A talk promising to reveal security shortcomings of modern cars’ electronic network systems will be presented at the DefCon 21 hacking conference in Las Vegas next month.
To be presented by Twitter security engineer Charlie Miller and IOActive director of security intelligence Chris Valasek, the talk, entitled Adventures in Automotive Networks and Control Units, will focus on hacking into cars’ electronic control units (ECUs) and demonstrate how controls can be overridden.
According to the security experts’ own abstract, the duo will first cover the tools and software needed to analyse a Controller Area Network (CAN) bus, then demonstrate software that shows how data can be read from and written to the CAN bus.
“Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering,” it says.
Finally, the pair will discuss aspects of reading and modifying the firmware of ECUs installed in modern cars.
Hacking into a vehicle’s ECU via a diagnostics port usually reserved for use by mechanics to diagnose mechanical issues, the pair was able to manipulate the steering, brakes, horn, seat belts, fuel gauge and speedo of a Toyota Prius and Ford Escape.
DefCon 21, which for the first time in its 21-year history has asked the US federal government to “call a time-out” and stay away, starts on August 1 in Las Vegas.
Meanwhile, a group of computer scientists has also been prevented from releasing information about cracking an ignition key security encryption system used by many manufacturers including the Volkswagen Group.
The UK’s High Court has granted Volkswagen an injunction against the publication of the academic paper entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser, due to be made public next month.
The three scientists, from Birmingham University in England and Radboud University Nijmegen in the Netherlands, argued “the public have a right to see weaknesses in security on which they rely exposed”.
The group stressed the paper was unlikely to facilitate car theft as the weakness described requires a complex technique, £50,000 ($83,700) and two days of computer processing to exploit.
Megamos Crypto uses an algorithm to verify the correct identity of an ignition key.
According to reports, Volkswagen had requested that a redacted form of the paper be released, but the scientists declined and are seeking further legal advice.