It's Easy to Hack Today's Connected Cars

This story is part of Treehugger's news archive. Learn more about our news archiving process or read our latest news.
Take a quick course like this one, and you're ready to hack. But maybe not cars — that could require advanced study. (Photo: Relly Annett-Baker/flickr).

We all know that when a plane crashes, investigators can tell what happened by looking at the “black box,” which usually survives the impact and records data leading up to the disaster. But did you know your car almost certainly has a black box, too?

Yep, an estimated 96 percent of 2013 cars and trucks left the factory with so-called event data recorders, and that will be 100 percent by September via mandates from the federal safety agency.

That’s good news, right? Unfortunately, if you Google “erase crash data youtube” you’re going to see a huge number of highly trafficked videos letting you know that with their software it’s possible to manipulate the post-crash data that the black box (below) records. In effect, hacking your own accident after the fact. Do you want the evidence to show that you hit the brakes, when you really didn’t? No problem.

By the way, there are many ways of accessing data from today's cars, as Jim Farley, a global vice president at Ford, just pointed out at the huge Consumer Electronics Show in Las Vegas this week. "We know everyone who breaks the law," he said. "We have GPS in your car, so we know what you're doing." Eek! Ford later apologized, and said it would never do anything nefarious with peoples' data.

car black box

The implications of black box manipulation are pretty huge, because if the data (which is legitimately accessed by cops, insurance investigators and carmakers) isn’t credible, the whole purpose of the data recorders disappears.

Tom Kowalick, a motor vehicle standards guru for the Institute of Electrical and Electronics Engineers (IEEE) told Design News that there are as many as 23 companies that are profiting off crash data hacking. And it’s not currently illegal, because there’s no clear ownership of the black box data.

There are other reasons to worry about third parties getting access to your car’s data. As more and more cars have Internet connections, it might even be able to hack into a moving vehicle and do nasty things — like slam on the brakes, manipulate the steering wheel or even worse. Some researchers recently demonstrated exactly this with a Toyota Prius and Ford Explorer.

Sure, it’s cool that, for instance, the Tesla Model S can get a software update while its owner sleeps. But what if the download is not so benign? The issue has gotten some legislators concerned. Sen. Ed Markey (D-Mass.) sent a letter to Volvo North America in December noting the more than 50 electronic control units (ECUs) that today’s cars carry, and pointed to a Defense Department study that demonstrated that government hackers were able to get in and “cause cars to suddenly accelerate, turn, and kill the breaks (sic).”

Markey went on to note, “As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised.”

There are lots of ways in, the Senator said — a Bluetooth connection, OnStar (on GM vehicles), malware in a synced Android cellphone, even an up-to-no-good file on a CD in the stereo.

And you thought it was just your email that was getting hacked — and it was only the government you had to worry about. Here's a video of how some guys hacked that Prius and Explorer: