How to disable your car’s firewall

The power and perils of OBD-II

In 2010, the Centre for Automotive Embedded Systems Security demonstrated the devastating consequences that could arise should malicious attackers gain access to the on-board diagnostics port (OBD-II) that has been fitted to most vehicles since the mid 1990s.

This collaborative group of academic researchers from the University of California San Diego and the University of Washington developed a tool dubbed “CarShark” which, when plugged into the OBD-II port of a 2009 car, gave them almost total control of the vehicle.

While some of the effects of their activities could be deemed as only mildly annoying, for example turning the audio equipment volume to maximum, sounding the horn, or even spoofing the dashboard speed display, others are nothing short of life threatening.

The team demonstrated that by transmitting correct commands (and even random bit streams in some cases), it was possibly to shut down the engine, prevent the brakes from functioning, and cause the brakes to lock unevenly, all during a typical driving scenario with speeds up to 40mph.

CarShark demonstration in 2010
CarShark demonstration in 2010


Dashboard speed and RPM spoofing demonstrated in 2010
Dashboard speed and RPM spoofing demonstrated in 2010

Interest from independent researchers and hobbyist hackers

At the Black Hat Asia conference in May 2014, two Spanish security researchers demonstrated how their CAN Hacking Tool, based on a £20 Arduino, puts a similar degree of power into the hands of the average hobbyist or hacker. However, when the story was covered by Forbes, Toyota’s safety manager dismissed the viability of this type of attack due to the need for physical access to the vehicle.

A £20 tool for attacking a vehicle's communication network.
A £20 tool for attacking a vehicle’s communication network.

When I forwarded details of the CarShark tool to one of the researchers, it was apparent that they had not been influenced by this or any other similar previous work. Their £20 hacking tool was purely a product of their own ingenuity and desire to discover the limits of what is possible with the vehicles they own.

Toyota’s safety manager however dismissed the viability of this type of attack due to the need for physical access to the vehicle.

Removing the firewall

According to the following tweet that appeared in my feed this morning, some drivers may soon be about to remove the single layer of network security provided by the vehicle’s locked doors, when they connect their OBD-II interface directly to the internet.

This Kickstarter campaign, which promises to allow drivers to monitor and control their car via a mobile phone application or web interface, has already exceeded the original $50,000 goal.

Worryingly, while the Kickstarter page discusses regulation and certification regarding the wireless aspects of the product, there is no mention of the product’s safety and security aspects.

Functional safety should be a primary concern when designing a device with such potential control over a moving vehicle.

Wider concerns with the Internet of Things

Earlier this year we saw the story of how a fridge connected to the internet had been requisitioned by hackers to take part in a spam campaign along with 100,000 other devices.

To me, this demonstrates several important points:

  • Manufacturers typically do not design against attacks that their products will face in the real world;
  • Hackers are indiscriminate in the types of device that they attack;
  • Average users are not aware of the way in which their devices could be compromised;
  • Society in general has become so accustomed to connecting devices to the internet that this is now done blindly, without any thought.

While a fridge sending spam is indeed a nuisance, giving malicious individuals the power to cause road traffic accidents is an entirely different matter.

For this reason, I hope that all involved in this Kickstarter project will seriously consider the potential consequences that their product may have before it is released to the public.