Digital carjackingResearchers show how to unlock, start a car remotely

Published 5 August 2011

Two researchers at the Black Hat event in Las Vegas demonstrated they could send commands from a laptop to unlock the doors of a Subaru Outback — and then start the car; they said that in addition to vehicles, many other GPS-tracking devices, 3G security cameras, urban traffic control systems, SCADA sensors, and home controls and systems are also telephony-enabled and, as a result, susceptible to attack

On Wednesday, at Black Hat in Las Vegas, two researchers demonstrated they could send commands, via a laptop, to unlock the doors of a Subaru Outback — and then start the car.

The researchers, Don Bailey and Matthew Solnik, security consultants at iSec Partners, used what they called “war texting” to tap into a system used to control the cars remotely.

CNN reports that the researchers did not identify the name of the affected system so that the manufacturer would have  time to correct the problem.

In the presentation, titled “War Texting: Identifying and Interacting with Devices on the Telephone Network,” Bailey said that in addition to vehicles, many other GPS-tracking devices, 3G security cameras, urban traffic control systems, SCADA sensors, and home controls and systems are also telephony-enabled and, as a result, susceptible to attack.

I could care less if I could unlock a car door,” he said. “It’s cool. It’s sexy. But the same system is used to control phone, power, traffic systems. I think that’s the real threat.”

Bailey said that such systems often receive firmware updates and other messages over the Global System for Mobile Communications (GSM) telephone network in the form of SMS messages. It is their reliance on the GSM network that makes such systems vulnerable to reverse engineering and abuse.

“Technology is a good thing for us,” he said. “We can’t be overly paranoid about what we’re doing. But at the same time, history has shown us it’s not always a good idea.”

It took Bailey and Solnik only two hours to set up their private GSM network, then figure out how to communicate with the in-car system directly by posing as an authorized server.

An attacker could easily locate other vulnerable systems on the global telephone network, he added. Once these platforms are identified, attackers can intercept the messages sent to and from such systems, then send their own messages commanding the system to send back its location or other data.

Bailey noted that manufacturers could purchase more expensive parts that would make these types of hacks impossible. He urged industry associations to recommend this approach to their members, even though cost increases would be “highly significant.”

We have to,” he said. “We have to find elegant ways to find that sweet spot between cost and security.”