By Sebastian Anthony on July 28, 2011 at 7:10 am
In news that will probably leave you tutting and muttering “I knew this would happen,” two hackers have found a way to unlock cars that use remote control and telemetry systems like BMW Assist, GM OnStar, Ford Sync, and Hyundai Blue Link. These systems communicate with the automaker’s remote servers over standard mobile networks like GSM and CDMA, and with a clever bit of reverse engineering the hackers were able to pose as those servers and talk directly to a car’s on-board computer via “war texting,” a riff on “war driving,” the act of finding open wireless networks.
Don Bailey and Mathew Solnik, both employees of iSEC Partners, will deliver their findings at next week’s Black Hat USA conference in Las Vegas in a briefing entitled “War Texting: Identifying and Interacting with Devices on the Telephone Network.” The exact details of the attack won’t be disclosed until the affected manufacturers have had a chance to fix their systems, and the hackers are not expected to reveal at the conference which on-board systems they have successfully hacked, but to be honest it doesn’t really matter: if two systems have been cracked (and in just a few hours no less), then it’s likely that other on-board, remote control systems are also vulnerable to the same attack vector.
How did Bailey and Solnik do it, then? By building their own ad-hoc GSM network from off-the-shelf parts and sniffing the traffic exchanged between car and server. (GSM authenticates the handset to the network but not the network to the handset, so a car’s modem will attach to a rogue base station as readily as to a real one.) These systems generally speak a proprietary protocol, but evidently not an obfuscated-enough one: Bailey and Solnik were able to reverse engineer the protocols and send control messages from a laptop to the car to disable the alarm and unlock the doors.
Unlocking cars is scary enough, but this is merely the antechamber of a very deep and menacing rabbit hole. Over the last few years, GSM has become a commodity that can be used by almost anyone. It’s not just cars that use telephony as a control network: there are 3G security cameras, traffic control systems, home automation systems, and — most worryingly — SCADA systems. SCADA is an acronym that covers almost any industrial control system, from manufacturing to power generation, to water treatment and the management of oil and gas pipelines. To quote Don Bailey, one of the hackers: “What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary.”
Basically this is yet another case of security through obscurity being useful in the short term but utterly useless in the long run. These vital control systems will have been implemented on the dumb assumption that no one would ever have the resources to hack them, but here we are, five years down the line, and two researchers have cracked one with off-the-shelf tools, a laptop, and a couple of hours of reverse engineering. Let’s just hope that vital and government-level SCADA systems use a modicum of encryption and, more to the point, actually check that a command came from the real server before acting on it, or we might be in for a rough few years while these control systems are patched and upgraded.
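As an added illustration of that point (my example, not the researchers’ code and not any automaker’s real protocol), here is a constructed SMS command format that relies on obscurity alone, next to one that authenticates each command with a per-vehicle key and rejects replays. The message layouts, the sample VIN, the key and the receiver logic are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Hypothetical telematics command formats, constructed for this illustration.
# They are not any automaker's real protocol.
ACTIONS = {"UNLOCK", "LOCK", "DISARM", "ARM"}


def parse_legacy(sms_text):
    """Obscurity-only format: "TCU1|<vin>|<command>".

    The layout is the only 'secret'. One sniffed message teaches an attacker
    everything needed to forge a new one with a different command.
    """
    parts = sms_text.split("|")
    if len(parts) != 3 or parts[0] != "TCU1":
        return None
    _, vin, cmd = parts
    if cmd not in ACTIONS:
        return None
    return (vin, cmd)


class AuthenticatedTCU:
    """Hardened receiver: "TCU2|<vin>|<counter>|<command>|<hex HMAC-SHA256>".

    A per-vehicle key shared with the backend (assumed to be provisioned out
    of band) authenticates every command, and a strictly increasing counter
    rejects replays of messages captured on a rogue cell.
    """

    def __init__(self, vin, key):
        self.vin = vin
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    @staticmethod
    def _mac(key, vin, counter, cmd):
        # The tag covers every field the TCU acts on, so none can be altered.
        msg = f"{vin}|{counter}|{cmd}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    @classmethod
    def build(cls, key, vin, counter, cmd):
        """Backend side: produce a command the TCU will accept exactly once."""
        return f"TCU2|{vin}|{counter}|{cmd}|{cls._mac(key, vin, counter, cmd)}"

    def accept(self, sms_text):
        """Return the command to execute, or None if the message is rejected."""
        parts = sms_text.split("|")
        if len(parts) != 5 or parts[0] != "TCU2":
            return None
        _, vin, counter_s, cmd, tag = parts
        if vin != self.vin or cmd not in ACTIONS or not counter_s.isdigit():
            return None
        counter = int(counter_s)
        if counter <= self.last_counter:
            return None  # replayed or stale
        expected = self._mac(self.key, vin, counter, cmd)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None  # forged or tampered: sender lacks the vehicle key
        self.last_counter = counter
        return cmd


def demo():
    """Play the article's scenario against both receivers; returns outcomes."""
    vin = "1HGCM82633A004352"                           # constructed sample VIN
    key = b"per-vehicle key provisioned at the factory"  # assumption
    tcu = AuthenticatedTCU(vin, key)

    # The attacker's rogue GSM cell captures a genuine LOCK from the backend ...
    sniffed_legacy = "TCU1|1HGCM82633A004352|LOCK"
    # ... and, in the legacy format, simply edits the command field.
    forged_legacy = sniffed_legacy.replace("LOCK", "UNLOCK")

    genuine = AuthenticatedTCU.build(key, vin, 1, "LOCK")
    stolen_tag = genuine.split("|")[-1]
    return {
        "legacy_forgery": parse_legacy(forged_legacy),   # accepted: UNLOCK
        "genuine": tcu.accept(genuine),                  # LOCK
        "replay": tcu.accept(genuine),                   # None, counter reused
        "tampered": tcu.accept(f"TCU2|{vin}|2|UNLOCK|{stolen_tag}"),  # None
        "forged": tcu.accept(f"TCU2|{vin}|2|UNLOCK|" + "0" * 64),    # None
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>15}: {outcome}")
```

Note what the hardened receiver does and does not do: an attacker running a rogue cell still sees every command in the clear, but cannot forge, alter or replay one without the vehicle key. That is why authenticating the sender matters more than encrypting the payload for a control channel like this, and why the check has to be end to end, since the GSM link itself is under the attacker’s control.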
Incidentally, Die Hard 4, which features “internet terrorists” shutting down utilities and traffic systems, doesn’t seem quite so far-fetched now.