August 19, 2011 | 2
Forget your car keys? Soon it won’t make a difference, as long as you have your laptop. An interesting viral Web video (see below) making the rounds since the Black Hat cybersecurity conference earlier this month depicts two researchers from iSEC Partners (a San Francisco-based security firm) breaking into a 1998 Subaru Outback via their PC. In less than 60 seconds, they wirelessly find the car’s security system module, bypass it and start the engine remotely.
iSEC researchers Don Bailey and Mat Solnik claim to be able to hack their way into a securely locked car because its alarm relies on a cell phone or satellite network that can receive commands via text messaging. Devices connecting via a cellular or satellite network are assigned the equivalent of a phone number or Web address. If hackers can figure out the number or address for a particular car, they could use a PC to send commands via text messages that instruct the car to disarm, unlock and start.
One of the reasons this text-messaging approach is disconcerting is that text messages aren’t so easy to block, unless you don’t want to receive any texts (either to your car or phone). Google Voice, iBlacklist and a few others (including wireless carriers AT&T and Verizon) do offer some tools for filtering unwanted text messages.
The researchers acknowledge that stealing a particular car would be difficult because you would have to know that car’s number or address, neither of which are easy to find. What bothers them more is that wireless-enabled systems are showing up not just in cars but also in Supervisory Control and Data Acquisition (SCADA) systems that control and secure power plants, water-treatment facilities and other components of the nation’s critical infrastructure, they told CNET.
iSEC isn’t the only research team to have caught on to the dangers of ubiquitous networking. As Scientific American reported in April, researchers from the University of California, San Diego (UCSD), and the University of Washington in Seattle likewise claimed that a hacker could insert malicious software onto a car’s computer system using the vehicle’s Bluetooth and cell phone connections, allowing someone to use a mobile phone to unlock the car’s doors and start its engine remotely. UCSD computer science professor Stefan Savage and Washington assistant computer science and engineering professor Tadayoshi Kohno had also previously demonstrated the ability to use a computer plugged into a car’s On-Board Diagnostic system (OBD–II) port to take control of the electronic control units to (among other things) disable the brakes, selectively brake individual wheels on demand, and stop the engine—all independent of the driver’s actions (pdf). This was not done wirelessly but did highlight vulnerabilities that car-makers might want to investigate as they continue to open up their vehicles to outside communications.
Image courtesy of webphotographeer, via iStockphoto.com