Estimated reading time: 2 minutes
Demonstrated on an Audi TT, the process starts by compromising a mechanic’s computer to be plugged into the car’s MCU for diagnostics purposes. Once in, the mechanic’s computer can be used by intruders to disable airbags (and other functions) silently and without the mechanic’s or car owner’s knowledge. This is done by replacing the FTDI DLL (which is used to communicate information via the diagnostics cable) with a malicious version.
Levente Buttyán of CrySyS Lab told Vulture South that the software he and his team infiltrated is widely-used by Volkswagen cars and while the hack was demonstrated on an Audi, “it works with other cars in the VW group…”
The scariest part of the attack is the silence with which it’s carried out.
“After switching off the airbag, we can consistently report to the application that it is still switched on,” Levente says.
The malicious software intercepts diagnostic information with a man-in-the-middle attack, then sends a command to the car to disable the airbags while replaying “a recorded message” that tells the mechanic’s diagnostics application that everything is fine (much like the famous Stuxnet hack did).
The team stressed that this is not a vulnerability that’s specific to VW but a flaw in the third party software widely used by mechanics.
A QUICK PSA
This feeds straight into the concept of the weakest link in a chain being our own flaws. Even if Paypal employed the strongest security system known to man, it wouldn’t matter much if you can simply social engineer your way into someone’s accounts… and in this case, it’s mechanics’ computers that are the weakest link. Sure, you can’t simply disable the Audi’s airbags remotely, but what good does that do when you’ve got mechanics jacking compromised computers and diagnostic machines into your car’s ECU?
Car hacks have been on the rise lately and it is no surprise. The farther we go down the road of self-driving and smart cars, the more of these types of hacks we’ll see. Smart cars are the way of the future, but we are nowhere close to being safe, and that needs to change.
That change starts by educating ourselves (and mechanics) about the dangers of using unclean computers, especially when it comes to jacking our machines into other people’s property. As the internet of things grows, so must our awareness and the steps we take to keep ourselves safe.