14-Year-Old Hacker Shows Auto Engineers How it's Done
02-20-15, 03:50 PM
#1
Lexus Fanatic
Thread Starter
14-Year-Old Hacker Shows Auto Engineers How it's Done
http://www.autoblog.com/2015/02/18/1...rise-featured/
A 14-year-old boy may have forever changed the way the auto industry views cyber security.
He was part of a group of high-school and college students that joined professional engineers, policy-makers and white-hat security experts for a five-day camp last July that addressed car-hacking threats.
"This kid was 14, and he looked like he was 10," said Dr. Andrew Brown Jr., vice president and chief technologist at Delphi Automotive.
With some help from the assembled experts, he was supposed to attempt a remote infiltration of a car, a process that some of the nation's top security experts say can take weeks or months of intricate planning. The student, though, eschewed any guidance. One night, he went to Radio Shack, spent $15 on parts and stayed up late into the night building his own circuit board.
The next morning, he used his homemade device to hack into the car of a major automaker.Camp leaders and automaker representatives were dumbfounded. "They said, 'There's no way he should be able to do that,'" Brown said Tuesday, recounting the previously undisclosed incident at a seminar on the industry's readiness to handle cyber threats. "It was mind-blowing."
Windshield wipers turned on and off. Doors locked and unlocked. The remote start feature engaged. The student even got the car's lights to flash on and off, set to the beat from songs on his iPhone. Though they wouldn't divulge the student's name or the brand of the affected car, representatives from both Delphi and Battelle, the nonprofit that ran the CyberAuto Challenge event, confirmed the details.
If car makers weren't taking cyber threats seriously before the demonstration, they were afterward.
"It was a pivot moment," said Dr. Anuja Sonalker, lead scientist and program manager at Battelle. "For the automakers participating, they realized, 'Huh, the barrier to entry was far lower than we thought.' You don't have to be an engineer. You can be a kid with $14."
She described the breach as more of a nuisance attack, and emphasized that, in this case, no critical safety functions, like steering, braking or acceleration, were compromised. But the incident underscored just how vulnerable cars have become.
Security analysts have long expressed concerns over the industry's preparedness in fending off a cyber attack. Those concerns have mushroomed in recent weeks, as German researchers infiltrated BMW's remote-services system and 60 Minutes demonstrated how another research team remotely commandeered control of a Chevy Impala.
Then last week, Sen. Ed Markey (D-Mass.) released a report that criticized automakers' preparations, noting only 2 of 16 car companies surveyed could describe how they would respond to a real-time hack of one of their vehicles.
Experts at Tuesday's conference, sponsored by the Center for Automotive Research, conceded the auto industry got off to slow start in responding to cyber weaknesses. But now, even as they approach the problem with more earnestness, problems remain.
For one, technology companies still have a grip on the experts who best understand cyber-security vulnerabilities in the automotive realm, and those problems are so new that colleges and universities aren't yet producing engineering students who understand the solutions. (Though we know of one student who deserves a scholarship in about three years).
"Those experts don't live in Detroit," said Shawn Slusser, vice president of the automotive business at Infineon.
Even if they were on hand, those engineers would need time to examine and re-draw the network architectures of their cars and bolster the security for every electronic control unit on a vehicle. In the product-planning life-cycle, it could take three to five years for those alterations to reach new vehicles. And that's to say nothing of the 230 million vehicles already on the road.
In short, the car-hacking problem will probably get worse before it gets better.
A 14-year-old boy may have forever changed the way the auto industry views cyber security.
He was part of a group of high-school and college students that joined professional engineers, policy-makers and white-hat security experts for a five-day camp last July that addressed car-hacking threats.
"This kid was 14, and he looked like he was 10," said Dr. Andrew Brown Jr., vice president and chief technologist at Delphi Automotive.
With some help from the assembled experts, he was supposed to attempt a remote infiltration of a car, a process that some of the nation's top security experts say can take weeks or months of intricate planning. The student, though, eschewed any guidance. One night, he went to Radio Shack, spent $15 on parts and stayed up late into the night building his own circuit board.
The next morning, he used his homemade device to hack into the car of a major automaker.Camp leaders and automaker representatives were dumbfounded. "They said, 'There's no way he should be able to do that,'" Brown said Tuesday, recounting the previously undisclosed incident at a seminar on the industry's readiness to handle cyber threats. "It was mind-blowing."
Windshield wipers turned on and off. Doors locked and unlocked. The remote start feature engaged. The student even got the car's lights to flash on and off, set to the beat from songs on his iPhone. Though they wouldn't divulge the student's name or the brand of the affected car, representatives from both Delphi and Battelle, the nonprofit that ran the CyberAuto Challenge event, confirmed the details.
If car makers weren't taking cyber threats seriously before the demonstration, they were afterward.
"It was a pivot moment," said Dr. Anuja Sonalker, lead scientist and program manager at Battelle. "For the automakers participating, they realized, 'Huh, the barrier to entry was far lower than we thought.' You don't have to be an engineer. You can be a kid with $14."
She described the breach as more of a nuisance attack, and emphasized that, in this case, no critical safety functions, like steering, braking or acceleration, were compromised. But the incident underscored just how vulnerable cars have become.
Security analysts have long expressed concerns over the industry's preparedness in fending off a cyber attack. Those concerns have mushroomed in recent weeks, as German researchers infiltrated BMW's remote-services system and 60 Minutes demonstrated how another research team remotely commandeered control of a Chevy Impala.
Then last week, Sen. Ed Markey (D-Mass.) released a report that criticized automakers' preparations, noting only 2 of 16 car companies surveyed could describe how they would respond to a real-time hack of one of their vehicles.
Experts at Tuesday's conference, sponsored by the Center for Automotive Research, conceded the auto industry got off to slow start in responding to cyber weaknesses. But now, even as they approach the problem with more earnestness, problems remain.
For one, technology companies still have a grip on the experts who best understand cyber-security vulnerabilities in the automotive realm, and those problems are so new that colleges and universities aren't yet producing engineering students who understand the solutions. (Though we know of one student who deserves a scholarship in about three years).
"Those experts don't live in Detroit," said Shawn Slusser, vice president of the automotive business at Infineon.
Even if they were on hand, those engineers would need time to examine and re-draw the network architectures of their cars and bolster the security for every electronic control unit on a vehicle. In the product-planning life-cycle, it could take three to five years for those alterations to reach new vehicles. And that's to say nothing of the 230 million vehicles already on the road.
In short, the car-hacking problem will probably get worse before it gets better.
02-20-15, 05:11 PM
#3
Lexus Champion
Here are some of my thoughts on this topic, as a mission- and safety-critical systems engineer.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
02-20-15, 05:24 PM
#4
Lexus Fanatic
Thread Starter
Here are some of my thoughts on this topic, as a mission- and safety-critical systems engineer.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
. This was simply an autoblog article that I found interesting, so I thought I'd share it. However, even if it doesn't justify a full-scale panic (and I agree with you that it doesn't).......it shows how sharp today's kids can be playing with computers and computer-parts. Teen-age hackers have done some pretty impressive things....even getting into top-secret NSA files, which are some of the most closely guarded in the country.
02-20-15, 05:38 PM
#5
The pursuit of F
Yeah, it shows that again and again, when technology exists to protect something, there is (or will be) a way to penetrate it.
If anything, this is great visibility for car manufacturers to take this seriously and invest in beefing up and keeping ahead of the hackers in the area of remote access security.
If anything, this is great visibility for car manufacturers to take this seriously and invest in beefing up and keeping ahead of the hackers in the area of remote access security.
02-21-15, 11:51 AM
#7
Lexus Test Driver
Hahaha
There was concerns with the Tesla as well in getting non critical systems breached (opening the sunroof or altering radio stations) so it is just a matter of time I suppose. But doubt anyone would go through a lot of trouble for just one car...
There was concerns with the Tesla as well in getting non critical systems breached (opening the sunroof or altering radio stations) so it is just a matter of time I suppose. But doubt anyone would go through a lot of trouble for just one car...
Trending Topics
02-21-15, 02:09 PM
#8
Lexus Test Driver
Hahaha
There was concerns with the Tesla as well in getting non critical systems breached (opening the sunroof or altering radio stations) so it is just a matter of time I suppose. But doubt anyone would go through a lot of trouble for just one car...
There was concerns with the Tesla as well in getting non critical systems breached (opening the sunroof or altering radio stations) so it is just a matter of time I suppose. But doubt anyone would go through a lot of trouble for just one car...
02-21-15, 02:55 PM
#9
Here are some of my thoughts on this topic, as a mission- and safety-critical systems engineer.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
1. This shows that anything is possible, given the will and the way. The will was the gathering of students and engineers for this white-hat ("good guys") hack-a-thon (to learn what is possible). The way was the shopping bag of electronics assembled into a homemade, specific-purpose circuit board.
2. It may be cheaper than you think to do the 'impossible'.
3. BUT, we should not all be incited into mass panic (as other threads in Car Chat have attempted to do) by this news.
While this exercise proved that it is possible to hack into a car's electronic systems, it also showed that a piece of special-purpose equipment (the homemade circuit board, plugged into some interface port, perhaps the OBD II port) is necessary to do so. What it proved is that if someone wants to hack into YOUR car's electronic systems, the bad guy must possess a special piece of electronics, must physically break into your car, and must physically plug this circuit board into some interface port of your car's electronics systems before starting to do his/her dirty deeds.
Why would someone want to go to all this time and trouble just to damage ONE car? If someone does not like you and wants to do you harm, there are other, easier ways to do so than to physically and electronically break into your car.
4. The auto manufacturers should learn from this exercise (and I have no doubt that they have) but it is no cause for alarm at this point. It is another "the sky is falling" story from writers that have little understanding of technology and automotive electronics.
^ I agree with you for the most part, but remember it was our lack of imagination that led to planes being used as missiles.
Somebody could hack one of those double decker Mega Buses that hold 80 people and cause it to crash. I doubt the bus has such electronic drivers aids like a new S-Class Benz to where the computer can take over steering completely, but I'd imagine it has some sort of anti-skid stability control to where you could hack the brakes or pin the electric throttle wide open.
Thread
Thread Starter
Forum
Replies
Last Post
LexFather
Car Chat
1
07-18-09 10:54 PM
Gojirra99
Car Chat
12
01-15-08 07:45 PM