Hacking Under the Hood and Into Your Car

Automakers are making cars "smarter" by including more computerized features —but these features are also opening up cars to hackers. Security specialists Charlie Miller and Chris Valasek discuss how they were able to tap into car computer systems and control the horn, steering wheel, and even the brakes.

Copyright © 2013 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

IRA FLATOW, HOST:

As I say, have you ever noticed how cars are becoming more computerized or smarter, like you can make a call through your steering wheel and have your car parallel park for you? You can even hit the brakes. It will even hit the brakes automatically to stop short of hitting that kid running after the beach ball in the street. And there are - and, of course, these are all controlled by computers. And where there are computers, there are hackers. Can someone hack into your car and take over those computers, perhaps for evil purposes? Yes, they can.

My next guests hacked into a Ford Escape and a Toyota Prius to figure out their weaknesses and their - joining me now from the Def Con hacking conference in Las Vegas where they just stepped off the stage from presenting their results. Charlie Miller is a security engineer at Twitter, and Chris Valasek is director of security at IOActive. Welcome to SCIENCE FRIDAY.

CHARLIE MILLER: Thanks for having us.

FLATOW: Hey there.

CHRIS VALASEK: Thanks, Ira.

FLATOW: I was just watching the video of you guys hacking into a Prius in a parking lot.

MILLER: Yeah. It's been a fun trip so far.

FLATOW: How do you do that? How did you do that?

MILLER: So if I really wanted to attack your previous guest's Prius, what I would want to do is two steps. The first step was I would have to remotely attack one of their, like you mentioned, the Bluetooth that allows your phone to talk to your car. So I would do - we need a remote attack first. And once I had compromised any piece of - any electronic on your car, then I would be able to send messages to the other computers in your car to make them do things. Our research focused on that second thing because the remote has actually already been done a couple of years ago by some other researchers.

So for our research, we said let's suppose you already have a remote attack, what do can you do the car? And like you said, you can do a lot of crazy stuff like control the seatbelts, control the speedometer, honk the horn, yank the steering wheel, engage the brakes. You know, the possibilities are endless.

VALASEK: And it's not going away anytime soon. More and more computers are being added to cars that do more and more things. The functionality really is going to be complete control by the computer network sometime in the near future.

FLATOW: So you're going to be - like in these fighter jets, you don't fly the jet. You fly the computer, and the computer drives the car in this case.

VALASEK: Yeah. I hope so. I mean one of the things that we didn't want out of this is to have car manufacturers stop putting these cool new gadgets in cars because we like that. We just want them to do it in a secure way.

FLATOW: And so you're out there sort of to show them where the weaknesses are.

VALASEK: Yeah, we'd like to point out that if someone were to remotely compromise your car, as Charlie talked about before, there's a lot of safety critical functionality that's computer controlled and can be forged when you're already on that network. So you don't want to people to, you know, be able to control these things, but no one's really talking much about it or releasing much information, and we figure we'd start doing that.

FLATOW: 1-800-989-8255 is our number, if you want to talk about hacking into your car. So you think you want to get the conversation going so we can be ready for when the day we need it?

VALASEK: Exactly, so that was a big part of our research was to make sure we released everything in an open manner, and we're releasing a paper and all our code, and the hope is that other researchers will get involved, and we can all work together to make cars a lot safer than they are now.

MILLER: But we want a lot of researchers to be able to repeat this work, and then we can all work together.

FLATOW: So far we've talked about the Toyota. What about the Ford Escape? What did you find you could do with the Ford Escape?

VALASEK: So similar things, but the Ford Escape we had did not have quite as sophisticated electronics as the Prius. So it limited the attacks that we could do. So on the Ford we could do things like speedometer, of course, odometer, GPS. We could make the lights all turn off. We could engage the brakes if you were stopped.

And the scariest thing we could do is we could actually make the brakes not work if you were going slowly, so like five miles an hour or something. So you can imagine pulling into a parking spot or going to a crosswalk and, you know, the attack happens, now the brakes aren't working, and you're still driving, and there's nothing you could do.

FLATOW: And how could, if someone really wanted to hack in, how could they get into the car without you noticing it or knowing about it?

VALASEK: Yes, there's so much in the car, too, that is - communicates wirelessly. Cars have tire pressure monitoring systems that monitor the pressure of each individual tire. So that's a method you could get in. As you talked before about making a phone call from your steering wheel, you know, that's Bluetooth. The telematics unit, you know, your entertainment, infotainment systems, are now having Wi-Fi-enabled access points in the car. So there's more and more attack vectors the more technology that gets put into these things.

MILLER: And also, another one is like the telemax unit, like OnStar, that you would have in your car.

FLATOW: You could get in through OnStar?

MILLER: I don't know if anyone's done that, but it's a theoretical way you could do that.

VALASEK: Yeah.

FLATOW: Wow, what about through you CD, the old-fashioned CD slot? Any way you could get in there?

MILLER: Yeah, academics actually performed that attack in their research. So that's a very real possibility.

VALASEK: In 2011 they had a CD that if you put it into the car stereo, it's - any other stereo it sounded like real music, but you put it into the car stereo of the car that they were looking at, and it actually exploited the radio, and then it was able to do the same kinds of things we were able to do inside the cars.

FLATOW: This is really spooky. Hang around guys, we're going to take break, and we're going to come back and talk more with Charlie Miller, a security engineer at Twitter; and Chris Valasek, who is director of security at IOActive. Our number, 1-800-989-8255. You can tweet us with questions about security for your car @scifri, you can tweet us there, also on our website at sciencefriday.com. And we'll be back after this break, so stay with us.

(SOUNDBITE OF MUSIC)

FLATOW: I'm Ira Flatow. This is SCIENCE FRIDAY. We're talking this hour about hacking. My guests are security experts Charlie Miller, he's a security engineer at Twitter; Chris Valasek, he is director of security at IOActive. Our number, 1-800-989-8255.

Did you gentlemen discover, were you surprised by how easily it was to do all these things?

VALASEK: I wouldn't call it easy. It actually - we've been doing this research for 10 months now. So it's not like we stepped in the cares for a weekend and had complete control of them. It takes a lot of research and a lot of time to do the type of attacks that we did.

MILLER: It wasn't easy, but I guess we were surprised at the amount of different things that we could actually accomplish.

FLATOW: Yeah, getting in through the tire pressure valve mechanism. Wow.

VALASEK: Yeah, that's not something we did, but again it's something that communicates with this computer network and has some kind of external existence on the car. So really anything that communicates with the outside could potentially be used as an attack vector.

FLATOW: Now in Europe, Volkswagen hacker - took hackers to court who were going to release codes to cars like you did. What has been the response from Ford and Toyota to your dealings with their automobile?

MILLER: So luckily Ford and Toyota did not take us to court, so that's good. But their response has basically been that they are focusing on the remote attack part of the equation, and they don't necessarily care about the second part of the equation, which is, you know, controlling the car from - you know, any one computer controlling all the rest of the computers.

So obviously we're concerned with the entire safety of the car and security, so from - we think there should be a layered approach where, you know, not only is hard to attack the car, but once you attack the car, it's also hard to, say, crash the car. But, you know, right now they're really focusing, they said, on the remote aspect.

VALASEK: (Unintelligible) manufacturers have started doing this as well. They want you know, they assume that eventually they'll be attacked, so you want to make it hard for the attacker to do something after he's already in.

FLATOW: But on the video I was watching of you, you were actually able to steer the car also.

VALASEK: Yeah, absolutely. We had control over steering, braking, acceleration, lack of braking in the Ford's case. So we could really do just about anything that the car would do with our computer code.

MILLER: Right, and it's quite scary. I was driving along, and Chris, you know, going maybe 40 miles an hour, and Chris would just yank - with the computer, he would tell the computer to turn left, and it would just yank the steering wheel right out of my hand and turn us left, you know, off the road.

FLATOW: Wow, wow, let's go to the phones, 1-800-989-8255. Sam(ph) in Cincinnati, hi Sam, welcome to SCIENCE FRIDAY.

SAM: Hello, I had a quick question. Like a lot of people, when I heard the story I thought of "Minority Report," where there were remote control cars, and the police were involved in stopping Tom Cruise's car. And I was wondering if you gentlemen had been approached by law enforcement regarding this issue. I'm sure they'd be giddy about the idea of being able to stop people's cars remotely.

FLATOW: Interesting question.

VALASEK: Yeah, so we actually have the functionality that we refer to as the car immobilizer. We can clamp the brakes of the Prius and it stops the car. Also even if you press the acceleration pedal, you still can't move. So we have that ability, but we haven't been approached by any law enforcement people.

MILLER: I believe OnStar has that ability, as well, and actually work with law enforcement sometimes.

FLATOW: Oh, they're stopping the car. Well there you go, Sam, it's already happening.

SAM: Great, thank you.

FLATOW: You're welcome, 1-800-98-8255 is our number. Let's go - keep going to the phones. Ben in Tarrytown, Hi Ben, welcome to SCIENCE FRIDAY.

BEN: Hey, how's it going?

FLATOW: Hey there.

BEN: Hey, I was just wondering if anyone ever stops your car, when the brakes are working, I mean, and you got into an accident, is there any evidence left behind that can be used to prove you innocent?

VALASEK: Yeah, that's a question, the question of sort of forensics after the fact. And all of our attacks, there might be, if you did the remote aspect, there might some forensics there. But all of our attacks leave no trace at all. We're just sending messages that once they're received, they're acted on, and they're not stored anywhere. So yeah, you would - there wouldn't be any evidence that anything had happened with what we did.

FLATOW: So there's no little black box that keeps track or recording of the signals being sent to the various brakes, wheels, things like that?

VALASEK: No, when there's an error with one of the computers, those may be stored somewhere, but what we're doing is just kind of simulating what naturally happens in the car. So there's really no evidence that it ever occurred.

FLATOW: So how do you take your research further from here? What do you want to do next?

MILLER: Well, one of the things that we'd like to do is, as we said, get more researchers involved and get more eyes on this problem so that, you know, we can be safe in our cars. And the biggest obstacle to us and almost any researcher is you need a car to do this, and, you know, cars don't come cheap.

So one of the things we're working on is trying to get some way to get all the computers out of a car and package them up in a way that maybe for a couple thousand dollars a researcher could, you know, buy this and do all the same research that we would have in our real car except, you know, they wouldn't have to actually buy a car.

VALASEK: Yeah, you can buy - you can go on eBay and buy old, used computers from the cars from a salvage yard and be able to hook them all up and do the kind of same research we're doing right now, but you don't have to spend, $40,000 on cars.

FLATOW: Could you not have a car simulator that you could put on your Mac or your PC instead of going to buy the guts of the car?

MILLER: You could, but the problem is all the sort of interesting things happen in the very low-level proprietary things that are very manufacturer specific, and so you really need the actual computers, called ECUs, from the cars to know how to handle all these weird error conditions that we're taking advantage of.

FLATOW: Is there any way for anybody to prevent this from happening, at least the wireless part, at the moment, or are you just, you know, you can't put the tin foil beanie over your car?

VALASEK: No, no, there's no tin foil hat for the cars as of yet. So right now if you were to remotely compromise a car, you kind of have full remote access to it. That being said...

MILLER: Yeah, yeah, so I mean that's one of the scary parts if there's not much you can do as a driver. So we really need to get the manufacturers to make changes to make the cars safer because as a user, you're just trusting that the cars are going to work in a safe fashion.

FLATOW: Here's a tweet from David Henry(ph) who says: Does the fact that most cars run on proprietary software make them harder or easier to hack?

VALASEK: I wouldn't say harder or easier. It's just a matter of time. You know, Charlie had a Ford, and I had the Toyota, and we both figured out all the messages that we really needed to make control. So it's not a matter of being difficult, it's just a matter of spending the hours, I think.

MILLER: Right, and each, the Ford or the Toyota, the actually messages were completely different.

FLATOW: Do you think it's just a matter of time until someone actually gets hacked, I mean, and we'll see an accident or some result of it?

MILLER: I hope not. I mean, that's why we're doing this research now instead of waiting for someone to get hurt. Like we want to get things fixed now before there's a problem. I hope that this is never a problem for anybody.

FLATOW: Well, I want to thank you guys for taking time to be with us, and good luck to you, and good luck at the meeting. What kind of response have you been getting?

VALASEK: The people here seemed to think it was great. So we're happy about that.

FLATOW: Yeah, OK, good to you, thanks again.

MILLER: Thanks for having us.

VALASEK: Thank you.

FLATOW: You're welcome Charlie Miller, security engineer at Twitter; and Chris Valasek, director of security intelligence at IOActive.

Copyright © 2013 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.