Yup, that is all it takes.
Eric Evenchick will present at Blackhat Asia a $60, open source, car hacking tool (see article). You have to provide your own USB and OBD2 cables. With Eric’s CANCard and his library of Python based scripts, you can hack around in your car (or maybe someone else’s) and see what kind of havoc you can wreak.
Before you panic, your car is not likely to be hacked because the car companies have one thing going for them. Diversity.
Unlike your Windows computer or iPhone, there is a huge amount of variability between cars – between cars from different companies, between cars of the same company but different models and between cars of the same model but different years,
That means that any hack you make might only work on a 2014 Ford Taurus – and not on a 2013 Taurus or 2014 Ford Escape and certainly not on a 2010 Chrysler 300. Or it might. It’s a crapshoot.
That also probably explains why it takes so long to get a new car from design to production – the designers insist on reinventing the wheel with every car. Ever notice how many auto light bulbs or wipe blades there are in an auto parts store.
Still, for $60 plus a couple of cables you too can mess with someone’s car. That has to increase the likelihood of people messing around. And when they mess around they will find stuff.
Depending on the car companies attitude when the hackers tell them about their problems, it could enhance reliability and security.
On the other hand, it may be hard for auto makers to patch your window control without having you bring the car into the dealership, which is expensive. BMW very proudly patched a security hole in their telematics system (that is sort of a fancy term for a cell phone built into your car and all the stuff that is connected to – like GM OnStar or Ford Sync) without having owners bring their cars in. High end cars are more likely to have telematics – but it is still an option in most cases.
And, if car companies can call your car and patch your window control, can hackers do it also?
Or maybe the hackers will decide to publicly disclose the security hole to embarrass the car companies into action.
Or maybe, they will report what they find to the National Transportation Safety Board.
These last two options probably will keep car executives up at night.
A bit scary.