Car hacking code released at Defcon

Car computer hacking hit the gas on the very first morning of Defcon 21, as hackers exposed how they took over two of the most popular cars in America.

LAS VEGAS — You may hate parallel parking, but you’re going to hate it even more when somebody commandeers control of your car with you in it.

That was the scary script painted over the very first two hours at the 21st annual Defcon hacker conference.

“Car hacking is certainly coming,” said Zoz, of Cannytophic Design, who introduced on how to hack autonomous cars.

Zoz’s talk on vulnerabilities that autonomous autos will face followed a fast-paced explanation by well-known computer security experts Charlie Miller and Christopher Valasek of how they spent the past ten months hacking the self-driving features of two popular cars. Miller, Valasek, and Zoz all spoke to standing-room only crowds of more than 1,000 people.

While car hacking made a big splash at Defcon in two thousand ten and 2011, those hacks were not publicly documented. “We want it to take two months for everybody to do this,” Miller said to noisy applause from the packed house.

Before going into their hacking explanation, Miller and Valasek admitted that they were not hardware hackers, and had little practice on hardware basics like splicing wires. But they only had one requirement for their test car: that it be able to drive itself.

From there, hilarity ensued. Instead of following Toyota’s guide to removing the dash of their test two thousand ten Prius, they used a crowbar. Subsequent movies and photos demonstrated them driving around with a laptop wired to the open dash of a car, much to the amusement of the crowd.

The pair also tested a two thousand ten Ford Escape.

Prerecorded movie demos of the hacks displayed Miller and Valasek disabling the car’s brakes, jerking the steering wheel back and forward while the car was in maneuverability, accelerating, taking utter control of the steering wheel, yanking the seat belt taut, turning off the engine, turning interior and exterior lights on and off, honking the horn, and making the console display a utter tank of gas when it wasn’t.

Remarkably, neither wore a helmet.

At one point, the car wouldn’t embark, and they had to get it taken to the Toyota dealer for repairs. It turns out, Valasek said, that they had gargled up the inverter. “They said they couldn’t fix the car because they’d never seen this problem before.”

The two detailed much of the nitty-gritty of their hacking work, covering how they gained physical access to the car’s computer and how they figured out how to program the car’s computer.

The documentation that they will be releasing in the next few weeks sounds comprehensive, totaling one hundred one pages of code and data.

Zoz spent his talk in the next hour on the future of automation. Self-driving cars, he told, are essentially robots and will be particularly susceptible to the same kinds of hacks as less complicated robots.

Zoz details the concepts behind how to hack self-driving cars at Defcon 21. Seth Rosenblatt/CNET

Many of these vulnerabilities will be related to directly hacking or indirectly altering the sensors that permit a car to navigate the road without causing accidents. Automated vehicles of all sorts, from person-carrying cars to puny drones, rely on a multitude of sensors such as GPS, LIDAR, cameras, millimeter wave radar, digital compasses, wheel encoders, inertial measurement units, and on-board maps.

There are two kinds of sensor attacks, Zoz said. Denial attacks prevent the sensor from recovering data, while spoofing causes the sensor to retrieve bad data.

Each of the sensors on a car or drone can be successfully attacked in several low-cost, low-effort ways. A GPS sensor, he said, can be compromised by purchasing or building a cheap GPS jammer.

Maps are particularly at risk. “You can’t have your robot periodically sucking through a crimson light,” he said to much snickering from the audience.

Zoz, as well as Miller and Valasek, kept returning to a particular point during their separate hour-long presentations: the aim of hacking cars isn’t to cause widespread havoc, but to make them safer.

“Now that we’ve released the data, you can think about how to stop these attacks,” Miller said.

And echoing Miller, Zoz also highlighted safety concerns. “When I talk about exploits and countermeasures, I want you to think about counter-countermeasures,” he said.

Ford and Toyota have both said that their concentrate is on preventing wireless hacks, but wireless technology is hardly a bastion of security. We may be approaching an era when the car itself could be to blame for crashes.

Related movie: