- The Washington Times - Friday, August 7, 2015

The surge of high-tech smart cars on the roads is a surefire sign the auto industry is embracing the so-called “Internet of things.” But at a hacker conference in Las Vegas on Friday, researchers said poor security practices could pose some very serious problems down the road.

During back-to-back talks on day two of DefCon, an annual conference billed as the largest of its kind in the world, security experts explained how they were able to exploit computer vulnerabilities to do everything from opening the garage door of a neighbor’s house to hacking the Tesla Model S.

“Anything that man makes, man can break,” said Mark Rogers, a researcher with CloudFlare who co-hosted a packed room brimming with computer hackers and the outright curious on Friday afternoon. He discussed how the onboard devices embedded in the Model S had been compromised to give attackers control over many of the car’s features.

The Model S is the “most connected car in the world,” Mr. Rogers said. And on the eve of what he called an “explosion of connected things,” he said it’s imperative to start spotting vulnerabilities now as more and more devices are outfitted to be used on the Internet.

“What we are trying to do is secure all the things,” added his colleague, Kevin Mahaffey, the chief technology officer at San Francisco-based security firm Lookout.

“But when that happens you have all of these new industries building connected things?” he asked.

Mr. Mahaffey said the answer is that “bad things happen.” When new industries start to make devices that connect to the Web, he said, companies lacking an adequate understanding of digital security roll out hardware and software amid intense competition, and not always with the right oversight.

That’s not to say they’ve labeled the Model S as such. The duo said that they consider Tesla’s top car to be an archetype for what all automobiles will soon look like and that it is actually designed very well, by their standards. Nevertheless, their team of roughly 20 security researchers was able to physically disassemble portions of the Model S to gain an understanding of the technology inside and then commandeer the carriage.

“What that essentially means is we can do anything the touchscreen can do,” Rogers said, demonstrating later with a brief video how their hack had allowed them to power on a Tesla engine sans keys and drive it away.

Earlier in the week, the duo said, Tesla released a software patch to automatically fix some of the very vulnerabilities they helped identify. Had the auto maker not acted fast, however, then the update might have been tragically too late.

“You have to be really careful hacking cars,” Rogers said, because “a car is a computer system that is traveling at 65 miles per hour.”

“The worst thing that happens isn’t a bluescreen,” warned Mr. Mahaffey, referring to the infamous and universally dreaded error message that has long popped up on broken Windows computers.

Earlier in the afternoon, security researcher Samy Kamkar explained during a separate talk how his own interest in understanding and exploiting the technology behind auto parts had motivated him to make a device, the OwnStar, which he built with barely $300 worth of parts. Once the device was physically affixed to a car, he said, he was able to take advantage of a vulnerability in the smartphone application used in tandem with the highly popular OnStar navigation system, the results of which allowed him to remotely control a hacked car’s horn, lights, locks and more.

Elsewhere in his talk, Mr. Kamkar detailed how he had hacked a Barbie toy sold by Mattel to bypass the security of commonly sold garage door locks — one of many exploits he said he was able to carry out inexpensively to take advantage of outdated but widely used technology all too common in the auto industry.

For other security researchers, however, hacking cars doesn’t crack it. Later on Saturday, Runa Sandvik and Michael Auger detailed during their own presentation how they were able to hack the technology behind a computer-powered rifle scope, giving them a range of abilities from preventing a gun from firing to confusing its supposedly smart crosshairs.

“Journalists and CNN last week asked me why we decided to hack a firearm, and I told them it’s because cars are boring,” Ms. Sandvik said. “In reality, it’s because we can. It’s fun, the technology is there, and it seemed like something that was worth poking at.”

DefCon continues through Sunday at Paris and Bally’s on the Vegas strip.
