prior to his death, but it might have to do with yet another military bigwig, this time retired general David Petraeus.

        The LA Times reported that Hastings was researching a story about a privacy lawsuit brought by Jill Kelley, the Florida socialite who took center stage in the Petraeus cheating scandal, against the Department of Defense and the FBI. According to a person close to Kelley, the paper said, Hastings had plans to meet a representative of hers to discuss the case next week.

    2. trashbat

      Would you even notice if an OBD-2 Bluetooth dongle was fitted to your car?

      1. Down not across

        Yes. The connector is under the dash below the steering wheel. I'd probably kick it loose getting into the car.

        That of course is not to say that in some cars it might not be conveniently tucked into center console or glovebox, or that someone didn't just splice into the OBD connector wires so there would be nothing plugged into the OBD connector.

        1. trashbat

          Telematics companies don't seem to have much of a job hiding their kit away. Once hooked up, there's no other indication that a device is connected. How you get it there is an issue, but the recent BMW theft saga was a good example of how you can get to the OBD system without a lot of trouble (in that case, to program a new key)

          That a standard production car can or ever should be steered, braked or accelerated by OBD commands is ridiculous.

        2. Euripides Pants

          "alternate" OBD II locations

          The OBD II connector must be located under the steering column so mechanics don't have to look for it when they need to hook their analyzers to it.

          1. Neoc

            Re: "alternate" OBD II locations

            "The OBD II connector must be located under the steering column so mechanics don't have to look for it when they need to hook their analyzers to it."

            I beg to differ - I have two cars; the Jeep has it under the column, the Holden has it under a panel in the centre console.

            I will grant that perhaps you meant "In the USA the OBD II connector must be located under the steering column" but kindly remember that the USofA is *not* the whole of the world.

            1. Euripides Pants

              Re: "alternate" OBD II locations

              "kindly remember that the USofA is *not* the whole of the world"


      2. Grease Monkey Silver badge

        @trashbat I might not notice, but I'd be deeply impressed if somebody could connect one to my car. You're welcome to pop round and see if you can connect such a thing to my old Volvo.

    3. bonkers

      read on

      The OBD-II connector is a good starting point to probe the in-car system, that bit of it that you are attacking, directly. There are several papers that document how to move such an attack onto a corrupted music file, and then on to a fully wireless exploit through inevitable flaws in Bluetooth stacks. The killer is that once you can send CAN packets around you can entirely reprogram most things in the car - assuming you can get through the "hobbyist" grade security.

      Try googling and reading the document titled: cars-usenixsec2011.pdf

      "We modified a WMA audio file such that, when burned onto a CD, plays perfectly on a PC but sends arbitrary CAN packets of our choosing when played by our car’s media player".

      They went on from there to a number of wireless attacks, the time-to-break depends on a number of factors, mentioned in the paper and hey, not a single hammer was used in the whole exercise.

    4. Anonymous Coward

      For that you need to look at some older papers

      This is old hat. If you combine the work a few universities did a few years back you can probably take control of a car using Bluetooth, and have the ECU wipe the evidence when it's done.

      The university with most control looked at what they could do with a few seconds access to an OBD2 port. It turns out they could do rather a lot, including injecting code into the control unit RAM to issue commands according to some programmatic trigger (say when the car reached 50mph) then perform a reset to remove all traces of itself other than a log that the unit had rebooted for some reason. The party piece was to lock the doors, apply full brakes on one side only, and display 'Game over' on the display when the car reached a predetermined speed. They identified 5 wireless interfaces on the car but didn't try to break any of them.

      Another found a vulnerable Bluetooth stack that would allow them to run arbitrary code on a device with an OBD2 connection. Mix and match, and you've got remote control of the car. Spoofing the tyre pressure readings (another wireless interface) is mild in comparison. I don't know if anyone's poked the GSM, keyfob or other interfaces.

      1. Down not across

        Re: For that you need to look at some older papers

        "The party piece was to lock the doors, apply full brakes on one side only, and display 'Game over' on the display when the car reached a predetermined speed. They identified 5 wireless interfaces on the car but didn't try to break any of them."

        Citation required.

        Why? Well, since we're talking "few years" back, I am sceptical about the ability of OBD/CANbus control of applying brakes to one side. Brakes tend to be hydraulically assisted and the most the CAN bus could do is spoof ABS sensors, which wouldn't help lock the brakes, but quite the opposite.

        1. trashbat

          Re: For that you need to look at some older papers

          Stability control systems brake individual wheels, even uncommanded by the driver, and of course ABS releases them. Why those things wouldn't be a sole and closed responsibility of the system-specific control unit, I don't know, but from the sounds of the story the whole system is badly thought through.

        2. Gene Cash Silver badge

          Re: For that you need to look at some older papers

          Sure, it can, even in my crappy old '92 Camaro. Applying full brakes on one side only was a failure mode of the ABS system I experienced. Another one was fully releasing the brakes at 25mph despite full foot on the pedal, then coasting down to 22mph and locking all 4 wheels despite no foot on the pedal. It was apparently a joyous interaction between failed ABS sensors and a confused power brakes controller.

          It was one of the first years of ABS, none of the independent shops had the equipment and the dealer was a moron that wouldn't replace the wheel sensor when the computer told him to.

          Can't decide between the stop, go, or fail icons, just like my car.

        3. Grease Monkey Silver badge

          Re: For that you need to look at some older papers

          "Brakes tend to be hydraulically assisted and the most the CAN bus could do is spoof ABS sensors, which wouldn't help lock the brakes, but quite the opposite."

          AFAIR in the UK at least brakes must be a purely mechanical system that would work without any electronic assistance. So an electronically activated system would not pass C&U. The only sort of car I can see that you could lock the brakes on would be one of those systems where traction control is applied through the brakes, such as some 4WD Porsches. Stupid system anyway, just destroys pads and discs much more quickly than would otherwise be the case.

      2. This post has been deleted by its author

        1. Anonymous Coward

          Attention all idiots

          If you would like people to read your post and consider reasonably your comments, please learn to spell the word brakes.

  2. FutureShock999

    The danger here is that an attacker can easily gain entry into your engine compartment, attach a device to the bus, and crash your car at high speed. And unfortunately, most police would have no idea what to look for in the wreckage, especially if you smear a little dirt and oil on your box to weather it like the rest of the engine. In the case of a bomb, police KNOW it was suspect, but a crash? So, undetectable crashes, with no evidence to speak of, that most likely would be missed because the police would treat it as an accident not a crime.

    And they wondered why BlackHat didn't want them to present?

    1. Anonymous Coward

      "Crash your car"

      I postulate this is unlikely.

      There are several ways of overriding the engine if it is misbehaving - turn off ignition, select neutral, etc.

      The steering and braking systems are required by safety regulations to be operated by mechanical means. i.e. your brake pedal is mechanically linked to the calipers by means of hydraulic fluid; your steering wheel is mechanically linked to the steering gear by means of the steering rack.

      The computer cannot prevent you from applying the brakes or steering the vehicle.

      Even the new snazzy self-parking systems that require a motor to turn the steering wheel, can be easily overcome by the strength of a healthy person's arm.

      1. trashbat

        Re: "Crash your car"

        It's true that steer or brake by wire aren't in mainstream existence, yet. However, the attack isn't about taking away your input - it's about providing an extra one. Supposing an attacker could actuate an EPAS motor, I don't fancy my chances trying to fight or rather recover it. It might be physically easy to overcome in theory, but at any speed you'd better be quick about it.

        1. Anonymous Coward

          Re: "Aren't in mainstream existence, yet"

          No, as I said in my original post, as mechanical linkage is mandated by relevant safety standards such as Euro NCAP, it will stay like this for the foreseeable future.

          1. trashbat

            Re: "Aren't in mainstream existence, yet"

            I understood your post perfectly well, thank you. However I wouldn't be so sure about the timeline for pure drive-by-wire.

            We're already happy with throttle-by-wire, with no override except gearbox neutral or engine off, themselves sometimes computer controlled. In circumstances that induce sufficient brake fade, failure could result in an unstoppable car.

            We're happy with ABS, which if it desires will release the brakes, no matter how hard you push the pedal.

            We're also quite happy with modern aviation.

            NCAP responds to the state of the art as much as it dictates it, and the state of the art responds to manufacturing costs. If early implementations like Sensotronic in the Mercedes E class hadn't made a mess of confidence in it, we might be some way closer now. Let's just hope they sort the security by then.

      2. FutureShock999

        Re: "Crash your car"

        If you can write that, then it is obvious that you did not watch the video in the article - they showed the hackers using a PC to DIRECTLY use the bus to control the steering wheel (and wheels) of a Ford SUV. Both left and right turns, and straight, on their command.

        Yes, you may be powerful enough to re-centre it, but if you are travelling at 70 mph and your wheel flips hard right, your car will be rolling before you can probably react. Most people do NOT maintain a death grip on the wheel when driving on motorways, nor would they expect their wheel to suddenly flip out like that - in most cases, it would likely slip through their hands.

        At highway/motorway speeds, the wheel only has to deflect very, very briefly before you are into the barriers or off the road, especially if heading into a curve.

        1. Anonymous Coward

          Re: "Slip through their hands"

          Two points:

          A "death grip" is not necessary but if you are holding the steering wheel properly with two hands like you should, then that can't happen.

          The proportion of cars on the road that are actually fitted with these motors (for expensive self-parking option) is minuscule.

          Let's not reduce ourselves to chicken licken behaviour, is my point.

          That said, I would definitely approve of a proportional, measured response to improving security where appropriate in fringe cases such as this.

          1. trashbat

            RE: minuscule number of cars

            Many if not most recent car models have EPAS, which is primarily there for fuel efficiency reasons rather than self-park.

  3. Bob Dunlop

    The bit the motor manufacturers won't like is punters being able to disable the forced dealer service revenue stream.

    1. Anonymous Coward


      You can usually reset the service indicator by performing a car version of the three-finger salute.

      There is also very good smartphone software and OBD2-Bluetooth adaptors available which can be had for less than £15 total.

  4. Jess--

    With the bus being used for more and more things it would be possible to attach a device to it without needing to gain access to the engine compartment, a few possibilities that spring to mind...

    ABS Wheel sensor

    Rear light cluster

    pretty much any sensor on the transmission

    suspension sensors (on cars with active suspension)

    towbar electrics? (not sure on this one)

    1. Anonymous Coward

      OBDII Port

      The socket must be located in the passenger compartment, within easy reach of the driving position.

      None of the things in your list provide an OBDII connection on the outboard side.

  5. Fink-Nottle

    Another round? Why not ... my laptop's driving home tonight!

  6. JaitcH

    More NSA/FBI secrets revealed?

    With the increasing covert presence of American security agencies in our lives, could it be the revelations these guys want to announce are yet another exposure of a hitherto secret monitoring scheme collecting only metadata, of course, of American citizens?

    Of course, the UK Plod have their number plate snapping scheme - a few eons of technology behind,

  7. frank ly

    Old SCADA development engineers

    The car industry gave them a place to stay.

  8. Anonymous Coward


    So nothing suspicious about this incident then:

    But seriously, let's not get too paranoid - yet.

  9. John Smith 19 Gold badge

    Short version. Car mfgs hang *everything* off canbus with *minimal* internal security.

    Which in theory was OK because you could only access the network through the connector (well you could pull out one of the CANbus connected devices on the outside and spoof it if you know enough about its details, like its internal serial number. But outside an episode of "Burn Notice".... ) and that's inside the car. So if you're smart enough to break into a modern car to begin with (figure the mfgs) you're smart enough to steal it and they are off the hook and all bets are off.

    Then they included the Bluetooth interface and the in car entertainment gizmos on the network.

    Can you say "Standardized attack vectors with multiple known exploit tools?"

    Does anyone recall the words of Mr Scott that "The more advanced the system, the easier it is to screw it up" ?

    1. Anonymous Coward

      There is no 'g' in "manufacturer"

      See title

  10. Anonymous Coward

    Memo to self

    "Upgrade" to an EMP proof vehicle with my own, vacuum tube based engine controller.

    Let's see you hack that.

    Also worth mentioning to the e-bike owning gym bunnies, the controllers on most e-bikes do NOT like EMP.

    So in the event of unfortunate events, you will be relying on pedal power for a loooooong time unless your controller happens to use vacuum tubes a la "BTTF III" and has good old fashioned lead acids that can last for decades if well treated and never run below 50% SOC.

    Interestingly, you can get away with a very primitive ECU if the program commands are stored in a linear array based on sonic delays, this worked back in the '60s and you could store something like 2KBits in a single beermat sized crystal with Epoxied on piezo squeakers.

    The actual CPU might work with less than 20 instructions so that's what, 40 valves if you go high tech and use nuvistors or those oh-so-useful VFDs that there will be about a million of down your local tip.

    Good luck getting this to run Quake3 though.

    AC/DC 6EQUJ5

    1. Anonymous Coward

      Re: "vacuum tube-based engine controller"

      Good luck with that 40 tonne clean room on wheels that will break down every fifteen minutes!

  11. JamesPond

    OBDII Port

    Yes the OBDII port is internal to the car and therefore as secure as the locks on the car. However, most OEMs already have OBDII-wifi connectors that are no bigger than a SCART plug.

    A number of OEMs are also looking at over-the-air remote diagnostics. So you are driving around and have a misfire. The onboard diagnostics register a problem and send the data via GSM direct to the OEM. The OEM reviews and diagnoses the problem. They either then phone you and ask you to take your car to the dealer for a physical fix, or whilst your car is on the driveway, they upload an ECU fix to your car (e.g. to limit turbo boost pressure) and you are none the wiser. Hopefully these systems will be encrypted!
