Brief history of automotive hacking
As part of my thesis on automotive hacking I reviewed a lot of literature and tried to piece together the history of this subject, which led to this ‘Brief history of automotive hacking’, first published as a Twitter thread and now here.
Vehicle hacking began almost as soon as electronic control units (ECUs) entered the mainstream auto industry in the 1980s, with car enthusiasts seeking to tune their vehicles by modifying the ECU firmware. It took 30 years until the first comprehensive research into vehicle security was published in 2010, by Koscher, Checkoway et al. Prior to this study, other academic research in this field was largely theoretical. The 2010 study demonstrated practically, on two cars, the security flaws which still exist today and form the basis of many automotive attacks. These attacks focus on firmware modification and CAN message injection, both of which require reverse engineering of the target ECU and its bus traffic.
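The rest of this history treats CAN message injection as the basic building block of these attacks (the 2010 and 2011 papers, the Jeep attack chain and the OBD-II based injection mentioned later) without showing what an injected message looks like or why it is visible on the bus. What follows is an added example, not code from any of the papers, researchers or products named on this page. It packs a frame in the Linux SocketCAN `struct can_frame` layout (the form a raw CAN socket or a tool like `cansend` puts on the wire), then runs a simple per-ID timing heuristic over a constructed candump-style log: the legitimate ECU keeps transmitting its periodic frame, the attacker cannot silence it, so an injected copy of the same arbitration ID shows up as a sudden collapse of that ID's inter-arrival time. The identifiers, payloads and timings in the log are made up for the example and do not correspond to any real vehicle, and the learn-from-the-first-gaps baseline is an assumption of the example rather than a method from the page.

```python
"""Added example: a CAN frame on the wire, and a timing heuristic that exposes injection.

All identifiers, payloads and timings here are constructed for illustration; they are
not captures from, or signal definitions of, any real vehicle.
"""
import statistics
import struct
from collections import defaultdict

# Linux SocketCAN `struct can_frame`: u32 can_id, u8 len, 3 pad bytes, 8 data bytes (16 bytes).
CAN_EFF_FLAG = 0x80000000  # set in can_id for 29-bit extended identifiers
CAN_ID_MASK = 0x1FFFFFFF   # strips the EFF/RTR/ERR flag bits


def pack_can_frame(can_id: int, data: bytes) -> bytes:
    """Serialise one classical CAN frame as write() on a raw CAN socket expects it."""
    if len(data) > 8:
        raise ValueError("classical CAN carries at most 8 data bytes")
    if can_id > 0x7FF:
        can_id |= CAN_EFF_FLAG
    return struct.pack("=IB3x8s", can_id, len(data), data.ljust(8, b"\x00"))


def unpack_can_frame(raw: bytes):
    """Inverse of pack_can_frame: returns (arbitration id, payload)."""
    can_id, length, data = struct.unpack("=IB3x8s", raw)
    return can_id & CAN_ID_MASK, data[:length]


def parse_candump_line(line: str):
    """Parse one candump -l style line: '(timestamp) iface ID#HEXDATA'."""
    ts, iface, frame = line.split()
    can_id, _, payload = frame.partition("#")
    return float(ts.strip("()")), iface, int(can_id, 16), bytes.fromhex(payload)


def find_injected_frames(log_text: str, learn_intervals: int = 3, factor: float = 0.5):
    """Flag frames whose arbitration ID reappears much sooner than its learned period.

    Most IDs are broadcast by one ECU on a fixed schedule. An injector sending the same ID
    cannot stop the real sender, so both streams are on the bus and the per-ID gap collapses.
    Assumption of this example: the first `learn_intervals` gaps per ID are clean traffic and
    their median is taken as that ID's baseline period.
    """
    last_seen = {}
    learned = defaultdict(list)
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, can_id, data = parse_candump_line(line)
        if can_id in last_seen:
            gap = ts - last_seen[can_id]
            if len(learned[can_id]) < learn_intervals:
                learned[can_id].append(gap)
            elif gap < factor * statistics.median(learned[can_id]):
                flagged.append((ts, can_id, data.hex().upper()))
        last_seen[can_id] = ts
    return flagged


# The frame an injector would write: same ID as a periodic message, attacker-chosen payload.
SPOOFED_FRAME = pack_can_frame(0x0C9, bytes.fromhex("FF00000000000000"))

# Constructed log: ID 0x0C9 every 10 ms and ID 0x191 every 20 ms from legitimate ECUs,
# then three injected 0x0C9 frames 1 ms apart starting at t=0.051 s.
SAMPLE_LOG = """\
(0.000) can0 0C9#0000000000000000
(0.005) can0 191#1122334455667788
(0.010) can0 0C9#0000000000000000
(0.020) can0 0C9#0000000000000000
(0.025) can0 191#1122334455667788
(0.030) can0 0C9#0000000000000000
(0.040) can0 0C9#0000000000000000
(0.045) can0 191#1122334455667788
(0.050) can0 0C9#0000000000000000
(0.051) can0 0C9#FF00000000000000
(0.052) can0 0C9#FF00000000000000
(0.053) can0 0C9#FF00000000000000
(0.060) can0 0C9#0000000000000000
(0.065) can0 191#1122334455667788
"""

if __name__ == "__main__":
    print("spoofed frame bytes:", SPOOFED_FRAME.hex())
    for ts, can_id, data in find_injected_frames(SAMPLE_LOG):
        print(f"{ts:.3f}s  id=0x{can_id:03X}  data={data}  <- arrived too soon, likely injected")
```

Timing alone is a weak detector in practice (event-driven IDs have no fixed period, and an attacker who has reflashed the legitimate ECU, as in the firmware-modification line of attacks, sends on schedule), which is one reason later work moved towards authenticated messages and properly filtering gateways rather than bus-side anomaly detection.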
Despite the 2010 paper featuring sophisticated attacks, the researchers required physical access to the vehicle, so the same effect could have been achieved by simpler means, for example by cutting the brake lines. However, just a year later in 2011, the same group (Checkoway, Koscher et al.) released their follow-on paper, demonstrating remote attacks on the same vehicles. This significant paper exposed remote vulnerabilities in the infotainment system, the Bluetooth stack and the telematics unit. The researchers exploited these remote entry points to reach the CAN bus and perform CAN message injection. The paper was a serious wake-up call to the automotive industry on security; some manufacturers took note, others less so.
Fast forward a year to 2012 and DARPA funded two hackers inspired by the previous work of Koscher, Checkoway et al., with the goal of releasing open-source hacking tools to inspire more research into this area. The two researchers, Miller and Valasek, released their first investigation with example attacks on a 2010 Ford Escape and a 2010 Toyota Prius. These attacks required physical access to the vehicle and once again showed how easy CAN message injection and firmware modification are once an attacker is on the bus. Proving a success, DARPA followed with another grant in 2013 for Miller and Valasek, this time to produce a platform that would let researchers conduct automotive security research without having to purchase a vehicle. Now aiming to turn the attacks from physical to remote, Miller and Valasek analysed the remote attack surfaces of 21 vehicles. They identified the 2014 Jeep Cherokee as the most vulnerable and continued to research this vehicle, culminating in 2015 in perhaps the most publicised remote hack of a vehicle. Miller and Valasek demonstrated the attack live on a willing journalist driving a Jeep Cherokee on a highway, controlling the speakers, windscreen wipers and dashboard and finally killing the engine. This sophisticated attack was the culmination of their three years of research, an attack chain exploiting vulnerabilities in the vehicle's remote networking (the Uconnect head unit's cellular connection), its infotainment architecture and a poorly designed CAN bus gateway.
The Jeep hack, like the 2011 paper, inspired another wave of researchers to get involved in vehicle hacking, and these researchers were now also armed with the ‘bible’ of vehicle hacking, The Car Hacker's Handbook, authored by Craig Smith, the founder of Open Garages, a vehicle tuning enthusiast group.
Next came DEF CON 23 in 2015, the renowned hacker conference, where much research was presented on the topic and the Car Hacking Village (CHV) was formed. The CHV featured a CTF with physical cars and components to hack. Two main presentations stood out, one by Samy Kamkar and another by Marc Rogers and Kevin Mahaffey. Kamkar's presentation revealed vulnerabilities in the General Motors OnStar car app, allowing an attacker to remotely locate the vehicle, sound the horn and start or stop the engine. Kamkar also presented his RollJam jam-and-replay attack on rolling-code remote keyless entry. Rogers and Mahaffey's presentation revealed the first major investigation into Tesla vehicle security, resulting in the ability to access and remotely control the infotainment system.
Also in 2015, well-known hacker George Hotz started the company Comma AI, which now commercially sells driver-assistance hardware that attaches to existing cars. This hardware controls steering and speed through CAN message injection, with bus access via the OBD-II diagnostic port. With vehicle hacking becoming more prominent, Tencent Keen Security Lab formed in 2016 and has since released Tesla vulnerabilities every year and, more recently, BMW vulnerabilities. The vulnerabilities Keen Lab have exploited range from hacking the Tesla infotainment console through a WebKit vulnerability to fooling Tesla Autopilot with adversarial examples.
Since 2016, the field has grown greatly, with the number of researchers, penetration testing companies and security engineers in this line of work continually increasing. Independent researchers have been encouraged by bug bounty programs from companies such as Fiat Chrysler, Tesla and Ford. Penetration testing consultancies such as Pen Test Partners have published blog posts on their experience in this field, and there is a constant stream of automotive security roles being advertised. Looking towards the future, vehicles will remain an interesting target to hack, mainly due to their inherently complex internal networks but also because they contain many third-party systems.
To read more, there’s a good GitHub repo with a load of resources that I happened to find after I had researched most of the above.