Proof-of-Concept CarShark Software Hacks Car Computers, Shutting Down Brakes, Engines, and More

Using homemade software and a standard computer port, a team of scientists has figured out exactly how easy it is to hack into a modern car — scary news for motorists already wary of faulty brake and accelerator systems.

The research team wrote code that allows them to turn off the brakes in a moving car, change the speedometer reading, blast hot air or music on the radio, and lock passengers inside the car, PCWorld reports.

The team, led by Stefan Savage, an associate professor with the University of California-San Diego, and Tadayoshi Kohno of the University of Washington, will report on their findings in
a paper to be presented at a security conference next week.

While hacking modern-day autos is nothing new, the team’s work is meant to encourage the auto industry to highlight security as it develops new computer systems. As the researchers note, many computer systems were designed to increase security — think anti-lock brakes.
“It is not clear whether vehicle manufacturers have anticipated in their designs the
possibility of an adversary,” the paper says.

The team didn’t identify which cars they used, not wanting to single out a particular automaker. But all cars share the apparent Achilles heel: the Controller Area Network (CAN) system, required as a diagnostic tool on all US cars built since 2008. The team wrote software called CarShark that listened to CAN traffic, and then added their own network packets.

They used a shotgun approach, called “fuzzing,” in which they sent a large number of random info packets to see what happened. The results were sometimes surprising — brakes that didn’t work, no matter how hard the driver smashed the pedal; popped trunks and engine hoods; and others.

Some attacks were deceptively simple. One attack called “self-destruct” required less than 200 lines of code to start a 60-second countdown on the dashboard, accompanied by a clicking noise. The horn honks in the final seconds, and as the clock strikes zero, the car’s engine shuts off and the doors are locked. Most of that code was devoted to keeping time, PCWorld notes.

Still, the researchers say hacks like these aren’t easy. A would-be criminal would have to have some serious computer skills, not to mention access to the car’s physical computer in order to launch the attacks. So motorists shouldn’t be worried.