Version Tomorrow is the first day of the rest of your life

lecture: Car hacking: getting from A to B with Eve

Event large

Car security is, not surprisingly, a hot topic; after all they are fast and heavy computer controlled machinery that nowadays come with all kinds of internet connectivity. So we decided to have a look at it. In our presentation, we’ll first cover some theory behind the IT-part of car architecture. We’ll discuss attack vectors and their likelihood of success, and then discuss the various vulnerabilities we found. Finally, we will combine these vulnerabilities into a remote attack. Depending on the disclosure process with the vendor, which is pending, we might be able to demonstrate the attack.

#DeviceSecurity #IoT

Car security is, not surprisingly, a hot topic; after all they are fast and heavy computer controlled machinery that nowadays come with all kinds of internet connectivity. Previous research has shown that the state of security in automotive vehicles is still in its early stage. While the move towards autonomous driving has pushed security higher up the agenda, the vehicles we all currently drive have a long way to go in terms of security measures. We decided to look at one of the most popular cars currently on the market, and see how far we could get in remotely controlling it.

Now halfway through our research, we have identified several vulnerabilities and gained remote access to one of the car’s systems. Our research is currently focused on using that access to gain control over further internal systems, with as ultimate goal to use the high-speed CAN bus, which controls things like braking and steering.

Furthermore, our research shows that component re-use is very common among car manufacturers, making our findings applicable to other models and brands as well.

In our presentation, we’ll first cover some theory behind the IT-part of car architecture. We’ll discuss attack vectors and their likelihood of success, and then discuss the various vulnerabilities we found. Finally, we will combine these vulnerabilities into a remote attack. Depending on the disclosure process with the vendor, which is pending, we might be able to demonstrate the attack.