Software experts attack cars, to release code as hackers meet

Security researcher Charlie Miller holds two automobile electronic control module circuit boards while posing in his home-office in Wildwood, Missouri, April 30, 2013. REUTERS/Sarah Conard

Car hacking is not a new field, but its secrets have long been closely guarded. That is about to change, thanks to two well-known computer software hackers who got bored finding bugs in software from Microsoft and Apple.

Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government.

The two “white hats” — hackers who try to uncover software vulnerabilities before criminals can exploit them — will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week.

They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

“Imagine what would happen if you were near a crowd,” said Valasek, director of security intelligence at consulting firm IOActive, known for finding bugs in Microsoft Corp’s Windows software.

But it is not as scary as it may sound at first blush.

They were sitting inside the cars using laptops connected directly to the vehicles’ computer networks when they did their work. So they will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack.

The two say they hope the data they publish will encourage other white-hat hackers to uncover more security flaws in autos so they can be fixed.

“I trust the eyes of 100 security researchers more than the eyes that are in Ford and Toyota,” said Miller, a Twitter security engineer known for his research on hacking Apple Inc’s App Store.

Toyota Motor Corp spokesman John Hanson said the company was reviewing the work. He said the carmaker had invested heavily in electronic security, but that bugs remained — as they do in cars of other manufacturers.

“It’s entirely possible to do,” Hanson said, referring to the newly exposed hacks. “Absolutely we take it seriously.”

Ford Motor Co. spokesman Craig Daitch said the company takes seriously the electronic security of its vehicles. He said the fact that Miller’s and Valasek’s hacking methods required them to be inside the vehicle they were trying to manipulate mitigated the risk.

“This particular attack was not performed remotely over the air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers and any mass level,” Daitch said.

‘Time to shore up defenses’

Miller and Valasek said they did not research remote attacks because that had already been done.

A group of academics described ways to infect cars using Bluetooth systems and wireless networks in 2011. But unlike Miller and Valasek, the academics have kept the details of their work a closely guarded secret, refusing even to identify the make of the car they hacked.

Their work got the attention of the U.S. government. The National Highway Traffic Safety Administration has begun an auto cybersecurity research program.

“While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities,” the agency said in a statement. It said it knew of no consumer incident where a vehicle was hacked.

Still, some experts believe malicious hackers may already have the ability to launch attacks.

“It’s time to shore up the defenses,” said Tiffany Strauchs Rad, a researcher with Kaspersky Lab, who previously worked for an auto security research center.

A group of European computer scientists had been scheduled to present research on hacking the locks of luxury vehicles, including Porsches, Audis, Bentleys and Lamborghinis, at a conference in Washington in mid-August.

But Volkswagen AG obtained a restraining order from a British high court prohibiting discussion of the research by Flavio D. Garcia of the University of Birmingham, and Roel Verdult and Baris Ege of Radboud University Nijmegen in the Netherlands.

A spokeswoman for the three scientists said they would pull out of the prestigious Usenix conference because of the restraining order. Both universities said they would hold off on publishing the paper, pending the resolution of litigation.

Volkswagen declined to comment.


