Hacking Automotive Systems 360
alphadogg writes "University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results. In a paper set to be presented at a security conference in Oakland, California, next week, the researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car. The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes, and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems. Other experts describe the real-world risk of any of the described attacks as low." Here is the researchers' site, and an image that could stand as a summary of the work.
Re:More to lose than to gain (Score:2, Informative)
Its hard enough as it is for repair shops to work on engines and electronics without adding security, which would make repairs even more proprietary and expensive.
No offense intended, so please don't take this as such. Mods, please mod offtopic:
You haven't worked in a shop before, have you? Whether you have a cheap OBDII scanner [amazon.com] or a full-blown diagnostic tool [snapon.com], so long as the car uses OBDII, you can pull codes from it and subsequently replace the fouled O2 sensor, know which cylinder had a misfire, etc. The full-blown diagnostic tools are useful for crazy-hard problems to solve, but your average scanner bought at Autozone is sufficient for the vast majority of code-related problems you would encounter.
Also, I got news for you: electrical problems have been a bitch to deal with for literally decades. There isn't really anything that could make them more frustrating to deal with...they are already at that point due to the nature of electricity and the amount of wiring in a car.
If you take your vehicle in because your check engine light is on and you need the diagnostic code pulled, and the shop tells you it's difficult...take your car to another shop. Sure, there are some brands (BMW, for example) that have proprietary connectors, but for most of the cars out on the road, their ECU can be accessed using the same tool.
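What a scan tool actually does when it "pulls codes" is send a short request on the diagnostic CAN bus and decode the ECU's reply. The following is an added example, not code from the thread or from any scan-tool vendor: it builds the SAE J1979 requests a tool sends (mode 01 for live PIDs, mode 03 for stored trouble codes) and decodes the replies. The frames in SAMPLE_CAPTURE are constructed for illustration, not captured from a real car, and only the single-frame ISO-TP case is handled; a long DTC list would arrive as multi-frame traffic that needs reassembly.

```python
"""Decode OBD-II request/response traffic captured on a CAN bus.

Added example. The frames below are constructed, not captured from a real
vehicle. Only ISO 15765-2 single frames are handled; first/consecutive frame
reassembly for longer DTC lists is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OBD_FUNCTIONAL_REQUEST_ID = 0x7DF          # broadcast request to all emissions ECUs
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)     # 0x7E8 = engine ECU, 0x7E9 = transmission, ...

# SAE J1979 mode 01 PIDs used here, with their published decode formulas
PID_DECODERS = {
    0x05: ("coolant_temp_c", lambda d: d[0] - 40),
    0x0C: ("engine_rpm", lambda d: (d[0] * 256 + d[1]) / 4),
    0x0D: ("vehicle_speed_kph", lambda d: d[0]),
}


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes


def build_request(mode: int, pid: Optional[int] = None) -> CanFrame:
    """Build the single-frame OBD request a scan tool puts on the bus."""
    body = bytes([mode]) + (bytes([pid]) if pid is not None else b"")
    payload = bytes([len(body)]) + body            # ISO-TP single frame: PCI byte = length
    return CanFrame(OBD_FUNCTIONAL_REQUEST_ID, payload.ljust(8, b"\x00"))


def single_frame_payload(data: bytes) -> Optional[bytes]:
    """Strip the ISO-TP PCI byte; return None for anything but a single frame."""
    if not data or data[0] >> 4 != 0:
        return None
    length = data[0] & 0x0F
    if not 1 <= length <= 7 or len(data) < 1 + length:
        return None
    return data[1:1 + length]


def decode_dtc(hi: int, lo: int) -> str:
    """Two DTC bytes -> 'P0171'-style code (top two bits select P/C/B/U)."""
    return f"{'PCBU'[hi >> 6]}{(hi >> 4) & 0x3}{hi & 0xF:X}{lo:02X}"


def decode_response(frame: CanFrame) -> Optional[Dict]:
    """Decode one response frame; requests and non-OBD traffic return None."""
    if frame.can_id not in OBD_RESPONSE_IDS:
        return None
    payload = single_frame_payload(frame.data)
    if payload is None:
        return None
    ecu = frame.can_id - 0x7E8
    if payload[0] == 0x7F:                         # negative response: 7F <mode> <NRC>
        return {"ecu": ecu, "error_mode": payload[1], "nrc": payload[2]}
    mode = payload[0] - 0x40                       # positive response = mode + 0x40
    if mode == 0x01 and payload[1] in PID_DECODERS:
        name, fn = PID_DECODERS[payload[1]]
        return {"ecu": ecu, "mode": mode, "pid": payload[1], name: fn(payload[2:])}
    if mode == 0x03:                               # stored DTCs: 43 <count> <hi lo>...
        count = payload[1]
        pairs = payload[2:2 + 2 * count]
        dtcs = [decode_dtc(pairs[i], pairs[i + 1]) for i in range(0, len(pairs), 2)]
        return {"ecu": ecu, "mode": mode, "dtcs": dtcs}
    return {"ecu": ecu, "mode": mode, "raw": payload[1:].hex()}


# Constructed capture: tool asks for RPM, speed and stored codes; engine ECU answers.
SAMPLE_CAPTURE = [
    build_request(0x01, 0x0C),
    CanFrame(0x7E8, bytes.fromhex("04410C1AF8000000")),  # RPM = (0x1A*256 + 0xF8) / 4
    build_request(0x01, 0x0D),
    CanFrame(0x7E8, bytes.fromhex("03410D3C00000000")),  # speed = 0x3C km/h
    build_request(0x03),
    CanFrame(0x7E8, bytes.fromhex("0643020171030000")),  # 2 DTCs: P0171 (lean), P0300 (misfire)
    CanFrame(0x7E8, bytes.fromhex("037F012200000000")),  # NRC 0x22: conditions not correct
]


def decode_capture(frames: List[CanFrame]) -> List[Dict]:
    """Decode every response frame in a capture; request frames are skipped."""
    return [d for d in (decode_response(f) for f in frames) if d is not None]


if __name__ == "__main__":
    for entry in decode_capture(SAMPLE_CAPTURE):
        print(entry)
```

The two codes in the sample (P0171 and P0300) are exactly the lean-condition and random-misfire faults a cheap reader reports; a manufacturer-specific fault like the Range Rover air-suspension case discussed further down lives outside this standardized mode 01/03 traffic, which is why a generic reader never sees it.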
Re:More to lose than to gain (Score:5, Informative)
www.obd-codes.com [obd-codes.com] is your friend.
Re:I'm not worried about those hacks (Score:3, Informative)
or changing the VIN numbers or whatever
NOOO!!!! You were doing so well, with such an awesome post...and you had to pull the ol' Vehicle Identification Number Number bit, didn't you? DIDN'T YOU?!?!?!?!
p.s. Cars only have one VIN. It isn't just in the ECU, it's also stamped on the original engine, the transmission, the frame, and on a plate on the dashboard (at least in the US)
Re:I'm not worried about those hacks (Score:2, Informative)
The problem is that there is absolutely no NEED for the speedo to be "writable" over a diagnostics cable
What if you change your tire size?
Re:So what? (Score:4, Informative)
This is true, however your target would notice their brakes didn't work before pulling out of the parking space, when they pressed them to put the car into gear. Even if the car had a standard transmission, your target wouldn't get far in the parking lot before realizing something was wrong.
Getting the brakes to fail at any time after the car is in motion would be impressive.
Automotive computer hacking... (Score:3, Informative)
...has been around since OBD-1 [tunercat.com] days, as far back as 1984 [tunerpro.net]. OBD-2 programming systems are available for anything from 1994 [eidnet.org] through 2010 [hptuners.com]. There are even scanners that allow you to enter the PIDs of your choice [scangauge.com] (obtained from monitoring the data line while performing operations with a scantool).
Since newer vehicles control nearly everything via CANbus, it's no surprise that someone has taken the time to monitor the bus and inject various commands. This sort of hacking has been around for over 20 years (despite auto manufacturers' attempts to protect their hardware with security keys and seeds). I don't see them "solving" this "problem" anytime soon...unless they come up with a way to make a "secure" bus (perhaps using fiber optics).
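The "security keys and seeds" mentioned above are the UDS SecurityAccess handshake (service 0x27): the ECU hands out a seed, the tool answers with a key derived from it, and privileged writes stay locked until the key checks out. Whether bus monitoring defeats this depends entirely on the derivation. The following is an added example, not code from the thread or from any manufacturer: it simulates an ECU with a hypothetical, deliberately weak XOR-with-constant key function, shows a passive tap recovering the constant from a single observed dealer session, and contrasts that with a keyed-hash derivation where the same tap learns nothing. The secrets, the ECU model and the BusTap are all constructed for the illustration.

```python
"""Simulated UDS SecurityAccess (service 0x27) seed/key exchange.

Added example. The key derivations, secrets and ECU behaviour are
hypothetical; no real manufacturer's algorithm is reproduced.
"""
import hashlib
import hmac
import random
from typing import Callable, List, Optional, Tuple

SID_SECURITY_ACCESS = 0x27
SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02
POSITIVE = SID_SECURITY_ACCESS + 0x40   # 0x67

KeyFn = Callable[[int, bytes], int]     # (16-bit seed, secret) -> 16-bit key


def weak_key(seed: int, secret: bytes) -> int:
    """Hypothetical XOR-with-constant scheme: one observed pair leaks the secret."""
    return seed ^ int.from_bytes(secret[:2], "big")


def hmac_key(seed: int, secret: bytes) -> int:
    """Keyed hash: observed (seed, key) pairs reveal nothing useful about the secret."""
    mac = hmac.new(secret, seed.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


class Ecu:
    """ECU that refuses privileged operations until the seed/key handshake passes."""

    def __init__(self, secret: bytes, key_fn: KeyFn, rng_seed: int = 0):
        self.secret, self.key_fn = secret, key_fn
        self.rng = random.Random(rng_seed)        # deterministic seeds for the demo only
        self.pending_seed: Optional[int] = None
        self.unlocked = False

    def handle(self, request: bytes) -> bytes:
        if request[0] != SID_SECURITY_ACCESS:
            return bytes([0x7F, request[0], 0x11])                 # serviceNotSupported
        if request[1] == SUB_REQUEST_SEED:
            self.pending_seed = self.rng.randrange(1, 0x10000)
            return bytes([POSITIVE, SUB_REQUEST_SEED]) + self.pending_seed.to_bytes(2, "big")
        if request[1] == SUB_SEND_KEY and self.pending_seed is not None:
            key = int.from_bytes(request[2:4], "big")
            ok = key == self.key_fn(self.pending_seed, self.secret)
            self.pending_seed = None                               # one attempt per seed
            self.unlocked = ok
            return bytes([POSITIVE, SUB_SEND_KEY]) if ok else bytes([0x7F, SID_SECURITY_ACCESS, 0x35])  # invalidKey
        return bytes([0x7F, SID_SECURITY_ACCESS, 0x24])            # requestSequenceError


class BusTap:
    """Passive tap that forwards traffic and records successful (seed, key) pairs."""

    def __init__(self, ecu: Ecu):
        self.ecu, self.pairs, self._seed = ecu, [], None

    def handle(self, request: bytes) -> bytes:
        resp = self.ecu.handle(request)
        if resp[:2] == bytes([POSITIVE, SUB_REQUEST_SEED]):
            self._seed = int.from_bytes(resp[2:4], "big")
        elif request[:2] == bytes([SID_SECURITY_ACCESS, SUB_SEND_KEY]) and resp[0] == POSITIVE:
            self.pairs.append((self._seed, int.from_bytes(request[2:4], "big")))
        return resp


def unlock(target, key_fn: KeyFn, secret: bytes) -> bool:
    """Run the exchange the way a diagnostic tool does (target may be an Ecu or a BusTap)."""
    resp = target.handle(bytes([SID_SECURITY_ACCESS, SUB_REQUEST_SEED]))
    seed = int.from_bytes(resp[2:4], "big")
    key = key_fn(seed, secret)
    resp = target.handle(bytes([SID_SECURITY_ACCESS, SUB_SEND_KEY]) + key.to_bytes(2, "big"))
    return resp[0] == POSITIVE


def recover_xor_secret(observed: List[Tuple[int, int]]) -> bytes:
    """Sniffer's guess: if key = seed ^ C, then seed ^ key is the constant C."""
    seed, key = observed[0]
    return (seed ^ key).to_bytes(2, "big")


def attack(key_fn: KeyFn, real_secret: bytes) -> Tuple[bool, bool]:
    """Observe one legitimate session, then try the recovered secret on a fresh seed.

    Returns (dealer tool succeeded, attacker succeeded afterwards).
    """
    ecu = Ecu(real_secret, key_fn, rng_seed=1)
    tap = BusTap(ecu)
    dealer_ok = unlock(tap, key_fn, real_secret)          # dealer session, visible on the bus
    guessed = recover_xor_secret(tap.pairs)
    later_ecu = Ecu(real_secret, key_fn, rng_seed=2)      # later session: different seed
    attacker_ok = unlock(later_ecu, key_fn, guessed)
    return dealer_ok, attacker_ok


if __name__ == "__main__":
    print("XOR scheme:  dealer, attacker =", attack(weak_key, b"\x5a\x3c"))
    print("HMAC scheme: dealer, attacker =", attack(hmac_key, b"hypothetical-ecu-secret"))
```

Two caveats the demo does not cover: a keyed derivation only moves the problem to keeping the secret inside the tool and the ECU, so an attacker who can dump either one still wins, and a 16-bit key space is brute-forceable if the ECU does not enforce the attempt counter and delay timer that UDS provides for exactly that reason.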
Re:More to lose than to gain (Score:1, Informative)
You haven't worked in a shop before, have you? Whether you have a cheap OBDII scanner [amazon.com] or a full-blown diagnostic tool [snapon.com], so long as the car uses OBDII, you can pull codes from it and subsequently replace the fouled O2 sensor, know which cylinder had a misfire, etc. The full-blown diagnostic tools are useful for crazy-hard problems to solve, but your average scanner bought at Autozone is sufficient for the vast majority of code-related problems you would encounter.
And you've obviously never worked with many cars that use proprietary pins on the OBDII port, which are not supported by standard scanners, in order to perform rather mundane analysis and resets. Case in point, the 2nd generation Range Rovers use an OBDII port with proprietary pin connections that are not supported on anything but the proprietary Range Rover analysis tool, in order to read out faults in the air suspension system, and worse yet, reset the ECU once the fault is corrected. The problems with the RR air suspension are not crazy-difficult to analyze, as I can figure out just about any air suspension problem WITHOUT a scanner, within minutes. (Again, case in point: finding out that your rear left air suspension is leaky, does not require a computer. As a matter of fact, the reading on the scanner will only tell you there is a pressure issue on the rear left suspension. Whether it is the actual suspension, the tubing, or a leak in the O-ring and grommet at the valve block is up to the mechanic to figure out.) And I'm not a professional mechanic, just a RR owner. BUT, I'm pretty much screwed if I want my air suspension to actually WORK again after the repair is made, due to the fact that the ECU refuses to activate the pump until the fault has been reset in the ECU, which requires the proprietary tool. (FWIW, there IS a third party tool now, that can be bought relatively cheap, which was the result of a lot of reverse engineering performed by a hobbyist that was sick and tired of needing to go to an authorized dealer, and be charged $70 or so just to get a button pressed.)
BMW is not, by any definition, a "rare case" of manufacturers using proprietary pins in order to comply with OBDII while making sure that compliance means practically nothing without the proprietary scanner/analyzer. BMW does it. Mercedes-Benz does it. Audi does it, and Land Rover does it. I'm pretty sure a lot of other common Euro cars do it as well. These manufacturers do have a point that the additional codes are added value over the bare minimum OBDII readings. However, not only do they use non-standard pins (which, for the record, are allowed in the OBDII standard) but they also keep the read and write codes secret as to make sure no other manufacturer of equipment can read the code or reset it after the repair has been completed. The added value part is a cover for making sure the majority of all owners go to an authorized dealer to get repairs done.
I'm willing to bet that you've never worked in a shop either, or at least not one that needs to deal with European vehicles. Proprietary ECU lock-up is a very real problem for non-dealer mechanics, hobbyists, and owners in general.
Re:Manual Override (Score:2, Informative)
Far superior to a hammer: http://www.copsplus.com/prodnum4497.php [copsplus.com]
Also, more handy if you catch someone tampering with your onboard computer... base of the skull punch-through carries more fatality points than hammer to temple.
Re:Access to unlocked car = can damage it, duh (Score:5, Informative)
Then it’s a good thing that they’ve already thought of that, I guess.
He and co-researcher Tadayoshi Kohno of the University of Washington, describe the real-world risk of any of the attacks they've worked out as extremely low. An attacker would have to have sophisticated programming abilities and also be able to physically mount some sort of computer on the victim's car to gain access to the embedded systems. But as they look at all of the wireless and Internet-enabled systems the auto industry is dreaming up for tomorrow's cars, they see some serious areas for concern.
Re:More to lose than to gain (Score:2, Informative)
First off, my apologies for labeling you as never having worked in a shop. I stand corrected.
Unless something huge has changed in the five years since I stopped working in a shop, we were able to pull codes from European cars with no problem.
Yes, you can buy the tools. But how do you justify buying a $30,000 TestBook system (yes, that is how much it cost, and that is what it was called) that, for the most part, is only useful for resetting EAS Fault codes? That didn't happen over the last 5 years, it happened in late 1995. But this is just for the Land Rover line. Say you need to deal with BMW? Or M-B? You need more units. Even if a small independent repair shop bought all these tools (easily adding up to over $100,000 in addition to all the standard tools necessary to do repairs), they would need to recoup the costs. Land Rover authorized dealers only need to deal with ONE analyzer, so they can afford it. That's the whole point. For BMW and M-B, third party analyzers are available, but not upon the debut of the new model. And with every new model released almost these days, you either need to update the analyzer, or get a new one.
So... you were lucky that you never needed to reset a code to get something working again. That is not the norm. The whole point is to make sure that it is almost unattainable for most mechanics, while marginally avoiding regulators that would want to pound the manufacturers into obedience.
Want your cake and eat it too! (Score:3, Informative)
Didn't we just blast Toyota for having a completely closed system, that only 1 laptop in the US could access.... but now we blast everyone else for having an open system because it can be hacked?
Given physical access to any system it can be hacked.
Copy of the paper (Score:3, Informative)
The paper [autosec.org]
That link really should have been in the summary....
Re:Access to unlocked car = can damage it, duh (Score:3, Informative)
I would guess it's related to the Anti-lock Brake System, which needs to calculate how much force should be applied and how rapidly.
Re: ECM hacking (Score:1, Informative)
Depending on how radical you want to get, often the fix is to adapt a known / programmable computer to your car. There are many companies who sell kits to do this. "MegaSquirt" was one of the first I had heard of; now several sell for example a GM PCM with harness to fit your car, or sometimes a connector adapter if enough sensor signals are similar. I forget the company names, but a websearch will provide them. Not a solution but hopefully a different angle and fuel for thought...
Shenanigans. (Score:4, Informative)
I'm going to call shenanigans on this post. There has never been a vehicle where you could remove the ECU and expect it to run.
A little history... The introduction of computers to vehicles has happened in many stages.
The first stage was the introduction of electronic ignition computers in the late 70s. These systems replaced the vacuum ignition advance on older cars. The signal from the distributor literally ran through the ignition computer. Removing the computer means that there is no connection between engine timing and plug coil. With the ignition computer removed, you have no spark, and the engine cannot start.
The next major step forward was the introduction of electronic fuel injection. This computer was responsible for controlling the fuel injectors. No ECU, means no fuel in the cylinders, which means no running vehicle. Power for the injectors literally comes via the ECU. Without the ECU, the injectors are literally unplugged.
Later vehicles used more computers in more components of the vehicle, to the point that a computer controls the brakes on my motorcycle.
But, there was no time where you could remove an ECU and expect the vehicle to still run.*
* Yes, it is possible to disconnect a lot of the sensors on an electronically fuel injected vehicle, and it will still run. But the ECU must still be in place.
Seriously Slashdot... You call yourself geeks, and you fall for this kind of stuff? Shame.