Car Hacking Research Accelerates At UC San Diego
Thursday, October 29, 2015
New legal protections issued this week are emboldening San Diego researchers who tinker with cars to find the security flaws that make them vulnerable to hacking.
Researchers who tinker with cars to find their security flaws were emboldened this week when the U.S. Copyright Office issued new legal protections covering their activities.
That includes a team of UC San Diego computer scientists who've shown that all kinds of cars — from the eco-friendly Prius to the flashy 2013 Corvette — can be vulnerable to hacking.
A few days before the Copyright Office made its decision, Karl Koscher was in a quiet parking lot on the eastern edge of the UC San Diego campus getting ready to break into a car. He wasn't going to smash its windows or jimmy its locks. He just had to send it a text message.
Tugging on the locked door of a white, 2010 Toyota Prius, Koscher said, "We're going to send it a command to unlock the door."
His colleague, Ian Foster, typed a command into his laptop and sent it over the cellular network as an SMS message. Within a second or two, the car's locks clicked.
"There we go," Koscher said, opening the door. "We're in the car."
Koscher and Foster aren't car thieves. They're co-authors on a research paper that explains how they were able to hack this car — with the owner's consent.
In this case, the car's weak point was a device plugged into what's called the OBD-II port. If you drive a U.S. car made since 1996, your car has one of these federally mandated ports just under the steering wheel. And in newer cars, that port leads directly into an onboard network that acts sort of like a vehicle's brain.
"Most cars are architected the way that this one is," Koscher said. "If you plug into this port, you can take almost total control of the car."
The device itself was a little mile-tracking dongle used by some car insurance companies to sell coverage by the mile. Koscher said its security is really flimsy. He can send the device software updates, sweet talking it into letting him do just about anything with the car.
"Once our program is on the dongle, it connects back to us over the internet through the cellular network, and we can send it commands," Koscher said.
He doesn't have to be anywhere near the car to send those commands. "We don't even have to be in the same country," he said.
Once he's in, it's pretty much open sesame. Koscher took the car for a spin to demonstrate how hackers could mess with the dashboard display.
"So we're going along, and the fuel gauge is about 75 percent," he said. Then the car let out a disconcerting beep. "And now it's empty."
The fuel gauge flashed at zero percent for a moment before returning to normal.
Hackers could also lay on the horn. Foster typed another command, and the car horn started blaring. Above the noise, Koscher said, "And now it won't stop until we send a command to turn off the horn."
In a previous demo, the UC San Diego researchers were even able to cut the brakes in a slow-rolling Corvette.
"You could do all sorts of things to spook out the driver," Koscher said.
Now, these researchers don't want to spook out drivers. They want companies to patch the flaws they and other security researchers are finding.
But the auto industry has argued that anyone messing with copyrighted car software is violating the Digital Millennium Copyright Act — or DMCA. So, was what Koscher did to this Prius strictly legal?
"We believe so," he said. "We think we're in the clear."
But Koscher did admit, "I think some people would like to interpret the DMCA to say that parts of what we did might have been illegal. But that's not our interpretation of it."
On Tuesday, security researchers had their interpretation supported by the U.S. Copyright Office. They were granted exemptions from the DMCA, allowing them to hack into car systems without fear of breaking copyright laws. The auto industry opposed those exemptions.
"What makes them nervous is the uncontrolled nature of independent researchers finding stuff," said computer science professor Stefan Savage, who oversees car security research at UC San Diego. In 2010, his research showed that cars outfitted with OnStar could be almost completely taken over.
"The auto industry has come down pretty strongly saying we want to keep these restrictions in place, because it's not safe to allow hackers to look at this stuff. So it should continue to be illegal," Savage said. "And, taken on its face, that would make basically all the kinds of research we do illegal."
Savage and his team won't have to worry about that accusation once the new exemptions security researchers won this week go into effect. The Alliance of Automobile Manufacturers, a lobbying group that opposed those exemptions, declined an interview with KPBS. But the Copyright Office noted in its decision:
"Opponents asserted that the proposal presented serious public health and safety concerns. For example, opponents claimed that information obtained by engaging in security research could be used by bad actors to hack into highly regulated machines and devices, including medical devices and vehicles."
As for what this all means to drivers, Savage said car hacking hasn't reached the point where the average person needs to panic.
"I wouldn't lose any sleep about it, and I wouldn't pick what car to buy based on that at this moment," he said.
"Do I think that means that no one should be worried about it? No, I think that's a huge mistake. I think the car industry has the luxury, which is so rare, of having five to 10 years of advanced warning to get their act together before there are real and serious attacks."
Savage said what will keep drivers safe is more research, and a car industry that's open to criticism.
To view PDF documents, Download Acrobat Reader.