Well, this doesn’t make me feel any better at all. The automotive diagnostic package known as OBD-II has been around for about a decade and a half, but only in 2008 did the Feds mandate that the Controller Area Network protocol be used in all OBD-II implementations.
Unfortunately, the CAN bus is about as secure as an old version of Windows:
Researchers at the University of Washington and University of California-San Diego have examined the multitudinous computer systems that run modern cars, discovering that they’re easily broken into [pdf] with alarming results. Hackers can disable the brakes of moving vehicles, lock the key in the ignition to prevent the engine from being turned off, jam all the door locks, and make the engine run faster. Less dangerously, they can control the radio, heating, and air conditioning, or just endlessly honk the horn.
I’ve kvetched about OBD-II before, but I had no idea it was vulnerable to malware. And once in, an intruder can do just about anything he wants:
The CAN specification requires little protection, and even those protections it requires were found to be implemented inadequately, with ECUs allowing new firmware to be flashed even while the car was moving (halting the engine in the process), and letting low-security systems like the air conditioning controller attack high security services such as the brakes.
Once the researchers had gained access, they developed a number of attacks against their target vehicles, and then tested many of them while the cars were being driven around an old airstrip. Successful attacks ranged from the annoying switching on the wipers and radio, making the heater run full blast, or chilling the car with the air conditioning to the downright dangerous. In particular, the brakes could be disabled. The ignition key could then be locked into place, preventing the driver from turning the car off.
Yet another reason to keep the old buggy, buggy as it is, for a few more years.
(Via The Truth About Cars.)