Researchers at the University of Washington and University of California-San Diego have examined the multitudinous computer systems that run modern cars, discovering that they're easily broken into with alarming results. Hackers can disable the brakes of moving vehicles, lock the key in the ignition to prevent the engine from being turned off, jam all the door locks, and make the engine run faster. Less dangerously, they can control the radio, heating, and air conditioning, or just endlessly honk the horn.

Their attacks used physical access to the federally mandated On-Board Diagnostics (OBD-II) port, typically located under the dashboard. This provided access to another piece of federally mandated equipment, the Controller Area Network (CAN) bus. With this access, they could control the various Electronic Control Units (ECUs) located throughout the vehicle, with scant few restrictions.

Though there is some security built in to the network, it was easily defeated through a combination of brute-force attacking and implementation flaws. The CAN specification requires little protection, and even those protections it requires were found to be implemented inadequately, with ECUs allowing new firmware to be flashed even while the car was moving (halting the engine in the process), and letting low-security systems like the air conditioning controller attack high security services such as the brakes.

Once the researchers had gained access, they developed a number of attacks against their target vehicles, and then tested many of them while the cars were being driven around an old airstrip. Successful attacks ranged from the annoying—switching on the wipers and radio, making the heater run full blast, or chilling the car with the air conditioning—to the downright dangerous. In particular, the brakes could be disabled. The ignition key could then be locked into place, preventing the driver from turning the car off.

The researchers could even upload new firmware to various ECUs, permitting a range of complex behaviors to be programmed in. What they tested was harmless—turning on the wipers when the car reached 20mph—but the possibilities were enormous: for example, the ECU could wait until the car was going at 80mph, and then disable all the brakes. They could also program in the ability to reboot and reset the ECU, so their hacked firmware would be removed from the system, leaving no trace of what they had done.

About the only thing it seemed they couldn't do was steer the car, and even that may be possible in high-end vehicles with self-parking capabilities.

The research makes clear that the embedded computer systems within cars, and the specifications they are built on, simply aren't designed with security in mind. The CAN protocol requires only minimal security, and the car and component manufacturers have done a poor job of implementing it. Even if they had done their job properly, however, many of the attacks are likely to have been successful anyway.

Their interest was also purely in the network security (or lack thereof) of these vehicular networks, not the general safety of controlling critical systems with computers. Though they gave their test driver a taste of the (alleged) Toyota experience, they didn't examine the plausibility or frequency of such systems failures.

They also refrained from naming the exact make and model of vehicle that they tested. They said that this was because they didn't believe anything they found was specific to any one make or model, and as such didn't want to make it look as if this was a limited problem—it looks to be industry-wide.

The researchers' dependence on physical access certainly reduces the scope of the attacks (though thanks to the convenience of the OBD part, not beyond what a valet or disgruntled spouse could achieve), but there's bad news on that front too: the researchers found that the wireless access to their car (like many, it had integrated Bluetooth and similar capabilities) was inadequately secure, and they could break in that way, too.

Figurative drive-by hacks where a system is exploited just by visiting a malicious webpage are commonplace. With research like this, it looks like they might be taking a turn for the literal. What a terrifying prospect.