Print 31 comment(s) - last by thurston2.. on Sep 9 at 10:49 AM

  (Source: BiBi)
New how-to guide allows even layman hackers to carry out attacks similar to suspected government efforts

During a presentation at Def Con 21 last month, famed Apple, Inc. (AAPL) hacker Charlie Miller (who works at Twitter) and Chris Valasek, director of security intelligence at IOActive, revealed an interesting side project. The presentation showed how to affordably attack a vehicle's CAN bus with malicious messages, causing the vehicle to brake, refuse to break, or even steer into a wall.  The presentation shows how such attacks could be carried out -- even by relatively unskilled hackers.

I. CAN -- Useful, but Not Very Secure

Cars over time have grappled with increasing use of electronic control units (ECUs) and at times conflicting standards.  CAN (the Controller Area Network) was an industry wide effort to simplify and improve in-car communications.  While implementations vary slightly, CAN is governed by a set of published standards from the International Standards Organization (ISO) including ISO 15765-2 (ISO-TP) (sending) and ISO 1422914230 (receiving).

A part of a broader set of standards to make vehicle diagnosis easier (the so called On Board Diagnosis II (OBD-II) standard), CAN has been required on all light vehicles in the U.S. since 1996 and in the EU since 2001 (petrol vehicles) / 2004 (diesels).  But it turns out that as the vehicles are becoming more connected and ECU count continues to rise, fundamental security flaws in the standard and its implementation in current vehicles are showing through.
Car attack channels
There's many routes that you can use to attack the CAN bus. [Image Source: AutoSec]

The issue first received serious consideration in 2010 when Professor Tadayoshi Kohno of the University of Washington (UW) and Professor Stefan Savage of the University of California, San Diego (UCSD) published a paper entitled "Experimental Security Analysis of a Modern Automobile" [PDF], in which they tested self-erasing attack codes for ECUs which targeted the CAN bus.  

Once (temporarily) installed on a target ECU these codes were capable of sudden braking, brake failure, or acceleration, via sending malicious signals to various other onboard ECUs.  Amazingly, the authors found that many ECUs would even allow themselves to be reflashed (reprogrammed) while driving, with the proper CAN message encouragement.

The vehicle in these tests was rumored to be an OnStar equipped model from General Motors Comp. (GM).
In 2011 UW/UCSD researchers showed hackers could remotely attack vehicles via smartphones or Bluetooth. [Image Source: TomTom]

The UW/UCSD teams followed up that critical work with another paper, "Comprehensive Experimental Analyses of Automotive Attack Surfaces" which found that malicious attack codes could be transferred by Bluetooth -- or even into a CAN-connected CD player unit via a special CD or even remotely via malware on smartphones connected to your infotainment system.

However, while these kinds of claims were alarming, an open set of libraries to control CAN I/O was not available until at the time.  In other words, unless you were someone with a lot of resources -- e.g. a government -- or an automotive expert with a lot of time on your hands, you likely wouldn't have the knowledge or means to do these kinds of CAN based attacks.  That meant that cars enjoyed a modicum of security from your average script-writing internet hacker masses.

II. "Car Hacking for Dummies"

But that relatively safety appears to be coming to an end.  Funded by a grant from the Defense Advanced Research Projects Agency Mr. Miller and Mr. Valasek have baked a set of libraries to make writing code to study CAN signals and craft attacks much easier.  Dubbed EcomCat [zip], the attack library builds on the barebones ECOM API [PDF], which is distributed by EControls, a maker of CAN-interface USB devices.

The only difficulty is that EControl's ECOM can't easily plug into the ODB-II port, a CAN input commonly located near the passenger's seat.  But if you have basic cable-making skills, you can fashion a connector using the ODB-II connector shell , which ODB Diagnostics, Inc. sells.

Beyond that all you need are that typical assets of an internet hacker -- basic coding knowledge, time, and a target.

ECOM Cable
With a custom ECOM-to-ODB connector built from off-the-shelf parts (left), an EControls ECOM test cable (right), and a laptop, you can test car attacks like a pro. [Image Source: Def Con]

In their work, the authors use the APIs they developed to identify and attack various control signals in a 2010 Prius from Toyota Motor Corp. (TYO:7203) and a 2010 Escape from Ford Motor Comp. (F).  The authors showed how the APIs could be used to accomplish attacks similar to those the UW/UCSD team carried out on the brakes or throttle.  They also demonstrated how cars with automatic parking features (e.g. the Prius) could be used to even malicious steer the vehicle, as the car can now take control of the steering wheel with the right signals (typically a driver could override this if they firmly gripped and twisted the wheel, but not all drivers would know how to respond -- particularly given the surprise of the attack).

III. Danger is Rising

Again, the key difference between the UCSD/UW effort and the recent Def Con talk is that the UCSD/UW team did not release their attack software and kept their descriptions of the attack's finer details to a higher level.  By contrast the recent presentation not only comes with an open library of "helpful" attack software, but also explicit descriptions of how to buy/build an interface device and detailed examples of attacks on specific ECUs in terms even a layman with basic programming skills could understand.

Charlie Miller
Charlie Miller [Image Source: ZDNet]

With the Def Con presentation, what was once a purely academic attack is creeping closer to general use.

Thus, even if you don't buy into plausible conspiracy theories like those surrounding Mr. Hastings death, and aren't afraid of your government, you still now have something to actually worry about, since the Pandora’s box of "CAN hacking for dummies" has been open by these pro-disclosure researchers.

Pandora's box
Soon deadly sabotage attacks may be common on older vehicles. [Image Source: Unknown]

IV. Fiery Crash of Obama Administration Critic Fuels Interest in Car Hacking

The timing of Def Con 21 was uncanny, coming at a time when conspiracy theories regarding the death of prominent Obama and Bush administration critic and Rolling Stone contributing editor Michael Hastings were peeking.  Mr. Hastings -- a medical marijuana user -- allegedly had traces of both methamphetamine and marijuana in his system when his car steered off course on a deserted Highland Avenue at around 4:20 a.m. on June 18 and struck a tree prompting the Mercedes to burst into flames.

While fiery crashes and deaths are a rare, but not altogether foreign tragedy on America's highways, the reporter's adversarial relationship with the Obama administration -- and the Obama administration's willingness to harass reporters who dig too deeply -- has fueled theories that foul play might have been involved in the crash.

Controversy commenced when his neighbor and close friend, Jordanna Thigpen, told the LA Weekly that Mr. Hastings feared for his life and that he was concerned his car was tampered with.  At the time Mr. Hastings was working on a major exposé of the Obama administration and U.S. Central Intelligence Agency (CIA) director, John Brennan, according to a report by the local San Diego 6 News. 

Michael Hastings
Electronic hacking is one of the possible methods of sabotage that some suspect was used to kill journalist Michael Hastings. [Image Source: PrisonPlanet]

Prior to President Barack Obama's election in 2008, Brennan was working at Analysis Corp. -- one of two government contracting firms which gained unauthorized access to the then-Senator Obama's passport record.  That incident has led to speculation that Mr. Hastings might have been unearthing evidence of Mr. Brennan's possible role in the access, tampering, or "sanitization" of the President's passport.

While many details of the crash added up (methamphetamine users often become dangerously paranoid) -- others provoked suspicion, including reports that Mr. Hastings was allegedly visited by federal agents on the day of his death.  Former Cybersecurity Czar (formally, the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism) Richard Clarke told The Huffington Post in an interview:

I'm not a conspiracy guy. In fact, I've spent most of my life knocking down conspiracy theories.  But my rule has always been you don't knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can't prove it.

Whether or not his suspicions prove true, the fervor surrounding the topic of automotive hacking is arguably justified.

Anyone with basic skills, physical access to your car, and mischief or malice in their hearts can now attach a malicious device to your car -- or potentially even reprogram one of your onboard ECUs.  When you start driving, the attacker's code will spring into effect, and if the author did their homework, it may erase any trace of itself after it accomplishes its objectives.

That's the bad news.

The good news is that once the public realizes this -- and once automakers realize that the public realizes this, the market will mandate they implement stiffer security into their CAN-connected components.  Such security will help to protect drivers not only from the government, but also from the much more common malicious members of the masses.  

And that's good news for everyone -- even if you're not paranoid.

Sources: Def Con/Charlie Miller, YouTube, [1], [2]

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By Zak on 9/5/2013 10:17:12 AM , Rating: 2
"what evidence is available publicly is consistent with a car cyber attack"? Hmm...As much as I mistrust the govt this dude was on meth and weed driving a car at 4am, a recipe for accident right there.

By Brandon Hill on 9/5/2013 10:21:43 AM , Rating: 3
I find it hard to find sympathy for those that have accidents while driving intoxicated. The only ones I feel sorry for are the ones they leave behind or those they injure/kill in the process.

By JasonMick on 9/5/2013 11:20:18 AM , Rating: 3
I find it hard to find sympathy for those that have accidents while driving intoxicated. The only ones I feel sorry for are the ones they leave behind or those they injure/kill in the process.
I agree, but in my recollection the coroner found "traces" of those substances in his autopsy... I don't recall reading that there was any proof that he was intoxicated.

If you're a medical marijuana patient, you probably always have "traces" of marijuana in your system, so that's not really so surprising/incriminating.

The methamphetamine is certainly more suspect.

I'd wait to see all the facts... but if you're right, I'd agree absolutely.

If I had to speculate I would say the "innocent" explanation is simply tiredness... he was driving at 4 am. I've driven at 4 or 5 before not under the influence of anything, yet found myself drifting out of my lane or towards the median out of tiredness... especially if I hadn't slept the night before. As I've gotten older I've learned common sense -- don't drive when you're drowsy. If anything I'd guess fatigue played a major role in the crash, if we assume no foul play.

By JasonMick on 9/5/2013 11:30:57 AM , Rating: 3
A toxicology screen revealed “a small amount of amphetamine” in Hastings’s blood, which was “consistent with possible intake of methamphetamine many hours before death." However, the amount detected was “unlikely to have an intoxicative effect at the time of the accident.” Additionally, “marijuana was present in the blood…indicating intake hours earlier.”
And he had admitted to smoking crack before...

Michael Hastings: "My advice to journalists: Smoke crack, Twitter occasionally"

The best line in The New Yorker post is when Packer admits to living a crack-free lifestyle. (“I haven’t used crack, either,” he writes.) Well, I have smoked crack. I recommend it for all writers to try at least once, especially to New Yorker staffers. It’s pretty good–it’s crack, after all–and down the crack pipe went my first semester at college. But torching a crack rock is very different from typing a Tweet.

For what it’s worth, I’ve always thought that blogging, not Twittering, was the media version of crack. Metaphorically speaking: I get an intense high from instantly publishing, but the minute I stop, I get a kind of an empty and anxious feeling, as if I’ve just poured part of my soul into a spiritual void. I stopped smoking crack ten years ago–it got a little out of hand– but I have come to terms with blogging. It’s healthy as long as I don’t allow it to totally consume me.
So yea, sounds like he relapsed, but was not intoxicated at the time of the crash.

Remember, though, meth can trigger psychosis if abused, and there's no real way of telling if someone was psychotic via an autopsy.

Hence I'd propose four hypotheses to explain the crash:

1. He had a psychotic break from smoking too much crack, thought the feds were "on to him", and tried to flee, lost control while speeding, crashed, and died.

2. Tired @ 4 am he fell asleep at the wheel, and his foot was on the gas pedal accelerating into the wall.

3. His car was sabotaged either electronically or physically to damage the steering and accelerate, causing it to hit the wall.

4. Some combination of 1-3.

By Flunk on 9/5/2013 12:47:58 PM , Rating: 3
Of those options #2 is by far the most common, so that's my vote.

By Adonlude on 9/5/2013 2:07:06 PM , Rating: 2
People fall asleep on meth? I thought that drug was like the opposite of sleep.

By GuyMontag on 9/5/2013 1:36:07 PM , Rating: 2
".. he had a psychotic break from smoking too much crack>"

Really? Hastings used crack 14 years ago; then he went on the wagon at age 19 (although admitted a drunken binge in 2010 and did some Adderall in 20120.

By JasonMick on 9/5/2013 1:58:44 PM , Rating: 2
Really? Hastings used crack 14 years ago; then he went on the wagon at age 19 (although admitted a drunken binge in 2010 and did some Adderall in 20120.
Err... adderall is methamphetamine salts... pretty much speed.

Adderall is legal and a useful treatment if you have certain psychological disorders but it also can be highly addictive and has a high potential for abuse.

To illustrate this point, let me share a true story...

I had a personal experience where a developer friend of mine who I used to work with weekly stopped responding to my calls for a few months and fell off the face of the Earth. Then one day I dropped him a line on Facebook and he agreed to meet up.

We met and when I got there he was raving about the government tracking him via a satellite (ironically he also had gone to the FBI the day before and filed an identity theft against a coworker).

It took me a couple of minutes (he had an odd sense of humor) to realize he wasn't fully joking, and was in fact fully psychotic. He revealed that he had been stockpiling his adderall (not using them as prescribed) and had taken them in mass and had not slept in several days.

He refused to listen to me when I told him to calm down and he ran off and sped off in his Boss Mustang... if his family had not talked him down and convinced him to go to the hospital something very similar could have happened.

Ultimately he was institutionalized and had to stop taking Adderall...

The thing that really rings a bell with my own personal experience with my friend is Mr. Hastings comment to his neighbor about government choppers watching him. It sounds an awful lot like my friend who when psychotic thought government satellites were watching him at all times.

Again, I'm not saying this is usual or what happened to Mr. Hastings, but having witnessed it personally I can say that meth psychosis (including from Adderall, which is meth salts) is real and dangerous... it happens and it is possible.

By ShaolinSoccer on 9/6/2013 12:20:05 AM , Rating: 2
Believe it or not, there are people who are not on any drug and behave the exact same way. I know, because I have met someone like that.

By thurston2 on 9/9/2013 10:33:34 AM , Rating: 2
Adderall is not methamphetamine salts it is mixed amphetamine salts there is a difference.

By GuyMontag on 9/5/2013 1:44:19 PM , Rating: 2
IF there was foul play, I'd go with #3 (the other theories floating around in the blogosphere have been debunked).

The key question still unanswered is WHY Hastings’ car was speeding. The night he died a neighbor claims he asked to borrow her car because he thought someone may have tampered with his car. Maybe Hastings had reasons to be scared (or maybe he was paranoid) and drove too fast, or maybe his car brakes/accelerator had been “hacked” or tampered with.

Unfortunately, the LAPD never tried to answer that question or investigate the crash as a potential homicide. IF this crash was an assassination, we will never know since the LAPD failed to find any evidence of foul play since they never even looked for it.

For details,see “Michael Hasting’s Fiery Car Crash: Accident or Assassination?” in my post “More Lies Borne Out by Facts, If Not the Truth” at the Feral Firefighter blog.

By Dobo on 9/5/2013 11:32:04 PM , Rating: 2
Crack is cocaine, (well it's supposed to be) methamphetamine is available on the street but also as a schedule 2 in the pharmacy(very very rarely prescribed) adderall is dextroamphetamine salts they are similar but as far as legally obtained drugs go adderall and and other speed type drugs are more common. He could've taken sudafed(levomethamphetamine) which will show as meth(dextromethamphetamine) in a drug test. Unless they use a process called chiral analysis it could be very misleading. It would be interesting to see the lab assay results untampered.

By thurston2 on 9/9/2013 10:45:50 AM , Rating: 2
Sudafed is not levomethamphetamine it is psudoephedrine. Vicks inhalers contain levomethamphetamine. Adderall also contains levoamphetamine as well as dextroamphetaimine. Sorry to be so anal but the media is often very wrong when it comes to drugs with similar names but very different effects and it just fuels people's ignorance.

By GuyMontag on 9/5/2013 1:31:49 PM , Rating: 3
"The methamphetamine is certainly more suspect."

The LAPD tested specifically for Meth & MDMA (see p. 15 of their report) but found no trace of either (nor any other “hard drug” or alcohol), although trace amounts of weed and amphetamine (consistent with Adderal or Ritalin use).

The coroner was speculating when he wrote the trace of amphetamines were "consistent with“ meth (also "consistent with" Adderal, etc.) And,the LAPD press release (not the report) incorrectly claimed that meth was found.

For details, see “The Character Assassination of Michael Hastings” in my post “More Lies Borne Out by Facts, If Not the Truth” at the Feral Firefighter blog.

By Ammohunt on 9/5/2013 1:58:32 PM , Rating: 2
The methamphetamine is certainly more suspect.

Perhaps it was Medical Methamphetamine? Obvious taking the pot wasn't working for him.

By JasonMick on 9/5/2013 5:12:05 PM , Rating: 2
Perhaps it was Medical Methamphetamine? Obvious taking the pot wasn't working for him.
Agreed -- I'd imagine since the feds didn't mention anything else, that it was legal Rx meth salts.

I meant "suspect" in the sense that it can create psychosis.

Medical meth is still meth, after all. Even if Mr. Hastings was indeed a patient and intended to take the drug responsibly/as directed, meth is highly addictive and habit forming.

Read the story above about my coder friend. He was/is an extremely smart person, but got hooked and started abusing the drug. As a result he thought the government was watching him via sattellite and that the FBI was after him (sound familiar) and then went out driving at high speeds (sound familiar) until his family talked him down and he was institutionalized.

Meth is a dangerous drug and can trigger paranoid psychotic episodes. Adderall users must be extremely careful lest they fall into abuse.

My point is that's what's really fascinating/insidious ... there's no way of knowing whether he was psychotic (a very real possibility) or they were out to get him (also a real possibility given his role in taking down Gen. McChrystal).

By thurston2 on 9/9/2013 10:49:06 AM , Rating: 2
Please quit calling adderal methamphetamine. Adderal contains no methamphetamine what so ever. Mixed amphetamine salts are not methamphetamine.

By NellyFromMA on 9/5/2013 12:50:06 PM , Rating: 2
Not that I believe in many conspiracies, but toxicology is very easy to alter as well. If this was true, the linch pin of your opinion on it (the driver's toxicology) Is frankly much easier to manipulate than the car crash itself.

By CarbonJoe on 9/5/2013 1:27:47 PM , Rating: 2
A confessed medical marijuana crashing his car at 4:20 am? What are the odds?

RE: Coincidence?
By CarbonJoe on 9/5/2013 1:28:32 PM , Rating: 2
*medical marijuana smoker*^

awesome move potential
By Captain Awesome on 9/5/2013 10:29:34 AM , Rating: 2
Think of all the great scenes in movies this can give us!! Assassins won't be limited to car bombs, now they can reflash the victim's car's computer to look at the GPS coordinates, and accelerate into a wall or off a bridge. We can even watch as the target fights with their car for a minute before figuring something out, or being rescued by Arnold in a helicopter.

By chripuck on 9/5/2013 11:22:35 AM , Rating: 2
There were brief mentions of using Bluetooth or GM's OnStar to initiate the attack, but nothing of substance. Is this one of those "scary" hacks that requires physical access to my car? Because it seems as if it is and frankly I'm not entirely worried about the casual hacker breaking into my vehicle, plugging into an available port and then implanting malicious code.

By Ammohunt on 9/5/2013 2:07:30 PM , Rating: 2
The problem with the "Sabotage the car" assassination theory is that it only works well in the movies. There are far to many variables to account for to generate a high percent of success. People bent on assassination have far better and less dramatic ways to get rid of people. Case in point the broad daylight mafia hit that was in the news over the past year. Guy walk up behind the target in front of a store shoots him in the head walks away no BS assassination.

Writer missed something
By lagomorpha on 9/5/2013 3:06:00 PM , Rating: 2
Such security will help to protect drivers not only from the government, but also from the much more common malicious members of the masses.

"Dear automakers, If you wish for future cars to meet Federal emissions and safety guidelines you must build a back door into any security implemented. Informing the public about this correspondence is prohibited by federal law. -with love, the NSA"

By chromal on 9/5/2013 3:16:53 PM , Rating: 2
Sadly, efforts to secure cars likely won't deter hackers, but they will deter DIY/shadetree and independent mechanics and generally just folks who want to mod their cars' ECUs.

I guess I would be okay with this if they're talking about securing safety systems like brakes and steering, but those aren't generally controlled by ECUs anyway-- I'd imagine the worst you could do on a few cars would be to disable anti-lock braking, which is no big deal.

By Chuckie888 on 9/5/2013 3:27:43 PM , Rating: 2
The coroner's report stated that drugs played no role in his crash or death, and yet nearly every news service spun the story to sound like the exact opposite.

Hastings had blood metabolites from Rx marijuana and Rx Adderall (which, like many Rx and OTC substances, leaves an ampethamine residue) both of which were legal (and the coroner's report said were taken hours earlier and were irrelevant to the crash).

Instead, the media made him sound like a delusion meth head who though he could fly from balconies -- quotes from his "family" which turned out not to be at all.

Plus, the media ignored Richard Clarke's comments.

Sometimes paranoia is just rational thought. And something odd happened here. And is still happening.

By daveG on 9/5/2013 5:11:29 PM , Rating: 2
CAN bus does need better access control. I am not denying that. The problem is that sensational stories like this will get public outcry and move the automotive manufacturers to a more locked down system. It serves their interests more as dealership repair is the big money maker. They can fill their pockets while claiming it is in our best interests for safety.

All this fighting for Right-To-Repair and I foresee this attack may not bring the common sense that is needed. Secure parts of it but keep the repair information open!

Remember these attacks need physical access to the port. It is not a drive-by thing.

All I want for Christmas...
By NicodemusMM on 9/5/2013 8:33:59 PM , Rating: 2
... is the ability to FORCE tailgaters to back off. Seems like Christmas came early this year. Can't tailgate when your brakes are locked up. huehuehue

I have a solution
By inperfectdarkness on 9/6/2013 2:29:12 AM , Rating: 2
I'm going to sell my car and buy a 1973 Buick Electra. No more worries about being electronicly hacked.

Good for good
By ipay on 9/7/2013 3:20:59 PM , Rating: 2
...causing the vehicle to brake, refuse to break , or even steer into a wall...
Sweet! I want a car that refuses to break.

Smoke less crack...
By Iaiken on 9/5/13, Rating: 0
"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki