Skip to main content

Can your car be hacked? From brakes to GPS, a look at what’s vulnerable

can your car be hacked hacking threats analyzed brakes deactivated
Image used with permission by copyright holder

Having a hacker charge a carbon fiber toilet seat to your Visa card is inconvenient, but what if they decide that your car would function better without brakes?

That’s exactly what happened to Forbes journalist Andy Greenberg in a very unusual recent road test. Greenberg hopped into a car with some hackers, who deactivated the vehicle’s brakes by jacking into an onboard data port.

The idea of a hacker taking control of a car and endangering its occupants sounds like the ultimate dark side of the ongoing digitization that has made cars more efficient, safer, and more connected to our lives than ever before. So, is car hacking a real threat, or fodder for science fiction?

Vital systems

Car hacking hit the tech mainstream in an ugly way this past June when journalist Michael Hastings, famous for bringing down General Stanley McCrystal with a revealing Rolling Stone profile, was killed in a horrific car crash.

A hacker looking to take over someone’s car would have to put in a lot more effort than one looking to take over one’s credit card.

Shortly after, President George W. Bush’s top counterterrorism expert, Richard Clarke, went public implying that Hastings could have been assassinated, and that his own car could have been the weapon.

“There is reason to believe that intelligence agencies for major powers — including the United States — know how to remotely seize control of a car,” Clarke told the Huffington Post at the time.

“So if there was a cyber attack on the car — and I’m not saying there was… I think whoever did it would probably get away with it,” Clarke said.

Hastings’ 2013 Mercedes-Benz C250 coupe hit a tree with such speed that witnesses said the crash sounded like an explosion. There were no other cars involved.

So how would a government assassin take control of a car? At first, it seems as easy as Richard Clarke suggested. Modern cars are now essentially rolling computers that control everything from anti-lock brakes to the engine and transmission.

Many cars even have “drive-by-wire” throttles and brakes, with no physical connection between the pedals and the mechanisms they control. Nissan is even launching a steer-by-wire system on the 2014 Infiniti Q50.

Infiniti Q50 direct adaptive steering
Infiniti Q50 Direct Adaptive Steering Image used with permission by copyright holder

With a car’s gas and braking systems already controlled by computers, all a hacker would have to do to commit vehicular homicide is insert some malicious code into those computers, right? Not quite.

For hackers to have taken over Hastings’ car they would have had to access it wirelessly, and that’s easier said than done.

A car’s computer control system, called a Controller Area Network (CAN) bus, isn’t like your desktop or laptop computer; it’s hard-wired and not designed to receive wireless commands. Charlie Miller and Chris Valasek, the hackers that actually cut a car’s brake function in the Forbes story, did so by physically plugging their laptops into the vehicle after taking most of the dash apart to get at the car’s wiring.

Fully electric vehicles may also be vulnerable. Putting them “in gear” is usually done with a stalk or button rather than a mechanical linkage.

Wireless car hacking has only been achieved in the lab – at least that we know of. Separate experiments conducted by the University of Washington and the University of California, San Diego were able to penetrate the CAN bus using connected devices such as smartphones.

However, their success was limited. The University of Washington’s report states that, while researchers were able to get wireless access to a moving car, they were only able to send commands at speeds below five mph. Above that speed, the CAN bus realized that the vehicle was operating outside normal parameters and ignored the errant code.

True, a hacker could attach hardware to the car to gain direct access, but if an attacker already has that much physical access to a car, why bother with software? Cutting the brake lines or planting a Casino-style bomb would be just as easy.

That’s what officials from Ford and Toyota said when Miller and Valasek showed them their research. If someone has access to a car, there are already numerous ways to cause harm.

Cars also don’t share a common programming language like a Mac or a PC. Miller and Valasek bought a 2010 Ford Escape and 2010 Toyota Prius and spent months analyzing their computer systems; they’d have to start all over again if they wanted to mess with a BMW or Nissan.

Audio, Infotainment, and Navigation

The computers that control a car’s throttle, steering, and brakes aren’t like the ones people have on their desktops, but there are other systems onboard that are.

2014 Chevrolet MyLink
2014 Chevrolet MyLink Image used with permission by copyright holder

While the CAN bus can so far only be accessed directly through a hard line, there are many ways to breach a car’s infotainment devices remotely. The University of Washington and University of California, San Diego researchers were able to insert malware on CDs and mp3s, which were then installed on an iPod that was then synced with a vehicle’s system.

A driver could inadvertently get their car hacked by downloading third party software to their phone, but that software would have to pass through two phalanxes of corporate scrutiny first.

A hacker could potentially distract a driver by blasting the stereo, or disable the navigation system…

The makers of smartphone operating systems vet third party apps and so do the car companies. That’s why the number of apps available for infotainment systems like Ford’s Sync or Chevrolet’s MyLink number in the tens, not the thousands.

Still, assuming a hacker could get some malware into a car’s infotainment system, could they do any damage?

A hacker could potentially distract a driver by blasting the stereo, or disable the navigation system, but these types of attacks are more annoying than life-threatening. The driver would still be in control of the car, after all. But if the driver was unaware that the GPS system had been tampered with or was being controlled, a car could be sent the wrong way down a one-way street or into a hazardous situation. Far-fetched? Maybe not, since that is what apparently happened to this yacht.

Interconnected systems

So some parts of a car are hard to access, while others are easy to access but can’t do anything dangerous. So you’re pretty safe, right?

Ford OpenXC
Ford OpenXC Image used with permission by copyright holder

That may change in the future, though. In the past, car control systems have been separated from secondary systems like audio and navigation, but that’s changing as the computerization and interconnectivity throughout a car’s systems grows to, ironically, give drivers more control over things like suspension settings, steering sensitivity and engine power output.

A vehicle’s different automated features can be linked in many ways. For example, in some cars, the doors lock automatically when the transmission is shifted into gear. This seemingly innocuous feature isn’t as well-protected as the vital CAN bus, so could it be used as a back door for an attack? Not necessarily.

A connection may exist, but that doesn’t mean it can be exploited by hackers. In the case of automatic door locks, the information usually only flows one way: the locks are activated by the engine or transmission, not vice versa.

However, this could become more of a problem as a car’s mechanical systems become intertwined with its digital ones. Car companies like Ford are looking to leverage vehicle data to improve the customer experience, but that means giving programmers more access to cars than ever before.

Ford’s OpenXC program gives third party developers access to a car’s onboard sensors, in order to collect data that can be used by driving-specific apps. If that practice becomes commonplace, carmakers will have to work harder to separate vital controls from connected devices.

Many cars can now be accessed remotely by smartphones or assistance services like OnStar and Drone Mobile, which can track a vehicle’s position, remotely open doors, start engines and run heating or cooling systems in advance of the driver getting into the vehicle. All of this is done by remote control, whether it’s from a computer terminal, smartphone or key fob. Each presents a possible intercept window for hackers.

Fully electric vehicles may also be vulnerable. Putting them “in gear” is usually done with a stalk or button rather than a mechanical linkage. Suddenly putting an EV into reverse remotely or gaining control of the car’s acceleration as it goes down the highway could obviously cause a crash.

Conclusion: Is car hacking a threat?

Given the numbers of computers in modern cars, and the fact that researchers have hacked them under very limited circumstances, car hacking seems like a very possible threat.

However, while cars are computerized, they don’t work like desktops or smartphones. A hacker looking to take over someone’s car would have to put in a lot more effort than one looking to take over one’s credit card.

Car control systems aren’t set up to accept randomly inserted commands, and even if a hacker managed to fool an onboard computer, that attack would only work for that specific car.

Hacking may become more of an issue in the future as cars become more automated and more connected, but for now, the road is hacker-free.

Editors' Recommendations

Stephen Edelstein
Stephen is a freelance automotive journalist covering all things cars. He likes anything with four wheels, from classic cars…
Here’s what Bosch hopes to learn from deploying autonomous cars in San Jose
Bosch, Daimler autonomous Mercedes-Benz S-Class

The companies racing to deploy autonomous cars on the world's roads took a reality check in the 2010s, but multimillion-dollar development efforts remain ongoing across the automotive and tech industries. German supplier Bosch is notably moving full speed ahead with its quest to make driverless cars a reality. Kay Stepper, Bosch's senior vice president of automated driving, sat down with Digital Trends to talk about the state of autonomous driving in 2020, and what's next for the artificial intelligence technology that powers the prototypes it's testing.

Bosch has never made a car, so it brings its innovations to the market through partnerships with automakers. It chose Mercedes-Benz parent company Daimler to test autonomous technology in real-world conditions via a ridesharing pilot program in San Jose, California, close to one of the company's research centers. Stepper explained that, while engineers learn a lot from software-based simulations, field testing is still crucial.

Read more
Mercedes-Benz wants to know what you expect from a ride in a self-driving car
mercedes benz testing self driving cars in california bosch daimler autonomous s class feat

With warm weather and indulgent legislation, California has become one of the most popular places in America for companies looking to test autonomous technology. Mercedes-Benz parent company Daimler has joined the list of tech firms and automakers putting driverless systems through their paces in the Golden State, according to a recent report.

The news comes about a year after Daimler and Bosch teamed up to deploy autonomous Mercedes-Benz S-Class-based prototypes in San Jose, and a few short weeks after company CEO Ola Källenius warned that his team of engineers had taken a reality check on self-driving cars. Anonymous sources told industry trade journal Automotive News Europe that the project is nonetheless moving forward, and approximately 30 prototypes are part of the latest round of testing.

Read more
Most people want to keep their cars away from full self-driving, study says
ford buys quantum signal to aid self driving car development argo ai fusion autonomous prototype in detroit

Americans and their cars are a tight-knit relationship that goes back to the Model T and in some cases, it is a love story. Some of us love the feel of the road and the symbiotic relationship between human beings and machines. What about when the autonomous machine takes over and we are reduced to nothing more than freight?  That is what SAE International wanted to know in a poll conducted over 18 months.

SAE had a series of demo days in Los Angeles, Tampa, Detroit, and Babcock Ranch, Florida, where 1,400 respondents took pre- and post-ride questionnaires answering a variety of questions about brand, mobility, and consumer preference. Two-thousand self-driving vehicle rides were given over the course of the study. Participants experienced Level 3 and Level 4 driving features such as the vehicle starting, stopping, accelerating, and decelerating on its own. The vehicle systems were from AutonomouStuff, Perrone Robotics or Dataspeed Inc. on closed courses with a driver in place for safety intervention only.

Read more