Anyone remember the good old days when we get computer viruses the old fashioned way? It goes like this. Someone inserts an infected floppy disk, probably a virus-infected operating system or program disk in a drive, the virus loads into memory once the infected program is run and later infects files and executables of clean floppies. Who needs the internet back then to spread malware? Now the same thing happens on a larger scale. Except today’s newfangled computer-controlled cars are the floppies and the automotive dealership’s computerized diagnostic tools act as the computer.
Someone, malicious or otherwise with a malware-infected car comes into an auto-shop or dealership and gets hooked up to their diagnostic equipment. The malware then gets uploaded to the equipment which, in turn, can spread to uninfected cars. A classic virus infection process. Is it possible? According to Craig Smith, author of the Car Hackers Handbook and founder of open source car hacking group Open Garages, it is.
Control of a lot of vehicles that is. The cars won’t exactly drive by themselves. But a malicious hacker could have potential control of hundreds of vehicles, play God and shut them down or trigger any type of chip-controlled annoyance. Worse if the hacker decides to mess with the brakes during the car’s speed run. Yes, car owners should be very nervous unless they drive the gas-guzzling classics that have no chips on them. Imagine if a car’s GPS system was integrated with another chip-controlled system? An enterprising hacker could shut down the car in the middle of nowhere and demand ransom from the driver just to get it running. Just like that remote-start feature shown in Die Hard 4 only this time, it won’t be 911 in the controls (unless that scene was put there just to emphasize connectivity). A real-world example would be that news where hackers were able to shut down a Chrysler Jeep Cherokee’s brakes resulting in the vehicle running off the road. The very same systems that keep the vehicle safe, secure and comfortable could be used against the owner.
Smith demonstrated the possibility at the recent Derbycon hacker conference in Louisville Kentucky using a PC and a very inexpensive tool he crafted that’s used to seek out vulnerabilities of automotive diagnostic systems. The theory is, that if hackers can find the right vulnerability in automotive diagnostic equipment by bombarding it with errors from an infected car, that vulnerability can be used to carry a malware payload that will then be transferred to subsequent vehicles. As more and more equipment and appliance manufacturers think it’s a good idea to add an internet connectivity feature, the more these hacking scenarios get easier. The closest scenario to Craig Smith’s idea was when a team from the University of California and Washington in 2011, tested an auto-dealership attack by hacking into the dealership’s Wi-Fi and later gaining access to the mechanic shop’s diagnostic equipment and gaining access to whatever car was connected to the equipment.