It seems everything can be hacked now, and researchers have discovered a method of car hacking using software embedded in a song. It might not work with all modern vehicles, but it has been done.
The culprit lies in what could be an overly complicated operating system most modern cars come equipped with. What used to be regulated with hoses and emission control fuses is now almost entirely regulated by an on-board computer. Through these controls, you can do everything from setting the temperature to checking the tire pressure, and even unlock all of the doors (including the garage) with one button.
This operating system is based on the OBD-II standard, which has been used in modern vehicles since 1996. Scanners using this standard have made it much easier for mechanics – professional and backyard – to diagnose what’s wrong with a vehicle and fix the problem at its roots. This is a vast improvement over trial and error, which sometimes kept even the best of mechanics guessing and often ran your repair bill through the proverbial roof.
OBD-II is a form of car hacking software which has alleviated many a headache in the last 20 years. However, The Register recommends having a remote update system to download what could probably fix an exploit found in modern operating systems.
The exploit was found in the entertainment system, where a CD was used to insert code into the computer through a specially altered song. The WMA file infected the software and gave a remote device full access to the car’s functions.
In 2015, a similar exploit was used in an experiment on a 2014 Jeep Wrangler. Andy Greenberg of Wired had volunteered to experience first-hand what happens when someone with a laptop starts controlling your vehicle from a distance. In this case, it was two guys with laptops, Charlie Miller and Chris Valasek, and the experiment started with the driver taking the vehicle onto the freeway.
Losing control of your vehicle while traveling on the freeway can be a terrifying experience, and car hacking software makes it all too possible. Thankfully, the hackers assured Greenberg that they wouldn’t try anything life-threatening. Of course, no hacker can anticipate an out-of-control drunk driver, so it’s not recommended that you try this yourself.
Stefan Savage, a computer science professor, spoke at the Usenix Enigma conference in San Francisco on Tuesday, explaining the main problem that enables car hacking software.
“For cars the [original equipment manufacturer] is not the developer, they are the integrator, so there are software supply chain issues. Source code is frequently not available, so code inspection does not work, since no party in the world has access to all of a car’s source code. … A firewall is not going to do it, the architecture is too complex and cost really counts to these guys – saying ‘It’s only a [five dollar] fix per car’ doesn’t cut it. That said, there could be a great tinfoil hat boutique business for hackers who want to pimp their cyber ride with a firewall.”
If you’re worried about car hackers using software to take over your vehicle’s controls, you might consider deeming the radio off limits or removing it entirely. Savage claims that the software takes less than half a minute to install from a “spiked” song.
A list of the most hackable vehicles on the market today was released on Bank Rate, and, of course, the 2014 Jeep Cherokee (the car used in the remote hacking experiment above) is among them. Also included are the 2015 Cadillac Escalade, 2014 Infiniti Q50, 2014 Toyota Prius, 2010 Toyota Prius, 2014 Ford Fusion, 2014 BMW X3, 2014 Chrysler 300, and 2014 Range Rover Evoque.
The list of cars which could be remotely hacked with malicious software may be growing, so be aware.