Computer hackers claim to have taken control of a Toyota Prius, steering the car and applying its brakes, and of a Ford Escape, disabling its brakes at low speeds.
Charlie Miller, a security researcher with Twitter, and Chris Valasek, director of security intelligence at IOActive, took over some of the car’s systems using a laptop computer connected to its OBD (on-board diagnostic) port, and were able to drive it using a video-game controller.
Miller and Valasek say they will present detailed findings at Def Con 21 hacking convention in Las Vegas on Friday. They have compiled detailed blueprints of the techniques in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government.
The two “white hats” — hackers who try to uncover software vulnerabilities before criminals can exploit them — will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week.
They said they devised ways to force a Toyota Prius to brake suddenly at 128 kph, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.
“Imagine what would happen if you were near a crowd,” said Valasek.
But it is not as scary as it may sound at first blush.
They were sitting inside the cars using laptops connected directly to the vehicles’ computer networks when they did their work. So they will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack.
The two say they hope the data they publish will encourage other white-hat hackers to uncover more security flaws in autos so they can be fixed.
“I trust the eyes of 100 security researchers more than the eyes that are in Ford and Toyota,” said Miller, a Twitter security engineer known for his research on hacking Apple Inc’s App Store.
Toyota Motor Corp spokesman John Hanson said the company was reviewing the work. He said the carmaker had invested heavily in electronic security, but that bugs remained — as they do in cars of other manufacturers.
“It’s entirely possible to do,” Hanson said, referring to the newly exposed hacks. “Absolutely we take it seriously.”
Ford Motor Co spokesman Craig Daitch said the company takes seriously the electronic security of its vehicles. He said the fact that Miller’s and Valasek’s hacking methods required them to be inside the vehicle they were trying to manipulate mitigated the risk.
“This particular attack was not performed remotely over the air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers and any mass level,” Daitch said.
Columns Everything you need to know about purchasing, maintaining and driving your car.
Become a member
Register now to access all features including:
- Save and ask friends to review vehicles
- Exclusive rebates & offers from local dealers
- Premium content, reviews and tools
- You can unsubscribe at any time. Please Contact Us for details.
All for free!
Already a member?
Registration 2 of 2
Welcome to Wheels!
As a final step we've sent a confirmation to your email address as a security measure. Please click the link in the email to complete your registration.
Terms of services
DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY
TO THE FULLEST EXTENT PERMITTED BY LAW, TORONTO STAR IS PROVIDING THE TORONTO STAR WEBSITES ON AN "AS IS" AND "AS AVAILABLE" BASIS AND MAKES NO WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IN ANY CONNECTION WITH THE TORONTO STAR WEBSITES, THEIR CONTENTS, OR ANY WEB SITE OR CONTENTS WITH WHICH IT IS LINKED. TORONTO STAR DOES NOT WARRANT THAT THE FUNCTION OF THE TORONTO STAR WEBSITES OR THEIR CONTENTS WILL BE UNINTERRUPTED OR ERROR FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE TORONTO STAR WEBSITES OR THE SERVERS THAT MAKE IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
TO THE FULLEST EXTENT PERMITTED BY LAW, UNDER NO CIRCUMSTANCES, INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE, SHALL TORONTO STAR BE LIABLE FOR ANY LOSS OF USE, LOSS OF DATA, LOSS OF INCOME OR PROFIT, LOSS OF OR DAMAGE TO PROPERTY, OR FOR ANY DAMAGES OF ANY KIND OR CHARACTER (INCLUDING WITHOUT LIMITATION ANY COMPENSATORY, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES), EVEN IF TORONTO STAR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE TORONTO STAR WEBSITES, THEIR CONTENTS, OR ANY WEBSITE OR CONTENTS WITH WHICH IT IS LINKED. IN NO EVENT SHALL TORONTO STAR'S TOTAL LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE), OR OTHERWISE, EXCEED THE AMOUNT PAID BY YOU FOR ACCESSING THIS SITE.X