With $15 in Radio Shack parts, 14-year-old hacks a car

A 14-year-old boy taking part in a cyber-hacking challenge -- after just one night with $15 worth of Radio Shack parts -- was able to communicate wirelessly with a vehicle's internal bus and control some mechanical functions.

A teenager not even old enough to drive a car was able to wirelessly connect to a vehicle's internal computer network and control various functions.

The 14-year-old built an electronic remote auto communications device with $15 worth of Radio Shack parts that were assembled in less than a night.

Auto executives at a conference this week sponsored by the Center for Automotive Research revealed how stunned they were by the feat, which actually happened last summer, noting it shed light on the need for greater security as vehicles gain more wireless capabilities.

The boy, whose name is not being released, was among 30 other students, ranging from high school students to college undergraduates to PhD students, who participated in the third annual Battelle CyberAuto Challenge. The year, make and models of the cars experimented on during the challenge were not disclosed.

While the CyberAuto Challenge was held last July, a recent report by U.S. Sen. Edward Markey (D-Mass.) and comments from auto executives at this week's conference brought it back into the spotlight.

Markey's office issued a report on vehicle security and privacy earlier this month, noting that automakers are developing fleets with fully adopted wireless technologies like Bluetooth and wireless Internet access, but aren't addressing "the real possibilities of hacker infiltration into vehicle systems."

"Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected," Markey, a member of the Commerce, Science and Transportation Committee, said in a statement. "We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st century American drivers."

Held in Troy, Mich., the CyberAuto Challenge is a five-day gathering of auto industry engineers, academic researchers and members of the white-hat hacker community who assist the students with knowledge of their various vehicles.

Also in attendance at the CyberAuto Challenge were White House staff members and lawmakers.

After the students were educated on vehicle hardware, internal bus systems and wireless communication protocols, they divided into teams and attacked their assigned automobiles.

With just a little soldering and assembly, the 14-year-old built a device to wirelessly communicate with a vehicle's controller area network (CAN) and remotely control non-safety related equipment such as headlights, window wipers and the horn. He was also able to unlock the car and engage the vehicle's remote start feature.

Andrew Brown Jr., chief technologist at Delphi Automotive, was on hand for the challenge and was quoted as saying there is no way the boy should have been able to do what he did.

According to some security experts, infiltrating a vehicle's CAN should be an arduous process that requires in-depth planning. But the kid even declined help from the technical experts on hand.

"It was mind-blowing," Brown said.

Anuja Sonalker, lead scientist for Battelle's cyber auto group, said that -- just like the computer industry -- automakers are rolling out technology first and security second.

"Malware surfaced a lot later than computer technology," Sonalker said. "We've built security as an afterthought in all industries."

The Battelle CyberAuto Challenge is meant to keep the auto industry "on its toes," she said.

Sonalker also noted that critical vehicle systems, those that control braking or acceleration, could not be accessed remotely because there are physical firewalls built into CANs. "Automakers have done a good job with safety," she said.

Far from being upset, those from the industry who were in attendance at the academic challenge were pleased to learn of the security issues.

"The findings...were handed over to automakers so they can take it back to their engineers, and they've been happy with what was discovered," Sonalker said.

"Hopefully, this is something the auto industry understands: This means people are watching and we have to do a great job with new technology in putting all the protections in from day one," Sonalker said.

But Markey's report, "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk," accused the auto industry of neglecting security and privacy gaps.

The report is based on responses from 16 major automakers to questions from the lawmaker about security and privacy vulnerabilities, and cited a 2013 Defense Advanced Research Projects Agency (DARPA) study. That study included two researchers who were able to connect a laptop to two different vehicles' computer systems using a cable and send commands to different electronic control units (ECUs) through the vehicle CAN. That allowed them to control the engine, brakes, steering and other critical vehicle components.

"Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers," the Markey report said.

In fact, most automobile manufacturers were unaware of or unable to report on past hacking incidents, according to the report.

Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, the report said, "and most say they rely on technologies that cannot be used for this purpose at all."
