Carjacking by CD? Researcher Shows How a Spiked Song Can Be Used to Hack a Car

As smart cars join the ever-expanding world of the Internet of Things, a number of studies have shown how this emerging technology is vulnerable to a number of risks. Recently, San Diego-based researcher Stephen Savage discovered a flaw in a smart car’s operating system that allows it to be carjacked by playing a song on its CD player.

“Basically, give me 18 seconds of playtime and we can insert the attack code,” the professor of Computer Sciences and head researcher of the University of California, San Diego shared in his talk to the Usenix Enigma conference in San Francisco. Savage furthered that cars today utilize a combination of various third-party and OEM software that turns a car vulnerable to compromise. This means that some operating systems used in a vehicle are not as secured as the others, thus making it a feasible area for compromise—in this case, the entertainment system.

Through this, the research team gained full control of a smart car simply by playing a malware-laced .WMA track from a CD inside the car. He stressed that most cars available now are employing a government-mandated OBD-II port that makes it easier to study and know the security system of a car. For Savage, a simple firewall would not remedy this gaping security hole given the variety of operating systems that each car use.

This isn’t the first time that the topic of automobiles as a new frontier in hacking and cybersecurity has surfaced, causing concern not only among consumers, but also for manufacturers. In 2015 alone, researchers have shown several security gaps that ultimately equate to dire consequences, be it from vulnerabilities that allowed the vehicle to be remotely controlled, or remotely unlocking doors that could allow the car to be stolen.

A car-jacking stunt demonstrated by two researchers Chris Valasek and Charlie Miller using 3G connectivity on a new Jeep Cherokee resulted in the recall of 1.4 million vehicles. Following the experiment, researchers also pointed out an exploit that could take over a vehicle’s brakes, among other critical systems.

Senior Threat Researcher Rainier Link noted on the role played by car manufacturers on ensuring the safety of smart cars, “From the manufacturer’s perspective, they might have a lot of knowledge on building cars but they may lack a little bit of knowledge on IT security because it’s new to them.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.