
US state police cars hacked

Virginia State Police have been waging cyberwar against Impalas and Tauruses and have found that even non-networked cars are vulnerable.


Thanks to security researchers Charlie Miller and Chris Valasek, we already know that late-model cars are vulnerable to cyberattacks that can range from the annoying – say, an uncontrollably blasting horn – to the potentially lethal: slamming on a Prius’s brakes at high speeds, killing power steering with commands sent from a laptop, spoofing GPS, and tinkering with speedometer and odometer displays.

Now, we know that US state police troopers’ cars are also vulnerable to cyberattack.

Virginia State Police (VSP) have been waging cyberwar against 2012 Chevrolet Impalas and 2013 Ford Tauruses and have found that even non-networked cars are susceptible to attacks.

As Dark Reading reports, the project didn’t involve sending a moving car into a ditch or rolling onto highway exit ramps after losing control of the gas pedal, a la Miller and Valasek’s handiwork.

The hacking was done by a public-private working group that focused on stationary police cars.

Virginia Governor Terry McAuliffe kicked off the project in May 2015.

Its focus is to explore the safeguards needed to protect against cyberattacks targeting automobiles.

Participating organizations included Mitre Corp., the Virginia Department of Motor Vehicles, the University of Virginia, and others, in cooperation with the Department of Homeland Security (DHS).

In a series of attacks on a VSP Impala and one on its 2013 Ford Taurus, the researchers found they could make it impossible to shift gears from park to drive, cause a spike in engine RPMs, cause the engine to accelerate without applying a foot to the pedal, and cut off the engine completely.

Besides the groups’ success in wreaking havoc with the gearshift, the instrument panel and the engine, researchers from Mitre also wrote attack code that opened the trunk, unlocked the passenger doors, locked the driver’s door, turned on the windshield wipers, and squirted wiper fluid.

This isn’t an attack that’s easy to pull off or one that’s happened outside of a security research setting.

Like Miller and Valasek’s earlier work in this field – such as the 2013 hijacking of a Ford Escape to make it plow into some weeds in an abandoned parking lot – the hijacking of the state police cruisers’ computer systems required physically jacking in to the cars.

Mitre’s first attacks on the cars involved a mobile phone app connected via Bluetooth to a device planted in the vehicle, according to Brian Barrios, portfolio director of Mitre’s National Cybersecurity Federally Funded Research and Development Center (FFRDC).

The Impala lacked Bluetooth or cellular connectivity, so the Mitre device provided it.

Creating custom software for such an attack, as Mitre did, would require knowledge of the car model’s electronics, he said.

Between the need for physical access to a police cruiser like one of these, plus an intimate knowledge of its electronics, it’s hard to imagine an average person being able to pull off such an attack.

That doesn’t make it impossible, though, and that’s the point, Barrios said: we need to know what attacks are feasible so we can prepare for them.

According to Dark Reading, Kaprica Security built a proof-of-concept, real-time device to thwart attacks like the one Mitre came up with. The device also collects forensic data from an attack.

The device is a dongle that plugs into the car’s so-called On Board Diagnostics (OBD) port and can detect and block abnormal commands.

Other attacks, on the Ford Taurus, were cooked up by Msi. One such attack performed a denial-of-service (DoS) that blocks the car from starting, while yet another attack emanated from a mobile device and succeeded in remotely starting the car.

They also managed to lock and unlock the car so as to trap the driver inside – at least, until he or she rolled down the window and manually opened the door.

The researchers also came up with yet another dongle-like device that monitors the OBD II port and detects any hacking tools plugged into it, as well as any attacks over the CAN bus. Like Kaprica’s tool, it blocks attacks and collects forensic data about them.
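
The reports do not say how either dongle decides that a command is abnormal. As an added illustration (not code from Kaprica, Msi or the article), this sketch shows one common defensive approach: learn which CAN IDs appear in known-good traffic and how often, then flag IDs never seen before and known IDs that suddenly arrive much faster. It assumes candump-style log lines; the captures, frame IDs and payloads are constructed.

```python
import math
import re

# candump -l style log line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\w+\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2})*)$")

def parse(log):
    """Yield (timestamp, arbitration_id, payload) for each well-formed line."""
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def learn_baseline(log):
    """Map each ID seen in known-good traffic to its shortest inter-frame gap."""
    last, min_gap = {}, {}
    for ts, can_id, _ in parse(log):
        if can_id in last:
            min_gap[can_id] = min(min_gap[can_id], ts - last[can_id])
        else:
            min_gap[can_id] = math.inf  # seen once so far: no timing data yet
        last[can_id] = ts
    return min_gap

def detect(log, baseline, tolerance=0.5):
    """Alert on IDs absent from the baseline and on known IDs arriving too fast."""
    alerts, last = [], {}
    for ts, can_id, data in parse(log):
        if can_id not in baseline:
            alerts.append((ts, f"{can_id:03X}", "unknown-id", data.hex()))
        elif can_id in last and math.isfinite(baseline[can_id]):
            if ts - last[can_id] < baseline[can_id] * tolerance:
                alerts.append((ts, f"{can_id:03X}", "rate", data.hex()))
        last[can_id] = ts
    return alerts

# Constructed sample captures (not from any real vehicle).
CLEAN = """(100.000000) can0 0C9#0010
(100.005000) can0 1F1#AA
(100.010000) can0 0C9#0011
(100.020000) can0 0C9#0012
(100.105000) can0 1F1#AA"""
OBSERVED = """(200.000000) can0 0C9#0010
(200.010000) can0 0C9#0011
(200.011000) can0 0C9#FFFF
(200.012000) can0 7DF#02010D
(200.020000) can0 0C9#0012
(200.105000) can0 1F1#AA"""
ALERTS = detect(OBSERVED, learn_baseline(CLEAN))
```

A device that also blocks, as the ones described here are said to do, would have to sit inline between the port and the bus rather than only listen.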

While neither Ford nor GM worked directly on the project, both carmakers knew of it and provided statements about vehicle cybersecurity.

From Ford:

The University of Virginia study is helpful to remind industry, regulators, law enforcement and consumers that cybersecurity is an issue that requires focused attention. The staged cyber-attack on a Ford vehicle required unrestricted physical access to the interior to install a device that provided remote access to the electronic control module.

This study does not simulate any immediate real-world risk. It highlights the need to be vigilant about vehicle security and to avoid plugging in devices or technologies that do not have proper security safeguards. And, it serves as a reminder that all connected computing systems should have appropriate safeguards in place to mitigate the threat of cyber-attacks.

And from GM:

GM takes matters such as potential cyber threats, which affect our customers’ safety and security, very seriously. We are taking a layered approach to in-vehicle cybersecurity and are designing many vehicle systems so that they can be updated with enhanced security measures as potential threats evolve.

We recently created an integrated organization, Vehicle and Vehicle Services Cybersecurity, which consists of internal experts who work with outside specialists, and is actively working to minimize risks of unauthorized access to vehicles and customer data.

Well, thank heavens they’re taking it seriously.

Not that they have much choice, mind you: calls for securing vehicles have been getting ever louder since we first heard of a remote attack against an unnamed vehicle back in 2011.

Concerns have become more amplified still in the wake of Miller and Valasek remotely taking over a Jeep (no physical jacking-in required) from 10 miles away a few months ago.

US Senator Edward Markey issued a report in February 2015 that criticizes what had been, up to that point, the auto industry’s weak response to addressing security vulnerabilities, as well as the lack of privacy protections for the data collected from vehicles by the manufacturers.

Markey also introduced legislation in July seeking to establish mandatory security standards for all cars and trucks.

Image of police cruiser courtesy of Leonard Zhukovsky / Shutterstock.com

16 Comments

This does not make me want to go out and get in line for a self driving car


I have a device from Allstate that monitors my driving. It is plugged into the OBD II port. Does this allow access to my car electronics?


It certainly gives *read* access to what you’re up to:

https://nakedsecurity.sophos.com/2015/01/20/cheaper-car-insurance-dongle-could-lead-to-a-privacy-wreck/


But technically, the same (connected) device that gives *read* access also gives *write* access – The CAN bus doesn’t have read and write pins, so a change of programming in the Allstate (or other) box absolutely can easily send duplicates of packets it receives, or modified versions, as Paul’s article infers.

I remember some years back (ahem, 2004) owning a 3-year old ex-taxi E-Class Merc and wanting to use its (CAN) steering wheel controls after I removed the original radio. Even then, there were people hooking up free sample chips from the Microchip website to log and collect the control packets from the steering wheel, pulling them out to the logic signals needed to turn their new radio on and off etc.

The key is that we’re talking about physical access to the car here. Once you have that, the world is your oyster; well, at least, the car is… With (usually) 3 CAN bus networks on modern vehicles, the OBDII port normally has access to all of them and therefore to every electronically controlled component of the car.

How much do you trust your insurance company? Or their black box partner? The car is just another PC. ;-)


Surely there won’t be any lines? You’ll just order through a website and the car will deliver itself once it’s ready :-)


So if it required putting a device inside the car, I don’t see how this is “hacking”. Is putting a bomb inside the car and “hacking it” so that it explodes also an exploit?


Just imagine that the owner adds an enhancement device that connects into the systems on board, such as adding a Bluetooth device to pair with their mobile phone to give ‘hands free’ operation whilst driving. That potentially opens a ‘back door’ for the nefarious hackers to gain access to more than just the phone!
That is the key danger we need to be aware of. The manufacturers can protect the known systems on board but they can’t prevent you adding something else yourself.


These findings will be used by the manufacturers to further bolster their case in claiming copyright laws apply to ECU firmware and to attempt to restrict aftermarket tuning and repair work by non-manufacturer entities.


Who needs all this rubbish? A wheel on each corner will do me.


That is the key danger we need to be aware of. The manufacturers can protect the known systems on board but they can’t prevent you adding something else yourself.
