Hacking Smart Cars Without an Internet Connection

A Chinese hacker who goes by Daishen claims he can hack the Volkswagen Toureg, Audi A6, Audi A7 and more, without an internet connection through the car’s GPS and stereo systems exploiting the flaws in car’s security layers. Craig Young, Cybersecurity Researcher for Tripwire commented below on this claim.

Craig Young, Cybersecurity Researcher, Tripwire:

“Early automobile hacking did not actually involve internet connections.  University of South Carolina and Rutgers researchers demonstrated in 2010 that it was possible to gain control of a car’s onboard computers by exploiting the wireless tire pressure monitor even with the car moving 60mph.  Bluetooth stacks used in entertainment systems have also been shown over the years to expose attack surface.

Hacking GPS systems has become much easier in recent years with considerable improvements in software defined radio.  For well under $500, anyone can get started spoofing GPS satellites now.  This means that flaws within these layers are readily within reach of a moderately advanced attacker.  It is also not surprising to hear that computer systems on cars are still not doing an effective job at authenticating access.  Auto manufacturers must take the risk of car hacking seriously especially in a post Miller/Valasek world.  (This hacker duo turned the idea of car hacking on its head when their DARPA sponsored research led to a massive recall by Fiat Chrysler of America.)

Fortunately the industry is evolving to introduce bug bounties and support the security community at events like DEF CON.  This year will mark the second “car hacking village” at DEF CON, an area where security enthusiasts and auto engineers can learn about the problems of auto security.”