Defcon to deliver auto industry wake-up call

by Rob Lever

AFP-JIJI

Computer geeks already knew it was possible to hack into a car’s computerized systems and potentially alter some electronic control functions.

But new research to be presented this week shows the vulnerabilities are greater and the potential for mischief worse than believed, in a wake-up call for the automobile industry.

Chris Valasek, director of security intelligence for the security firm IOActive, and Charlie Miller, security engineer for Twitter, found these vulnerabilities in on-board computers, a mandatory feature on U.S. vehicles since 1996.

They found that by accessing this device, which sits under the steering wheel, someone with a brief period of access, like a parking attendant, could hack the car and reprogram key safety features.

“We had full control of braking,” Valasek said in a telephone interview.

“We disengaged the brakes so if you were going slow and tried to press the brakes they wouldn’t work. We could turn the headlights on and off, honk the horn. We had control of many aspects of the automobile.”

The pair, working with partial funding from the U.S. government’s Defense Advanced Research Projects Agency, also manipulated a vehicle’s steering by hijacking the “park assist” feature which was designed only to move slowly in reverse.

“You would need a brief moment of physical access,” Valasek said. “You could reprogram and untether from the car and the system.”

While some earlier research focused on the potential to wirelessly gain control of some functions, Valasek said his project looked at overwriting the software code in the vehicles, with even more damaging consequences.

The research is to presented this week at Def Con, an annual gathering of hackers and security experts in Las Vegas.

The research is not the first to show the potential for hacking into car computer systems, which are becoming more ubiquitous as more vehicles add services connecting to the Internet or cellular phone networks, and some firms like Google are using self-driving automobiles.

A 2010 study by researchers from the University of Washington and University of California at San Diego demonstrated how an attacker could infiltrate virtually any car’s electronic control unit and “leverage this ability to completely circumvent a broad array of safety-critical systems.”

That study showed that the engine control devices initially designed for pollution reduction had been integrated into other aspects of a car’s functioning and diagnostics.

And the U.S. Department of Homeland Security issued an advisory in May warning of flaws in the wireless Bluetooth systems in some cars which could be exploited by an outsider to take control of some functions.

Valasek said most cars have a number of computers and “they all trust each other. As long as they are receiving information, they don’t care who is sending it.”

This highlights the need for more focus on cybersecurity in vehicle design, he said. “We want an intelligent discussion on this,” he said.

Valasek and Miller will release the full technical details of their findings at Def Con.

“We hope people enjoy the presentation and take our tools and data and try to reproduce them and do their own research,” he said.

“Although there is research on automobile security no one is releasing the data.”

Valasek said there have been no real-life exploits of automobile hacking, but added that “we just don’t know what could be done with this.”

He said it is more complicated than hacking into a personal computer but that his latest research shows that “with a minimal number of people you can have results where you can control the car, and do things that are detrimental to safety.”

GM lops heads over fake data

NEW YORK
Bloomberg

General Motors Co. has fired several employees after an internal investigation into the recall of a sport utility vehicle built and sold exclusively in India uncovered violations of company policy, it said.

“We take these matters very seriously and hold our leaders and employees to high standards,” Greg Martin, a GM spokesman at its Detroit headquarters, said Saturday in an email. “When those standards are not met, we will take the appropriate action to hold employees accountable.”

The fired employees included workers in India and the U.S., GM said without specifying the number involved. The announcement comes as India opens a probe into GM’s subsidiary after the unit said employees had manipulated emissions tests over the past eight years to comply with requirements, a person familiar with the situation said.

The government is reviewing its systems and investigating GM to see if there were systemic errors, willful negligence or other wrongdoing, Ambuj Sharma, joint secretary at India’s Ministry of Heavy Industry, said Saturday. The report should be completed next month, and GM may face penalties and production stoppages, Sharma said.

The Economic Times in India earlier reported that GM said in a July 18 letter to the government that an internal investigation uncovered employees manipulating emissions tests for the Chevrolet Tavera SUV.

Automotive News reported Saturday that Sam Winegarden, GM’s vice president for global engine engineering, was fired along with about 10 other people.