Trojan-Horse MP3s Could Let Hackers Break Into Your Car Remotely, Researchers Find

Last year we told you how hackers could someday infiltrate your car’s control systems and install malware to take things over, as long as they had some computer skills and a laptop. Now car-hacking researchers have done it remotely, using innocent tech like Bluetooth devices and even a CD.

Researchers at the University of California, San Diego, and the University of Washington are studying vulnerabilities in electronic vehicle controls, trying to warn automakers about potential security holes. Many new cars have Bluetooth wireless technology and built-in connections for cell phones and other devices, and those connections could be exploited. In one example, the researchers called the car’s cellular connection and uploaded malicious code using an audio file. In another test, they found out how to pair the car to a Bluetooth-enabled device, which they used to execute code.

Your driving tunes could put your car at risk, too — in one test, the researchers added some code to an MP3 file and turned a song into a Trojan horse. When it played on the car’s stereo, the song altered the car’s firmware, allowing hackers a doorway to the car’s main control systems, according to IDG News.

Scofflaws could conceivably use these doorways to track a car’s location, unlock the doors, disable the brakes and more.

The researchers, led by Stefan Savage, an associate professor with the University of California, San Diego, and Tadayoshi Kohno of the University of Washington, are studying these systems as part of a National Academy of Sciences project.

Most new cars have some kind of computer system that controls basic functions. Since 2008, all new U.S. cars have a Controller Area Network system, which can be used as a diagnostic tool. Many new cars also have Bluetooth networks, GPS systems, and cellular technology — such as General Motors’ OnStar or Ford’s Sync.

Not wanting to single out a particular automaker, the team didn’t identify which car they used, only saying they bought a 2009 sedan equipped with fewer computer systems than most high-end cars.

The National Academies’ Committee on Electronic Vehicle Controls and Unintended Acceleration was formed partly to address last year’s Toyota scandal, in which the automaker was (incorrectly, as it turned out) blamed for faulty braking systems.

The remote car hacking was not exactly simple — it’s still much easier to do it the original way, by plugging into the car and taking it over. But the major automakers have taken notice, Kohno and Savage said.

[IDG News, Technology Review]