Hacking Cars: A Real and Growing Threat
When we think of hacking, we usually think of computers. Some people might also think about hacking Internet of Things (IoT) devices, or even people hacking. But very few people think about hacking cars. And yet for people who know about cars and the growing options to hack them, it’s a real, looming threat.
See Vehicle Hacking with Derrick Thiecke for a complete transcript of the Easy Prey podcast episode.
Derrick Thiecke has been a hobbyist and professional in the automotive industry for half a decade. He he works as a security tester, where he gets to play a sort of red team for automotive-related controllers, microcomputers, and other devices.
Though he started in corporate IT, his motorsports hobby eventually brought him into the world of automotive security and car hacking. For a while, he had a low-production motorcycle, a Buell Motorcycle. The bike had ongoing dash issues, and from talking to other Buell Motorcycle owners he learned others had the same issue. At the time, the company was having financial issues and he couldn’t purchase a new dash. So Derrick reverse-engineered the communication between the engine controller and the dash. With that information, he purchased an aftermarket dash and reprogrammed it to work on his motorcycle.
He later did a talk at a DEFCON cybersecurity convention about how he overcame the non-standard programming of recreational vehicles. After that talk, he was offered a job and relocated to the metro Detroit area. Now he works in the automotive industry pen-testing vehicle controllers.
Understanding Automotive Computers
Automotive computers and networks differ in many ways from your home network. One way they differ is that there’s many different types of in-vehicle network technologies used. In your home, you really only need one network, but in a car, there can be multiple different networks to do different things.
The main network technology that’s used in every single vehicle is called CAN bus. You may be familiar with LAN (Local Area Network) or WAN (Wide Area Network). CAN stands for Controller Area Network. “Controller” is just a fancy term for computer at its most basic form. All controllers (computers) on your car communicate over the CAN bus.
There is one other important difference between your home network and a car network. Your home network is what’s called a “routed network,” which means a router sends information to the right device so each device only sees what it needs. The CAN network is a bus network (hence the name CAN bus). On a bus network, every computer sees all the data, no matter where it’s from or which computer needs it. The individual computers are then programmed to only react to data meant for them.
If you can get access to the CAN bus, you can see and analyze the data for every computer in the car. This can be both a benefit and a problem. Derrick used this feature to connect to his bike and see everything that the computers were doing. This let him understand how it worked and replace the dash. But it can also be a great tool for hacking cars. If a hacker can get access to the CAN bus, they can see everything they need to take control.
Hacking Cars and Security Risks
Automotive cybersecurity has mostly been about physical access. When computers were first put in cars, hacking cars required a physical connection. If you couldn’t stick a physical wire into the vehicle, you couldn’t get access to the CAN bus. Nobody had to worry about someone hacking cars from a distance because there was no way to access the CAN bus without physically connecting.
Now, that has changed. We have cars with wifi, cars connected to the cellular network, and cars sending data to the cloud. We’re seeing a slow migration of vehicles and manufacturers switching to connected vehicles. This opens up so many new risks.
For decades now, the platform that the automotive industry has used for security is the physical access concept. You can’t hack a car unless you get physical access … with the age of connected cars and vehicle information being fed to the cloud, that’s changing.Derrick Thiecke
If hacking cars no longer requires a physical connection, manufacturers will have to do more. Physical access as a security protocol won’t be enough. The question now is if they can make a safe migration from relying on physical access to a new world where you don’t need physical access to hack a car.
OBD2: Easier Car Repairs … Easier Car Hacking?
In 1996, OBD2 became standard. OBD stands for On-Board Diagnostics, and OBD2 is an updated version of the original OBD1. OBD2 is a way to understand what’s going on with your car. If you’ve ever gone to an auto shop and had your car’s codes read, they plugged an OBD2 reader into your car’s OBD2 port and got a report of what your car’s computers said was wrong.
OBD2 standards and the OBD2 port were developed to solve manufacturer-specific issues. There is a set of standard codes, and any OBD2 reader can read and interpret those codes. Imagine how frustrating it would be if your check engine light came on in your car and you had to take it to the dealership because only the manufacturer knew how to understand the error codes. That’s what OBD2 is meant to overcome.
But it does have some downsides. All the vehicle network and communication protocols are typically available at OBD2 ports. Because the CAN bus is a bus network, you just have to get there and plug in to get into all the networks. Derrick owns a 2015 vehicle, and the data at his OBD2 port has no firewall or gateway of any kind. Not only can he read the data, but he could send data and the car would see it. The implementation of OBD2 standards provides more information about the vehicle and makes it easier to fix. However, it also makes hacking cars much easier.
What the CAN Bus Can Do
If you’re hacking cars, what can you actually do with access to the CAN bus? It really depends on the car and what systems the CAN bus can control. Most safety-critical features are isolated from the CAN bus. In most vehicles, for example, you can’t manipulate throttle bodies or brakes through the CAN bus.
But there are other things in the CAN bus that can make hacking cars dangerous. Derrick has yet to come across a vehicle where you couldn’t manipulate headlights through the CAN bus. A hacker could potentially turn off the lights while someone is driving. They could obstruct the view by turning on the windshield wipers or wiper fluid spray. Often, they can lock and unlock the doors.
And sometimes, those safety-critical features are accessible. At DEFCON in 2015, a demonstration on hacking cars was able to remotely connect to a Jeep and manipulate the braking system while the vehicle was in motion. It had an automated self-parking feature that car hacking could manipulate. If someone was driving while a hacker was manipulating the system, it would be very dangerous.
While typically safety-critical systems are not controlled by CAN [and accessible to hackers], it’s not 100%. The threat is always there.Derrick Thiecke
Hacking Cars for Improvements is Risky
People who are interested in better vehicle performance might consider hacking cars as a way to get more out of their own car. And there are ways to do this. One fairly popular one is changing fuel mapping to fine-tune fuel injection for better performance. In the motorcycle world, people can put Bluetooth dongles on the communication connector of their bike and get software that lets them change the fuel mapping.
This is a huge security risk. First of all, you shouldn’t change the fuel mapping unless you really know what you’re doing. The wrong fuel mapping can cause catastrophic engine failure. Uploading fuel mapping you found online is just as risky, because unless you know what you’re doing, you have no way to verify if the person online does, either.
Say you changed the fuel mapping on your motorcycle. You put your tablet in your backpack, ride down to a cafe, and take out your tablet to check your air-to-fuel ratio. There’s a threat there. You didn’t remove the Bluetooth wifi dongle from your motorcycle. And now your tablet is on public wifi in a coffee shop. Coffee shops draw people with computers, and the more people with computers there are, the higher the risk there will be someone who knows what they’re doing. Someone at the cafe could put malicious fuel mapping into your motorcycle and make the engine blow up on your way home.
The greatest way to avoid a security threat if you’re into tuning and stuff like that is really try to make it so your vehicle does not broadcast any wireless connections unless it’s needed at that point in time.Derrick Thiecke
The Automotive Industry and Software Security
In general, the automotive industry is a decade or two behind on technology. Think about the gap between when Bluetooth came out and when every car on the market had Bluetooth. It was five to ten years. And Bluetooth isn’t the only technology. Lately, we’ve seen cars with wifi and cars with cellular data. Cars are growing more connected, which makes hacking cars more of a risk.
One big reason we’re talking more about hacking cars and cybersecurity for vehicles now is because it’s getting harder. Wireless connections may not be a gateway to every computer in your car, but Derrick doesn’t know a vehicle today that doesn’t constantly broadcast Bluetooth. For decades, the security practices of the automotive industry have been focused on physical access. Now, security concern has to be on wireless that doesn’t require physical access.
Will the security be on point with the growth and popularity of wireless connectivity to vehicles?Derrick Thiecke
Hacking Cars as a Security Threat
Derrick is not sure about the likelihood of widespread car hacking. He doesn’t want to be concerned, but at the same time, he’s concerned. He keeps thinking back to the Jeep being hacked at DEFCON in 2015. That was a huge issue. But if that controller had been put into twenty more cars, it could have been catastrophic. While safety-critical features often aren’t connected to the CAN bus, sometimes they are. The threat of hacking cars is always there.
When ransomware first became a threat, people asked the same question. What’s the likelihood that a hospital computer that controls people’s hearts will be ransomed? It’s the worst possible scenario, and everyone hoped it wouldn’t happen. But at the same time, the threat was still there and very plausible. And with ransomware, we did see hospitals get attacked. The same is true for hacking cars. We hope the worst case scenario doesn’t happen, but there’s still a credible threat that it will.
The threat, I think, is real. It just looms more and more as more vehicles have those wireless connections.Derrick Thiecke
Cars Need Software Updates Too
In the 1980s, there was only one computer in the car, and it controlled the fuel injection system. Now, there are dozens. More computers means more code and a higher probability of issues. If you get a bug on your home computer, Microsoft sends an update. As much as we hate it, it’s a simple process. Just click “update” and wait for your computer to restart. But to update the software in your car, you usually have to go to a dealership.
The best think you can do to keep your vehicle safe from hacking is to get it serviced at the dealership every once in a while. While there, the dealer can update your software. We’re also seeing more OTA, or over-the-air, updates as well. If your car has cellular connection or connects to wifi, it can download and install updates just like a computer. Also, pay attention to recall notices. Most people do, but it’s good to do to prevent hacking cars as well.
Some people are afraid that there might be a bug in the update that makes things worse. But the rewards are always worth the risk. Derrick comes from corporate IT, and in his experience, the better security is always worth the risk of small bugs in the update.
There’s the fear that maybe there’s a bug in that new update. But … I am adamant about always doing the latest update.Derrick Thiecke
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Online Privacy
- Online Safety
Cybersecurity is a relatively young field, but businesses are embracing its importance. However, the newness of the…[Read More]
In today’s digital age, it is common for people to rely heavily on their mobile devices for…[Read More]
fter exploring the CR Security Planner, ourselves, we’ve learned the best way to use it and know...[Read More]
We all know malicious websites are out there. Scammers and fraudsters want to steal our information and…[Read More]
The average person has no idea about the data breaches that occurred in 2022 and how many…[Read More]