July 29, 2013
DARPA-Funded Hackers Gain Control Of Toyota Prius, Ford Escape
redOrbit Staff & Wire Reports - Your Universe Online
Two computer hackers who have successfully managed to hack into and manipulate a pair of widely-owned automobiles will present their findings at the Def Con hacking conference in Las Vegas this week, various media outlets are reporting.
According to FoxNews.com, veteran hackers Charlie Miller and Chris Valasek have discovered a way to remotely force a 2010 Toyota Prius to stop suddenly at high speeds or accelerate without the driver's foot even being on the gas pedal. Likewise, they claim to be able to disable the brakes of a 2010 Ford Escape at "very low speeds."
The two "white hats" (the name given to hackers who try to detect software vulnerabilities before criminals can exploit them) received funding from the US Defense Advanced Research Projects Agency (DARPA) for their research, according to the International Business Times.
Miller, a security engineer at Twitter, and Valasek, director of security intelligence for Seattle-based IOActive, were tasked by government officials with finding out how vulnerable cars could be to computer hacks. They will publish blueprints of the techniques they discovered for attacking the two vehicles in a 100-page white paper, as well as all associated software used in their project, during this week's conference.
Their findings might sound downright frightening, but Reuters reporter Jim Finkle said Prius and Escape owners shouldn't be too concerned just yet. After all, in order to manipulate the cars, the duo had to be seated within the vehicle and use laptops connected directly to each car's computer network.
"They will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack," Finkle said. Miller and Valasek said they are releasing the data hoping their "white hat" colleagues will be able to build upon their efforts and discover additional automotive security flaws that could be corrected.
"At the moment there are people who are in the know, there are naysayers who don't believe it's important, and there are others saying it's common knowledge but right now there's not much data out there," Miller told BBC News Technology Reporter Zoe Kleinman. "We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars."
So how did they do it? According to Kleinman, they used cables to connect their laptops to the electronic control units (ECUs) of the vehicles through the on-board diagnostics port, which is also used by mechanics to discover problems with the vehicles.
The ECUs are the part of the computer network responsible for acceleration, braking, steering and several other aspects of the car's regular operation. Once Miller and Valasek gained access to them, they were able to write programs that sent instructions to the car network and overrode the drivers' commands, she added.
Toyota spokesman John Hanson told reporters the company was reviewing the duo's research, calling the hacks "entirely possible" and stating the manufacturer is "absolutely" taking the findings seriously.
Conversely, Craig Daitch of Ford said since the attack was not "performed remotely" but required "highly aggressive direct physical manipulation of one vehicle over an elongated period of time," it most likely did not pose "a risk to customers at any mass level."