DEF CON 24: Car Talk
At Defcon this weekend, vehicle hacks held a weighty presence. For the second year running, the con hosted a Car Hacking Village (complete with its own badge). It sure looks like manufacturers have kicked off a security war that they weren’t prepared to enter, and they don’t seem to have caught up yet.
What are attackers able to do?
A malicious hacker may be able to run down your battery using the environmental controls (a common component of smart vehicles’ official apps), track your present and past locations, and even take command of essential driving controls.
In 2013, Charlie Miller and Chris Valasek famously hacked a Ford Escape, controlling the speed and brakes with a reporter behind the wheel.
Most (reported) hacks since then have had a more subtle flavor: Mitsubishi’s vulnerability could be used for tracking your physical location, as well as manipulating some controls on the vehicle itself.
Your garage door may be wide open, too—as discussed in our fascinating interview with the infamous Samy Kamkar.
What about hacking your own car?
Gone are the days when each DeLorean came with a delicious illustrated guide. But you can still get your hack on without a degree in Vroom Science!
In the vendor area, we chatted with Alan Mond, co-inventor of the CarLoop. This device plugs into the OBD-II port and allows you to communicate with your car wirelessly, from anywhere, via Particle microcontrollers (WiFi Photon / cellular Electron). It’s still on pre-order, so we’re getting ready to see some awesome mods!
However, there’s still room for car companies to take legal action against DIY tinkerers—for now. Andrew “Bunnie” Huang has partnered with the EFF in suing the US Government to roll back outdated legislation that puts many hardware hacks outside the law, and the EFF’s press release specifically mentions vehicle mods.
How do we move forward?
Be people-aware: The Nissan Leaf hack required only the vehicle identification number, which in some cars is actually visible from the outside. As Drew told me, the first Car Hacking Village hosted a competition to socially engineer as many VINs as possible. It’s amazing what information people easily give away. (From San Francisco’s scavenger-hunt scene, I can confirm: simply stating that you’re playing a game will open many hands and minds.)
Still, it’s easy to forget the reality of the threat. At the con, I left my laptop off (except for 10 minutes with the WiFi disabled)… but I was complacent enough to use my personal cell phone. Having so many other fish in the water can ease paranoia.
And then, on my ride to the airport, the taxi driver railed against some hackers at the Paris who had disabled his wife’s phone and killed comms for her real-estate business over the weekend. As Drew had just pointed out, phones are now popular for 2-factor authentication; anyone who can intercept texts can get verification codes for online services. With cross-linked accounts, and the mesh of personal data they use for identity verification, that’s a huge problem.
The driver said he just knew all these “guys” were “couch potatoes, living in their mom’s basement, who will never touch the lips of a woman like [his wife].” I shifted uncomfortably on the seat and offered sympathy; this brand of casual malice truly is horrible. But I had just partied with hackers of every demographic. And the guys sporting a QueerCon octopus badge? They probably don’t worry about how many women they’ve kissed. I’m pretty sure he wasn’t picturing a lesbian, either; he explained Defcon to this woman while we rode away from the scene of the crime. Social engineering thrives on stereotypes… don’t underestimate anyone.
Next, as I boarded the plane back to SF, I learned that my friend’s bag was stolen sometime between frozen yogurt and roulette. Security footage revealed that another pair of gamblers had walked off with it. It contained his car keys — a low-tech (and possibly accidental), but very human, vehicle security breach. He was finally able to head home around 2am.
Educate yourself: The free Car Hacker’s Handbook can teach you about numerous exploits that may work on you. Get familiar with your system and learn what you can do to avoid common attacks. Coursera and other educational sites offer free courses in security, and Becky Stern is digging in with some videos as well.
Buy smart: What’s your best bet for a new car? Despite the Model S hack, the Tesla system is said to be pretty well-protected — understandable for a modern company with innovative tech in its veins. Or stick with a vintage car that only comes with the usual set of hardware vulnerabilities. I dunno. It seems hard to make a perfect choice, at this point. But pick one of the manufacturers who…
Listen: Car companies, listen to the white hats who come to you with vulnerabilities. This is what Tesla and Mitsubishi did right—and where Nissan went disastrously wrong, ignoring a month’s warning before the researcher took things public. As mentioned before, this is a key interest of the EFF in its suit to nullify Section 1201. They’ve even tried it before:
That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down — even when researchers only look at code on vehicles they own.
This hurts everyone.
Sign it: Chrysler sent 1.4 million Jeep owners USB drives with security-boosting updates that they could install via a port in the car. But even this could be a vulnerability, if someone with a malicious version of the software gets access to the car (or hands you the wrong drive). Manufacturers should provide a way for owners to verify the origin of each update or fix—some simpler alternative to the hashes commonly provided by free software groups.
Humans vs. Machines?
Defcon this year was themed around human/machine conflict: the badges were Terminator heads, the floors decorated with grand cyber/organic battles. And there was even a machine-on-machine competition, the glorious Cyber Grand Challenge. But at its heart, security is all humans vs. humans.
People write those scripts. People build those cars. People hack each other, for revenge or jealousy or the hell of it.
And this will only get closer to home: Today’s car hacks are tomorrow’s heart hacks, eye hacks, hearing aid hacks. Miller and Valasek were able to blast the Jeep’s car radio at full volume, which is actually an effective military tactic.
So, figure out how much you care to balance humanity with healthy paranoia. In the meantime, go join the EFF. Check out our security and vehicle-hacking projects. Install your software updates. And when you build projects like these…
Lock and Unlock your car via the Internet!
× 1 × 1 × 1 My car has a key with a built-in keyfob. The plastic housing broke, but the keyfob inside the key still…
Smartwatch car remote
Software apps and online services: The idea of this project is to be able to turn on/off lights (or any electrical…
My Kid's Driving Habits
About this project Here is an interesting way of monitoring yours or your kids driving habits by monitoring hard…
iBrake Remote Braking System for Kids Bikes
About this project The iBrake system allows the girls to have the freedom but me the piece of mind knowing that i can…
…Keep an eye on your auth keys.