Defcon presenters preview hack that takes Prius out of driver’s control

hacking-control-of-a-prius

This one’s a treasure trove of CAN bus hacks that will scare the crap out of an unsuspecting driver — or worse. [Charlie Miller] and [Chris Valasek] are getting ready to present their findings, which were underwritten by DARPA, at this year’s Defcon. They gave a Forbes reporter a turn in the driver’s seat in order to show off.

You’ve got to see the video on this one. We haven’t had this much fun looking at potentially deadly car hacking since Waterloo Labs decided to go surfing on an Olds. The hacks shown off start as seemingly innocent data tweaks, like misrepresenting your fuel level or displaying 199 mph on the speedometer while the car is standing still. But things start to get interesting when they take that speed readout from 199 down to zero instantly, which has the effect of telling the car you’ve been in a crash (don’t worry, the airbags don’t fire). Other devilish tricks include yanking the steering wheel to one side by issuing a command telling the car to park itself when driving down the road. Worst of all is the ability to disable the brakes while the vehicle is in motion. Oh the pedal still moves, but the brake calipers don’t respond.

The purpose of the work is to highlight areas where auto manufacturers need to tighten up security. It certainly gives us an idea of what we’ll see in the next Bond film.

[Thanks Matt]

Comments

  1. Fritoeata says:

    So you’re actually telling me that the “all manual” features of my 1.0L/3cyl Metro that gets 45mpg may actually be safer? I mean I know my all cable/linkage/hydraulic/etc. is far better for failure, but why don’t they have ANYTHING akin to a similar failsafe?
    at $0.008USD/mile savings, is it worth being in control?
    …besides that, my a$$ cheeks are like iron from my commute! 8)

    • nukky says:

      I loved my Metro. Were it not for a crack in the frame, I’d still be driving it. Four years without fifth gear, and three without a speedometer, it had hit almost 300,000k and still the original engine and tranny were reliable enough for my 80km round trip daily commute. The fuel pump was repaired with a scrapped 4-pin molex from a computer PSU. You could repair it roadside with simple tools, and everything was light and accessible. It was no comfort or speed demon, but who cares? It was cheap to maintain and it sipped gas.
      I really can’t stand new cars with all the “we know better than you” computer controls. It’s just more crap to go wrong, like an Airbus, and is only there largely to drive up the price and profit margins. Give me a simple no-features car any day.
      And chicks dig iron ass cheeks.

  2. Tyler says:

    I have to say, this is why I have not been fond of the trends toward push-button ignition and transmissions that do not have mechanical connections to their controls. A car is a big, heavy, dangerous machine…and big, heavy, dangerous machines should have E-stops that do not rely on software to function. Considering how much some car manufacturers obfuscate or pseudo-encrypt bus data to make diagnostic by independent shops harder, I’m surprised they were able to manipulate this car so thoroughly. The brakes trick is what really gets me … does anyone know the mechanism behind how they are doing it? Are they continuously keying up the ABS controller or traction controller (to either disable to slam on the brakes)?

    • Koolguy007 says:

      I believe the Prius has the ability to disable the calibers so that the energy recovery system slows the car instead of the breaks when the peddle is pushed.

      • Edgeman says:

        The brakes test was done in a Ford Escape, not in the Prius that was used in the rest of the test (check the Ford logo on the steering wheel, or just read the Youtube video description).

        • Nigel says:

          You’ve never seen the Toyota logo, have you? The steering wheel clearly shows the three-oval, stylised ‘T’ of the Toyota logo, rather than the word ‘Ford’ in script enclosed in an oval, although they are both roughly the same size and shape.. Couldn’t have applied this hack to the Neale electric car though.

    • evolotion says:

      The sound is very distinctive, im 99% certain there pulsing the “vent pressure” solenoids in the abs pump, you get a very similar thing if the abs false triggers at low speeds due to faulty/cracked reluctor rings, any mechanic will recognise the sound.

      • smee says:

        I thought exactly as you did. Apparently what is really happening is they are putting the car in some sort of brake-service mode, where the calipers are moved away so the pads can be removed. Then when you still try to use them, the car thinks that they are slipping, the abs does it’s stupid thing, but fails miserably as the pads are much too far away from the disks to do anything.

        • evolotion says:

          I can only see that being possible with the parking brake but then it should still work the fronts as its split circuit, I only look after a few prius’ (fucking hatefull cars, owners shoud just buy a diesel) and the front hydraulic setup is as per usual for any car, no need for a special service mode etc. However could be wrong!

  3. truthspew says:

    The thing to keep in mind is that virtually every car out there today use a CAN or other bus to communicate among the various systems. The days of a direct wire are to say the signal lights, headlights, etc. are GONE. In essence cars are now drive by wire.

    So great fun will ensue! Especially with the proposals to let cars communicate with one another.

    • Nitori says:

      Not sure why they insist on doing this as it sounds like a good way to both drive up costs and get a big lawsuit.
      The power train systems should have what’s known as an air-gap firewall between any wireless system.
      This means no data passes under normal circumstances.

      • blade says:

        The whole point of the plan is to try to eliminate wasteful driving habits and lower the rate of accidents in areas where there is a lot of traffic on a regular basis, like rush hour in major cities. When cars can almost drive themselves, there should be less of a chance of “driver error”. The only problem is, there are a lot of people that can’t afford cars with these sort of features. I’m sure that the legal experts behind the push to increased vehicular autonomy are going to find a way to pin the blame on a driver that is not driving a “safe car” even if it’s eventually discovered that the driver blamed for it wasn’t the one at fault.

      • truthspew says:

        Yeah- the reason they do it is because it’s less expensive than running hydraulics all over the place for one. For two – it means you can locate the steering wheel, brake pedals, etc. on left or right making cars truly global.

  4. Will says:

    When hackers can do this without taking the car apart and sitting in the back seat with a laptop, then I might worry.

    • okowsc says:

      car+CAN bus+RPI+3g Modem hidden in the car wired up to the power … now that would be deadly

      on a side note,is there a car where they could fire the airbags?

      • sp00nix says:

        If a command could be sent to the system controlling the air bags, its possible to mimic a crash from the sensors.

      • Niru says:

        This is not a ridiculous speculation. Some recent models (2012 and later) are sporting packages in their On-Star system, that allow remote ECU firmware updates: 1. dial the car’s number, 2. send the proper handshakes and authentication, 3. download whatever software you have cobbled together to do whatever, theoretically, do all-of-the-above hacks in response to a live cell-phone link, remotely, in real-time.

        On-Star has permitted manufacturers (and, presumably, law enforcement) to do remote unlocks, and engine disables for quite a while – maybe 10 years or longer?

        If I had a car with any kind of remote-assistance package, (even if it was a standard model that had the equipment only-enabled for the luxury model) – I would pop the panel and physically remove the f*cking antenna/receiver.

        Remote keyless entry is a bad-enough backdoor. Cell-to-ECU connectivity is just a really horrible idea. The only saving grace is that there’s probably no reliable way to wipe any leftover code or logging, so there would never be a guarantee that an attacker could erase evidence of a hack. (so it makes a dumb tool for assassination/murder – for the tinfoil hats out there).

        • takato says:

          aifk, removing the onstar box will throw a check engine light. the method that I’ve heard for disabling the ability for onstar to mess with your car is to remove the antenna which makes the system assume that it’s in a dead zone.

        • Nitori says:

          The scary thing is average law enforcement can turn it off so can any script kiddie.

        • Greenaum says:

          Couldn’t you just reprogram the engine back the way it was? Either after the crash, assuming the relevant bits are still in one piece and connected, or perhaps a second before?

          Although even then, I doubt it matters. Buying a cellphone / modem dongle with cash then throwing it away, and securely wiping any nefarious software from your computer should do the job.

          I’ll keep my bus pass. And even that’s got RFID.

        • Greenaum says:

          I’m amazed at this! Anyone who knows anything should be reasonably terrified by it! How did this idea get as far as being implemented? Aren’t there supposed to be safety laws? Even if the existing laws don’t cover software-based attacks, you’d think HaD isn’t the only place in the world to have figured this out.

          I know PHBs make demands, but having the spectre of assassination-by-cellphone, and gods help us, car viruses, should scare the lawyers. And they’re the people that bosses listen to.

    • sp00nix says:

      CAN is like a network, if something can be stealthily installed to remotely inject commands, the driver may never know it was sabotage.

      • For that, you would need to have access to the database of the commands to send over CAN. However, not sure how long it would take to reverse engineer the CAN msgs by sniffing the bus.

        • Niru says:

          For a hacker, this is trivial. Worst-case; they take an identical-model car apart in their garage, and reverse-engineer the protocol themselves. Best-case; look-up the many fine places online where such information is freely available.

          I’ll say that – in-practice, for my particular car, (VW) – they have a proprietary version of CAN, and “trivial” does understate the problem. There’s third-party commercial software that works (Ross Tech VAG-COM), and a few individual hackers who have reverse-engineered it, including a guy about a year ago who built an arduino replacement for his ECU, and was posted on hackaday. Other manufacturers are more broadly standardized, so the task is actually easier for others.

          • Niru says:

            (. .. . a bit more on VAG-COM: some more sensitive parts of the system ARE password-protected. Airbag controller, ABS controller, etc. – So there is some rudimentary security. However – the default passwords are posted all over the place online, and of course, nobody’s ever going to change the default on an ECU – because the first time you take it in to a shop, the mechanic will be having a hard time even diagnosing problems. As for Airbag controllers: there’s a password to log into the controller – and then the controller has it’s own secret key that’s paired with the endpoint (sensors, bags, seatbelt pyros) – so – it’s not necessary to forge those secret keys to fire anything, all you need to do is to log into the controller and send the command. There are warnings in the software for technicians to not use that controller while they’re inside the car, to avoid accidental firings.)

        • Drake says:

          Or you record and repeat … flood the network while repeating the last action sounds dangerous enough

      • delete2kill says:

        they can already, read up on the OBD port that come standard on all cars since 1995
        the port is already under you dash hidden from plain sight unless you know where to look !!

    • ian says:

      We can, under the dash of most modern cars there is a port that allows you to access your can bus. they just took it apart to show where the main computer was located.
      Also by the way a group of high school and college kids did this last summer in Aberdeen MD. I would know since i was one of them who had controlled a car engine with the stereo volume knob. If you dont believe me look at this website http://www.wired.com/autopia/2012/09/camp-car-virus-squad/ ,thats me on the front cover

  5. John Fiorello says:

    Just google ‘Boston Brakes’ and laugh… or cry…

  6. sp00nix says:

    I played with some CAN hardware/software in a newer Volvo and a Saab, i was surprised with how much i could control. I could open and close windows, trip the solenoids in the ABS system, lower the suspension, honk the horn, it goes on. When messing with the ABS it displays a large warning that the car should NOT be in motion, i’m assuming messing with the ABS solenoids could disable the ability to brake. To make it more scary, the communications module was blue tooth, large and bulky, but a smaller one could be hidden in the car….

  7. Foxdie says:

    I’ve done a lot of work with late 90’s / early 00’s Mitsubishis using the old MUT-II / MUT-III protocols, you could effectively disable the brakes simply by logging the ABS system whilst the vehicle was in motion. It would constantly try to unlock the wheels and made braking useless. Scared the crap outta me the first time.

    Subsequently migrated into the GM CANBUS arena and it’s even more scary what you can do. It would be frighteningly easy for a determined hacker to trigger the ABS system and simulate WOT (wide-open throttle) with a low profile OBD-II dongle surreptitiously installed onto the diagnostic port. Wait for the vehicle to be at speed, as soon as the brake is applied it disables the brakes and aggressively accelerates the car. You try to turn the ignition off, the dongle continues to spoof the presence by flooding the network with packets to say the key is still turned “on”. Even if you managed to turn the engine off, you’re still moving faster than when you started and most likely without power-assisted brakes, either way it’s a potentially fatal situation.

    If I’m only a hobbyist grade hacker and I know all of this through tinkering around and a couple of hours research every month, what is a dedicated professional going to achieve?

    (I’d love to broaden my knowledge and find a career in the automotive industry working on communication networks and security but sadly it’s a fading market here in the UK)

    • Niru says:

      I mess with my VW too. I figured that the solution to the WOT issue was simply to take the car out of gear. (in fact; I had a problem with my turbo seal blowing, and the engine oil drained into the intake, and the engine suffered a brief runaway condition (diesel). I was only able to shut it down by upshifting and slamming on the brakes. Thank goodness for hard-manual controls – there was no damage to the engine other than I had to replace my turbo.

      Same would go for the ABS – I figure that in most cases, I could downshift to slow down. But there are situations where a downshift will redline, and blow the engine, and downshifting does not substitute for situations where you need emergency-braking. In that case; I could actually pull the e-brake lever: this physically pulls a cable, which pulls a mechanical actuator on the rear-brakes (only), which mechanically depresses the caliper – and ignores the ABS system entirely. Assuming I’m in a situation where I can react quickly enough.

      My car is modern enough (2003) to have some of these new, computerized control features. But old-school enough to have some manual override.

      As far as communication networks security being a fading market in the UK? I think with Cameron on his porn-banning binge, that industry’s about to get a nice shot in the arm. (whether you agree or disagree with the politics – it’s going to trigger an arms-race, which is good for people with these skills).

  8. Pawel says:

    Remote Control Accident …
    see also : http://www.youtube.com/watch?v=z3WW6eoLcLI

  9. HackJack says:

    I must be missing the point here. If the only way to hack a car is to open it up. There is nothing too interesting about. It is like you can get infected with virus if you allow your PC be accessed by strangers.

    Hacking a car like the way they do in the video is just a fine line apart from crazy. The drive software has been through a lot of testing by manufacturers. I would not trust anyone to tamper them.

    • chris says:

      In the article he mentioned that other researchers had already demonstrated that it was possible to get into the systems that were exploited through remote methods. These guys used a direct connection to save time.

    • Carl Hage says:

      One can also put a hole in the brake lines, cut the cable on the parking brake, change around the wiring, and all kinds of other nefarious things. No need to go to all the trouble of faking the CAN bus. Encrypting the bus modules would just mean it would be harder to get compatible replacement parts and wouldn’t really significantly reduce possible threats against a car since there are so many. I think attack qualifies in Bruce Schneier’s movie plot security theater competition. I don’t think it’s a good idea to solve this threat.

      • daler says:

        Ok, except:
        1. Sabotaging a car’s brakes usually becomes evident before dangerous speeds are reached (backing out of your driveway/parking spot and the brakes don’t work)

        2. If you’d watched the video, you’d note that the hackers talk about the work of *other hackers* in remotely downloading code via OnStar and other wireless technologies. This video is just a proof of concept in what such an attack could accomplish. Plus, such attacks could be coded to only activate given specific conditions to increase the odds injury or death.

        This is why every car needs physical backups/overrides for key systems.

        • Nitori says:

          Physical overrides probably need to be mandated by law.

        • SenorNoob says:

          Just wanted to say that brakes can be tampered with such that it isn’t immediately obvious. (Think pin-hole in one cylinder line.) Fluid level drains every time the brakes are pressed until it’s too low to work. For most people (in my area anyway) this would probably get them onto a major highway before failure.

          • daler says:

            Perhaps. Even so, the failure mode is a gradual thing — the brakes don’t “stop working” all at once. I’d hope most people would pull over when they notice their brake pedal is getting “squishier” each time they use the brake (as the resevoir drains). Every day brakelines *naturally* develop pinholes due to corrosion, yet “brake failure” resulting in a collision is rare.

    • mrz80 says:

      Ten minutes with a SlimJim and an OBD dongle in a parking garage while you’re at work and your car is now someone’s b***h. Remember, what do you call a paranoid at the end of a day in a high threat environment? Alive. :)

  10. Kris Lee says:

    While I understand the security concern then having all the components talking with each other over encrypted link makes hacking the car much harder I guess unless car comes with the key in its documents.

  11. Willis75 says:

    There are many comments suggesting that the required physical connectivity makes this a non-issue but I’d argue that the proliferation of poorly-engineered bluetooth and WiFi enabled entertainment systems will soon result in remote exploits. These entertainment systems are just hosts on the in-car network and can be stepping stones in the same way a malware-infected PC can. Imagine compromising one of these systems and then ordering it to forge messages on the CAN bus. Feeding the ABS controller false sensor data about wheel speed and yaw could cause it to engage stability control when it isn’t in fact needed. If that doesn’t sound alarming, here’s a hint: stability control systems correct a car’s trajectory by applying braking force to one wheel. When unneeded and at highway speed, I imagine this could cause a spectacular hollywood style rollover crash.

  12. Mystick says:

    Ah.. the weaknesses of “drive by wire”…

  13. Ellen says:

    Finally it pays to own a car with power-nothing and a manual transmission!

  14. Dr.Sputnik says:

    Will Never stop driving my landrover discovery for this reason, dont want silly computers to make me crash, or to break when a drop of water hits them.

  15. Hirudinea says:

    I’m getting a horse (you can only hack them with sugar cubes!)

  16. Of course the simplest override is a BRB (Big Red Button) in the middle of the dash, whose sole purpose is a hard wired cutoff that physically disconnects the power to the fuel pump and ideally the injectors.
    Sure the car will run out of control for a short time but at least when it does finally run out of fuel it will stop, guaranteed (if a petrol, diesels can autorun off the crankcase oil)

    I also looked into adding a mechanism that deactivates a 200A relay in series with the +V side of the battery so if something bad happens (ie lights get left on) at least the battery lives, with a 10K resistor across it to keep the controllers alive.
    At £80+ a battery for a £9 relay it would also make an effective anti-tamper mechanism or in case as happened with me a fix for the combination of low battery and a dying controller resulting in a case of stuck accelerator.

    • Nitori says:

      Normally that’s what the ignition key does but the push button starts does away with that.
      BTW it’s a lot easier for a thief to steal a car with a push button then one that has both a key and an electronic immobilizer.
      If it only has a key it’s easy to steal but the thief usually must damage the key lock to steal it which is something law enforcement can look for.
      A push button car can be stolen without doing any physical damage low jack won’t help you here until after you discover you car is missing since as far as the device is concerned the car has been started normally.

    • Ray Johnson says:

      Across the battery? what about the alternator output?

  17. Old-hat and still no match for the simplest sabotage – cutting brake lines. The point is, this requires a tether – there’s nothing bridged to 3G as of yet in cars. You can add a module to be sure (I make them) – but if you require physical access anyway, aren’t there easier options?

  18. Sigh says:

    Im glad these guys are having fun clowning around giggling like school girls inbetween commanding the car to try and park itsself while traveling at normal speeds on public roads. What could possibly go wrong.

  19. Nitori says:

    The Prius’s braking system looks like it’s an accident waiting to happen.
    The calipers should still engage no matter what’s going on with the electronic controls if you push the peddle hard enough.
    Most ABS systems for example fail back to simple manual brakes if there’s something wrong with the ABS system.

    Their findings might be something worth issuing a recall for.

  20. Joseph A. Bonasses says:

    Hey TOYODA, are you going to hire more engineers now? LOLOLOLOLOLOLOL

  21. Doesn’t this still require physical access to the vehicle?

  22. Jim Conforti says:

    And in other news… wheels are ROUND and water is WET.

    These same vulnerabilities have existed since at least 1996 in many different manufacturers vehicles.

    As to those who say that there is no “3G” connection to a car..

    Please explain how systems like On Star and BMW Telematics and remote service/diagnosis exist…

    There are connections between nearly every ECU and every other ECU and the outside world via gateways and GSM data.

  23. Ray Johnson says:

    My concern, and it should be that of the auto manufacturers as well, is a scenario where an auto technician accesses the CAN bus to either perform diagnostics, flash a new ECM, or even update the ECM’s firmware. Unknown to him, he is also uploading malicious code that was inserted into the program that he previously downloaded from a hacked manufacturer’s website.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 97,838 other followers