Musical Car Hacking

March 12, 2011

Last May, I posted a note here about some research from the Center for Embedded Automotive Systems Security [CAESS], a research collaboration between the University of California, San Diego, and the University of Washington.   A team from CAESS had found that, by gaining access to a car’s Controller Area Network [CAN] via the On-Board Diagnostics [OBD] port, they could modify the behavior of many of the vehicle’s electronic control systems.  (The CAN bus is essentially a local-area network that links together the various electronic control units in the car.)   The attacks that they described in their paper [PDF] did, however, require physical access to the vehicle.

According to an article at IT World, the same group has now done further experiments, and found that other attack channels are possible as well.

In a new paper, they [the CAESS researchers] say they’ve identified a handful of ways a hacker could break into a car, including attacks over the car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.

The CAESS team also found that it was possible to launch an attack via the vehicle’s sound system.

Their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car.

It might, at first glance, seem improbable that this sort of attack would be possible; however, the CAN bus connects many of the car’s components.  (For example, we have a car in which the radio will continue to play after the engine is switched off, as long as the key is in the ignition lock.)   This attack would not be easy to create from scratch, but it is possible to imagine an “attack kit” being distributed over the Internet, with the actual malware being spread via file-sharing networks.

One mitigating factor is that car systems, unlike PC systems, tend to be idiosyncratic to the maker and even the model, so the possibility of “generic” exploits, like those for Windows or Flash, is small.  Still, this is worthwhile research; it is the methods of attack that no one previously thought of that tend to create the biggest problems.

Google Chrome Update

March 12, 2011

Google has released an updated version, 10.0.648.133, of its Chrome browser for Mac OS X, Linux, Windows, and Chrome Frame.  According to the Release Announcement on the Chrome Releases blog, this update fixes a single, serious security vulnerability.

Windows users can obtain the new version via the built-in update mechanism (Help / About Google Chrome). Linux users should be able to get the new version using standard package update tools (e.g., apt-get, synaptic).

Because of the security content of this update, I recommend that you install it as soon as you conveniently can.
