Microsoft Subnet An independent Microsoft community View more

Security researcher warns cars can be hacked to remotely take control

Jonathan Brossard said of his work for vehicle manufacturers Europe, it’s possible to sit at desk, hack and remotely seize control of a car on the other side of the globe.

Imagine a job where you go into work, sit down at your desk, boot up your machine and then launch a cyberattack on a car while it is being driven on the other side of the globe. While that might sound like a movie plot, security research engineer Jonathan Brossard says it's possible.

Taxi on fire

He's not talking about sitting in the backseat with wires connected to the car's brain so that the driver is fully aware what might happen. Instead, imagine a scenario where the driver is the only person in the vehicle when suddenly he realizes that he no longer is in control because an attacker hacked the car's on-board computer and remotely took over control.

Brossard, CEO of Toucan Systems, told the Sydney Morning Herald that he "does not know of a car that has been hacked on the road but says his company does it for vehicle manufacturers in Europe."

car hacking
In order to determine if a car is vulnerable to a cyberattack, white hats act as attackers and try to hack a vehicle. If successful, then the car manufactures will patch it and he tries to hack it again.

Brossard explained:

''The vehicle is remote from me. I am sitting at the desk and I am using the computer and driving your car from another country. I am saying it is possible."

''A car is, technically speaking, very much like a cell phone and that makes it vulnerable to attack from the internet. An attack is not unlikely.''

If that seems like a familiar-sounding scenario, it might be because such a cyberattack on a car, a 2013 Mercedes, was proposed as a possible theory behind journalist Michael Hastings' horrific car crash. Hastings, according to WikiLeaks, had contacted a WikiLeaks lawyer "just a few hours before he died, saying that the FBI was investigating him."

At the time, former US National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke claimed, "In the case of Michael Hastings, what evidence is available publicly is consistent with a car cyberattack." But it would be "nearly impossible to trace 'even if the dozen or so computers on board hadn't melted'." Clarke said, "There is reason to believe that intelligence agencies for major powers" know how to remotely seize control of a car, but if the car was hacked, "you can't prove it." He added that if the wreck was a result of a cyberattack, then "whoever did it would probably get away with it."

Hastings was supposedly investigating a privacy lawsuit brought by Jill Kelley against the Department of Defense and the FBI. Kelley, you might recall, gained infamy after emails were leaked tying her to a sex scandal with former CIA Director David Petraeus. Hastings wife later said he wasn't working on that story. Despite that Hastings sent an email with the subject of "FBI Investigation re: NSA" hours before his crash, the FBI insisted Hastings was not under investigation.

Hacking to remotely take control of vehicles has apparently moved beyond something only intelligence agencies can allegedly do; as Brossard pointed out, that's something he does now for work. Since he's working with car manufacturers in Europe, then it seems the cyberattack to remotely take control of the vehicle is not a backdoor hack of OnStar. Brossard knows more than a thing or two about backdoors. In his 2012 Def Con talk, "Hardware Backdooring is Practical," he demonstrated bootkitting Windows; his proof-of-concept malware was described as the "perfect" backdoor that would be "persistent" and "virtually undetectable."

Brossard also was a consultant for the video game Watch Dogs that "explores the impact of technology where everything is controlled by one computer and railways, traffic lights and energy systems are all vulnerable to the hacker." But Watch Dogs is a subject for another time.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.