On balance, maybe I’ll take the bike

Wow! Impressed by your vehicle’s sophisticated electronics? Well, have a look at this.

We conducted our computer security analyses on two modern cars. These cars were introduced into the U.S. market in 2009 and are of the same make and model. We determined that someone with access to the internal network in the car could use his or her own computer equipment to take over a broad array of safety-critical computer systems.

For example, in live road tests, we were able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we were able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly. We were also able to control the lighting within the cabin, the external lighting, the vehicle’s dash, and so on. A full description of the road tests is described beginning on page 11 of the IEEE Symposium on Security and Privacy paper (PDF).

We stress that all our experiments focused on what an unauthorized party could do if they had the ability to access the car’s internal network (e.g., via physical access to the car). For example, that unauthorized party might plug in a computer to the standard OBD-II diagnostic port under the dash. Clearly the risk in this scenario is low — it implies that someone already has physical access to the car — which is one reason we think consumers should not be alarmed by our results.

But our concern is that the increasing use of externally facing wireless interfaces may increase the risks for future vehicles and provide a way for someone to remotely access the car’s wired network. Hence, even though it may be challenging — and unlikely — for an unauthorized individual to perform the actions we describe in this paper, it is still important to understand them so that we can develop solutions that will continue to be robust even as our cars become increasingly connected.