A couple of months ago the security researchers Charlie Miller and Chris Valasek demonstrated how to remotely hack a connected, we the news that cars sued by the US state police are also vulnerable to cyberattack is alarming the automotive industry.
The fleet of the VSP includes around 155 2012 Chevrolet Impalas and 427 2013 Ford Tauruses, as well as many other cars.
According to the Dark Reading, Virginia State Police (VSP) launched a project to test the resilience to cyber attacks of its models 2012 Chevrolet Impalas and 2013 Ford Tauruses.
The initiative has been announced by Virginia Governor Terry McAuliffe in May, it aimed at protecting the state’s public safety agencies and citizens from car hacking. The tests were conducted by a public-private working group that focused on stationary police cars.
Several organizations contributed to the project, including the Virginia State Police, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), Kaprica Security, Spectrum, Johns Hopkins Applied Physics Lab, Digital Bond Labs, the Aerospace Corporation, and the Virginia Department of Motor Vehicles. The activities were conducted in coordination with the US Department of Homeland Security’s Science and Technology division and the US Department of Transportation’s Volpe Transportation Systems Center.
“Our executive staff was aware of the issue in the arena and some of the cascading effects that could occur if we didn’t start to take a proactive” approach, explained the Capt. Jerry L. Davis of the Virginia State Police’s Bureau of Criminal Investigation.
The findings are disconcerting, even non-connected cars are vulnerable to attacks, the researchers demonstrated they could make shift gears from park to drive, cause a spike in engine RPMs, cause the engine to accelerate without applying a foot to the pedal, and turn off the engine completely.
The hacks of the VSP vehicles require initial physical tampering of the vehicle as well, the researchers used rogue devices that were installed in the police vehicles. The devices allow to reprogram some of the car’s electronic operations or to work as a bridge to run the attacks via mobile devices.
Another success related to this project is represented by the release of an attack code by the Mitre, the code was used to open the trunk, lock the driver’s door, unlock the passenger doors, turn on the windshield wipers, and squirt wiper fluid.
The hack of state police cruisers’ computer systems required the physical access to the vehicles in order to implant a specifically crafted device.
Like the devices used by Valasek and Miller in the first turn of their tests on car hacking, the researchers used the a dongle that can be plugged into the On Board Diagnostics (OBD) port in order to access the internal Bus of the vehicle. The attackers were able to inject malicious packets to interfere with operations of the police cars.
Brian Barrios, portfolio director of Mitre’s National Cybersecurity Federally Funded Research and Development Center (FFRDC) explained that the first attack proposed by the researchers at Mitre involved a mobile phone app connected via Bluetooth to the implanted device
The Impala isn’t a connected car, so the device designed by the Mitre provided the radio connectivity used to control the car.
Other attacks, on the Ford Taurus were elaborated by Msi, they carried out denial-of-service (DoS) attack that blocked the car from starting, in another successful attack the researchers were able to remotely start the car.
The researchers also designed another dongle-like device that was able to monitor the ODB II port in order to detect any physical attack on it. It is able to detect if hacking tools are plugged into the car’s port, as well as any attacks over the CAN bus.
Even if the attacks on the police cars request for physical access to a vehicle and a deep knowledge of its electronics, it is important to not underestimate the results of this interesting project.
(Security Affairs – Police cars, car hacking)