How hackers can take control of your car

July 10, 2013 // By Junko Yoshida
You might have seen that frightening episode of the CBS series, Person of Interest, in which a fictional social media company's billionaire founder loses control of his car. From the street, the driver appears to be either a total nutcase (well, in this case, he is) or heavily intoxicated. His car weaves through traffic left and right, crossing lanes willy-nilly and clipping other cars. But inside the car, the driver is helpless. Any control he tries, especially the brakes, is overridden, apparently by the car itself. Unbeknownst to the driver, of course, the car is under remote control.

Inevitably, the car blows up (creating an exciting visual). However, the software genius escapes in the nick of time.

This, of course, is TV drama. It's fiction. A remotely compromised car is a scenario that makes a good thriller and scares the bejesus out of viewers. But possible in real life? No way.

Well, wait a minute.

Way.

In March 2011, a team of scholars at the University of Washington joined with colleagues from the University of California-San Diego, in a technical paper entitled "Comprehensive Experimental Analyses of Automotive Attack Surfaces." They prepared it for the National Academy of Sciences (NAS) committee on electronic vehicle controls and unintended acceleration.

Dirk Besenbruch, engineer, group leader of Systems & Applications, Automotive, at NXP Semiconductors, recalls the paper as a wakeup call. "It triggered our work at NXP" on automotive security, he said in a recent phone conversation with EE Times.

The academics' point was to debunk automotive industry skepticism about the hackability of on-board electronics. The industry's conventional wisdom was that "to implement an attack, the attacker would need to physically connect attack hardware to the car's internal computer network."

That got the university researchers going. They ran "a systematic and empirical analysis of the remote attack surface of late model mass-production sedan," according to the authors.

The researchers were aware, as they conducted their study, that no serious security automotive security breach -- like the one on the TV show -- has ever compromised the safety of cars and drivers in the real world. The paper's author pointed out, "Traditionally automobiles have not been network-connected and thus manufacturers have not had to anticipate the actions of an external adversary."

In the paper, however, they cautioned: "Our automotive systems now have broad connectivity; millions of cars on the road today can be directly addressed via cellular phones and via Internet."

Source: Technical paper -- "Comprehensive Experimental Analyses of Automotive Attack Surfaces"

CAN