Testing Out Cell-Phone Viruses on a Prius

Mikko Hypponen writes "Couple of months ago there were rumours floating around that Bluetooth viruses could infect the on-board computers of some Lexus cars, or at least cause some visible effects on them. We took a Toyota Prius to an underground bunker and tested various Bluetooth mobile phone viruses and assorted Bluetooth attacks against the onboard computer. Results were somewhat surprising. It came as no surprise that we could not infect the car, but the Prius performed in the test even better than expected. No matter what we did the car did not react to the Bluetooth traffic at all. Cabir tried to send itself to the car and the car just did not allow the Bluetooth OBEX transfer to happen. Then, the whole car crashed (but not because of a virus)... Full story with pictures in our weblog."

Not Suprising, But still interesting

[Xeroc]

After all, the cell phones use Symbian OS, and the Prius (and Lexus) both do not use it, so it isn't very suprising that the virus wouldn't work. After all, you don't hear very often that a MS-Windows virus infects a Macintosh.

Also, I liked the apparent security features in the car, that it didn't react to the bluetooth traffic, but then again, this is probably just due to an inconpatiblility - i.e. the car won't except any type of data but a specific type, like a valid VCARD phone book.

Re:Serious Question

[douglips]

You do realize that these people (F-Secure) are virus fighters? They intentionally infect all kinds of things all day long, so they can figure out how to cure them.

Crazy

[XFilesFMDS1013]

Reading the article, they're talking about going undergound in order to not effect any other cellphones in the area, and it stuck me as to how much is the same between a computer virus and a "physical" virus. I mean, scientists who work with e.g. bubonic plague, have to take the same cautions, i.e. not letting the virus out into the "wild", where it can spread. I suppose in a few years, many viruses will be tested like this, taking them into a underground bunker, putting them on a computer that has absolutly no connection to the outside world, and trying to find a cure for it. Then the geeks shall hold the true power.

Re:Still At Risk

[Fishstick]

I've always preferred removing the valve stems with a pair of cutting pliers, myself.

Yeah, it makes a nice whistling sound, but that is kinda the attraction too -- somewhere in the parking garage there are four whistles gradually becoming lower, quieter...

The victim walks out, sees four flats with no apparent damage *WTF*

Nothing as serious as having to buy 4x$120 tires, just aggravating to have to have someone come and repair the wheels onsite (esp in a parking garage where clearance will not permit a rollback trailer)

Re:Virus that pummels users into submission

[krbvroc1]

Firefox will do this too. I'll visit a site that says the security certificate is invalid, so I click 'deny'. The another certificate request pops up, ad-infinitum is seems. Since its a modal dialog you can't even close the web browser or close the 'tab' I'm browsing in. I end up either answering yes after examining the cert or kill via the task manager which closes not only that one site, but all all my open tabs.

Re:Still At Risk

[Samari711]

a better way to do this is to buy a valve tool at the local auto parts store. rather than do any permenant damage just loosen every tire's stem. Even if the owner could figure out why their tires are flat, they most likely won't have the tool on hand to fix it. even if they have a pump, the tires won't inflate and they'll be very confused. Also note that some car (especially those abominations known as Hummers) have tires that automatically inflate themselves, so doing this to one of them would result in a car with 4 flats and a dead battery :)

Re:Rebooting the car...

[taniwha]

well given that the Prius doesn't have a traditional key, just a key-fob that identofies you and an 'on' button it is a lot like rebooting a PC - to be fair they probably didn't push 'reset' (there isn't one) just turned it off then on again

Not terribly meaningful

[subStance]

I'm no professional scientist, but it was my understanding that in order to prove something was not true, you have to demonstrate why it can never happen, not that it doesn't happen on a single car that you test it on.

There must be hundreds of different versions of the car's software that have varying levels of resilience to the virus.

I can't wait to see the follow up ... "Why Windows never crashes: we tested and it didn't so it never crashes okay ?" No trouble getting funding for that study from Redmond.

Re:Still At Risk

[kamileon]

I've actually watched someone DOS a car... A car alarm was going off every few minutes as trucks drove by during the middle of wedding preparations in a San Francisco park. The sensitivity was cranked way up on the alarm. So the best man walked up to the car and tapped his class ring on the window to set the alarm off, and then kept tapping the window every time the alarm stopped. Drained the battery in about 15-20 minutes, in plenty of time for a peaceful wedding. :) Keep this in mind the next time your neighbor's car alarm goes off at 2 AM. Sure, it takes 20 minutes, but then you get a whole night of blissfully uninterrupted sleep. :)

Data stream capture

[rgcustodio]

They should've at least used a Bluetooth packet analyzer and captured the data stream to and from the phone/car. It should be a good read. And a better disection could be performed.