
Wirelessly hack your enemy's car for under £15


Research pair to show off car computer hacking kit that costs less than US$ 20 (£12.25)

Hackers have previously targeted cars like Toyota's Prius

The commoditisation of hacking continues apace, with two researchers planning to reveal next month how they have built a wireless Electronic Control Unit (ECU) - using components costing under US$ 20 (£12.25) - that can hack into a car's computer network and systems.

The smartphone-sized unit, which researchers Alberto Garcia Illera and Javier Vazquez-Vidal will be showing off at next month's Black Hat Asia event in Singapore, requires physical access to the vehicle in order to compromise the car's computer systems. After that, control of the car's computer systems - including steering and brakes - can be carried out wirelessly up to tens of metres away.

Illera is a Spanish pen tester while Vazquez-Vidal is a security consultant working, appropriately enough, for a company called Car-IT.

Both have revealed previous research at other security shows around the world, most notably Illera, who gave a presentation entitled "How to Hack All the Transport Networks of a Country" at DEFCON 20 in 2012. Vazquez-Vidal's presentation at Black Hat USA last summer, meanwhile, was along similar lines and talked about an ECU tool for motor vehicles.

The two researchers have pooled their resources and will be revealing how their device bypasses the security of car ECUs - whether using the K-Line protocol (seen on ECUs until a few years ago) or the CAN (Controller Area Network) bus system seen on most modern cars.

Plans call for the pair to discuss how the CAN bus is used to interface between the car's ECU and its transmission system, as well as with the ancillary systems that control door locking mechanisms, air conditioning and seats.

Since CAN is a multi-master broadcast serial bus standard for connecting ECUs, each node on the network can exchange messages. The researchers will explain how each message consists of an ID plus signal data in a non-return-to-zero (NRZ) format and is sensed by all nodes.

Generating rogue messages on the car's network is how their device can compromise most features on the vehicle - including power steering and transmission, raising the spectre of causing a car to race to its top speed and disable the brakes, with predictable results, SCMagazineUK.com notes.
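As an added illustration (not from the researchers or the original article): because every CAN frame is only an ID plus data, with no sender identity, one defensive check is to compare a bus capture against a known-good baseline and flag IDs never seen before or frames arriving faster than their usual period. The candump-style log lines, the IDs and the 0.5 tolerance below are constructed for the example.

```python
import re

# can-utils "candump -l" log format: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, can_id, data) for each classic CAN data frame."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or len(m.group(4)) % 2 or len(m.group(4)) > 16:
            continue  # not a classic data frame (max 8 data bytes): skip it
        yield float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def learn_periods(log):
    """Baseline: shortest gap seen per ID in a known-good capture (None if seen once)."""
    last, period = {}, {}
    for ts, cid, _ in parse(log):
        if cid in last:
            period[cid] = min(period.get(cid, float("inf")), ts - last[cid])
        last[cid] = ts
    return {cid: period.get(cid) for cid in last}

def detect(log, baseline, tolerance=0.5):
    """Flag unknown IDs and frames arriving faster than tolerance * baseline period."""
    last, alerts = {}, []
    for ts, cid, _ in parse(log):
        if cid not in baseline:
            alerts.append((ts, cid, "unknown-id"))
        elif cid in last and baseline[cid] and ts - last[cid] < tolerance * baseline[cid]:
            alerts.append((ts, cid, "too-frequent"))
        last[cid] = ts
    return alerts

# Constructed sample captures: two periodic IDs at roughly 100 ms intervals.
BASELINE_LOG = """(100.000000) can0 244#0000000000
(100.050000) can0 1F0#10
(100.100000) can0 244#0000000100
(100.150000) can0 1F0#10
(100.200000) can0 244#0000000200"""
MONITORED_LOG = """(200.000000) can0 244#0000000000
(200.020000) can0 244#FFFFFFFFFF
(200.050000) can0 1F0#10
(200.100000) can0 244#0000000100
(200.120000) can0 5A1#DEADBEEF
(200.150000) can0 1F0#10"""

if __name__ == "__main__":
    for ts, cid, reason in detect(MONITORED_LOG, learn_periods(BASELINE_LOG)):
        print(f"{ts:.6f} id=0x{cid:03X} {reason}")
```

A timing check like this only catches an extra sender competing with a legitimate periodic one; it complements, rather than replaces, gateway filtering and message authentication.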

Vidal is quoted by Forbes as saying that the kit he and Javier have developed "can take five minutes or less to hook up and then walk away."

Commenting on the researchers' findings, Incoming Thought director and analyst Sarb Sembhi said the problem facing car manufacturers is that their systems consist of a great many components - many of which are supplied by third parties. As a result, he added that little thought is usually given to the security of the individual systems, let alone the car system as a whole.

"All devices are inherently hack-able, but as technology matures, there will be more and more research into the security of car-based systems," he said, adding that the arrival of in-car Android and Apple iOS-based systems also increases the risk that a programmer could hack into hardware controlled by the portable operating systems.

He says that the irony of this particular hack is that, unlike WiFi standards - which are constantly revised upwards to defend against security attacks - the components of a car are rarely upgraded.

"This is because the importance of the complete product is greater than that of the components, and vehicle manufacturers do not regard the security of components as part of their job," he said.

"Computer-based systems in cars are getting increasingly complex. My observations are that they are at a level of complexity that is similar to the technology seen in planes some 15 years ago. And the complexity is only going to increase," he warned.
