Security researcher warns cars can be hacked to remotely take control

Imagine a job where you go into work, sit down at your desk, boot up your machine and then launch a cyberattack on a car while it is being driven on the other side of the globe. While that might sound like a movie plot, security research engineer Jonathan Brossard says it’s possible.

He’s not talking about sitting in the backseat with wires connected to the car’s brain so that the driver is fully aware what might happen. Instead, imagine a scenario where the driver is the only person in the vehicle when suddenly he realizes that he no longer is in control because an attacker hacked the car’s on-board computer and remotely took over control.

Brossard, CEO of Toucan Systems, told the Sydney Morning Herald that he “does not know of a car that has been hacked on the road but says his company does it for vehicle manufacturers in Europe.” In order to determine if a car is vulnerable to a cyberattack, white hats act as attackers and try to hack a vehicle. If successful, then the car manufactures will patch it and he tries to hack it again.

Brossard explained:

”The vehicle is remote from me. I am sitting at the desk and I am using the computer and driving your car from another country. I am saying it is possible.”

”A car is, technically speaking, very much like a cell phone and that makes it vulnerable to attack from the internet. An attack is not unlikely.”

If that seems like a familiar-sounding scenario, it might be because such a cyberattack on a car, a 2013 Mercedes, was proposed as a possible theory behind journalist Michael Hastings’ horrific car crash. Hastings, according to WikiLeaks, had contacted a WikiLeaks lawyer “just a few hours before he died, saying that the FBI was investigating him.”

At the time, former US National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke claimed, “In the case of Michael Hastings, what evidence is available publicly is consistent with a car cyberattack.” But it would be “nearly impossible to trace ‘even if the dozen or so computers on board hadn’t melted’.” Clarke said, “There is reason to believe that intelligence agencies for major powers” know how to remotely seize control of a car, but if the car was hacked, “you can’t prove it.” He added that if the wreck was a result of a cyberattack, then “whoever did it would probably get away with it.”

Hastings was supposedly investigating a privacy lawsuit brought by Jill Kelley against the Department of Defense and the FBI. Kelley, you might recall, gained infamy after emails were leaked tying her to a sex scandal with former CIA Director David Petraeus. Hastings wife later said he wasn’t working on that story. Despite that Hastings sent an email with the subject of “FBI Investigation re: NSA” hours before his crash, the FBI insisted Hastings was not under investigation.

Hacking to remotely take control of vehicles has apparently moved beyond something only intelligence agencies can allegedly do; as Brossard pointed out, that’s something he does now for work. Since he’s working with car manufacturers in Europe, then it seems the cyberattack to remotely take control of the vehicle is not a backdoor hack of OnStar. Brossard knows more than a thing or two about backdoors. In his 2012 Def Con talk, “Hardware Backdooring is Practical,” he demonstrated bootkitting Windows; his proof-of-concept malware was described as the “perfect” backdoor that would be “persistent” and “virtually undetectable.”

Brossard also was a consultant for the video game Watch Dogs that “explores the impact of technology where everything is controlled by one computer and railways, traffic lights and energy systems are all vulnerable to the hacker.” But Watch Dogs is a subject for another time.

Like this? Here’s more posts:

• Hacking hotels, shells, cellphones, cars and more mischief coming to Black Hat
• Microsoft knew about ‘new’ Internet Explorer zero-day for 7 months but won’t patch
• Yikes, ICS-CERT reminds public utilities about dangers of remote access without firewall
• New NSA Chief expects attacks attempting to damage, destroy critical infrastructure
• Huge demand for NSA-proof email: ProtonMail uses a month’s server capacity in 3 days
• Consumer profiling: Data brokers know more about you than your mom or Google
• No reasonable expectation of privacy when third parties cross the creepy line?
• Over 70% of energy and financial firms say cyberattacks coming within 12 months
• Encryption canary or insecure app? TrueCrypt warning says use Microsoft’s BitLocker

Follow me on Twitter @PrivacyFanatic