Security Transportation

Hacking Automotive Systems 360

alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.
  • Re:Manual Override (Score:3, Interesting)

    by ickleberry ( 864871 ) <web@pineapple.vg> on Friday May 14, 2010 @09:15AM (#32206228) Homepage
    Or just get one of the few modern cars still left that doesn't come with all these unnecessary automated sales gimmicks like the Ariel Atom
  • G-dammit! (Score:3, Interesting)

    by BLKMGK ( 34057 ) <{morejunk4me} {at} {hotmail.com}> on Friday May 14, 2010 @09:20AM (#32206286) Homepage Journal

    The auto industry ALREADY encrypts the daylights out of most of their code! Which makes modifying it for performance reasons a PITA. I have to pay some guy a pile of cash to "flash" my current ECU because only a few guys have managed to figure out the code for it unlike with other cars. Duh, it's a computer and it controls things so yes it can be messed with. But the auto industry already encrypts it and makes this difficult. So long as the auto dealers are able to modify things like speedometers and other things this will always be a "threat" so stop running around like Chicken Little. Sheesh! What, they should turn off the OBD-II standard codes so no one but a dealer can diagnose and make minor changes to cars? See how SEMA will like that and all of the independent garages and shade tree mechanics. Then they will bitch that it's too locked down. Make up your minds and stop being so short sighted...

  • Re:So what? (Score:3, Interesting)

    by germansausage ( 682057 ) on Friday May 14, 2010 @09:22AM (#32206318)
    Wrong method, it leaves obvious evidence. Clip some vicegrips on the flex hoses going to the front wheel cylinders. You've just eliminated 60% of the car's braking power. The pedal feels normal, or even a bit firmer than usual. Do it right and the vicegrips will come off when the car hits whatever it hits when the brakes (mostly) fail.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday May 14, 2010 @09:23AM (#32206338) Homepage Journal

    You'd have to reflash the PCM (ECU is an OBD-I term; this kind of stuff is only possible with OBD-II, which actually mandates the term "PCM" — if you want to be accurate, stop calling it an ECU in this context) entirely. I imagine that this sort of functionality is available on all modern cars; possibly not all OBD-II cars, but probably anything new enough to have CAN. Most OBD-II cars on the road do not use CAN anywhere, though today a car might have three or four CAN buses; PCM to OBD-II DLC (diagnostic link connector), PCM to transmission computer, PCM to BCM (body control module) and possibly even BCM to stereo. And other models exist but I personally think buying a car with a CAN bus shared between more than two components is asking for a foot in your ass.

    I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems. It's only too bad International-Navistar lacked the foresight to implement the engine as a full-mechanical design, as Mercedes did; your battery can explode and the engine keeps running until you shut it off, because the shutoff is a vacuum switch on the back of the ignition lock. I've had my alternator fail completely and my battery down to about 4V in my 300SD, still made it to work. Nobody will be tampering with my DLC :D

  • by je ne sais quoi ( 987177 ) on Friday May 14, 2010 @09:29AM (#32206396)
    After I wrote that I found this [samarins.com] web-site that explains how to use the device and what's going on. I still think that the dealer has some codes that are not OBDII certified that they use though. Incidentally, according to that web-site I linked to, the code machine is $200, but in this [priuschat.com] thread the person says the dealer is charging them $100 just to read the codes. Wow, expensive.
  • by ledow ( 319597 ) on Friday May 14, 2010 @09:38AM (#32206460) Homepage

    Sorry, but I think we'd all much rather have a car where the ABS (or, indeed, the brake-pedal) can't be disabled entirely, where brakes can't be activated entirely by software, where you can't play with the mileometer just by sticking a box on the OBD port, or where the car cannot lock everybody inside if it crashes (the software, not the car!).

    It's not a question of software freedom - it's a question of not having that capability automated in the first damn place. In every car I've ever owned, when I press the brake the wheels are slowed by huge hydraulic pressure whether or not the ECU / ABS is working. Sure, I wouldn't do without the ABS either but if it stops working, I can still bring the car safely to a halt. What we're discussing here are cars with computers that *DO* have control over what the brake pedal does - from nothing no matter how hard you press it, to full brakes no matter how you release it - and not the driver.

    Some of the other things mentioned on the researcher's FAQ include the bonnet(hood)-latch being software controlled. One software crash = one real crash. That's a sort of DRM you *don't* want anyway - where your entire ability to use the product is under the control of a computer that could crash at any minute, with serious consequences. Especially not when you're doing 70 mph.

    It's the design that's stupid, not OBD, ECU's or being able to tune your car using it if you really want to. They are separate issues. Why, why, why on earth would anyone *EVER* want to legitimately activate a mode on their car where the brake function no longer corresponds to the brake pedal position?

  • by Lumpy ( 12016 ) on Friday May 14, 2010 @09:43AM (#32206530) Homepage

    I've been "HACKING" car computers for a decade now, and a lot of other people have as well. Most hot-rodders from import tuners to vette performance guys have been hacking ECM's. Many of the honda hackers even go as far as opening up the ECM and desoldering chips to hack them. Changing the ignition timing table, fuel tables, Disable the Rev limiter, Disable Passkey for engine swaps (I do this with the GM 3800sc and it's ecm from the Buicks) add features, change a Standard ECM program to a program that understands boost for a turbo install... etc.....

    Heck a friend of mine is hacking the computer that controls the new power steering system in cars so we can retrofit power steering to vehicles that don't have it.

    I guess us car ECM hackers are the new "EVIL DOERS"

  • by mrchaotica ( 681592 ) * on Friday May 14, 2010 @09:55AM (#32206626)

    I happen to like my mechanical diesels, which achieve efficiencies very near to modern systems.

    The only problem is that the mechanical diesels don't achieve emissions very near to modern systems.

    Of course, I have the same attitude you do (that the older cars are better), except I complain about failure-prone and biodiesel-incompatible diesel particulate filters while praising my rotary-injection TDI.

  • by netsavior ( 627338 ) on Friday May 14, 2010 @10:03AM (#32206706)
    As a car modder, who has been doing this kind of stuff (not malicious) since the early 1990s, wow welcome to the future guys.

    Just an example: When my throttle position is above 90% depressed, my A/C compressor disengages (or rather the A/C Clutch engages), giving me that little bit of horsepower and theoretically saving my compressor from 7500 RPM (engine speed, not compressor speed) redline. I did this in an afternoon using only software.

    The ECU has a lot of control over the car, especially in drive by wire cars... My car happens to have a cable accelerator, and I vastly prefer that because of throttle response time (a physical link is better most of the time than a software one, assuming both are properly maintained).

    If they were really trying to be malicious without being deadly, you could change the air/fuel ratio to be really lean and burn up the valve train the first time they hit the gas pedal, there is no physical override for that, not like brake pedals (which if you turn it off it merely removes the power assist and only prevents you from stopping the car if you aren't strong enough to push the pedal down.)
  • by Lumpy ( 12016 ) on Friday May 14, 2010 @10:35AM (#32207106) Homepage

    It's still doable. Most of the information is available on websites OUTSIDE the USA to protect the authors from being sent to jail for 60 years. I've got the info on decoding the GM canbus communications so I can actually change the shift points on the Transmission in the new 6 speed automatics. Tweaking the performance mode and being able to add an economy mode has made a difference.

    All that has happened is that all the people that are the best and brightest in automotive are fleeing the country, or hiding behind pseudonym and publishing to a website outside the usa.

    One thing super impressive is the guys that are getting the 7730 ECM from the 90's to do things that the current ones are not. That hacking is legal because that ECM was not crippled with raging retardation and stupidity on the car makers part.

  • by name_already_taken ( 540581 ) on Friday May 14, 2010 @10:38AM (#32207140)

    OBD II is all well and good for basic emissions/driveability/MIL diagnostics, but adding security to the other functions, such as the door locks, windows, etc. could basically kill the aftermarket alarm/remote start business.

    On many (if not most) cars these days, many of the basic functions such as door locks are controlled via a CAN bus (a 2-wire twisted pair network) and more and more functions are migrating to network control rather than having dedicated wiring. In my car, everything other than the lights and the radio is run over CAN (even the seat adjustments and the rear window defogger).

    Take, for example, installing an aftermarket stereo: Many new cars don't have a wire that supplies 12V when you turn the key on to turn on the radio, the radio is always powered and listens to the CAN bus for the command from the car's BCM (body control module) to turn itself on. On these cars, a separate aftermarket module has to be installed to turn the radio on (or the installer has to dig around in the car to find something else that only turns on with the key, like a power outlet). There are also aftermarket modules that can translate the CAN bus commands from the car's factory steering wheel controls to control an aftermarket stereo.

    Adding a layer of security (presumably encryption or authentication) could cripple these abilities with aftermarket equipment.

    Don't believe me, well take the example of remote start on my current car, a 1999 (yes, 12 model years old now) Mercedes Benz. I have installed 3 remote start systems on various cars (a Subaru, a Honda, and a Mazda) which were what I'd call conventionally-wired cars, having accessible wires to turn the ignition and engine computer on and start the car. Easy. Cost, under $100 for all the parts including extra relays to turn on accessories and such.

    On my '99 M-B, the engine computer will not allow the engine to run unless it can maintain a constant 2-way conversation over a separate CAN bus between itself and the EIS. What's the EIS? It's the Electronic Ignition Switch. Here's where things get complicated. M-B cars don't use conventional keys any more, they use a "SmartKey", which is an electronic key fob thing that inserts like a key, but has an infrared emitter-receiver in the end. The EIS supplies power to the SmartKey via an inductive coil around the key opening. The EIS and the SmartKey then engage via infrared in a continuous encrypted conversation which authorizes the EIS to tell the engine computer to let the engine run. Because you need to have the SmartKey in place, it has been impossible to install a remote start system.

    Recently, a remote start system became available for my car (sold new 12 model years ago, remember), which will simulate the EIS' conversation with the SmartKey and allow the factory remote's Panic alarm button to be repurposed to start the car (the SmartKey is also the remote, but don't worry about that, it's actually two devices in one package). Cost: $1000. That's over ten times the cost of a remote start system for a regular car. And it took 12 years to develop.

    All because of a single encrypted function. Admittedly, a really well designed one that makes the car impossible to hotwire, but you can see what problems might face the aftermarket if things like door lock controls became encrypted.

    All in all, this research exercise is just stupid. Of course you can make a complicated system do silly things if you have physical access to it. I don't see the point of adding encryption to it when the aftermarket will have to figure out how to bypass it eventually anyway.

    Off topic, but in case anyone's interested, you can have up to 24 SmartKeys issued for an M-B vehicle, but I think only eight can be active at one time. The service information talks about having three ranks of eight keys. Once you need to replace the key for the 24th time, you need to replace the EIS, the engine computer and a couple of other items. SmartKeys can only be ordered at a dealer and you h

  • by Anonymous Coward on Friday May 14, 2010 @10:49AM (#32207278)

    Swing axle was not dangerous mister Nader. Asshats who can't drive or think a stock swing axle volkswagen is a slalom car don't belong in the driver's seat of one. My '68 based (yes, swing axle) speedster, on the other hand, handles better than most modern vehicles but it's got 4wheel disc brakes, suspension limiters, modern shocks, and 50 series tires. No wheel tuck, low center of gravity - purpose built car. Purpose of a vw beetle- cheap, reliable, slow transportation. Just use the original traction control system- your hands, feet, brain, and seat of the pants. Worked for many years. People these days don't drive cars, they just ride in them. Also, just fyi: '68 swing axle is a one off in axle length/track. i.e. all earlier ones were also swing axle but in different lengths.

  • by dubbreak ( 623656 ) on Friday May 14, 2010 @10:51AM (#32207296)
    In this case they are talking about the OBD-II port, a physical port inside the vehicle (often in the driver's foot well). You can get OBD-II connectors that are Bluetooth (though that would be short range) and wifi connectors (such as the OT-2 [ot-2.com]). So as far as you can connect via wifi you could send commands onto the shared command bus.

    This "hack" really isn't surprising at all. There are plenty of vehicles you can flash or change settings via the OBD port (such as Subarus). Scan tools only use read commands on the port, but the port itself doesn't stop you from issuing other commands on it and even if there were some chip checking what commands were issued you'd just have to tap into the shared bus elsewhere.
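
The comment above notes that scan tools only issue read commands while the port itself accepts anything. As an added illustration (not from the thread or the researchers' paper), this sketches a read-only allowlist that a gateway between the diagnostic connector and the vehicle bus could apply; the request IDs and service numbers are the standard OBD-II-over-CAN ones, while the policy, function names and sample frames are constructed for the example.

```python
# Added example: read-only allowlist for frames entering from the OBD-II connector.
# IDs and service numbers follow the public OBD-II-over-CAN conventions
# (11-bit addressing); the policy itself is a hypothetical illustration.

FUNCTIONAL_REQ = 0x7DF                  # broadcast request to all emissions ECUs
PHYSICAL_REQ = range(0x7E0, 0x7E8)      # requests addressed to one ECU

# Services that only read data: current data, freeze frame, stored DTCs,
# monitor results, pending DTCs, vehicle info, permanent DTCs.
READ_ONLY_SERVICES = {0x01, 0x02, 0x03, 0x06, 0x07, 0x09, 0x0A}


def check_frame(can_id, data):
    """Return (allowed, reason) for one frame arriving from the diagnostic port."""
    if can_id != FUNCTIONAL_REQ and can_id not in PHYSICAL_REQ:
        return False, "not a diagnostic request ID"
    if not data or len(data) > 8:
        return False, "malformed frame"
    frame_type = data[0] >> 4           # ISO-TP PCI: upper nibble is the frame type
    if frame_type == 0x3:
        # Flow control: the tester must send it to receive multi-frame replies (e.g. VIN).
        return True, "flow control"
    if frame_type != 0x0:
        # Every read-only request fits in a single frame, so longer requests are refused.
        return False, "multi-frame request"
    length = data[0] & 0x0F             # payload bytes that follow the PCI byte
    if length == 0 or length > len(data) - 1:
        return False, "bad length"
    service = data[1]
    if service not in READ_ONLY_SERVICES:
        return False, "service 0x%02X not read-only" % service
    return True, "read-only service 0x%02X" % service


def filter_frames(frames):
    """Return the allow/deny decision for each (can_id, data) pair, in order."""
    return [check_frame(can_id, data)[0] for can_id, data in frames]


# Constructed sample traffic, not captured from any vehicle.
SAMPLE = [
    (0x7DF, bytes.fromhex("02010C0000000000")),  # service 01: read engine RPM
    (0x7E0, bytes.fromhex("0103000000000000")),  # service 03: read stored trouble codes
    (0x7DF, bytes.fromhex("0104000000000000")),  # service 04: clear trouble codes
    (0x7E0, bytes.fromhex("0210030000000000")),  # service 10: change diagnostic session
    (0x7E0, bytes.fromhex("3000000000000000")),  # flow control from the tester
    (0x244, bytes.fromhex("0000000000000000")),  # ID outside the diagnostic range
    (0x7E0, bytes.fromhex("1012340000000000")),  # first frame of a multi-frame request
]

if __name__ == "__main__":
    for can_id, data in SAMPLE:
        allowed, reason = check_frame(can_id, data)
        print("%03X %s -> %s (%s)" % (can_id, data.hex(), "pass" if allowed else "drop", reason))
```

As the same comment points out, a filter at the connector does nothing about a device attached to the bus elsewhere, and it would also block the dealer and tuning functions other commenters rely on.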
  • Re:Yeah... (Score:1, Interesting)

    by Anonymous Coward on Friday May 14, 2010 @10:56AM (#32207360)

    Just wait for the car makers to decide that climbing into a car to attach to a wired diagnostic port is old school and add wireless access. This feature will be great, because when you drive onto the dealer's lot they can already start diagnosing your car!

    BTW, don't the OnStar type systems connect to the ECU?

  • by King_TJ ( 85913 ) on Friday May 14, 2010 @11:30AM (#32207760) Journal

    http://www.carpartslights.com/elm327-bluetooth-obdii-obd2-scanner-vagcom-can-elm-327-p-28.html [carpartslights.com]

    (Now you know what to look for at least, when checking to see what the crazy ex-g/f might have put in there....)

  • re: ECM hacking (Score:3, Interesting)

    by King_TJ ( 85913 ) on Friday May 14, 2010 @11:42AM (#32207896) Journal

    Actually, a whole bunch of us REALLY wish one of you experts at ECM hacking would figure out the Delphi branded ECU found in the Hyundai Genesis Coupe 3.8 V6!

    It's a great little sports car at a reasonable price-point, but so far, it seems like its engine is held back from its full potential because the ECU can't be directly reprogrammed.
    (Apparently, some folks in Korea have already cracked its ECU and done some custom tuning so they could add things like superchargers or turbos ... but here in the USA, we can't seem to get our hands on any of that info. I suspect part of it is purposeful on their part. I think the Korean tuning community rather enjoys keeping a lead over people in the USA for as long as possible, so they can keep taunting us with YouTube videos of their accomplishments, etc.)

    A company called Road Race Motorsports released a couple different "piggyback" boxes that claimed to add as much as 20HP or so by plugging-in between the ECU connector and one of the sensors on the car -- but everyone on the car forums testing them out has seen negligible results, and sometimes dyno tests show power LOSSES with these things. As best as we can determine, the boxes are functioning like they're supposed to, but modifying the data coming from just one sensor (such as the mass airflow sensor) isn't enough to really trick the ECU into advancing timing or changing air/fuel ratios. Apparently, it sees unchanged readings from other sensors on the car and assumes the input is flawed, and starts disregarding it or acting on it in unexpected ways.

  • by slacklinejoe ( 1784298 ) on Friday May 14, 2010 @12:46PM (#32208738)
    A lot of us car nuts have been hacking our car computers for years. There's systems that go light years beyond the factory systems. 10 years ago, I was able to use my Palm Pilot II to modify my fuel trims while driving, monitor horsepower and adjust an electronically controlled boost controller for my turbo. That was all on a 1990 Talon AWD so it didn't even have OBDII yet. My new model actually fully replaced the EEPROM chips in the ECU and has bluetooth capabilities to be controlled from my smartphone, controls the doorlocks, radio, moonroof etc. In theory, it would be a trivial bluetooth hack to not only cause the engine to stop but to detonate the engine (destroy - not actually cause an explosion) by pulling the fuel trims too lean. The bluetooth module was a snap on vampire chip with a tiny lead to a receiver. The whole system looked 100% factory and was tiny. It would be a trivial system to integrate a remote kill and unless they were specifically looking for a technology related problem, investigators would likely never realize that it had been installed.
  • by toxonix ( 1793960 ) on Friday May 14, 2010 @12:55PM (#32208862)
    Every new car I've driven in the last two years has a fully electronic throttle. I can't stand the things. If I blip the throttle to downshift, nothing happens. The computer ignores little throttle blips. You have to hold the throttle down much longer to get it to rev, and then the non-linear variable throttle curves make it difficult to hit the right engine speed. This is all dumbed down for your average human potato, which is no fun for everyone else. An F1 car is completely electronic, yet the throttle response is accurate and instantaneous. The mechanics can play songs on the engines by running through a sequence of throttle positions. Do you still have to send the ECU in to be de-soldered and re-soldered with a new EPROM? I believe there are aftermarket ECUs for BMW, Audi, Mercedes which provide almost complete control of the electronics systems for tuning. They have remotes for setting different levels of tune so that your valet driver can't get the thing into race mode or rev the engine beyond 2500 rpm etc. As for the electronic control of brakes, just switching off the power assist is not really the danger. The computer can pulse the ABS solenoids, making it impossible to brake at all. When this happens the brake pedal is useless even standing on it with both feet. I had an Audi which developed a problem like this due to bad wheel speed sensors. The sensors sometimes told the computer that the car was sliding when it slowed to around 10mph under light braking. The solenoids start pulsing and you better have plenty of stopping room, because it basically feels like you suddenly hit an ice patch. I don't recommend that particular vehicle to anyone. Configurable tuning chips are the way to go, but it would be nice if I could just hook up a PC and configure the factory ECU.
  • by ncttrnl ( 773936 ) on Friday May 14, 2010 @12:58PM (#32208902)
    You haven't worked on a late model car before. You can turn systems on and off to troubleshoot them. Before, you could do this mechanically. Now, you have to use a computer. Setting the speedometer is pretty common when a tire size is changed. Setting the odometer can usually only be done once each time you replace the instrument cluster. All I know, as someone that still likes to turn their own wrenches, is that I don't want more security on the only way I can still work on my own car. If they lock me out of the diagnostics port, I won't buy the car.
  • by BitZtream ( 692029 ) on Friday May 14, 2010 @01:05PM (#32209016)

    OBD-II (and I to a lesser extent before it was superseded) exists for that exact reason.

    Every manufacturer used to do their own random proprietary crap. Governments who wanted to access the computer for emissions controls started requiring them to standardize so they didn't have to buy new crap and codes every time the manufacturer decided to change things just to make it so you have to buy stuff from them.

    The government basically stepped in and stopped the DRM up front, which is why these ports are actually useful in the first place.

  • by jafac ( 1449 ) on Friday May 14, 2010 @01:38PM (#32209630) Homepage

    My Jetta's VCDS software and port (as well as the printed Bentley shop manual) come with big fat user warnings about taking precautions against accidentally setting off the airbags. In fact, with multi-stage systems, if you're sitting in the front-seat, not buckled, maybe with a laptop on your lap, maybe scooted forward a tad, not resting back, you could probably end up with some serious ow-age.

    (I know this, because my controller module has failed; and I'm debating whether to just remove it and live without airbags, or if I should have it re-flashed and deal with the risk of accidental discharge in the reinstallation process.)
