The Center for Automotive Embedded Systems Security (CAESS) conducted a study showing what could happen if a determined hacker went after the computer systems embedded in cars (http://www.autosec.org/pubs/cars-usenixsec2011.pdf). The researchers found that, among other things, an attacker could disable the vehicle’s brakes, stop its engine, or take control of its door locks. All the attacker needs is access to the federally mandated onboard diagnostics port, located under the dashboard in almost all cars today.
The researchers point to a recent report showing that a typical luxury sedan now contains about 100 megabytes of code that controls 50 to 70 computers inside the car, most of which communicate over a shared internal network.
The researchers say that their work shouldn’t yet be a cause for alarm, mainly because the exploits require access to the inside of a vehicle. But some of these systems can be accessed remotely, and the trend is to add even more wireless connectivity, for example, wireless automatic crash-response systems. The researchers say that other systems, such as satellite radios and remote-controlled door openers, could also become entry points.
Just a few months later, the researchers have a reason to be alarmed again! It appears that MP3s can harbor hostile code that could directly attack the car’s embedded system while you listen to music (http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car).
The attack consists of something as simple as adding extra code to a digital music file and turning the burned CD into a Trojan horse. When played on the car’s stereo, the song would attack the car stereo’s firmware and then spread into other components of the car, giving hackers access to GPS data, vehicle identification numbers, and control over systems like locks, brakes and the engine as a whole.
What makes this attack even more dangerous is that, since it is hidden in something as innocent as an .mp3 file, it can easily and swiftly spread throughout the world as people download music on file-sharing websites, without ever raising any suspicion.
In the not too distant future, we may be looking for the Symantec logo window sticker on our potential car buys. Talk about mobile security concerns...
About the Author: Rick Lawhorn, CISSP, CISA, CHP, CHSS has over 20 years of experience in information technology, which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for two Fortune 100 companies and served in information technology and security leadership roles within multiple law firms, the Department of Energy and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products.