Sunday, June 30, 2013

Can your automobile be remotely hacked? Part II

In my further research, I noticed this Gizmag article http://www.gizmag.com/vehicle-computer-systems-hacks/15156/. Apparently, the vulnerability of modern vehicle on-board computer to hacking has been well known for some times. In the experiments conducted by the joint research team of University of Washington and University of California San Diego, the researchers uploaded malicious instructions/codes through physical connection to the vehicle diagnostic port. But in reality, it is technically possible to plug a transceiver device onto the input ports, such as the vehicle diagnostic port, and then inject the external instructions/codes through the ubiquitous wireless netowork into the on-board computer. It is similar to a USB Wi-Fi adapter plugged into the USB of your home computer, which relays data between the remote Wi-Fi access point and your computer.

Such vehicle on-board computer wireless communication adapter, if you will, would allow data to be sent to  remote receivers and at the same time instructions to be received from remote devices.Now the question is what kind of security mechanism has been implemented in the on-board vehicle computer systems, or specifically whether the security protocol allows the instructions/codes issued by the remote devices to disrupt the normal operating process of the vehicle, or even to override the manual command, such as pressed brake-pedal.

We know that, in the vehicle Cruise Control system, manually applying the pressure on brake-pedal should override the previously established cruising speed settings. That is what most people would think vehicle on-board system should work: the driver's manual inputs should supersede all other forms of instructions in the system.

If Machael Hastings' car was indeed remotely hacked so that he had no control of his vehicle at all shortly before it crashed. then we need to start to pay attention to the security of on-board vehicle computer system. We need to ask the car manufacturers the following questions:

(1) In designing the vehicle on-board computer system, what kind of security features/protocols have they put into place to prevent external hacking attempt?

(2) Can an external device attached to the computer system, such as a GPS tracking device, both read and write data to and from the computer system? What kind of restrictions are put into place to limit its access to READ only? ( In my earlier story, the suspected GPS tracker presumably read data from the Transmission Control Unit (TCU) in order to identify whether I shifted the gear from "P" to "D" and "D" to "P". I did not see any sign that the tracker could WRITE to the TCU or other part of the system, but I could not rule it out.)

(3) On some critical operations such as braking, etc., does the action of the driver, i.e. manual input, override all other type of computer instructions/codes, as it should, or are there higher privileged users, such as Superuser, etc., who would be able to override even the manual operations conducted by the car drivers?

I urge you, especially those who are journalists, to investigate this matter further so that the general public could be made aware of this risk. We need to be informed what the car manufacturers have done to counter the increasing risk.
Thank you,
JitL

1 comment:

Morgaine D'Clegg said...

They have done nothing to protect us. When Subaru service found a code in my computer that did not belong there, and did not know what it was, i shared and they refused to touch it. That was after a Homeland Security suv pulled up next to me and parked. Dark windows, and nobody got out. Yes, they can control the car remotely and allow perps entrance.