ADVERTISEMENT
  About the SA Blog Network













Observations

Observations


Opinion, arguments & analyses from the editors of Scientific American
Observations HomeAboutContact

Hacked in 60 Seconds: Thieves Could Steal Cars via Text Messages

The views expressed are those of the author and are not necessarily those of Scientific American.


Email   PrintPrint



Forget your car keys? Soon it won’t make a difference, as long as you have your laptop. An interesting viral Web video (see below) making the rounds since the Black Hat cybersecurity conference earlier this month depicts two researchers from iSEC Partners (a San Francisco-based security firm) breaking into a 1998 Subaru Outback via their PC. In less than 60 seconds, they wirelessly find the car’s security system module, bypass it and start the engine remotely.

iSEC researchers Don Bailey and Mat Solnik claim to be able to hack their way into a securely locked car because its alarm relies on a cell phone or satellite network that can receive commands via text messaging. Devices connecting via a cellular or satellite network are assigned the equivalent of a phone number or Web address. If hackers can figure out the number or address for a particular car, they could use a PC to send commands via text messages that instruct the car to disarm, unlock and start.

One of the reasons this text-messaging approach is disconcerting is that text messages aren’t so easy to block, unless you don’t want to receive any texts (either to your car or phone). Google Voice, iBlacklist and a few others (including wireless carriers AT&T and Verizon) do offer some tools for filtering unwanted text messages.

The researchers acknowledge that stealing a particular car would be difficult because you would have to know that car’s number or address, neither of which are easy to find. What bothers them more is that wireless-enabled systems are showing up not just in cars but also in Supervisory Control and Data Acquisition (SCADA) systems that control and secure power plants, water-treatment facilities and other components of the nation’s critical infrastructure, they told CNET.

iSEC isn’t the only research team to have caught on to the dangers of ubiquitous networking. As Scientific American reported in April, researchers from the University of California, San Diego (UCSD), and the University of Washington in Seattle likewise claimed that a hacker could insert malicious software onto a car’s computer system using the vehicle’s Bluetooth and cell phone connections, allowing someone to use a mobile phone to unlock the car’s doors and start its engine remotely. UCSD computer science professor Stefan Savage and Washington assistant computer science and engineering professor Tadayoshi Kohno had also previously demonstrated the ability to use a computer plugged into a car’s On-Board Diagnostic system (OBD–II) port to take control of the electronic control units to (among other things) disable the brakes, selectively brake individual wheels on demand, and stop the engine—all independent of the driver’s actions (pdf). This was not done wirelessly but did highlight vulnerabilities that car-makers might want to investigate as they continue to open up their vehicles to outside communications.

Image courtesy of webphotographeer, via iStockphoto.com

About the Author: Larry is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

The views expressed are those of the author and are not necessarily those of Scientific American.





Rights & Permissions

Comments 2 Comments

Add Comment
  1. 1. markt1964 6:43 pm 08/22/2011

    While this could allow a person to break in, and possibly even start the vehicle, it would not necessarily enable a person to actually steal it, because such vehicles often require the physical key to be inserted into the slot, or at least be within a few inches of it, before such a vehicle’s steering will unlock, or even before you can shift gears out of “Park”. On my own car, if no key is inserted within about 20 minutes, the car shuts off.

    Link to this
  2. 2. stevepolard 8:48 am 03/20/2012

    If hackers can figure out the number or address for a particular car, they could use a PC to send commands via text messages that instruct the car to disarm, unlock and start.

    http://www.usamotorbike.com

    Link to this

Add a Comment
You must sign in or register as a ScientificAmerican.com member to submit a comment.

More from Scientific American

Scientific American Back To School

Back to School Sale!

12 Digital Issues + 4 Years of Archive Access just $19.99

Order Now >

X

Email this Article



This function is currently unavailable

X