Security Firm Hacks A Car With A Text

Two researchers at the security firm iSEC Partners recently uploaded a YouTube video that shows them unlocking a 1998 Subaru Outback and then starting the engine — all by way of a laptop. Robert Siegel talks to Mat Solnik, one of those iSEC researchers, about how it's done — and what the bigger implications could be.

Copyright © 2011 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

MELISSA BLOCK, host: From NPR News, this is ALL THINGS CONSIDERED. I'm Melissa Block.

ROBERT SIEGEL, host: And I'm Robert Siegel. It's now time for All Tech Considered.

(SOUNDBITE OF MUSIC)

SIEGEL: We've all heard about people hacking websites, cell phones at company databases. Well, now drivers beware, it is also possible to hack into a car.

Driving and texting just got a little more interesting. Two researchers at the security firm iSEC Partners recently demonstrated unlocking the doors of a car by overriding its alarm system and starting the engine all by sending the car a text message.

Matthew Solnik is one of those researchers at iSEC and he joins me now from San Francisco. Welcome to the program.

MATTHEW SOLNIK: Thank you.

SIEGEL: And first, explain to us how can you hack into a car by sending a text message.

SOLNIK: Well, these cars are connected to the M2M, which is the machine-to-machine GSM cell phone network. And with that, they can be communicated with over that network. By sending certain commands, we are able to then unlock the doors, start the car and things like that.

SIEGEL: Drive the car, move it?

SOLNIK: There are cars coming out that do have remote drive capabilities, but we have not played with them yet.

SIEGEL: Now, we're not talking about somebody's 1971 Dodge Dart out there. You're talking about cars that are equipped with technology that you are, in effect, turning against the car here.

SOLNIK: Correct. The cars have to be equipped with more or less a cellular modem, something that allows them to connect to the cell networks.

SIEGEL: But by sending a text message, you're communicating to a car. Cars have telephone numbers, you're saying.

SOLNIK: Correct, yes. A lot of vehicles have telephone numbers now. You know, it's not advertised but that's how they communicate with the kind of home office per se, of, you know, like OnStar or Ford SYNC.

The features that they bring are pretty amazing, you know, being able to contact the police if you're in an accident, or have someone remotely unlock your car if you leave your keys in it. These are amazing features. We just want to make sure that they are implemented properly and securely.

SIEGEL: Now, you and your colleague at iSEC were doing this to demonstrate a vulnerability and to help, I guess in this case, manufacturers of cars and car components protect against such things. But what are the implications beyond car theft of what you've demonstrated here?

SOLNIK: Well, we did the cars to show a proof of concept, to show that it could be done. The bigger issue is the same chipsets are used across the board in manufacturing, in power grids, water treatment centers - all with the same kind of vulnerabilities.

SIEGEL: The car that you're actually start on the video that I watched online, you had actually added up-to-date equipment so that you could do this to it. Could that equipment have been encrypted in some way so it would have kept you out?

SOLNIK: Yes. Yes. The manufacturers have actually been very good since we started contacting them about fixing the issues, you know. The problem is a lot of these chipsets were designed to be easy to use, both on the manufacturer side but that also means that it's easy to use from an attacker's point of view.

SIEGEL: Well, Mathews Solnik, thanks a lot for talking with us about this.

SOLNIK: Thank you so much, Robert.

SIEGEL: Mat Solnik is a researcher and consultant at the security firm iSEC Partners in San Francisco. On the topic of vulnerabilities in the power grid, he told us that his company has had extensive discussions with the Department of Homeland Security.

Copyright © 2011 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.