Hackers have once again shown just how vulnerable the computer systems in present day vehicles are, adding concern to how safe the self driving cars of the not too distant future will be.
Using a zero day vulnerability in software popular with car mechanics, hackers have been able to disable the airbag systems in cars sold by Volkswagen.
The attacks, which were demonstrated to the media using an Audi as the guinea pig, require hackers to first compromise a mechanic’s diagnostic computer externally, or plug in a malicious USB device. The hack allows intruders to conceal the disabling of airbags from mechanics by falsifying diagnostic read outs from the car.
Researchers Levente Buttyán and András Szijj of CrySyS Lab, and Zsolt Szalay of Budapest University of Technology and Economics, say that even though the latest attack is a more “plausible” but less capable threat than other recent attacks, it is still of concern.
Buttyán says the most recent example of a more dangerous compromise was the recent dramatic remote hacking of Jeep engines which were disabled at high speed, had their brake operating systems seized, and locks popped.
He says the third-party software used in the hack his team demonstrated is widely-used and compatible with cars sold by the Volkswagen Group.
“It works with other cars in the VW group too without any modification. Anything that can be switched on or off from the diagnostic application could have been switched on or off. After switching off the airbag, we can consistently report to the application that it is still switched on.”
Buttyán says the flaw “has nothing to do with VW itself” but is contained in “third-party software”.
“It is not the specific software which makes our work interesting, but the main message that embedded devices are typically managed from PCs and they can be infected and used as stepping stones.” says Buttyán.