How you learn to hack a car
LAS VEGAS -- At first glance, the Las Vegas ballroom looked like the set of an auto show: three cars in the middle of a room filled with a rumbling crowd.
But behind the vehicles were rows of tables filled with car parts connected to laptops. Seated at the stations were hackers watching screens flashing as they learned just how the computers inside the cars work -- and how they could break in.
The "Car Hacking Village" at the recent DEF CON cybersecurity conference was just the latest reflection of how security experts are scrambling to keep up with risks posed by the new technology that now come standards in most cars. Industry researchers recently found flaws in the Tesla Model S and the Jeep Cherokee, giving the issue more urgency.
Learning to hack a car isn't simple. Finding the right car to experiment on can be expensive, for example -- and you need to figure out how its computer systems work. At the Car Hacking Village, researchers got hands-on experience with cars' digital systems. But the goal isn't just to manipulate the technology, it's to help find problems so they can be fixed.
DEF CON has long included spaces for participants to practice hacking skills and attend small talks about the latest technology and methods. But this was the first year for the Car Hacking Village.
The threat posed by car hacking is "finally hitting mainstream, and people are starting to care about it now," said K.C. Johnson of CanBusHack, a car security firm, who was helping oversee the village.
Attendees learned to remove vehicle panels on two rental cars in order to practice gaining physical access to electronics. (They weren't allowed to actually hack the cars, and the panels on a Tesla Model S stayed intact.)
The main attractions were the demo stations with used vehicle electronic systems -- including an unpatched Uconnect console. That is the system researchers Charlie Miller and Chris Valasek were recently able to leverage to remotely shut off the brakes and engine of a Jeep Cherokee, perhaps the most high-profile car hack in recent memory.
The networks inside cars are not much different than a the ones inside your laptop, said Craig Smith, chief executive of Seattle-based Theia Labs, who was helping run demos at the village. Smith says he consults with a handful of automakers on security issues but can't say which ones due to non-disclosure agreements.
Picking the right car to hack is a kind of science. Something too old may not have enough digital systems to really do a lot of damage. Smith says he looks for cars with as many automated features as possible, such as adaptive cruise control and assisted parking, because those indicate that computers have a lot of access to actual driving systems; He also seeks out cars that include multiple wireless ways of connecting to the vehicle -- like WiFi or BlueTooth. Those create "attack surfaces" -- potential ways into the vehicle.
"We've bolted on capabilities that connect to the outside world -- it's basically a gateway," Smith said.
Once an attacker accesses a car's internal computers they typically look for ways to access the CanBus -- the system generally used by vehicles to control things such as the brakes, engine and steering. Because these systems weren't designed to be connected to the outside world, they usually accept almost any commands they receive, he said. That can be a major safety concern if the CanBus isn't kept separate from the car's other systems, which often feature wireless connections, Smith said.
At the Car Hacking Village a model CanBus system was attached to several laptops. Attendees could watch as orders were sent across the system and see which parts of the model reacted -- and send their own. While the CanBus is standardized, car-makers use their own proprietary code on top of it, so figuring out how to digitally control a vehicle often involves a lot of observation and trial and error, said Smith.
The Car Hacking Village served as a gathering place for people inspired by some of the blockbuster car hacking presentations at the conference. Valasek and Miller's remote Jeep hack drew a massive crowd both at DEF CON and at Black Hat earlier this week. And a presentation on vulnerabilities inside Tesla's Model S was also packed.
Tesla, which organizers said provided the Model S in the Car Hacking Village, is trying to position itself on the forefront of digital car security. The company has a "bug bounty" program that rewards hackers who report serious flaws in its products with up to $10,000.
The company's chief technology officer, JB Straubel, came up to thank researchers Marc Rogers and Kevin Mahaffey, who discovered vulnerabilities that let them take over certain parts of a Tesla Model S if they had physical access to the vehicle first, at the end of their presentation. Straubel gave them Tesla "challenge coins" at the end of the talk -- a sort of physical kudos based on a military tradition. (The company has already released fixes for the issues.)
But the reaction to the Tesla presentation exposed a bit of a rift in the car hacking community. Miller, one of the Jeep hacking presenters, thought Tesla's involvement in the presentation was a little much. He took to Twitter to say it almost seemed like an advertisement for the company's approach to security.
The Tesla car hacking talk felt a bit like an advertisement for @TeslaMotors security. Couldn't handle it when Tesla CSO got on stage.
Josh Corman, the founder of I am the Cavalry, a group that tries to push Internet of Things companies to better security practices, thinks it's a good thing that Tesla showed up. He also worried that the live highway test used to show off the Jeep hack, featured in a Wired article that unveiled it, might make automakers question the maturity of the hacking community.
But Miller and Valasek did get results: After the Wired article, Fiat Chrysler recalled 1.4 million Jeep Grand Cherokees, Chrysler sedans, Ram pickup trucks and other vehicles effected by the problems.
"Hackers make a difference," Valasek said during the pair's presentation at DEF CON.