Recently in Austin, Texas (United States), over 100 cars were rendered entirely unusable after a hacker gained access to a previously undisclosed “black box” hidden inside the vehicle by the automobile dealership that sold the cars. The purpose of the black box was to remotely disable vehicles for automobile owners who failed to make payments on time to the dealership.
In the ‘good-old days,’ dealers who attempted to repossess cars were faced with the challenge of actually locating the car and towing them away, often in the middle of the night, in a high-risk operation which often resulted in confrontations with the vehicle owners. Now, as the result of technological ‘advances’ a company known as Pay Teck has developed a method for “ensuring payment for cars and equipment from customers who may have a less-than-perfect credit rating by installing a controller that allows dealers to disable the starter function of the vehicle in case of delinquent payments.”
In theory, this may have sounded like a fine idea, but as demonstrated below, once one installs a back-door black-box system in a vehicle, one never knows who might eventually access the device. In the Texas case, a disgruntled employee from a local car dealership triggered the hidden back-door devices after being fired from his job. Using the password and account of fellow employee, the individual in question, Omar Ramos-Lopez, had the capability to disable more than a thousand vehicles “protected” with the Paytech black box. The case originally came to police attention after the dealership, the Texas Auto Center, received hundreds of calls within a few days from angry customers complaining that either their vehicles would not start or that their horns were honking incessantly and could not be turned off. Eventually the Austin Police Department High Tech Crime Unit tracked down and arrested Ramos-Lopez as the primary suspect in the case.
This incident raises a significant number of legal, technological, security and policy questions about the use of such technologies. Firstly, is it a good idea to have these devices installed in automobiles capable of traveling at highway speeds? Could the cars have been disabled while moving at 100 kilometers per hour? What injuries might have been caused? Did the drivers of the vehicle know that such devices were in fact installed in the cars they had purchased? If not, and if the systems were installed surreptitiously, how is this technology different from any other criminal trojan horse program? Without due disclosure, could either the dealership or the manufacturer of the technology be criminally prosecuted for unauthorized access to a computer system?
Today’s vehicles may have up-to 50 separate microprocessors on board and are packed with up to 100 million lines of computer code, more than in some jet fighters. The software and processors from these on-board computers control any number of systems including those that unlock doors, adjust seats, start the ignition, manage the powertrain, deploy airbags, determine the correct transmission gears and optimize fuel efficiency. Together, they represent an exciting new challenge and unexplored frontier for criminal hackers looking to test their mettle and prove their hacking skills.
A 2009 Toyota Prius is vastly more technologically complicated than a 1970 Toyota Corolla. The increased technology has a host of benefits including improved fuel economy, horsepower and a nice connector for your iPod—but at what cost? The more complex the system, the more likelihood for failure. Thus whether through a deliberate hacker attack or an engineering deficiency, the modern automobile is subject to computer system failures.
Significant press coverage has been dedicated to the recent challenges faced by Toyota Motor Corporation and the purported sudden acceleration and braking problems on their vehicles. With nearly ten million vehicles recalled to-date, Toyota is facing considerable expense and lawsuits. What was originally described simplistically as a problem with the vehicle’s floor mats, has instead now been attributed to the car’s electronics and on-board computers. Yet given the complexity of the modern automobile and the amount of sub-contracted parts manufactured by third-party suppliers, how long will it be before such problems plague the rest of the industry?
Recently Ford announced plans to turn its cars into mobile Wi-Fi hot spots, boasting that its customers on their next road-trip to grandma’s house would soon “be able to finish online holiday shopping, while the kids chatted with friends and updated their Facebook profiles.” (Really? The twenty-minute trip to grandma’s requires broadband access to Tweet about what you had for lunch?). That point aside, what will be the effect of millions of new wifi hotspots in the form of automobiles making their way through highways, cities and towns?
How much harder will it be for investigators to try to locate and identify suspects committing computer crime when ever new car on the road is it own internet cafe subject to wardriving? How might these automobile-based Wifi systems connect with, intentionally or unintentionally, with the 50 other on board computers? How might Wifi-enabled autos provide an obvious method of attack for computer hackers to go after other auto-based computer systems?
While Utopian plans to bring the infobahn to the autobahn sound enticing, serious consideration must be given to plethora of unanswered legal, privacy, technological and security concerns. While intelligent road systems promising drivers the ability to put their cars on autopilot, the potential damage could be significant should a hacker gain access to an individual cars computer system. Moreover, what are the potential critical infrastructure implications of hundreds of cars suddenly accelerating or stopping due to a remote input command delivered over the Internet?
In the Pay Teck black-box case below, what would the effect have been if several thousand cars were disabled simultaneously? What might happen if these or similar devices were installed in police cars, ambulances, fire engines and school buses for the purposes of “protecting” the municipal vehicles from theft? Could the disgruntled insider disable the police force or fire department?
Vehicle on-board assistance systems such as General Motors Onstar have been installed in nearly five-million vehicles in the United States of Canada. The systems, which offer an array of vehicle safety and security systems via the mobile telephone and GPS networks, recently upgraded their services to offer remote ignition blocking to slown down stolen vehicles. The service allows equipped Onstar vehicles to be disabled in a fashion similar to the Pay Tech technology. Given the vast turbulence, layoffs and restructuring in the automobile industry, could another disgruntled employee issue a command that remotely disabled five million cars? While GM and Onstar would no doubt dispute the possibility, as demonstrated in the Texas case below, a built-in backdoor is just that. One never knows who will walk through it…
Hacker Disables More Than 100 Cars Remotely
by Kevin Poulsen
March 17, 2010
More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.
Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots.
“We initially dismissed it as mechanical failure,” says Texas Auto Center manager Martin Garcia. “We started having a rash of up to a hundred customers at one time complaining. Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.”
The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle.
Texas Auto Center began fielding complaints from baffled customers the last week in February, many of whom wound up missing work, calling tow trucks or disconnecting their batteries to stop the honking. The troubles stopped five days later, when Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, says Garcia. Then police obtained access logs from Pay Technologies, and traced the saboteur’s IP address to Ramos-Lopez’s AT&T internet service, according to a police affidavit filed in the case.
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
“Omar was pretty good with computers,” says Garcia.
The incident is the first time an intruder has abused the no-start system, according to Jim Krueger, co-owner of Pay Technologies. “It was a fairly straightforward situation,” says Krueger. “He had retained a password, and what happened was he went in and created a little bit of havoc.”
Krueger disputes that the horns were honking in the middle of the night; he says the horn honking can only be activated between 9 a.m. and 9 p.m.
First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency. Proponents say the systems let financers extend credit to consumers who might otherwise be ineligible for an auto loan.
Austin police filed computer intrusion charges against Ramos-Lopez on Tuesday.