Imagine that a car goes into a dealership's garage for a tune-up. As the mechanic connects the in-house diagnostic computer to the vehicle's on-board network, a computer worm silently travels from the car to the computer. Then, when the same diagnostic machine is connected to other cars in the shop for repairs, each is infected by the same worm.
That was the scenario presented Friday (Mar. 11) by automotive hacker Craig Smith at the NullCon hacker conference in Goa, India. He's created and released a free Linux software tool called UDSim that lets anyone try to turn a car into a Trojan horse, using parts easily found online for less than $20.
Smith doesn't really plan to hijack connected cars. Rather, he wants automakers and car owners to take automotive information security more seriously. Smith founded the Open Garages car-hacker movement, and is a member of the I Am The Cavalry white-hat hacker group, which is working with carmakers.
UDSim is a car-network simulator that runs on a Linux laptop and connects to a car's on-board diagnostics (OBD-II) port, which can be found on most autos made after the late 1990s. It begins by going into Learning mode to map out and download all of a car's system information.
UDSim then goes into Simulation mode, recreating the car's network on the laptop, enabling researchers to probe the network's vulnerabilities without having to spend time and money working on an actual car. It can even fool a dealership's diagnostic computer into thinking it's connected to a real car instead of a laptop, in which case Learning mode can be used again to monitor all communications between the two devices.
In Attack mode, the software uses a technique called "fuzzing" to spam the simulated vehicle or the mechanic's computer with bad code and commands to ferret out flaws, though Smith's current version of UDSim is underpowered and not made to wreak serious havoc.
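A diagnostic computer is exposed to this kind of malformed input wherever it acts on a vehicle's replies without checking them. The sketch below is an added example, not code from the article or from UDSim: it shows strict validation of replies on the diagnostic-tool side, assuming classic 8-byte CAN frames carrying ISO-TP single frames with UDS responses. All function names and the sample frames are constructed for illustration.

```python
# Added example: validate diagnostic replies before a shop tool acts on them.
# Assumption: ISO-TP single frames on classic CAN (at most 8 data bytes).
NEGATIVE_RESPONSE = 0x7F   # UDS negative-response service id
POSITIVE_OFFSET = 0x40     # positive response id = request id + 0x40


class RejectedFrame(ValueError):
    """A frame from the vehicle side failed validation."""


def parse_single_frame(data):
    """Return the payload of an ISO-TP single frame or raise RejectedFrame."""
    if not 2 <= len(data) <= 8:
        raise RejectedFrame("CAN data length out of range")
    frame_type, declared = data[0] >> 4, data[0] & 0x0F
    if frame_type != 0:
        raise RejectedFrame("not a single frame")
    # Never trust the declared length beyond the bytes actually received.
    if declared == 0 or declared > len(data) - 1:
        raise RejectedFrame("declared length exceeds bytes received")
    return data[1:1 + declared]  # trailing padding bytes are ignored


def check_response(request_sid, frame):
    """Accept only a reply that matches the request that was sent."""
    payload = parse_single_frame(frame)
    if payload[0] == NEGATIVE_RESPONSE:
        if len(payload) != 3 or payload[1] != request_sid:
            raise RejectedFrame("malformed negative response")
        return ("negative", payload[2:])
    if payload[0] != request_sid + POSITIVE_OFFSET:
        raise RejectedFrame("response does not match request")
    return ("positive", payload[1:])


def triage(request_sid, frames):
    """Classify each frame; rejected frames are reported, never parsed further."""
    results = []
    for frame in frames:
        try:
            results.append(check_response(request_sid, frame)[0])
        except RejectedFrame as err:
            results.append("rejected: " + str(err))
    return results


# Constructed sample replies to a 0x22 (ReadDataByIdentifier) request.
SAMPLE_FRAMES = [
    bytes.fromhex("0462f19041"),  # well formed
    bytes.fromhex("037f2231"),    # well-formed negative response
    bytes.fromhex("0762f190"),    # declares 7 payload bytes, carries 3
    bytes.fromhex("0267f1"),      # answers a different service
    bytes.fromhex("1062f190"),    # multi-frame start where a single frame is expected
]
```

Calling `triage(0x22, SAMPLE_FRAMES)` accepts the first two frames and reports a reason for each of the other three.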
UDSim is so easy to use that it requires no understanding of how coding works, and it provides users with a simple graphical user interface that reveals the individual modules that could be fuzzed. Smith told Forbes the software will soon save results to an "easy to read text file" that would make fuzzing results easy to understand "for non-technical users." However, a fair amount of technical skill would be needed to write malware.
Smith told Forbes he plans to have a vulnerability scanner for car owners ready for next year. The scanner would show not only how a car could be hacked through its OBD-II port, but also whether it might be vulnerable to remote-hijacking attacks such as the famous Jeep hack in 2015.