How dangerous is a rootkit for automobiles that enables the new root to:
- honk the horn
- brake at high speeds
- kill power steering
- spoof the GPS
- alter speedometer/odometer displays
while using a GSM cellular rado?
Lisa Vaas reports in Hackers to demo a $20 iPhone-sized gadget that zombifies cars that:
At Black Hat Asia next month, two Spanish security researchers are going to show a palm-sized device that costs less than $20 to build from off-the-shelf, untraceable parts and that, depending on the car model, can screw with windows, headlights and even the truly scary, make-you-crash bits: i.e., steering and brakes.
The upcoming demo, colorfully titled “DUDE, WTF IN MY CAN!“, is being given by Javier Vazquez-Vidal and Alberto Garcia Illera.
In case you are already looking for your travel site, Black Hat Asia Registration has the details.
Lisa also points to the response of the National Highway Traffic Safety Administration (NHTSA) to reports of the vulnerability of automobiles to hacking:
While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any consumer incidents where any vehicle control system has been hacked.
On the day before 9/11 NHTSA could have equally said:
While increased use of air travel is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any incidents where any plane has been flown into a commercial building. (Fictional – Did not happen.)
After the Black Hat conference, watch for the United States Congress to do something remarkably ineffectual, like prohibiting the possession of automobile rootkits.
Making an automobile rootkit illegal is going to deter someone committed to mass murder? You bet.
Enforcing existing liability statutes on manufacturers who design and market products with known security flaws, that could result in safer generations of cars, at least in the future.
The large mass of existing vehicles will remain vulnerable to such attacks so now would be a good time to start collecting information on the nuances and crannies of such attacks. For liability purposes if nothing else.
Check out Lisa’s post and then see Can bus (controller area network) at Wikipedia as starting points.