Hacking a Car With Music 133
itwbennett writes "Researchers at the University of California, San Diego, and the University of Washington have identified a handful of ways a hacker could break into a car, including attacks over the car's Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops. But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. 'It's hard to think of something more innocuous than a song,' said Stefan Savage, a professor at the University of California."
Hackers can turn your home computer into a bomb! (Score:5, Funny)
Re: (Score:3)
When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade
Re: (Score:2)
LOL, funniest part about that story:
When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade
And turn into a cloud.
Re:Hackers can turn your home computer into a bomb (Score:4, Funny)
Would that be Mushroom Cloud computing?
Re: (Score:2)
Would that be Mushroom Cloud computing?
One more hot number and it goes up like Hiroshima.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Keep in mind the source.
It's actually a Weekly World News article (Score:2)
It originally comes from these guys, back when they still did print [weeklyworldnews.com]
Re: (Score:3)
Case in point : the development monkeys recently tested a product release on a 1280x1024 (or thereabouts) screen and passed i
Cars are the new assassins? (Score:2)
Uh, what? (Score:5, Interesting)
Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.
Re:Uh, what? (Score:5, Informative)
Newer cars with integrated stereos hook them up to the car's CAN bus. From there all bets are off.
Re: (Score:1, Offtopic)
Offtopic: I love Republicans/Regressives! [regressives.com]
Re: (Score:3)
Re: (Score:3, Interesting)
Even from the CAN bus your largest attack would be messing with fuel economy. The communications on the CAN bus are usually quite secluded from any form of digital engine control.
For example, the Oxygen and MAP sensors might broadcast on the CAN bus, and you may be able to spoof them so in the ECU it causes an engine light or bad fuel economy. Beyond that, the CAN bus is pretty much just information being sent about the status of things. There is usually no control taking place via those connections. All co
Re: (Score:1)
You are very wrong. You should read the posted paper.
Re: (Score:2)
It turns out that the links in the article don't actually take you to the paper. So, where is the paper? The article is too short on detail to find out what this is really about?
Re: (Score:3)
That's simply wrong. Lots of safety relevant systems, like ESP, communicate via CAN (or FlexRey in more modern cars). So, in theory, if you hijacked the whole bus you could pretty easily kill everyone inside the car. In praxis, however, it's not quite that simple. e.g. the bus driver of a FlexRay bus will electrically prevent sending any data outside of your designated timeslot, so you can't override data send by other ECUs. (Not to mention that the only place data from the entertainment system and from saf
Re:Uh, what? Nonsense! (Score:1)
My car - a toyota - has 2 can buses which are isolated. The stereo/satnav sits on one, vital systems sit on the other - never the twain shall meet. Sensationalist reporting as usual...
Re: (Score:2)
Your car will probably have a lot more then just two busses. It will probably even have ECUs that are conected to more then two busses. However, I'd guess that in theroy the network of ECUs and busses will be fully connected, e.g. most systems report data to the dashboard, so that will be a point where many busses will meet. (Not that this would help taking over the bus or safety relevant systems in any relevant way)
Re: (Score:2)
From one point of view, it is isolated. The car is not connected to any other devices.
From another, the components are not isolated from each other for all kinds of reasons. The CAN bus hosts all kinds of things that might care about each other. Door locks talk to lighting systems. The tire pressure sensors talk to the dashboard. The speedometer talks to the stability controls. The stability controls tie into the braking systems. The stereo shuts off when the doors open. The stereo could even increa
Re:Uh, what? (Score:4, Informative)
Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.
If your car uses the CAN-bus for stereo controls, and has only a single CAN-bus, then yeah, you can probably hack the security, which is integrated into the PCM, from the stereo.
Re:Uh, what? (Score:4, Interesting)
I've never seen a keyless entry system connected to a CAN bus.
I have in no way worked on all cars out there, but that would be what we with common sense call 'poor system design'.
Re: (Score:2)
In virtually all cases the factory security is integrated into or at least closely with the PCM so that it can control starting (or not) at the source. This is especially true when the car has a special key required for starting. The PCM is on the CAN bus. QED.
Re: (Score:3)
Newer VWs have the following things all on a single CAN bus (and there actually is a justification for it):
Engine control unit
Transmission control unit
Anti-lock brakes/traction/stability control (and these can actually command the ECU to accelerate or decelerate)
Instrument cluster (this one can command the ECU to shut down, if it thinks the car is stolen)
Radio
Climate control
Central convenience module (handles remote locks, power windows, and things like that)
Airbags
Electric power steering
So, the reason for
Re: (Score:2)
And they actually share the address space without any network segmentation and routing? You know, CAN has something between a NAT and a network bridge - can't remember the term used by the spec right now - which was designed to allow controlled routing between parallel networks precisely for such things as this. I can't believe they wouldn't use that. For example, new Citroen C5s use such routing to separate vital and non-vital networking while allowing certain devices to communicate cross-network for reaso
Re: (Score:1)
And they actually share the address space without any network segmentation and routing? You know, CAN has something between a NAT and a network bridge - can't remember the term used by the spec right now.
What is employes in most cars are CAN Gateways, which are able to route Messages between different Networks or even different Bus systems (think CAN/LIN gateway).
On a single bus, the Messages (read: Packets) go to every device on the bus, where local acceptance filters decide whether to accept it or not. These filters are usually defined in Software so if I can take control of the Stereos CAN Stack, I am able to listen to every device on the Bus, as well as to mimic every other device. Since CAN Messages ha
Re: (Score:2)
And they actually share the address space without any network segmentation and routing?
You mean like early computer networks? Network segmentation and routing isn't enough to keep you secure, so now we even have firewalling. A programmer who is CAN-savvy could probably make some money right now rolling a portable firewalling framework.
Re: (Score:2)
The thing is, that those "gateways" can be smart and only allow certain packet types between certain senders and receivers. It is a kind of a very simple firewall, actually. In a C5, it most likely restricts communications only to those packets that were intended to be used by design, so it should let the airbag controller send a 112 request to the stereo, but not let the stereo deploy airbags spontaneously, even if the controller actualy does support triggering over CAN (I have no idea wether it does). I d
Re: (Score:2)
The thing is, that those "gateways" can be smart and only allow certain packet types between certain senders and receivers. It is a kind of a very simple firewall, actually.
Sure, that's the idea, but I don't think those gateways are very smart yet.
Thus, we have another good reason to use network separation, or at least signal-level repeaters immune to shorts and noise.
To my mind, it makes zero sense to use such an approach, and it makes more sense to simply have multiple CAN (or other) buses, and either actually route messages (with firewalling) inside the relevant module, or not use CAN in such a way. Cars are not yet so complicated that this will lead to a significant increase in cost. I DO anticipate that eventually every sensor will be a computer (really a microcontroller and as little else as
Re:Uh, what? (Score:4, Informative)
can bus
http://en.wikipedia.org/wiki/Controller_area_network [wikipedia.org]
course it all depends on what your car has in it, my 06 kia not a big deal as my stereo is not connected to it, much like you mention above, my mom's 2011 jeep on the other hand, you cant even unlock a door without talking on it
Re: (Score:1)
Yeah, it's for the more integrated systems I suppose. I had a few cars over the years that the factory deck held at least part of the "brains" too, so I couldn't just mash in any ol' after market unit.
Especially at risk would be something like the Ford Sync systems. But, this CD with magic code method would require the ne'r do weller to be *in* the car, presumably with the ignition at least in ACC, to pull off. The bluetooth hacks are more ominous. If someone could send a malformed BT packet storm and pop t
Re: (Score:2)
But, this CD with magic code method would require the ne'r do weller to be *in* the car, presumably with the ignition at least in ACC, to pull off.
What TFA doesn't say is if the hacked music file was an MP3 (which many modern car stereos can play directly) or a plain audio CD. A hacked MP3 could be pushed out on a p2p network.
Granted you'd need a bit of a perfect storm - someone who uses P2P to download the hacked MP3, to burn it direct to a CD for in-car listening and to have the exact model and revision of parts in their car necessary. I can't see it being terribly likely on its own.
Re: (Score:2)
Nice way to put it. I find it hard to believe that there could be a flaw in handling of uncompressed audio data that could be used to take control over the CD player in the first place. If we are talking about the standard stereo 16 bits per sample audio, then it is unlikely to have a flaw in the code to handle it for too reasons. It is ******* simple. There are no possibility of the code to handle it having forgotten to check for invalid inputs, as every possible combination of
Re: (Score:2)
These days, car stereos are not car stereos, they are stereos + MP3 players + iPod docks + navigation systems + bluetooth car kits + emergency help systems and more.
And a lot of this stuff needs to talk to the cars sensors and systems (e.g. these systems may require knowing how fast the car is going or the like)
Re: (Score:2)
It's not a big stretch to assume their electronics are designed by the lowest bidder.
The fact that such a device would run arbitrary code from a music file, that tells me today's programmers really are as idiotic and useless as I assumed. It's music, decoded by some type of finite state machine. There is no dynamic execution, it should treat "trojan code" like any other bits in the input stream and play them as static noise, or skip them if the checksum fails. The decoder shouldn't even be capable of sma
Re: (Score:3)
The fact that such a device would run arbitrary code from a music file,
It can't. There is *no possible way* that you can send a malicious audio track to mess about with the car's electronics. The article is totally on crack.
What you can do on most cars with multiplexed (CANBus) electronics is put new firmware onto various systems from a CD. Rather than recall a batch of cars to do an update, you can just pop a CD in the post. It speeds things up at the workshop, too - when my van needed an update the guy from Mercedes was able to come out to me, but I dropped by the garage
Re: (Score:2)
OnStar, sure... but the stereo ? I'm a tech freak, and I still can't think of a use for unlocking my car doors by inserting a CD.
Re: (Score:2)
and
Re: (Score:2)
My stereo is integrated with my navigation system. The nav system is (read only I hope, come on) able to get data from the EC, such as current speed. I suppose that is one path.
Re: (Score:1)
agreed, I had a 94 talon turbo and a 2000 eclipse GS
Re: (Score:1)
Slightly interesting, but I'd say it's still full of crap.
There's too much noise/static and lossy compression from mp3/$foo to even think about trying to infect a machine through line-in. Yes the audio may be digitally processed, but you'd have to find such a noise that would work and give you a full blown infection, that works compressed, can handle line-in static, for a specific make of a car radio system.
But it's slightly off-topic, since there wouldn't be static/errors in an audio cd unless it was scra
Re: (Score:2)
more innocuous than a song (Score:1)
until you bump into the RIAA..
Just make sure not to play the stereo loud enough for anybody to hear it.
Re: (Score:2)
OT / sig reply:
Hey, what's the story about that craft? Was it ever reported? I can't find a report anywhere to satisfy my curiosity :P (assuming the tail number is N717T)
Predicted... (Score:1)
Re: (Score:1)
Re: (Score:1)
Attacks (Score:1)
This is a follow-up to http://www.autosec.org/pubs/cars-oakland2010.pdf [autosec.org] where they demonstrate various attacks of varying levels of danger from relatively innocuous (turn the horn on permanently) to kind of scary (disable brakes and power steering). In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
Re:Attacks (Score:5, Informative)
> In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration no... although I'd be surprised if it wasn't possible).
Re: (Score:2)
I just wanted to chime in and say that my friends and I always found your talks and papers to be awesome. =) I attended your DOS backscatter talk (in the old AP&M building) when I was getting my Masters at UCSD. (I worked with Scott Baden, and Fran Berman a bit.)
Re: (Score:1)
Thanks for clearing that up, it was indeed not claimed. I believe you said you would be surprised if it wasn't possible.
That's it! (Score:3, Insightful)
Back to the horse and buggy everyone.
Or at least to pre '80s cars with a dumb ignition/electrical system instead of this newer butt-kissing junk.
"The more they try to overtake the plumbing, the easier it is to stuff up the drain. "
Scotty -- Star Trek III:The Search for Spock. (or was it "search for more money"?)
Re: (Score:3, Insightful)
If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.
Yeah, the auto industry is taking its cues from Wall Street: more bullshit = more money.
Re: (Score:3)
Pfft. You're stuck in the 80s.
My Nissan and my wife's Honda dealership both charge ~$24 for an oil change. I actually bought a lifetime
Re: (Score:2)
My Nissan and my wife's Honda dealership both charge ~$24 for an oil change. I actually bought a lifetime (for the ownership of the car) all-you-can-eat oil change plan (with Synthetic) for $400, which includes oil filters, air filters, etc.
I think they dropped oil change prices as a loss leader to more costly stuff.
But I've got you beat...My Subaru dealer gives me free every other oil changes (paid for ones are $25), and they recently sent me two $25 certificates for an "inconvenient" factory recall I had done while getting an oil change. While using one of these certificates for a $25 oil change, they handed me a promotional $35 gift card. I am MAKING money on oil changes.
Re: (Score:2)
Heh, that's hilarious.
You're right, of course, about them wanting to keep you coming into the dealership hoping to get more expensive repairs made / keep a good relationship for buying a new car in 5 years, but one very nice thing about getting oil changes at the dealership is that they have records of all your oil changes, which are required for car warranties these days. We got a pretty good price on a 7 year bumper to bumper on my wife's Honda, so it all works out pretty well.
Re: (Score:2)
When I bought my new car (ten years ago), the sales guy was trying to hype up the "premium" factory stereo, so I popped in my own CD, pointed out the distorted mess coming out of the speakers, and turned it off. A week later, I tore all that crap out of my doors and dashboard, and replaced it with about $700 worth of aftermarket equipment (no subwoofer yet). Even though it was "cheap" gear, the difference was night-and-day.
Full disclosure: I am an audiophile, as you had probably guessed, but I am also a h
Re: (Score:3)
>>You actually think it's reasonable that a stereo should cost more than a computer? Snap out of it.
The head unit costs a few hundred bucks, a XM radio costs more money, and good speakers cost even more.
The point the GGP was trying to make was that dealerships screw you on car audio systems, but I found they were reasonably comparative with DIY.
Though there are pros and cons on each side, I could see a reasonable person choosing to do it either way.
Re: (Score:2)
A "reasonable" stereo ? No. Here's what I think a modest, or bang-for-the-buck stereo would be:
$129 head unit
$69 front speakers
$49 rear speakers
$100 installation
So under $350 installed, or $250 if you DIY (an hour or two with a screwdriver and socket wrench). I think that setup would satisfy about 95% of motorists out there. Where things get hairy is if you want a subwoofer. Even a $200 active sub is still pretty terrible, you generally have to set aside $500 or more for anything remotely decent.
Ten ye
Re: (Score:2)
Re: (Score:2)
There's not much I can tell you, other than "I was once like you". There is a whole world of audio beyond the five brands you'll find in most car-audio and big-box stores. They frown on 3-way speakers for the same reasons I do: off-axis positioning, space-constrained 2nd order crossovers and unfixable group delay. The result is muddy mid-bass and very uneven tweeter response. Some people don't notice or care, especially if they stick to popular music where those specific weaknesses may be harder to dete
Re: (Score:2)
I listen very closely to music, especially when listening to classical when there's a lot of different instruments playing at once.
Between my 2.1 speaker setup on my computer, 9-speaker system in one car, and the new system I had put in, all of them are comparable though differences are indeed noticeable. I haven't noticed any of the specific complaints you made about the three-axis speakers, but I *have* heard lots of problems with two-axis speakers (I spent hours at a specialty audio store listening to my
Re: (Score:2)
If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.
Yeah, the auto industry is taking its cues from Wall Street: more bullshit = more money.
Careful there, you're sounding a bit too anticapitalist. Perhaps rethink your values. Or perhaps various lawsuits, tax audits, rumors, and accidents might occur.
Re: (Score:1)
Sony! (Score:2)
Great, so now Sony doesn't have to stop with rooting your PC, they can also root your car. All in the name of copy protection, natch!
Re: (Score:1)
Simple solution (Score:1)
I drive a car that's over 20 years old. It has no computers in it that could be hacked to do anything more harmful than cause me to have poor gas mileage.
I could leave the keys laying on the hood in the parking lot of Walmart and no one would bother with it.
I don't care about luxury, I care about a simple old car that will get me 5 miles a month to the grocery store twice a month.
I care that it's old and simple enough that I can find someone besides a NASA scientist to work on it if it breaks.
You want to d
Re: (Score:2)
So, how hard is it to access Slashdot on your Commodore 64?
Re: (Score:1)
http://jinx.etv.cx/media/contiki-eyecandy-slashdot-contiki.png
Are car stereos so different now? (Score:2)
What kind of CD player is designed to do anything with what's on the cd other than run it through the D/A converters?
Even if it's supposed to read CD-ROMs to get map/navigating info, wouldn't it treat it all as data rather than instructions?
Re: (Score:1)
Buffer overflow attacks are just one way to get a system to treat data as executable code.
used to work in Windows (Score:3, Interesting)
Microsoft Windows products have been known to scan media streams for executables, either deliberately (for installing gov't keyloggers, for example) or accidentally:
http://www.iss.net/security_center/reference/vuln/RIFF_Codec_Overflow.htm [iss.net]
Please Do (Score:4, Funny)
If it will disable bass boomers in my neighborhood.
Sounds like my AV receiver (Score:4, Interesting)
After obtaining a service manual for my AV Receiver, firmware updates are done by using a CD player with digital out, and hooking it to the TOSlink input on the front.
Put it in a special service mode, put a specially burned CD in the CD player, and hit play. The AV receiver grabs the firmware update information off the digital input.
Presumably there's safeguards to ensure that the firmware is transferred correctly, as well as various sync signals to ensure that if you accidentally seeked at the beginning or the player skipped it would be detected.
Probably not a simple modulated audio stream since that'll be quite slow.
Re: (Score:2)
1. Terrible update design. Someone needs to be fired.
2. Audio streams transmit (via normal CD) at 44.1kbps, with dual channel, for a total of about 88.2kbps. A healthy virus can take less than one kB to get started (about 1/5th of a second of audio)..
Re: (Score:1)
Looks like you missed the part about "service mode". Provided you have to physically flip a swich or press a series of buttons, it's perfectly safe - Unless the user decides to update with a virus cd that just -happens- to be signed and encrypted correctly, nothing will happen.
And, if it's not in service mode, it should just play as bad data.
Re: (Score:1)
CD quality audio is 44.1 KHz, not kbps. As each audio sample is 16 bit wide, the total bit rate in a CD audio stream is 1411.2kbps (44.1 * 2 channels * 16).
You wouldn't download a car (Score:2)
Explain (Score:3)
... car's stereo system, giving attackers an entry point to change other components on the car...
Explain?
Wtf? This is just silly.
Namshub for cars (Score:1)
http://en.wikipedia.org/wiki/Namcub [wikipedia.org]
How long does it take before there is a hotkey combination for Emacs? And until it is applicable to humans?
i'd rather... (Score:1)
hack a bicycle
silly cagers
Dig those sweet dulcet tones! (Score:1)
Makes you wonder... (Score:1)
Why is everyone so easily convinced that Toyota's problems are "user error"?
Well, it makes me wonder that, anyway.
Slightly offtopic, I guess. Oh well.
so maybe ford wasn't lying to that kid. (Score:1)
a few weeks back there was this story of a kid who was told by ford that he had infected his parent's car stereo with a virus by playing a pirated mp3 through his ipod.
http://www.reddit.com/r/technology/comments/fj04r/reddit_the_dealership_told_me_that_pirated_music/ [reddit.com]
apparently there was a kernel of truth in that mechanic's bullsht.
Well I RTFA... (Score:2)
And I won't be trusting a word of it.
"In fact, attacks over Bluetooth, the cellular network [...]"
Shit, I can barely get my headphones to work properly with my phone in my pocket when I'm out jogging. How the hell do I get it to go 25km to the base station?
Re: (Score:2, Insightful)
Rap
Notice I didn't say music....'cause the terms 'rap' and 'music ' are pretty much exclusive terms....
:)
Re: (Score:2)
Well, I'd not be surprised that much about audio codec vulnerabilities than about the possibility to use the radio to attack other parts of the car. The radio should be a self-contained unit which apart from speaker cables and power supply has no connection to the rest of the car.
Re: (Score:3)
Unfortunately, that's not the case. Let's see how the radio (or to be exact, the stereo system) can be wired up to other systems:
- it can be wired to the engine RPM-reader/speedometer to detect approximately how loud the environment will be, and turn its volume accordingly.
- It might want to display the current song title in the one display available in the car
- Wheel-mounted Volume/FF/Rewind/Play/Pause/Next/Prev Track controls anyone? And since that'll be a lot of buttons, they might replace it with a gene
Re: (Score:2)
Well, I'd not be surprised that much about audio codec vulnerabilities than about the possibility to use the radio to attack other parts of the car. The radio should be a self-contained unit which apart from speaker cables and power supply has no connection to the rest of the car.
See--this is why I run Linux^H^H^H^Hconvert all my downloaded to music to .wav files. It filters out the viruses from all that high-tech new-fangled high tech MP3 stuff.
Re:Bad Programmers (Score:5, Insightful)
Maybe because they (products) need to be cheap and quick to market to become ubiquitous?
Remember the old "joke"?
* Cheap
* Good
* Fast
Pick 2
There are a lot of folks who just by the latest (fast) stuff they can afford (cheap). Quality (good) doesn't enter into the equation.
But Cynics and other realists. (Score:2)
* Cheap
* Good
* Fast
Pick ONE.
Re: (Score:2)
Your customers are getting shafted.
It's easy enough to build something quickly that works well, but it won't be cheap.
It's easy enough to build something quickly that doesn't cost a lot, but it won't work well.
It's easy enough to build something that works well and doesn't cost a lot, but it won't be done quickly.
Re: (Score:3)
Because they receive the most post-release testing to detect bugs.
Re: (Score:2, Funny)
Yeah, Jimmy Carter used to think that.