Remote Car Hacking Investigation, Part I
Like everybody else, I learned from the news reports about the recent passing of journalist Michael Hastings in a car crash. There are people who speculate that the car could have been remotely controlled by other parties at the time of the crash. I would like to offer my own story to show that it is possible.
A few years ago, I wrote a few posts on several Internet blogs about my discovery of discrepancies in official 9/11 stories. Shortly after, I noticed that every time I drove around different towns, there was an apparently higher probability of encountering police cars. This happened even during my vacation out of my home state. I wondered what was going on. As this phenomenon continued for many months, I started to suspect that there was a GPS tracker in my vehicle. I did some research online and bought a “Frequency Counter” which can detect both analog and digital wireless signals up to 2.8 GHz, a range which covers most of the commercial mobile phone frequency bands.
Wow, this was a very sensitive piece of equipment: it can detect cell phone signals more than 20 feet away. As I drove around the town with it in my car, a 2008 Honda without any premium package, the RF Frequency Counter buzzed as I passed a utility truck and a cell tower. How could I be sure that any signal picked up by this device originated from my car, presumably from a GPS tracker, given the abundant external “noise”? One day I noticed a short buzz when I shifted the automatic gear of my car from “P” to “D”. Then when I shifted the gear from “D” to “P”, the “Frequency Counter” detected another very short burst of signals at the same frequency range — about 2.4 GHz. I drove to a different location, and it gave me the same readings: the wireless signals were sent when I shifted the gears.
At that time, I was aware of the debate about whether attaching a GPS tracker to a car amounts to a legally defined “search”, which supposedly required a court-issued warrant. However, in that particular case under review by the US Supreme Court, the GPS tracker was attached externally to the bottom of the car. In my case, given the fact that gear shifting triggers the signal transmitter, the presumed GPS tracker must have been attached to the transmission control unit (TCU), and ultimately the onboard vehicle computer system. (I am not a car technician so I only hypothesize here.) Or in other words, the GPS tracker has become a part of the vehicle electric control system.
On January 23, 2012, the US Supreme Court ruled that court-issued warrants were required in the GPS tracking case. I took out the “Frequency Counter” and found that those signals were no longer present when I shifted gears. But after two more weeks, the signals came back — the short bursts of wireless signals were detected again every time I shifted the gear from “P” to “D” or from “D” to “P”. From this observation, I hypothesized that it was possible to turn the GPS tracker on or off remotely.
Now, thanks to Ed Snowden, we know that our phone calls, emails, and online activities are collected, permanently stored and probably searched. It might not be news for you if your car is also GPS-tracked. Even today, I am still not sure how the device got into my car, whether factory installed or through unauthorized access to my car. If you want to do some research to find out, then check out this page.
No matter whether you want to purchase a “frequency counter” or other similar devices to detect the RF signals, make sure that you get one that can detect DIGITAL signals since most of the commercial wireless providers are using digital technologies nowadays. And learn about wireless signals since you will need such knowledge in the future.
As to Michael Hastings’ car crash, if his car was indeed remotely hacked, then there have to be digital fingerprints, such as wireless communication signals through cell towers or satellites, left to be discovered.
Remote Car Hacking Investigation, Part II
In my further research, I noticed this Gizmag article. Apparently, the vulnerability of modern vehicle on-board computers to hacking has been well known within “geek” circles for some time. In the experiments conducted by the joint research team of University of Washington and University of California San Diego, the researchers uploaded malicious instructions/code through a physical connection to the vehicle diagnostic port. But in reality, it is technically possible to plug a transceiver device onto the input ports, such as the vehicle diagnostic port, and then inject the external instructions/code through the ubiquitous wireless network into the on-board computer. It is similar to a USB Wi-Fi adapter plugged into the USB port of your home computer, which relays data between the remote Wi-Fi access point and your computer.
Such a vehicle on-board computer wireless communication adapter, if you will, would allow data to be sent to remote receivers and at the same time instructions to be received from remote devices. Now the question is what kind of security mechanism has been implemented in the on-board vehicle computer systems, or specifically whether the security protocol allows the instructions/code issued by the remote devices to disrupt the normal operating process of the vehicle, or even to override a manual command, such as a pressed brake pedal.
We know that, in the vehicle Cruise Control system, manually applying pressure on the brake pedal should override the previously established cruising speed settings. That is how most people would think a vehicle on-board system should work: the driver’s manual inputs should supersede all other forms of instructions in the system.
If Michael Hastings’ car was indeed remotely hacked so that he had no control of his vehicle at all shortly before it crashed, then we need to start to pay attention to the security of the on-board vehicle computer system. We need to ask the car manufacturers the following questions:
(1) In designing the vehicle on-board computer system, what kind of security features/protocols have they put into place to prevent external hacking attempts?
(2) Can an external device attached to the computer system, such as a GPS tracking device, both read data from and write data to the computer system? What kind of restrictions are put into place to limit its access to READ only? (In my earlier story, the suspected GPS tracker presumably read data from the Transmission Control Unit (TCU) in order to identify whether I shifted the gear from “P” to “D” and “D” to “P”. I did not see any sign that the tracker could WRITE to the TCU or other parts of the system, but I could not rule it out.)
(3) On some critical operations such as braking, etc., does the action of the driver, i.e. manual input, override all other types of computer instructions/code, as it should, or are there higher privileged users, such as Superuser, etc., who would be able to override even the manual operations conducted by the car drivers?
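One way the READ-only restriction asked about in question (2) can be enforced, shown as an added example that is not from this post or from any manufacturer: a default-deny filter on a gateway that forwards only read-type OBD-II requests from the diagnostic port to the internal bus. It assumes such a gateway ECU exists between the port and the other ECUs; the names diag_frame and filter_from_port are hypothetical and the sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A classic CAN frame arriving from the diagnostic-port side. */
struct diag_frame { uint32_t id; uint8_t len; uint8_t data[8]; };

enum verdict { FORWARD, DROP_ID, DROP_FORMAT, DROP_SERVICE };

/* OBD-II (SAE J1979) services that only read from an ECU. */
static const uint8_t READ_ONLY[] = {
    0x01, /* current data          */
    0x02, /* freeze-frame data     */
    0x03, /* stored trouble codes  */
    0x07, /* pending trouble codes */
    0x09, /* vehicle information   */
};

/* Default-deny decision for one frame headed to the internal bus. */
enum verdict filter_from_port(const struct diag_frame *f)
{
    /* Only OBD-II request IDs: 0x7DF functional, 0x7E0-0x7E7 physical. */
    if (f->id != 0x7DF && (f->id < 0x7E0 || f->id > 0x7E7))
        return DROP_ID;
    /* ISO-TP single frames only; multi-frame transfers (used for large
     * writes) are refused. Flow-control handling is left out here. */
    if (f->len < 2 || f->len > 8 || (f->data[0] >> 4) != 0)
        return DROP_FORMAT;
    uint8_t n = f->data[0] & 0x0F;          /* declared payload length */
    if (n == 0 || n > f->len - 1)
        return DROP_FORMAT;
    for (size_t i = 0; i < sizeof READ_ONLY; i++)
        if (f->data[1] == READ_ONLY[i])
            return FORWARD;
    return DROP_SERVICE;  /* e.g. 0x04 clear codes, 0x08 control, 0x2E write */
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    struct diag_frame rpm   = { 0x7DF, 8, { 0x02, 0x01, 0x0C } };
    struct diag_frame write = { 0x7E0, 8, { 0x05, 0x2E, 0xF1, 0x90, 0x41, 0x42 } };
    struct diag_frame raw   = { 0x244, 8, { 0x00 } };
    printf("%d %d %d\n", filter_from_port(&rpm),
           filter_from_port(&write), filter_from_port(&raw));
    return 0;
}
```

The filter is an allow-list: anything not explicitly recognised as a read request is dropped, so a device on the port cannot place arbitrary frames on the internal bus.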
I urge you, especially those who are journalists, to investigate this matter further so that the general public could be made aware of this risk. For those law professionals, there is a potential chance of a major “Class Action Lawsuit”, in my view.
Remote Car Hacking Investigation, Part III
According to the paper authored by the joint team of researchers from University of California, San Diego and University of Washington — “Comprehensive Experimental Analyses of Automotive Attack Surfaces”, the remote hacking of automobile computer systems is not just possible but also quite accessible for people who know their trade.
The potential attack access points are (1) the vehicle on-board diagnostic (OBD-II) port, through a physical connection to a laptop computer or through a “pass-through” device (typically directly via USB or WiFi); (2) the vehicle entertainment system, such as the CD player, iPod port, etc.; (3) short-range wireless access through Bluetooth, Remote Keyless Entry, etc.; (4) long-range wireless access through broadcast channels, such as on-board GPS and Satellite Radio systems, etc., and addressable channels, such as remote telematics systems (OnStar, mBrace, etc.) that provide continuous connectivity via cellular communication networks.
Some of their findings are:
(1) It is possible to compromise the “pass-through” devices through the dealer WiFi network, and the malicious code would be injected into every vehicle that connects to the infected devices. This type of attack is similar to the Stuxnet worm.
(2) It is possible to inject malicious code/programs through CD players or iPod connectors.
Modern automobiles are controlled by diverse sets of digital components, the Electronic Control Units (ECUs). They are all interconnected so that malicious code/programs embedded in a song, when played in the CD player, could be spread from the Media ECU to other components without much restriction.
(3) “To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s system.” That includes “forcibly engaging and disengaging individual brakes independent of driver input”.
These findings are really appalling. I wonder why they have not yet garnered enough media attention. But they answer my earlier question about whether the potential malicious programs would have higher privilege than the manual operation conducted by the driver. Apparently if a remote hacker takes over control of the brake or engine, there is nothing the driver can do about it. That could be what has killed Michael Hastings.
I urge you to share these findings with other people, and learn to detect the RF signals that are sent from or received by your on-board computer system.