Charlie Miller Releases Open Source "Car Sabotage Toolkit"
September 5, 2013 9:09 AM
New how-to guide allows even layman hackers to carry out attacks similar to suspected government efforts
During a presentation at Def Con 21 last month, famed Apple, Inc. ( works at Twitter ) and Chris Valasek, director of security intelligence at IOActive, revealed an interesting side project. The presentation showed how to affordably attack a vehicle's CAN bus with malicious messages, causing the vehicle to brake, refuse to brake, or even steer into a wall. The presentation shows how such attacks could be carried out -- even by relatively unskilled hackers.
I. CAN -- Useful, but Not Very Secure
Over time, cars have grappled with a growing number of electronic control units (ECUs) and, at times, conflicting standards. CAN (the Controller Area Network) was an industry-wide effort to simplify and improve in-car communications. While implementations vary slightly, CAN is governed by a set of published standards from the International Standards Organization (ISO) including
(ISO-TP) (sending) and
A part of a broader set of standards to make vehicle diagnosis easier (the so-called On Board Diagnosis II (OBD-II) standard), CAN has been required on all light vehicles in the U.S. since 1996 and in the EU since 2001 (petrol vehicles) / 2004 (diesels). But it turns out that as vehicles become more connected and the ECU count continues to rise, fundamental security flaws in the standard and its implementation in current vehicles are showing through.
There are many routes that you can use to attack the CAN bus. [Image Source: AutoSec]
The issue first received serious consideration in 2010 when Professor Tadayoshi Kohno of the University of Washington and Professor Stefan Savage of the University of California, San Diego (UCSD) published a paper entitled "Experimental Security Analysis of a Modern Automobile" [PDF], in which they tested self-erasing attack codes for ECUs which targeted the CAN bus.
Once (temporarily) installed on a target ECU these codes were capable of sudden braking, brake failure, or acceleration, via sending malicious signals to various other onboard ECUs. Amazingly, the authors found that many ECUs would even allow themselves to be reflashed (reprogrammed) while driving, with the proper CAN message encouragement.
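One mitigation for the reflash-while-driving finding above, sketched as a gateway-side filter (an added example, not code from the article, the cited papers, or any vehicle). It assumes UDS (ISO 14229) requests carried over ISO-TP on classic CAN; the diagnostic ID range, the `Frame` type, the function names and the sample frames are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: diagnostic requests use 11-bit IDs 0x700-0x7FF on this bus.
DIAG_REQUEST_IDS = range(0x700, 0x800)
DIAG_SESSION_CONTROL = 0x10            # UDS DiagnosticSessionControl
PROGRAMMING_SESSION = 0x02             # sub-function: programmingSession
REFLASH_SERVICES = {0x34, 0x36, 0x37}  # RequestDownload, TransferData, RequestTransferExit


@dataclass
class Frame:
    can_id: int
    data: bytes


def uds_request(frame):
    """Return (service_id, payload) for an ISO-TP single or first frame, else None."""
    d = frame.data
    if frame.can_id not in DIAG_REQUEST_IDS or not d:
        return None
    pci = d[0] >> 4
    if pci == 0x0:                       # single frame: low nibble is the length
        body = d[1:1 + (d[0] & 0x0F)]
    elif pci == 0x1:                     # first frame: 12-bit length, data from byte 2
        body = d[2:]
    else:                                # consecutive or flow-control frame
        return None
    return (body[0], body[1:]) if body else None


def allow(frame, speed_kph):
    """Gateway decision: refuse reprogramming requests unless the vehicle is stationary."""
    req = uds_request(frame)
    if req is None:
        return True
    sid, payload = req
    wants_programming = (sid == DIAG_SESSION_CONTROL and len(payload) >= 1
                         and (payload[0] & 0x7F) == PROGRAMMING_SESSION)
    return not ((wants_programming or sid in REFLASH_SERVICES) and speed_kph > 0)


# Constructed sample frames (not captured from any vehicle).
SAMPLES = [
    Frame(0x7E0, bytes.fromhex("0210020000000000")),  # programming session request
    Frame(0x7E0, bytes.fromhex("0210010000000000")),  # default session request
    Frame(0x7E0, bytes.fromhex("100B340044000100")),  # first frame of RequestDownload
    Frame(0x0B4, bytes.fromhex("0210020000000000")),  # ordinary broadcast frame
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(hex(f.can_id), f.data.hex(), "moving:", allow(f, 60), "parked:", allow(f, 0))
```

A filter like this only helps when it runs on a gateway between the diagnostic port and the ECUs; a node already on the same bus segment as its target is not stopped by it.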
The vehicle in these tests was rumored to be an OnStar equipped model from General Motors Comp. (
In 2011 UW/UCSD researchers showed hackers could remotely attack vehicles via smartphones or Bluetooth. [Image Source: TomTom]
The UW/UCSD teams followed up that critical work with another paper, "Comprehensive Experimental Analyses of Automotive Attack Surfaces", which found that malicious attack codes could be transferred by Bluetooth -- or even into a CAN-connected CD player unit via a special CD or even remotely via malware on smartphones connected to your infotainment system.
However, while these kinds of claims were alarming, an open set of libraries to control CAN I/O was not available at the time. In other words, unless you were someone with a lot of resources -- e.g. a government -- or an automotive expert with a lot of time on your hands, you likely wouldn't have the knowledge or means to do these kinds of CAN-based attacks. That meant that cars enjoyed a modicum of security from your average script-writing internet hacker masses.
II. "Car Hacking for Dummies"
But that relative safety appears to be coming to an end. Funded by the Defense Advanced Research Projects Agency, Mr. Miller and Mr. Valasek have baked a set of libraries to make writing code to study CAN signals and craft attacks much easier. Dubbed [zip], the attack library builds on the barebones [PDF], which is distributed by EControls, a maker of CAN-interface USB devices.
The only difficulty is that EControls' ECOM can't easily plug into the OBD-II port, a CAN input commonly located near the passenger's seat. But if you have basic cable-making skills, you can fashion a connector using the OBD-II connector shell, which ODB Diagnostics, Inc. sells.
Beyond that, all you need are the typical assets of an internet hacker -- basic coding knowledge, time, and a target.
With a custom ECOM-to-OBD connector built from off-the-shelf parts (left), an EControls ECOM test cable (right), and a laptop, you can test car attacks like a pro. [Image Source: Def Con]
In their work, the authors use the APIs they developed to identify and attack various control signals in a 2010 Prius from Toyota Motor Corp. and a 2010 Escape from Ford Motor Comp. The authors showed how the APIs could be used to accomplish attacks similar to those the UW/UCSD team carried out on the brakes or throttle. They also demonstrated how cars with automatic parking features (e.g. the Prius) could even be maliciously steered, as the car can now take control of the steering wheel with the right signals (typically a driver could override this if they firmly gripped and twisted the wheel, but not all drivers would know how to respond -- particularly given the surprise of the attack).
III. Danger is Rising
Again, the key difference between the UCSD/UW effort and the recent Def Con talk is that the UCSD/UW team did not release their attack software and kept their descriptions of the attack's finer details to a higher level. By contrast the recent presentation not only comes with an open library of "helpful" attack software, but also explicit descriptions of how to buy/build an interface device and detailed examples of attacks on specific ECUs in terms even a layman with basic programming skills could understand.
Charlie Miller [Image Source: ZDNet]
With the Def Con presentation, what was once a purely academic attack is creeping closer to general use.
Thus, even if you don't buy into plausible conspiracy theories like those surrounding Mr. Hastings' death, and aren't afraid of your government, you still now have something to actually worry about, since the Pandora's box of "CAN hacking for dummies" has been opened by these pro-disclosure researchers.
Soon deadly sabotage attacks may be common on older vehicles. [Image Source: Unknown]
IV. Fiery Crash of Obama Administration Critic Fuels Interest in Car Hacking
The timing of Def Con 21 was uncanny, coming at a time when regarding the death of prominent Obama and Bush administration critic and contributing editor Michael Hastings were peaking. Mr. Hastings -- a medical marijuana user -- allegedly had traces of both methamphetamine and marijuana in his system when his car steered off course on a deserted Highland Avenue at around 4:20 a.m. on June 18 and struck a tree, prompting the Mercedes to burst into flames.
While fiery crashes and deaths are a rare, but not altogether foreign tragedy on America's highways, the reporter's adversarial relationship with the Obama administration -- and the Obama administration's willingness to harass reporters who dig too deeply -- has fueled theories that foul play might have been involved in the crash.
Controversy commenced when his neighbor and close friend, Jordanna Thigpen, that Mr. Hastings feared for his life and that he was concerned his car was tampered with. At the time Mr. Hastings was working on a major exposé of the Obama administration and U.S. Central Intelligence Agency, according to a report by the local San Diego 6 News.
Electronic hacking is one of the possible methods of sabotage that some suspect was used to kill journalist Michael Hastings. [Image Source: PrisonPlanet]
Prior to President Barack Obama's election in 2008, Brennan was working at Analysis Corp. -- one of two government contracting firms which gained unauthorized access to then-Senator Obama's passport record. That incident has led to speculation that Mr. Hastings might have been unearthing evidence of Mr. Brennan's possible role in the access, tampering, or "sanitization" of the President's passport.
While many details of the crash added up (methamphetamine users often become dangerously paranoid) -- others provoked suspicion, including reports that Mr. Hastings was allegedly visited by federal agents on the day of his death. Former Cybersecurity Czar (formally, the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism) The Huffington Post in an interview:
I'm not a conspiracy guy. In fact, I've spent most of my life knocking down conspiracy theories. But my rule has always been you don't knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can't prove it.
Whether or not his suspicions prove true, the fervor surrounding the topic of automotive hacking is arguably justified.
Anyone with basic skills, physical access to your car, and mischief or malice in their hearts can now attach a malicious device to your car -- or potentially even reprogram one of your onboard ECUs. When you start driving, the attacker's code will spring into effect, and if the author did their homework, it may erase any trace of itself after it accomplishes its objectives.
That's the bad news.
The good news is that once the public realizes this -- and once automakers realize that the public realizes this, the market will mandate they implement stiffer security into their CAN-connected components. Such security will help to protect drivers not only from the government, but also from the much more common malicious members of the masses.
And that's good news for everyone -- even if you're not paranoid.
Def Con/Charlie Miller
Great, more reason to defeat right-to-repair
9/5/2013 5:11:29 PM
CAN bus does need better access control. I am not denying that. The problem is that sensational stories like this will get public outcry and move the automotive manufacturers to a more locked down system. It serves their interests more as dealership repair is the big money maker. They can fill their pockets while claiming it is in our best interests for safety.
All this fighting for Right-To-Repair and I foresee this attack may not bring the common sense that is needed. Secure parts of it but keep the repair information open!
Remember these attacks need physical access to the port. It is not a drive-by thing.
Copyright 2016 DailyTech LLC.