'Wireless' carjacking now possible, hackers discover

Now, even cars are no longer immune from hacking: two hackers have found a way to remotely unlock and start the engines of cars that use remote controls and telemetry systems. The hackers, Don Bailey and Mathew Solnik, will deliver their findings in detail next week at the Black Hat USA conference, The Hacker News reported. Bailey and Solnik reverse-engineered the remote control and telemetry systems and found their communications systems used standard mobile networks like GSM and CDMA, the report said. "With a clever bit of reverse engineering, the hackers were able to pose as these servers and communicate directly with a car’s on-board computer via 'war texting' — a riff on 'war driving,' the act of finding open wireless networks," The Hacker News said. But it said the two, who are expected to deliver a briefing entitled “War Texting: Identifying and Interacting with Devices on the Telephone Network," will not likely disclose exact details of the attack until the affected manufacturers have a chance to fix their systems. The two are also not expected to reveal at the conference which on-board systems they have successfully hacked, the report added. "But to be honest it doesn’t really matter: if two systems have been cracked (and in just a few hours no less), then it’s likely that other on-board, remote control systems are also vulnerable to the same attack vector," it said. Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners, where Bailey and Solnik work. Bailey and Solnik said they had figured out the protocols some software makers use to remote control the cars. They have also produced a video showing how they can unlock a car and turn the engine on via a laptop. Bailey said it took them about two hours to figure out how to intercept wireless messages between the car and the network and then recreate them from his laptop. In touch with authorities A separate report on tech site CNET quoted Bailey as saying he has been in touch with the Department of Homeland Security and US-CERT about these issues and representatives are interested in coordinating with vendors on solutions. But he noted the potential danger of such manipulation as more GSM-enabled systems pop up in consumer culture and industrial control systems. "They're not just in Zoombak [Global Positioning System] location devices and personal security control systems, but also in sensors deployed for waste treatment facilities, SCADA [Supervisory Control and Data Acquisition] and call-back systems, physical security systems, industrial control systems. These GSM modules open up that world to attacks in a whole new way," he said, according to CNET. CNET said Bailey stumbled on how widespread flaws in embedded systems might be when he hacked the Zoombak a few months ago. He and Solnik managed to unlock a car and start it by manipulating the car security and control system over the cellular network. "When we looked at this car security and control system we determined within the first few hours that it was completely ownable, front to back. This is not just a theoretical attack. This is a practical attack we've used on more than one system now," he told CNET. — TJD, GMA News