A note of caution to anyone who works on the security team of a major automobile manufacturer: Don’t plan your summer vacation just yet.
Security researchers Charlie Miller and Chris Valasek have announced that at the Black Hat and Defcon security conferences this August, they plan to wirelessly hack the digital network of a car or truck. That network, known as the CAN bus, is the connected system of computers that influences everything from the vehicle’s horn and seat belts to its steering and brakes. And their upcoming public demonstrations may be the most definitive proof yet of cars’ vulnerability to remote attacks, the result of more than two years of work since Miller and Valasek first received a DARPA grant to investigate cars’ security in 2013.
“We will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle,” the hackers write in an abstract of their talk that appeared on the Black Hat website last week. “Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle.”
Miller and Valasek won’t yet name the vehicle they’re testing, and declined WIRED’s request to comment further on their research so far ahead of their talk.
Academic researchers at the University of Washington and the University of California at San Diego demonstrated in 2011 that they could wirelessly control a car’s brakes and steering via remote attacks. They exploited the car’s cellular communications, its Wi-Fi network, and even its Bluetooth connection to an Android phone. But those researchers only identified their test vehicle as an “unnamed sedan.”
Miller and Valasek, by contrast, haven’t hesitated in the past to identify the exact make and model of their hacking experiments’ multi-ton guinea pigs. Before their presentation at the Defcon hacker conference in 2013, they put me behind the wheel of a Ford Escape and a Toyota Prius, then showed that they could hijack those two vehicles’ driving functions—including disabling and slamming on brakes or jerking the steering wheel—using only laptops plugged into the OBD2 port under the automobiles’ dashboards.
Some critics, including Toyota and Ford, argued at the time that a wired-in attack wasn’t exactly a full-blown hack. But Miller and Valasek have been working since then to prove that the same tricks can be pulled off wirelessly. In a talk at Black Hat last year, they published an analysis of 24 automobiles, rating which presented the most potential vulnerabilities to a hacker based on wireless attack points, network architecture and computerized control of key physical features. In that analysis, the Jeep Cherokee, Infiniti Q50 and Cadillac Escalade were rated as the most hackable vehicles they tested. The overall digital security of a car “depends on the architecture,” Valasek, director of vehicle security research at security firm IOActive, told WIRED last year. “If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?”
Miller, who aside from his car hacking work holds a day job as a senior security engineer at Twitter, did offer what might be a hint of their target in a tweet last week:
Jeep, after all, received the worst security ratings by some measures in Miller and Valasek’s earlier analysis. It was the only vehicle to get the highest rating for “hackability” in all three categories of their rating system. Jeep-owner Chrysler wrote last year in a statement responding to that research that it would “endeavor to verify these claims and, if warranted, we will remediate them.”
Valasek and Miller’s work has already led to serious pressure on automakers to tighten their vehicles’ security. Congressman Ed Markey cited their research in a strongly worded letter sent to 20 automakers following their 2013 presentation, demanding more information on their security measures. In the responses to that letter, all of the auto companies said their vehicles did have wireless points of access. Only seven of them said they used third-party auditors to test their vehicles’ security. And only two said they had active measures in place to counteract a potential digital attack on braking and steering systems.
It’s not clear exactly how much control Miller and Valasek have gained over their target automobile’s most sensitive systems. Their abstract hints that “the ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe,” and notes that they’ll “demonstrate the reality and limitations of remote car attacks.”
But in a tweet following the announcement of their upcoming talk last week, Valasek put it more simply:
“[Miller] and I will show you how to hack a car for remote control at [Defcon],” he wrote. “No wires. No mods. Straight off the showroom floor.”