The two researchers who demonstrated on Friday in Las Vegas how to compromise a car’s internal network to perform acts such as controlling the steering wheel or the brakes have made their work publicly available.
Three days after their DefCon talk, Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at services firm IOActive, on Monday released a white paper (PDF) describing their research, as well the data, tools and code used in their exploits.
“We hope that these items will help others get involved in automotive security research,” Valasek wrote in a blog post. “The paper is pretty refined but the tools are a snapshot of what we had.
The pair tested on a 2010 Ford Escape and 2010 Toyota Prius. Both car manufacturers received the documents several weeks before DefCon.
“If the only thing that keeps our cars safe is that no one bothers to do this kind of research, then they’re not really secure,” Miller told IDG News Service. “I think it’s better to lay it all out, find the problems and start talking about them.”
Their talk, “Adventures in Automotive Networks and Control Units,” discussed findings involving controller area networks (CAN) and automobile firmware. CAN is a protocol that enables electronic systems in cars to speak to each other without the need for a centralized computer.
Toyota and Ford reportedly have responded to say they were more concerned with remote hacking and that Miller and Valasek’s reserach required direct access to the automobile, something that would be visible to an in-real-life victim.
Miller and Valasek responded that researchers a few years ago already accomplished remote infiltration. The purpose of their work was to learn how far one can go with direct access. In addition, they said that dashboard removal was not necessary.
Meanwhile in the U.K., a British judge has barred researchers from publishing an academic paper on security weaknesses impacting luxury cars.
University of Birmingham researcher Flavio Garcia and two Stichting Katholieke Universiteit researchers, Baris Ege and Roel Verdult, discovered how to crack the algorithm of a system called “Megamos Crypto,” which is used to validate an owner’s ignition key in cars like Lamborghinis, Porsches, Audis and Bentleys.
According to The Guardian, the researchers, who refused to edit portions of the paper (which had been online since 2009), planned to publish the findings next month at the USENIX Security Symposium in Washington, D.C.
The judge said that releasing the academic paper could result in the widescale theft of vehicles. The university said it will honor the judge’s ruling.