Future Tense

For $20 You Can Turn a Car Into a Hacked Zombie

A hacked car could endanger a lot of people if a hacker initiated an attack while the car was on the road and caused the driver to lose control.

Photo by PIUS UTOMI EKPEI/AFP/Getty Images

Your car doesn’t look like a laptop, but if it has digitized features, then it’s really a computer. And if it’s a computer, it can be hacked. To that end, Spanish security researchers are going to present a device next month at the Black Hat Asia security conference that can penetrate a car’s network and sabotage its functions.

For about $20, Javier Vazquez-Vidal and Alberto Garcia Illera built a device that’s smaller than a smartphone. If it’s physically connected to a car, the device causes things like windows, headlights, and even crucial functions like brakes or power steering to malfunction. Cars have an onboard network called a Controller Area Network (CAN bus) that coordinates and operates all of these features. When attached, the hacking device draws power from the vehicle’s electrical systems and connects to the CAN bus via four wires to input commands over Bluetooth from an attack computer. Vazquez-Vidal and Garcia Illera call the device the deviCAN Hacking Tool, or CHT.

As Vazquez-Vidal pointed out in an interview with Forbes, the device is small enough that someone could plant it in a place where it’s not visible and then initiate an attack on the car weeks or months later. With some car models attackers would need to get under the hood or in the trunk to plant the device, but with others the attacker could simply crawl under the car to plant the CHT. Vazquez-Vidal says that the goal of the researcher is to alert car manufacturers to as many vulnerabilities as possible. Garcia Illera adds, “A car is a mini network, and right now there’s no security implemented.”

This is a problem in many “embedded devices” that aren’t thought of as vulnerable and therefore have no anti-virus or malware protection. Anything with a processor is potentially hackable and an embedded device with an Internet connection, like a VoIP phone, can be an open door for hackers to get onto an otherwise protected network. Vazquez-Vidal and Garcia Illera aren’t the first to show how cars can be hacked, but this device is dirt cheap to build, and similar ones could easily spread.

As Reuters reports, lawmakers are looking into the danger posed by vulnerabilities in cars, including Sen. Edward Markey, a Democrat from Massachusetts, who is talking to top automakers about the situation. “As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code and more avenues through which a driver’s basic right to privacy could be compromised,” he wrote in the letter in December. And Vazquez-Vidal is promising that the CHT he and Garcia Illera are presenting at Black Hat Asia will be even more extreme than most of what has been seen previously. Your car may feel like your own personal bubble, but until its network is protected, you won’t know if you have a digital passenger.