AOL's Story About Terrorist Carhacking Is Fearmongering Bullshit

Here's the scenario: a "14-year-old in Indonesia" sits in front of a laptop, gives an evil laugh and says whatever is Indonesian for 'check this out.' He furiously types on the keyboard, dramatically hits "enter," and then immediately cars start crashing in LA. AOL says this can happen. We say that's bullshit.

Just so you don't think I'm putting words in the mouth of AOL Autos' Pete Bigelow, here's a direct quote:

Imagine this grisly scenario: You're driving down the interstate with the cruise control set at the speed limit. Without warning, your car accelerates. The speedometer pushes past 100 miles per hour. Suddenly, the car turns left and crashes into the concrete median.

and also

"Can some 14-year-old in Indonesia shut a bunch of cars down because everything is wired up?" That's the question U.S. Senator Jay Rockefeller posed to a panel of automotive experts during a Senate Commerce Committee hearing last month.

The short answer is yes.

While technically some of what's described in the article is certainly true, the fear-mongering tone, calculated to terrify the rapidly aging AOL dial-up readership, is uncalled for at this point. Let's break down exactly why this is.

First of all, here's what is true: modern cars are packed full of computers. Even so, reducing cars to "rolling computers" as stated in the AOL article is absurd. Yes, they're full of computers and software and probably blinking lights, there's still a hell of a lot of real, mechanical equipment on a car. And, as importantly, there's certain key pieces of equipment that are not on cars, at least not yet.

One of the major pieces of missing equipment would be key to the "Suddenly, the car turns left and crashes into the concrete median." part of the story, and that's a true steering-by-wire system. Currently, only one car maker, Nissan, has started to implement this sort of system. And it's only available on their new Infiniti Q50. So for almost everyone who may read this article, that part of the horrorshow just can't happen.

Plus, Nissan's system still includes a conventional steering column and system as a backup, and the data from the potentiometer that indicates steering wheel angle isn't just sent to the servos controlling the steering without check — it knows the speed the car's travelling, and there are speed-based safety protocols in play.

Of course, even complaining about that all presupposes that getting an outside signal into your car's brains is happening, and the truth is while it has been done, in lab environments, by experts, it's not likely to happen by an attack from that hypothetical 14 year old Indonesian kid who for some reason really wants to wreck your car.

AOL's Story About Terrorist Carhacking Is Fearmongering Bullshit

In fact, modern cars internal networks (known as the CAN bus) aren't normally equipped to receive wireless instructions, with the exception of the tire pressure monitoring system (a very short range wireless link) and the radio/nav/infotainment system.

These systems can be wirelessly compromised, but even studies that did successfully compromise a wide variety of vehicle systems (beyond the TPMS, etc) acknowledge that normally, some manner of physical access to the car's systems is required, and if you have that access, there's easier ways to screw with a car:

However, the threat model underlying past work (including our own) has been met with significant, and justifiable, criticism (e.g., [1, 3, 16]). In particular, it is widely felt that presupposing an attacker’s ability to physically connect to a car’s internal computer network may be unrealistic. Moreover, it is often pointed out that attackers with physical access can easily mount non-computerized attacks as well (e.g., cutting the brake lines).

I don't want to diminish what these researchers did achieve: they did manage to send wireless data to a car and get control or at least interrupt a variety of systems, including door locks, radio volume, wipers, and most alarmingly, some brake functions.

Plus, all those vulnerable computers do more than just sit around waiting to be hacked. They're constantly checking and evaluating the conditions the car is in, and they're programmed not to do anything that would kill you or your car even if their input suggests it. And that programming is not something that's going to be changed remotely as you drive by. For example, in the University of Washington study, researchers found

Most our results while driving were identical to our results on jack stands, except that the EBCM needed to be unlocked to issue DeviceControl packets when the car was traveling over 5 MPH. This a minor caveat from an actual attack perspective; as noted earlier, attack hardware attached to the car’s CAN bus can recover the credentials necessary to unlock the EBCM.

Which basically means that their pure-wireless attacks were filtered out or ignored at speeds over a walking pace, and the only way to get access to unlock those protections would require a physical connection to the car's CAN bus. I think that's more than a "minor caveat."

Also, nothing they managed to do remotely was dramatically remote — as in from, say, Indonesia. There are services like OnStar that can access some functions (engine shutdown, say) from very remote locations, but there are additional security protocols in place there far beyond what's on normal cars. Hacking is theoretically possible, but not an easy prospect.

Other forms of hacking referenced in the article require physical OBD-II pass-through devices or trojan-horse-type security breeching programs loaded into the car via an encoded file on a CD or USB drive. Again, while this is possible, if you have direct, physical access to a car, you may as well just cut some brake lines or shove a pipe bomb in the frame.

While most of what was pointed out in the article is hypothetically possible, at least in lab environments by teams of very smart people, this article is still, essentially, just needless fear-mongering.

You're far, far more likely to die in your car because of something stupid you or someone else on the road does. Driving in a car anywhere carries some inherent danger, but worrying that your car will be remotely hacked into from the other side of the earth is about as useful as worrying about all the meteors that could hit your car.

Just don't text and drive, pay attention to what your car's doing, and focus on driving instead of boogeyman "terrorists" trying to get you.

If you're still concerned, I have two pieces of practical advice for you:

• Practice yanking fuses. In many cars, the fusebox is accessible from the driver's seat, usually to the left and below the dash. If you get a message that your car has been PWND by 733t H4X0Rs on your dash, and they've locked out your off switch or key, just start yanking fuses. In a panic, I'm sure you can empty that fusebox in seconds.

• Buy and drive a vintage car. No hacking, no computers, no worries. Just driving joy.