The December 2022 issue of IEEE Spectrum is here!

Close bar

Why the Next Denial-of-Service Attack Could Be Against Your Car

The "Jeep hacker" says denial-of-service attacks against cars are easy hacks—and urges people not to buy any car dongles

4 min read
A car's dashboard. Steering, braking, and even speed can be controlled by hackers
Illustration: iStockphoto

We haven’t seen the last of the car hacks, says Charlie Miller, the security researcher who in 2014 helped show that hackers can take control of certain models of cars, messing with brakes and steering and other systems while the cars are in motion.

Speaking this week at ARM TechCon, held in Santa Clara, Calif., Miller said that carmakers “are not in good shape now,” but there’s hope for the future as the companies begin to understand the risks when vehicles are connected to the outside world.

a list of vehicles vulnerable to car hacking, including 2013, 2014, and 2015 models of Dodge, Chrysler, and Jeep vehiclesCharlie Miller and Chris Valasek were able to scan the Sprint network for vulnerable vehicles. “I’m a good guy, but I was tempted when I found the Viper. I didn’t do it, but I could have changed the radio station so easily,” Miller said.Photo: Tekla S. Perry

Miller, currently an engineer at Uber, pointed out the difference between two categories of car hacks—hacks limited to the mobile app or to the head unit (the centerpiece of the audio system), and hacks that reach into the car’s controller area network (CAN) bus.

The latter are significantly more dangerous because brakes, steering, and other critical controls connect to the CAN bus. Yet mobile and head-unit hacks can go beyond simply changing the radio station.

Consider the recently detected vulnerability in the Nissan Leaf mobile app, Miller suggested (it has since been fixed). The password, he says, was the vehicle identification number, typically easy to see through a windshield. You could log in as the owner and, say, turn on the seat heaters. It’s not a safety issue, but, as Miller points out, that’s an easy way to kill a car’s battery. That’s “a denial-of-service attack against a car. Not dangerous particularly, but we’ll see more and more of these,” he says.

[shortcode ieee-pullquote quote="Figuring out how to reprogram the (Jeep) chip wasn't easy. "I would screw it up, and my head unit wouldn't work anymore. Thank you, Chrysler and their warranty system; eventually we figured out how to reprogram it without breaking it"" float="right" expand=1]

The Jeep attack that made Miller and his partner-in-hacking, Chris Valasek, famous was a CAN bus attack. Miller discovered that, although the ARM chip that controlled the entertainment system wasn’t directly connected to the CAN bus, it did connect to a chip that was. And, through that connection, that second chip could be reprogrammed.

Figuring out how to reprogram the chip wasn’t easy. Recalls Miller:

“I would screw it up, and my head unit wouldn’t work anymore, I would have to go to the dealer, with my busted head unit. It was a real lemon; that thing broke all the time. They would fix it and get me back on the road. Thank you, Chrysler and their warranty system; eventually we figured out how to reprogram it without breaking it.”

The chip that controls the audio system in cars today typically connects to a chip on the CAN busThe chip that controls the audio system in cars today typically connects to a chip on the controller area network (CAN) bus. Compromising this processor can give a hacker access to steering, brakes, and various safety systems.Photo: Tekla S. Perry

The most obvious fix for future car designers, Miller says, would be to simply not connect the two chips. But car owners like the features that such a connection enables—car audio systems that raise the volume as speed and road noise increase or guide lines that appear on rear-camera screens to indicate where your current path will lead.

“We will get more and more of these features,” Miller said, “including cars talking to other cars. There isn’t an option to disconnect this, so we need to figure out how to protect it.”

And some fixes, he said, work better than others. To shut down Jeep’s vulnerability, Miller explained, Jeep eventually went to Sprint, who provided cellular links for Jeep vehicles, and Sprint made that connection more secure. “They didn’t fix the code signing piece,” Miller said. “If I could get into a Jeep [head unit] I could still reprogram the gateway” to the CAN bus.

By contrast, Miller pointed out, after Tesla was similarly hacked by researchers from China this year, Tesla changed the gateway between the two processors to require that any code sent from one to the other be signed to prove it is authorized by the manufacturer. “So now when you read about a Tesla hack,” he said, “it is limited to whatever the head unit can do,” and doesn’t affect the car controls.

You know those dongles that allow insurers to track your car's operations or allow you to do so yourself via an app? Don't even think of using one

While these kinds of security patches are made public, Miller says, generally the car companies aren’t talking about what efforts they are making to improve security. “I would like more transparency; I’d like to see white papers from car companies that explain how they are designing systems for security,” he says.

In the meantime, is there anything a car owner can do?

Not much, says Miller. “You can’t download antivirus software” or add in other security patches yourself.

But you can avoid making your car’s vulnerabilities worse. You know those dongles that allow insurers to track your car’s operations or allow you to do so yourself via an app? (Some examples include Progressive’s Snapshot and Allstate’s Drive Wise.) Don’t even think about using one, Miller says: The safety risks are not worth the insurance discounts or convenience.

The Conversation (0)

Chinese Joint Venture Will Begin Mass-Producing an Autonomous Electric Car

With the Robo-01, Baidu and Chinese carmaker Geely aim for a fully self-driving car

4 min read
A black car sits against a white backdrop decorated with Chinese writing. The car’s doors are open, like a butterfly’s wings. Two charging stations are on the car’s left; two men stand on the right.

The Robo-01 autonomous electric car shows off its butterfly doors at a reveal to the media in Beijing, in June 2022.

Tingshu Wang/Reuters/Alamy
Purple

In October, a startup called Jidu Automotive, backed by Chinese AI giant Baidu and Chinese carmaker Geely, officially released an autonomous electric car, the Robo-01 Lunar Edition. In 2023, the car will go on sale.

At roughly US $55,000, the Robo-01 Lunar Edition is a limited edition, cobranded with China’s Lunar Exploration Project. It has two lidars, a 5-millimeter-wave radars, 12 ultrasonic sensors, and 12 high-definition cameras. It is the first vehicle to offer on-board, AI-assisted voice recognition, with voice response speeds within 700 milliseconds, thanks to the Qualcomm Snapdragon 8295 chip.

Keep Reading ↓Show less