The hacking of connected cars is often discussed, but details regarding actual successful attacks, if ever made public, are non-comprehensive at best, according to two security experts who plan to show how it's done.
Security researchers Charlie Miller and Chris Vlasek announced a plan to wirelessly hack the digital network of a car or truck at the Black Hat and Defcon security conferences in August.
The network known as the CAN bus is the connected system of computers that affects everything from the vehicle's horn and seat belts to its steering and brakes. According to Wired, their upcoming public demonstrations may be the most definitive proof yet of cars' vulnerability to remote attacks, the result of more than two years of work since Miller, a security engineer at Twitter, and Valasek, director of Vehicle Security Research at IOActive, first received a DARPA grant to investigate cars' security in 2013.
"The ambiguous nature of automotive security leads to narratives that are polar opposites: either we're all going to die or our cars are perfectly safe," the researchers said in a post on the Black Hat site. "In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle."
The demonstration is designed to show the reality and limitations of remote car attacks. Black Hat 2015 will be Aug. 1-6 in Las Vegas.
The researchers did not name the vehicle they're testing and declined Wired's request to comment further on their research so far ahead of the event.
The publication notes that Valasek and Miller's work already has led to serious pressure on automakers to tighten vehicle security. Congressman Ed Markey (D-Mass.) cited their research in a letter to 20 automakers following their 2013 presentation, demanding to know more information on their security measures.
In the responses to that letter, all of the auto companies said their vehicles did have wireless points of access. Only seven of them said they used third-party auditors to test their vehicles' security, and only two said they had active measures in place to counteract a potential digital attack on braking and steering systems, according to Wired.
Last year, researchers at the University of Michigan hacked into a live, networked traffic-signal system. According to a paper written by the group, several vulnerabilities in the system's wireless network and its traffic-light controller enabled the researchers to alter the state of traffic lights on command.
Altogether, the Michigan researchers hacked into nearly 100 wirelessly networked traffic lights and were able to alter their timing or even turn all the lights red.
The researchers identified three major weaknesses in the traffic-infrastructure deployment: The network was accessible to attackers because of lack of encryption; devices on the network lacked secure authentication because of the use of default usernames and passwords; and the traffic controller was vulnerable to known exploits.
- see this Wired story
Hacked traffic lights highlight perils within the Internet of Things
Tripwire researcher takes on Wi-Fi Pineapples, security weaknesses
GSMA: Every new car will be a 'connected car' in 2025