Car Hackers Use Laptop to Control Standard Car
Two security experts have demonstrated taking control of two popular models of car, while someone else was driving them, using a laptop.
Speaking to the BBC ahead of revealing their research at security conference Defcon in Las Vegas in August, Charlie Miller and Chris Valasek said they hoped to raise awareness about the security issues around increasingly computer-dominated car control.
"At the moment there are people who are in the know, there are nay-sayers who don't believe it's important, and there are others saying it's common knowledge but right now there's not much data out there," said Miller, a security engineer at Twitter.
"We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars."
The researchers used cables to connect their devices to the vehicles' electronic control units (ECUs) via the on-board diagnostics port (also used by mechanics to identify faults) inside a 2010 model Ford Escape and Toyota Prius.
Contained within most modern vehicles, ECUs are part of the computer network that controls most aspects of car functionality including acceleration, braking, steering, monitor displays and the horn.
The pair were able to write software that sent instructions to the car network computer and overrode the commands from the actual drivers of the cars.
They filmed themselves in the back of one of the vehicles steering it left and right, activating the brakes and showing the fuel gauge drop to zero, all while the vehicle was under driver control and in motion.
A spokesman for Toyota told the BBC that because the hardware had to be physically connected inside the car, he did not consider it to be "hacking".
"Altered control can only be made when the device is connected. After it is disconnected the car functions normally," he said.
"We don't consider that to be 'hacking' in the sense of creating unexpected behaviour, because the device must be connected - ie the control system of the car physically altered.
"The presence of a laptop or other device connected to the OBD [on board diagnostics] II port would be apparent."
"This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers on any mass level," it said in a statement. "The safety, privacy, and security of our customers is and always will be paramount."