Miller and Valasek released the tools alongside a white paper explaining their research. The tools relate to the 2010 Toyota Prius and the 2010 Ford Escape and let hackers remotely take control of the cars' electronic smart steering, braking, acceleration, engines and lights.
Miller and Valasek originally showed off the attack with a live demonstration at the Defcon hacker conference at the start of August. The paper shows the specific processes required to hack various different electronic components to enact specific commands.
At the time of publishing Ford and Toyota had not responded to V3's request for comment on the research. Miller and Valasek said the research is designed to prove that smartcar manufacturers take an inadequate approach towards security.
The white paper said: "When electronic networked components are added to any device, questions of the robustness and reliability of the code running on those devices can be raised. When physical safety is in question, as in the case of the automobile, code reliability is a more important and practical concern.
"In typical computing environments, such as a desktop computer, it is possible to easily write scripts or applications to monitor and adjust the way the computer runs. Yet, in highly computerised automobiles, there is no easy way to write applications capable of monitoring or controlling the various embedded systems. Drivers and passengers are strictly at the mercy of the code running in their automobiles and, unlike when their web browser crashes or is compromised, the threat to their physical wellbeing is real."
Miller and Valasek said they hope by releasing the tools other hackers will build on their work, helping create answers to modern cars' security issues.
"Besides discussing new attacks, this paper aims to bring accessibility to automotive systems to security researchers in an open and transparent way. Currently, there is no easy way to write custom software to monitor and interact with the engine control units (ECUs) in modern automobiles. The fact that a risk of attack exists but there is not a way for researchers to monitor or interact with the system is distressing," read the white paper.
"This paper is intended to provide a framework that will allow the construction of such tools for automotive systems and to demonstrate the use on two modern vehicles. This framework will allow researchers to demonstrate the threat to automotive systems in a concrete way as well as write monitoring and control applications to help alleviate this threat."
Car security has been a growing area of interest within the research community. Prior to Miller and Valasek's release, Volkswagen won a high court ruling blocking University of Birmingham lecturer Flavio Garcia from releasing a similar research paper.
No comments:
Post a Comment