Modern Car Data Systems Lack Security

Tomorrow a team of researchers will present their paper, Experimental Security Analysis of a Modern Automobile (PDF), at the IEEE Symposium on Security & Privacy. Much like the racing simulators we’ve seen, they’re exploiting the OBD-II port to get at the vehicle’s Controller-area network, or CAN-bus. We’re not surprised at all that they can display custom text on the dashboard display or read sensor data from the car. What does surprise us is their exposé on how truly unsecured the system is. It seems that access to any device on the CAN-bus gives them unobstructed control of the car’s systems. Any device can send commands to any other device. They’ve even found a way to write malicious code to the car’s computer which can be programmed to erase itself in the event of a crash.

Much like RFID, the security risks here are basically nil for the vast majority of consumers. We just find it a bit surprising that there’s apparently been little thought put into fortifying the communications between safety systems such as the brakes on the vehicle. For instance, the team experimented with sending random packets over the CAN-bus and stumbled across a way to lock the brake on just one wheel. To us it’s conceivable that a malfunctioning device on the network could start sending out damaged packets and cause a dangerous malfunction like this one.
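Random packets and a misbehaving node both show up on the wire as frames the bus does not normally carry. As an added example (not code from the paper or from this post), the Python below audits a candump-style log against an allowlist of arbitration IDs and their expected timing; the IDs, periods and log lines are constructed for illustration.

```python
import re

# Constructed policy for a hypothetical bus segment: arbitration ID -> the
# normal period (seconds) between frames with that ID. Values are illustrative.
EXPECTED = {0x0C4: 0.010, 0x1A0: 0.020, 0x3E8: 0.100}

# candump log layout: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Parse one log line into (timestamp, can_id, payload), or None if invalid."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, _iface, can_id, data = m.groups()
    if len(data) % 2 or len(data) > 16:  # classic CAN carries 0-8 whole bytes
        return None
    return float(ts), int(can_id, 16), bytes.fromhex(data)

def audit(lines, tolerance=0.5):
    """Flag malformed lines, IDs outside the allowlist and frames arriving too fast."""
    alerts, last_seen = [], {}
    for n, line in enumerate(lines, 1):
        frame = parse(line)
        if frame is None:
            alerts.append((n, "malformed"))
            continue
        ts, can_id, _payload = frame
        if can_id not in EXPECTED:
            alerts.append((n, "unknown-id"))
            continue
        prev = last_seen.get(can_id)
        # A second sender reusing a known ID shortens the gap between frames.
        if prev is not None and ts - prev < EXPECTED[can_id] * tolerance:
            alerts.append((n, "too-fast"))
        last_seen[can_id] = ts
    return alerts

# Constructed sample log; line numbers in the alerts are 1-based.
SAMPLE = """\
(100.000000) can0 0C4#0102030405060708
(100.010000) can0 0C4#0102030405060709
(100.011000) can0 0C4#FFFFFFFFFFFFFFFF
(100.012000) can0 7A1#DEADBEEF
(100.020000) can0 1A0#00
(100.021000) can0 0C4#010203040506070809
""".splitlines()

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE):
        print(line_no, reason)
```

A CAN frame carries an arbitration ID but no sender address, so this kind of check can only judge what was sent and how often, not which device sent it; a frame with an allowed ID at the normal rate passes.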

The 14-page PDF linked above is a page-turner; check it out on your hacked ereader during lunch.

Driving The Car Without Going Anywhere


This video game controller is a factory fresh VW. Much like the racing simulator from earlier in the week, the video game data is being displayed on the instrument panel. This takes us to a much higher level now because control for the game is taken from the car’s CAN-bus using an OBD-II connector. If you don’t speak in automotive jargon, that means that the sensor readings from the steering wheel, shifter, and pedals are being picked up and exported as joystick commands to the PC running the driving game. The only place the experience uses a substitute for the real thing is the sound, which is being played through speakers instead of emanating from under the hood. Looks like you just need to add a projector and screen to your garage in order to turn it into the hottest new gaming device.