Remote Car Hacking

Remote Car Hacking Investigation, Part I

Like everybody else, I learned from the news reports about the recent passing of journalist Michael Hastings in a car crash. There are people who speculate that the car could have been remotely controlled by other parties at the time of the crash. I would like to offer my own story to show that it is possible.

A few years ago, I wrote a few posts on several Internet blogs about my discovery of discrepancies in official 9/11 stories. Shortly after, I noticed that every time I drove around different towns, there was an apparently higher probability of encountering police cars. This happened even during my vacation out of my home state. I wondered what was going on. As this phenomenon continued for many months, I started to suspect that there was a GPS tracker in my vehicle. I did some research online and bought a “Frequency Counter” which can detect both analog and digital wireless signals up to 2.8 GHz, a range which covers most of the commercial mobile phone frequency bands.

Wow, this was a very sensitive piece of equipment: it can detect cell phone signals more than 20 feet away. As I drove around the town with it in my car, a 2008 Honda without any premium package, the RF Frequency Counter buzzed as I passed a utility truck and a cell tower. How could I be sure that any signal picked up by this device originated from my car, presumably from a GPS tracker, given the abundant external “noise”? One day I noticed a short buzz when I shifted the automatic gear of my car from “P” to “D”. Then when I shifted the gear from “D” to “P”, the “Frequency Counter” detected another very short burst of signals at the same frequency range, about 2.4 GHz. I drove to a different location, and it gave me the same readings: the wireless signals were sent when I shifted the gears.

At that time, I was aware of the debate about whether attaching a GPS tracker to a car amounts to a legally defined “search”, which supposedly requires a court-issued warrant. In the particular case under review by the US Supreme Court, the GPS tracker was attached externally to the bottom of the car. In my case, however, given the fact that gear shifting triggers the signal transmitter, the presumed GPS tracker must have been attached to the transmission control unit (TCU), and ultimately the onboard vehicle computer system. (I am not a car technician so I only hypothesize here.) In other words, the GPS tracker has become a part of the vehicle’s electrical control system.

On January 23, 2012, the US Supreme Court ruled that court-issued warrants were required in the GPS tracking case. I took out the “Frequency Counter” and found that those signals were no longer present when I shifted gears. But after two more weeks, the signals came back: short bursts of wireless signals were detected again every time I shifted the gear from “P” to “D” or from “D” to “P”. From this observation, I hypothesized that it was possible to turn the GPS tracker on or off remotely.

Now, thanks to Ed Snowden, we know that our phone calls, emails, and online activities are collected, permanently stored and probably searched. It might not be news for you if your car is also GPS-tracked. Even today, I am still not sure how the device got into my car, whether it was factory installed or put there through unauthorized access to my car. If you want to do some research to find out, then check out this page.

Whether you purchase a “frequency counter” or another similar device to detect the RF signals, make sure that you get one that can detect DIGITAL signals, since most of the commercial wireless providers are using digital technologies nowadays. And learn about wireless signals, since you will need such knowledge in the future.

As to Michael Hastings’ car crash, if his car was indeed remotely hacked, then there have to be digital fingerprints, such as wireless communication signals through cell towers or satellites, left to be discovered.

Remote Car Hacking Investigation, Part II

In my further research, I noticed this Gizmag article. Apparently, the vulnerability of modern vehicle on-board computers to hacking has been well known within “geek” circles for some time. In the experiments conducted by the joint research team of University of Washington and University of California San Diego, the researchers uploaded malicious instructions/code through a physical connection to the vehicle diagnostic port. But in reality, it is technically possible to plug a transceiver device into one of the input ports, such as the vehicle diagnostic port, and then inject external instructions/code through the ubiquitous wireless network into the on-board computer. It is similar to a USB Wi-Fi adapter plugged into the USB port of your home computer, which relays data between the remote Wi-Fi access point and your computer.

Such a vehicle on-board computer wireless communication adapter, if you will, would allow data to be sent to remote receivers and at the same time instructions to be received from remote devices. Now the question is what kind of security mechanism has been implemented in the on-board vehicle computer systems, or specifically whether the security protocol allows the instructions/code issued by the remote devices to disrupt the normal operating process of the vehicle, or even to override a manual command, such as a pressed brake pedal.

We know that, in the vehicle Cruise Control system, manually applying pressure to the brake pedal should override the previously established cruising speed settings. That is how most people would think a vehicle on-board system should work: the driver’s manual inputs should supersede all other forms of instructions in the system.

If Michael Hastings’ car was indeed remotely hacked so that he had no control of his vehicle at all shortly before it crashed, then we need to start paying attention to the security of on-board vehicle computer systems. We need to ask the car manufacturers the following questions:

(1) In designing the vehicle on-board computer system, what kind of security features/protocols have they put into place to prevent external hacking attempts?

(2) Can an external device attached to the computer system, such as a GPS tracking device, both read data from and write data to the computer system? What kind of restrictions are put into place to limit its access to READ only? (In my earlier story, the suspected GPS tracker presumably read data from the Transmission Control Unit (TCU) in order to identify whether I shifted the gear from “P” to “D” and “D” to “P”. I did not see any sign that the tracker could WRITE to the TCU or other parts of the system, but I could not rule it out.)

(3) On some critical operations such as braking, etc., does the action of the driver, i.e. manual input, override all other types of computer instructions/code, as it should, or are there higher-privileged users, such as Superuser, etc., who would be able to override even the manual operations conducted by the car drivers?
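Question (2) asks what would limit a port-attached device to READ-only access. One way a gateway between the diagnostic port and the in-vehicle bus could enforce that is sketched below as an added example; it is not from the original post or from any manufacturer's code. The function name `gateway_allows` and the sample frames are hypothetical, and it assumes 11-bit CAN IDs with standard OBD-II (SAE J1979) and UDS (ISO 14229) requests carried in ISO-TP frames.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read-only services a port-attached device may request (SAE J1979 modes
 * and ISO 14229 UDS services). Anything not listed is dropped. */
static const uint8_t READ_ONLY[] = {
    0x01, /* J1979: current data */
    0x03, /* J1979: stored trouble codes */
    0x09, /* J1979: vehicle information */
    0x19, /* UDS: ReadDTCInformation */
    0x22, /* UDS: ReadDataByIdentifier */
};

/* Return 1 if a frame from the diagnostic port may be forwarded to the
 * in-vehicle bus, 0 if the gateway must drop it. Default is deny. */
int gateway_allows(uint32_t can_id, const uint8_t *data, size_t len)
{
    /* Only 11-bit OBD-II request IDs: 0x7DF (functional) or 0x7E0-0x7E7
     * (physical). Any other ID is a raw frame addressed to the bus. */
    if (can_id != 0x7DF && (can_id < 0x7E0 || can_id > 0x7E7))
        return 0;
    if (data == NULL || len < 2 || len > 8)
        return 0;
    /* ISO-TP single frames only (high nibble 0); no multi-frame transfers. */
    if ((data[0] & 0xF0) != 0x00)
        return 0;
    size_t payload_len = data[0] & 0x0F;
    if (payload_len < 1 || payload_len > len - 1)
        return 0;
    for (size_t i = 0; i < sizeof READ_ONLY; i++)
        if (READ_ONLY[i] == data[1])
            return 1;
    return 0;
}

/* Constructed sample frames, not captured traffic. */
const uint8_t READ_RPM[]  = {0x02, 0x01, 0x0C};             /* mode 01 read */
const uint8_t WRITE_DID[] = {0x04, 0x2E, 0xF1, 0x90, 0x00}; /* UDS write */
const uint8_t FIRST_FRM[] = {0x10, 0x0A, 0x2E, 0xF1, 0x90, 0, 0, 0};

int main(void)
{
    printf("%d %d %d %d\n",
           gateway_allows(0x7DF, READ_RPM, sizeof READ_RPM),
           gateway_allows(0x7E0, WRITE_DID, sizeof WRITE_DID),
           gateway_allows(0x7E0, FIRST_FRM, sizeof FIRST_FRM),
           gateway_allows(0x123, READ_RPM, sizeof READ_RPM));
    return 0;
}
```

A filter like this only helps if the external device cannot reach the bus except through the gateway; a module wired directly onto the bus bypasses it.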

I urge you, especially those who are journalists, to investigate this matter further so that the general public can be made aware of this risk. For legal professionals, there is the potential for a major “Class Action Lawsuit”, in my view.

Remote Car Hacking Investigation, Part III

According to the paper authored by the joint team of researchers from University of California, San Diego and University of Washington, “Comprehensive Experimental Analyses of Automotive Attack Surfaces”, the remote hacking of automobile computer systems is not just possible but also quite accessible for people who know their trade.

The potential attack access points are (1) the vehicle on-board diagnostic OBD-II port, through a physical connection to a laptop computer or through a “pass-through” device (typically directly via USB or WiFi); (2) the vehicle entertainment system, such as the CD player, iPod port, etc.; (3) short-range wireless access through Bluetooth, Remote Keyless Entry, etc.; (4) long-range wireless access through broadcast channels, such as on-board GPS and Satellite Radio systems, etc., and addressable channels, such as remote telematics systems (OnStar, mBrace, etc.) that provide continuous connectivity via cellular communication networks.

Some of their findings are:
(1) It is possible to compromise the “pass-through” devices through the dealer WiFi network, and the malicious code would be injected into every vehicle that connects to the infected devices. This type of attack is similar to the Stuxnet worm.

(2) It is possible to inject malicious code/programs through CD players or iPod connectors.
Modern automobiles are controlled by diverse sets of digital components, the Electronic Control Units (ECUs). They are all interconnected, so malicious code/programs embedded in a song, when played in the CD player, could spread from the Media ECU to other components without much restriction.

(3) “To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s system.” That includes “forcibly engaging and disengaging individual brakes independent of driver input”.

These findings are really appalling. I wonder why they have not yet garnered enough media attention. But they answer my earlier question about whether potential malicious programs would have higher privilege than the manual operation conducted by the driver. Apparently if a remote hacker takes over control of the brake or engine, there is nothing the driver can do about it. That could be what has killed Michael Hastings.

I urge you to share these findings with other people, and learn to detect the RF signals that are sent from or received by your on board computer system.

5 thoughts on “Remote Car Hacking”

  1. admin Post author

    Let us examine the evidence:
    (1) My car has only standard package.
    (2) There are RF devices standard in most of the cars, such as remote key entry and tire TPMS system, etc. But they only transmit signals over published frequency bands, which are different from commercial wireless phone service bands.
    (3) For about two weeks, during a Supreme Court ruling, the RF signal could not be detected when I shifted the gears. But it came back later. (Was the GPS tracker turned off, remotely?)
    (4) These signals have lasted for two years, so I assume that it drew electricity from my car’s electrical system, instead of using a standalone battery pack.
    (5) The periodic RF signals are also detected when I was driving for vacations.

    The major point of my discovery is not about the GPS tracker, but about the GPS tracker connecting to the onboard car computers (ECUs), since it needs to reference data from the Transmission Control Unit. What if this “GPS Tracker” receives a remote instruction and writes it into the car computers, a remote hacking?

    Thank you for your comment!

  2. admin Post author

    The way to “fight for freedom” in this case is to spread the word around and to let more and more people wake up from their trance state: their cars could have been illegally tracked, monitored, and even hacked, by Government agencies and/or by private contractors.
    I try to show that it is not hard to do that: they only need to attach a small wireless-communication-capable module to your onboard vehicle computers’ (ECUs) circuitry, then they will be able to receive info from the device or even send remote instructions to your vehicle, which could potentially override your manual operation. If the manufacturers are part of this scheme, then I expect massive class-action lawsuits. That would mean possible awarded damages in the amount of tens of billions.
    I learned from an Internet news report that all 2009 model year and later cars might be affected, and it does not matter whether the car has the standard package or a premium package.

  3. admin Post author

    Please share with all of us interesting things which you have learned. That is how we empower our collective being.

    Thank you for your comment!

  4. admin Post author

    Wow, that is a piece of breaking news: Princess Diana’s car could have been hacked, either locally or remotely. I have no doubt that that incident was not a pure accident.

    Thank you for your comment!

  5. admin Post author

    It is reported that any new car sold in the North American market after 2009 could potentially be remotely hacked.
    “An ordinary car with no computer in it” would have to be an older model. I am considering getting a used pickup truck manufactured prior to 2002.

    Thank you for your comment!
