Car Hacking

Modern cars contain dozens of computers (ECUs) connected via CAN bus. Security researchers have demonstrated remote takeover attacks, including disabling brakes and steering. The automotive industry is now implementing security-by-design.

Period2010-Present

The Jeep Hack Demonstration

In 2015, security researchers Charlie Miller and Chris Valasek made headlines by remotely hacking a Jeep Cherokee via its Uconnect infotainment system. They could control the radio, climate control, windshield wipers, and most critically—steering, brakes, and transmission.

Attack Vectors

Cars present multiple attack surfaces:

  • OBD-II Port: Direct access to CAN bus, used for diagnostics and flashing ECU firmware
  • Infotainment: Connected to CAN bus, vulnerable to malware and remote exploits
  • Bluetooth: Can contain vulnerabilities enabling code execution
  • Wi-Fi: Passive monitoring mode can capture packets
  • Cellular: Telematics units provide remote connectivity
  • USB: Malicious charging cables or infected software updates

The CAN Bus Exploit

Once on the CAN bus, an attacker can spoof any ECU message. Brakes are controlled by a simple CAN message—there's no authentication or verification that the message came from the brake module. This fundamental vulnerability affects most vehicles.

Industry Response

After the Jeep recall, the automotive industry took security seriously. ISO/SAE 21434 (2021) defines cybersecurity engineering requirements. General Motors, Ford, and others now have bug bounty programs. Secure gateways, hardware security modules (HSM), and secure boot are now standard in new vehicles.

Timeline

2010Miller & Valasek begin car hacking research
2013Miller demonstrates wireless Jeep hack
2015Remote Jeep hack - Charlie Miller & Chris ValasekWired article, Uconnect vulnerability
2016Jeep recall - 1.4 million vehicles
2016CAN bus security standards beginISO/SAE 21434
2019ECU patching debateAftermarket vs OEM
2020sV2X security protocolsC-V2X security architectures