Transportation Security

Car Hackers Mess With Speedometers, Odometers, Alarms and Locks

Posted by Soulskill
from the no-mr.-bond,-i-expect-you-to-die dept.
mask.of.sanity writes "Researchers have demonstrated how controller area networks in cars can make vehicles appear to drive slower than their actual speed, manipulate brakes, wind back odometers and set off all kinds of alarms and lights from random fuzzing (video). The network weaknesses stem from a lack of authentication which they say is absent to improve performance. The researchers have also built a $25 open-source fuzzing tool to help others enter the field."

  • by AdeBaumann (126557) on Wednesday October 30, 2013 @02:37AM (#45277511) Homepage

    How many idiots will use this in the safe knowledge that they can't be busted for speeding anymore, I wonder...

    • Re:Hmmm... (Score:5, Informative)

      by AlphaWolf_HK (692722) on Wednesday October 30, 2013 @03:15AM (#45277661)

      Just to clarify how the law works on this one, in most states (probably all, but there are 50 of them so you never know if there are variations) when you hop behind the wheel and start driving any car (whether you own it or not) you are responsible for the operation of that car, including if anything is wrong with it that causes an accident or any sort of moving violation, such as a malfunctioning safety device (and the speedometer is a safety device.)

      Now that doesn't stop you from suing a manufacturer, mechanic, or other responsible party if something has gone wrong with the car that wasn't your fault and caused any damages. But, any damages (even just a ticket) are your responsibility first, and if the cause was from a manufacturer or mechanic, it's then on you to recover your losses from them. In other words, if your brakes fail due to manufacturer defect, you can't just tell the guy you rear ended to go collect from your car manufacturer. He goes after you, and whatever he collects from you, you then have to collect from the manufacturer.

      You also still end up with a ticket and a mark on your driving record, because again you assumed responsibility for anything wrong with the car by driving it.

      • by Sun (104778)

        At least where I live (Israel), most (but not all) criminal charges require a "criminal intent" component. You cannot be charged with murder if you did not intend anyone killed (but can be charged with manslaughter, as that one doesn't require criminal intent).

        As far as I know (IANAL), speeding requires criminal intent. If you show you had no reasonable way of knowing you were speeding, you cannot be charged. The reason that works is that certain types of negligence are enough to show criminal intent (so you

        • In the US, speeding is a strict liability offense; if you drive faster than the speed limit, you are liable, even if you acted with such reasonable care that you could not even be said to have acted negligently, much less recklessly, knowingly, or intentionally.

          It's not a standard that gets used a lot, but it is also known in statutory rape and some copyright infringement.

        • by number17 (952777)

          If you show you had no reasonable way of knowing you were speeding, you cannot be charged.

          When you get clocked doing 20 over and you tell the cop that your speedometer is broken let me know if their words aren't "Tell it to a judge."

          • by iamgnat (1015755)

            When you get clocked doing 20 over and you tell the cop that your speedometer is broken let me know if their words aren't "Tell it to a judge."

            By saying that to the cop you are showing that you are aware of the situation, which makes you at fault since you are showing prior knowledge. That's different than getting your speedo calibrated after the ticket and finding it under-reporting. Unless they can find evidence to the contrary, the reasonable assumption of the latter case is that you had no way to know it was broken.

          • by Tassach (137772)

            When you get clocked doing 20 over and you tell the cop that your speedometer is broken let me know if their words aren't "Tell it to a judge."

            I've been in court when I've seen judges reduce the fine based on speedometer calibration report from a mechanic.

        • by Tassach (137772)

          At least where I live (Israel), most (but not all) criminal charges require a "criminal intent" component. You cannot be charged with murder if you did not intend anyone killed (but can be charged with manslaughter, as that one doesn't require criminal intent).

          US law used to recognize mens rea (guilty mind) as a necessary component for a criminal conviction. However, the War On Drugs has given rise to the predominance of strict liability [wikipedia.org] in criminal law (whereas it was formerly confined primarily to civil law).

      • by swb (14022)

        IANAL and I've never even had a speeding ticket in 31 years of driving, but isn't there a reasonable expectation of general accuracy in a speedometer, and also a reasonable expectation of deviation from specific accuracy?

        I don't think there is a specific requirement for me to check/verify my speedometer accuracy, there's a whole host of government regulations that require carmakers to produce vehicles to a specific standard. And as long as when I drive with the flow of traffic, I kind of have to believe

        • by zidium (2550286)

          If you haven't had a single speeding ticket in 31 years, and you're a heterosexual male and drive more than *very* rarely, then you have issues and should see a doctor, possibly about testosterone boosting.

          • It is possible to do that. I have only gotten 1 ticket in my 25 years of driving and that was for 46 in a 45 (it was a harassment stop and that was all the cop could get me on) which got thrown out in court. Then again when I want to drive like a raped ape I will go out to the track and beat on my stuff in a safe environment instead of trying to show off on the street. Other than that go with the flow of traffic and don't speed through little shitty towns
          • I am a heterosexual male, and while I do not have the experience of the GP, I have driven fast enough to make you shit your pants (one of the reasons I don't let you in my car.) I also have never received a ticket, because I go to magical places known as racetracks when I want to drive faster than the local constabulary allows.

          • by swb (14022)

            I just don't get caught.

            I've broken 100 MPH in 3 cars and on my motorcycle. When the speed limit was 55, I did Duluth to Minneapolis on my motorcycle in 2 hours flat. My math tells me that's at least 77 MPH average. That's nothing now that the speed limit is 70, but it was kind of an accomplishment when it was 55.

            But all of that is largely behind me. I like to go fast where I can, but my interest in LEO contact is less than zero. I would rather set my distance-sensing cruise control at about 4 MPH

        • A couple of things to note...

          * Tire size changes your speedo accuracy. When I went from stock to 32" all-terrain tires on my old Jeep, my speedo under-reported - the speedometer (at least in older cars) gets its input from the transmission output gearing, not the wheels. This means a larger tire diameter gives you faster speed than a smaller one at the same driveshaft RPM. Conversely, a smaller overall tire diameter will over-report your speed for the same reasons (for those who get into the whole low-profi

      • by iamgnat (1015755)

        You also still end up with a ticket and a mark on your driving record, because again you assumed responsibility for anything wrong with the car by driving it.

        I'm in VA and had a period in my younger days where I saw far too much of the inside of my local traffic courts. As such I can say that if you came to court with certified documentation that your speedometer was under reporting most judges would let you off (especially if you also brought receipts showing it was corrected). In a few cases the judge would do the math based on your calibration report and reduce the ticket to what you "thought" you were doing. I never saw such a case where the judge stuck them

    • by thegarbz (1787294)

      Likely zero, if the laws are sane like ours. If you claim your speedo is inaccurate (+/-10% in my state) and they find you were right congratulations you were driving an unroadworthy vehicle. There's another fine on top of your speeding fine.

  • by nonsequitor (893813) on Wednesday October 30, 2013 @03:43AM (#45277769)

    In other breaking news, cutting the brake lines of cars can prevent them from operating correctly. Somebody issue a recall, quick!

    This is not news, a CAN bus is viewed by the industry in the same way as analog wiring in the car, physically vulnerable. It's an issue when the side view mirror actuators are on the CAN bus, and thieves can open the door and start the engine with this technique. However, this research is stating the obvious for anyone in the know. Next thing you know, one of these researchers will find a copy of the J1939 protocol standard used by the automotive industry and discover what the CAN messages mean without fuzzing the problem space.

    If someone found an On Star exploit that allowed a hacker to remotely accomplish these things on the CAN bus, then it would be news, this is not.

  • Not every bloody thing needs authentication. To gain access to the CAN bus you need physical access to the car. If you had that you could just cut a brake line, or simply plant a bomb. Not everything needs authentication / encryption. If it all does you end up with a form of lockout.

    I saw another comment here saying that the entertainment system is also connected to the CAN bus and that offers wireless or bluetooth connections. Well why not take that leap and identify if you can somehow hack THAT entry vecto

    • by Lumpy (12016)

      No matter how badly the armchair hackers here want to sound like they know something, you can't hack the CAN bus via the Bluetooth audio channel in the car stereo.

      A lot of them learned all they know about hacking from TV shows and movies.

    • This is bad for car manufacturers. Why? Because they have to warrant that cars live a long time and will be emissions compliant too. If people can hack around in these systems, all sorts of things can happen that will make them unable to do this. I'm all for having the systems open and being able to tinker with them myself, but from a manufacturer standpoint, this is bad.
      • This isn't "news", people have been hacking around with that stuff since there have been computers controlling the engines in cars (which has been around since the 70s). The only thing that makes this news is that hackers recently had a bright idea to make a Bluetooth dongle for remote control.

        Since the start of the OBDII Standard (which was a requirement starting for 1996 model years) there have been companies that have sold devices that let you plug into the computer and modify its parameters, disabli
      • I'm quite certain that existing regulations regarding warranties, emissions, etc. already contain clauses that limit an automaker's liability in the event that the vehicle is tampered with. Otherwise, someone could cut out the catalytic converter from their car, sell it (for the precious metals), and have the automaker replace it under warranty. Computer-based modifications would fall under the same category.

      • by jklovanc (1603149)

        I call BS. Car manufacturers are not liable for all the cars that fail emission testing. Manufacturers are liable up until the vehicle is initially sold. After that the liability shifts to the owner.

        • The US law and EPA says otherwise [epa.gov]. It is not for the lifetime of the vehicle but is for 2 years/24,000 miles or 8 years/80,000 miles depending on the part. Now things get a bit dicey with aftermarket modifications as manufacturers seem to want to blame any failure on anything not from the factory, so if you go around mucking with the car's computer expect to have them say tough shit.
          • by jklovanc (1603149)

            From the quoted article;

            The test failure does not result from misuse of the vehicle or a failure to follow the manufacturers’ written maintenance instructions;

            People hacking around the system could easily be seen as "misuse".

      • by Politburo (640618)
        If someone is hacking around in the system, the warranty is void and the liability is on the one that does the hacking.

        Legally no different than cutting off your cat.
      • by thegarbz (1787294)

        No it's not. A car manufacturer's responsibility ends when the vehicle is sold, or if the vehicle is serviced.

        As pointed out to those who think they can game a speeding fine by messing with their speedo then pleading innocence, you were behind a vehicle that fails to meet [insert criteria] which makes it unroadworthy. Here have an additional fine.

        It's no different to those putting downpipes where the exhaust pipe belongs. The manufacturer is not liable for a car that no longer meets the noise regulations, t

    • by necro81 (917438)

      To gain access to the CAN bus you need physical access to the car. If you had that you could just cut a brake line, or simply plant a bomb.

      cutting the brake line is pretty damn obvious, so is a bomb. If you wanted to be sneaky about it, you could add a module that would allow you to remotely command the car, while on the highway, to accelerate and then suddenly turn left, while also disabling the brake, traction control, and ABS. In other words, you could make it look like an accident. Depending on how

  • So if you see a hacker hiding under your dashboard you need to worry, as NONE OF THIS CAN BE DONE without physical access of the vehicle from inside.

    Call me when they can hack Any car wirelessly from 300 feet away using their laptop, until then all of this is nothing but fearmongering.

    • Recent model BMWs have been hacked wirelessly from 30 ft away. That is enough for the thief to hide the device used for the hack near a spot where the owner would normally park the car. They would sniff/block the central locking, so they would be able to gain access to the inside of the car. They would then trigger a buffer overflow by removing and replacing certain fuses in a certain sequence and that would gain them access to the key secrets stored inside the car's computer. They would use a device to have

      • by jrumney (197329)

        All light units and the plug for the trailer hitch are connected to this bus.

        CAN enabled light bulbs? No, there is a CAN enabled relay box somewhere near the top of the engine bay (maybe reachable from the outside of the car if you use your imagination and pretend you have octopus tentacles for arms) which controls the lighting. As for trailer connections, maybe on a semi where the CAN bus is standard SAE J1939, but on cars and light trucks, the protocols are all manufacturer specific so there would be no

      • by Lumpy (12016)

        No it hasn't. Stop reading into what is nothing more than a rolling code exploit.

      • by mcgrew (92797) *

        I'm fairly certain that with bigger antennas... you would be able to do this trick at 300 feet

        Radio doesn't work like that. For optimal transmitting/receiving you need the antenna to be tuned to the frequency being transmitted. Try to use a two meter antenna for wifi and you'll be lucky to get a signal at all. The antenna needs to be the same length as the frequency's wavelength (or certain multiples; I've forgotten a lot).

    • by neurovish (315867)

      So if you see a hacker hiding under your dashboard you need to worry, as NONE OF THIS CAN BE DONE without physical access of the vehicle from inside.

      Call me when they can hack Any car wirelessly from 300 feet away using their laptop, until then all of this is nothing but fearmongering.

      What's your phone number?
      http://www.technologyreview.com/news/423292/taking-control-of-cars-from-afar/ [technologyreview.com]

  • by Opportunist (166417) on Wednesday October 30, 2013 @05:55AM (#45278247)

    CAN was never developed with security in mind. What for, it was supposed to be a LOCAL, WIRED bus on a closed system that should only be accessed by someone whose authority to access it has been verified by different means (i.e. he has the keys to the car in the first place). Now, we can see how CAN can be abused with local access. Well, duh. Insecure system is insecure. Film at 11. Right? Well, technically, yes, but let's look a hint further, shall we?

    The news here is that cars get more and more wireless features. It's simply more convenient for you to plug in all your nifty toys, from cellphone to iToy to navigator system without actually having to PLUG them somewhere. Now it's very tempting for the makers of said cars to stuff them onto the very same bus. CAN is already in your car, pretty much every kind of electronics can talk to it, ain't it the perfect thing to tie your toy into?

    In theory, yes. In practice, I predict that unless car makers take special care to secure those wireless entry points we'll see a lot of similar hacks in the future, only that this time they'll be done from outside the car without physical access to it.

    • by jklovanc (1603149)

      At that point they can put authentication on the wireless access points and leave the rest of the physical bus unauthenticated. Until the time that unauthenticated wireless access points are installed this is a non-story and just hype.

      • That's a tack-on solution, and I guess we should all know how well such solutions work. For reference, see the internet, its protocols and how we tried to add a "secure layer" to the mess instead of simply coming up with a solution that is intrinsically secure.

        • by jklovanc (1603149)

          It is a tack-on solution to solve an issue caused by a tack-on problem.

          Is there an authentication protocol between the video card in your computer and the PCI bus, your mouse and the USB controller, your hard drive and the SATA bus? This is a similar situation. The point is that one needs to install hardware onto the bus to have access. The difference is that the internet is connected to millions of computers all over the world. A vehicle's network is self contained up until it is connected to the intern

  • I bought a used Volvo S80 about 4 years ago. I added the iPod connector for the stereo -- a factory option my car didn't come with.

    The dealer had a real problem getting it to work -- the stereo would indicate the input was there, but when you switched to it it would work for about a minute and then stop working. The description they told me was that the car's data bus was rejecting the accessory because it wasn't authenticating.

    Now, I don't know if this was an accurate assessment or not, but it took som

    • by Politburo (640618)
      That is some Apple walled garden bullshit, nothing to do with automotive buses.
      • by swb (14022)

        No, it was related to the car's data bus. The same kit that includes an iPod connector (the "old" 30 pin) also includes a USB connector for using ordinary memory sticks, and that wouldn't work, either. It wasn't an Apple issue.

  • I've noticed several comments revolving around the idea that direct access to the vehicle is needed, so there's no need for concern.

    It seems to me that while this certainly influences the application of such technology, it doesn't mean all is cool. How long would it take to come up with a purpose-built device that would attach to the relevant access port the same way illegal bank card readers attach to ATM's?

    For the sake of argument, let's say it would have WiFi or Bluetooth capability, feed off the

    • How long would it take to come up with a purpose-built device that would attach to the relevant access port the same way illegal bank card readers attach to ATM's?

      Are you busy this Sunday? We could probably hack it out.

      For the sake of argument, let's say it would have WiFi or Bluetooth capability

      If the bus controlling safety critical functions has any wireless connectivity, it's a problem. The fix is easy though.

      All it would take is one crooked mechanic at a dealership or service center

      If this is the only way a mechanic can think of to sabotage a car, then he's a lousy mechanic.

      • by hyades1 (1149581)

        You're absolutely right about the mechanic having easier ways to sabotage a car. But I was thinking more of situations where anything that happened to the car (or fleet of cars) would happen at the hacker's convenience, maybe weeks or months later. I don't know of too many modifications a mechanic could make that would work on that basis. I'm no car expert, so my opinion on that is by no means unarguable.

    • by jklovanc (1603149)

      If anything happened the box would be found and traced back to the mechanic that put it in. What stops a mechanic from installing a remotely controlled valve on the brake line? It still requires physical hardware attached to the vehicle and is very different from remote access without physical access.

    • by Politburo (640618)
      The 'relevant access port' is typically the OBDII which is under the steering wheel. So you're back to needing direct access to the vehicle.
      • by hyades1 (1149581)

        Thank you, Captain Obvious. I own a code reader. The point is that, having got access, the car could be left alone for months or years.

  • by sirwired (27582) on Wednesday October 30, 2013 @06:44AM (#45278495)

    Of course you can do all sorts of things exactly like this with the CAN bus; that is what it was designed for, that's what it's used for every day. Just about every make has software available (around for over a decade in many instances) to do every single one of those things; in most cases (except odometer rollbacks) they are replicas of the dealer tools to do the same thing. This includes speedometer adjustments (in place to account for wheel/tire diameter), diagnostic tests like cycling locks, ABS valves, various engine bits, etc.

    Exactly what "research" was required to discover this? Is it "hacking" for me to purchase a piece of commercial software and use its well-documented functions, most of which are also detailed in the service manual they sold me for $50?

    Let me know when somebody has actually developed a Bluetooth-based attack vector and get back to me. (And plugging a Bluetooth transceiver into the OBD II port doesn't count) Until that point: snooze...

    • But now you can manipulate it from Unity.

      Imagine being able to hack your car from your laptop, tablet and phone?

      • Imagine being able to hack your car from your laptop, tablet and phone?

        You've been able to do that for years. A CAN bus adapter is hardly rocket science. You can buy them off-the-shelf.

  • Nothing people didn't already know, but shows people how simple it is.

    It has been known for years CAN bus needs authentication.
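
What per-frame authentication on classic CAN could look like, as an added example that is not part of the original thread or of the researchers' tool. The payload layout (4 data bytes, 1 counter byte, 3 MAC bytes), the CAN ID `0x1A0` and the key are constructed assumptions, not any manufacturer's protocol.

```python
import hashlib
import hmac
import struct

DATA_LEN, MAC_LEN = 4, 3        # 4 data + 1 counter + 3 MAC = 8-byte CAN payload
SPEED_ID = 0x1A0                # constructed CAN ID for a "vehicle speed" frame
KEY = b"constructed-demo-key"   # constructed; real ECU keys need secure provisioning


def _mac(key, can_id, counter, data):
    """Truncated HMAC-SHA256 over the CAN ID, the full counter and the data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def pack_frame(key, can_id, counter, data):
    """Sender side: build the 8-byte payload. Only the counter's low byte is sent."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly %d bytes" % DATA_LEN)
    return data + bytes([counter & 0xFF]) + _mac(key, can_id, counter, data)


class Receiver:
    """Accepts a frame only if its MAC verifies under a counter newer than the last."""

    def __init__(self, key):
        self.key = key
        self.last = {}  # can_id -> last accepted full counter

    def accept(self, can_id, payload):
        if len(payload) != DATA_LEN + 1 + MAC_LEN:
            return None
        data = payload[:DATA_LEN]
        low = payload[DATA_LEN]
        tag = payload[DATA_LEN + 1:]
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low byte matches. A replayed frame therefore maps to a
        # different counter than the one it was MACed under and fails.
        nxt = self.last.get(can_id, -1) + 1
        counter = nxt + ((low - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _mac(self.key, can_id, counter, data)):
            return None
        self.last[can_id] = counter
        return data


def demo():
    """Run a spoofed, a genuine, a replayed and a follow-up frame through one receiver."""
    rx = Receiver(KEY)
    genuine = pack_frame(KEY, SPEED_ID, 0, struct.pack(">HH", 12000, 0))  # 120.00 km/h
    # Same counter and MAC bytes, but the speed field rewritten to 50.00 km/h.
    spoofed = struct.pack(">HH", 5000, 0) + genuine[DATA_LEN:]
    follow_up = pack_frame(KEY, SPEED_ID, 1, struct.pack(">HH", 11900, 0))
    return {
        "spoofed": rx.accept(SPEED_ID, spoofed),
        "genuine": rx.accept(SPEED_ID, genuine),
        "replayed": rx.accept(SPEED_ID, genuine),
        "next": rx.accept(SPEED_ID, follow_up),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "accepted" if result is not None else "rejected")
```

Half of the 8-byte payload goes to the counter and MAC here, and every receiver computes an HMAC per frame, which is the performance cost the summary refers to. A 24-bit tag is also short, so a real design would pair it with rate limiting or use a longer tag on a bus with larger frames.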
