The upcoming DEFCON hacking conference will have many presenters touching on a great number of subjects, including that of car hacking.
Security researcher Charlie Miller, former NSA and current Twitter employee well known for finding flaws in a variety of computer systems and programs, and Chris Valasek, Director of Security Intelligence at IOActive, are scheduled to speak about the potential security risks associated with using cars with on-board computers.
“Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher’s point of view,” the two said in the presentation abstract.
“We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, we’ll discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.”
Although the two are definitely not the first to tackle the subject, the issue is slowly gaining prominence as more and more cars have such systems on board and are connected to the Internet.
Coincidentally, the recent tragic death of noted journalist Michael Hastings, the (still unclear) circumstances of which have given rise to many theories about whether the death was accidental or the result of foul play, has also brought attention to the subject of car hacking.
Former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke has shared with The Huffington Post his thoughts on whether it’s possible and likely that such an attack resulted in Hastings’ untimely death.
He thinks that the publicly known details about the crash and burning of Hastings’ car are consistent with a car cyber attack, but that it’s impossible to tell whether it really happened that way.
“What has been revealed as a result of some research at universities is that it’s relatively easy to hack your way into the control system of a car, and to do such things as cause acceleration when the driver doesn’t want acceleration, to throw on the brakes when the driver doesn’t want the brakes on, to launch an air bag,” he said, but pointed out that even if the onboard computers hadn’t melted in the fire that enveloped the car that crashed into the tree, the Los Angeles Police Department likely wouldn’t have the expertise to trace such an attack.
“I think you’d probably need the very best of the U.S. government intelligence or law enforcement officials to discover it. So if there were a cyber attack on the car – and I’m not saying there was – I think whoever did it would probably get away with it,” he concluded.