‘Secret music’—How bad guys can control your car through the radio & CD Player

Your car is highly vulnerable to hacking, experts say.

“Can you hear the secret music?” sings the Scottish music group The Pastels on their 2013 album, Slow Summits.

Researchers are finding ways to hide hacks in CD’s and sounds, a sort of “secret music” that can allow them to do things like take over your car while you are at the wheel. And some are helping car makers before the bad guys can take control.

“No one thinks of music as being malicious,” computer science professor Stefan Savage told Archer News. “And who would imagine that there was a path from the CD player to the engine?”

The University of California at San Diego researcher talked about his team’s work at the Enigma conference in San Francisco in January.

He described how they implanted code in file on a CD. When it played in a car’s CD player, it allowed them to control not just the entertainment system, but other systems in the car as well.

“Anything,” he said. “From the CD player, we controlled the brakes, engine, signals, etc.”

The sound of an attack

You would probably not hear the hack on the CD, he said, but you could feel it if an attacker wreaked havoc upon your car.

In their research on car systems, the team worked with a volunteer who was driving slowly, and they were able to run the car by remote control, turning on the windshield wipers and hitting—and disabling—the brakes.

They carried out this test at close range, researchers said, but it could work at any distance.

Sounds unlikely

Cybersecurity experts agree, this kind of attack is not likely to happen in real life.

“Ask yourself, ‘Do I have a crazy mad scientist enemy who could both pull this off and for which this is a cheaper and easier way to mess with me than something far more banal?’” said Savage. “I suspect that for 99.99% of people the answer is no.”

The average person is not at risk, he said.

“You need capability, motivation and resources, and thankfully all three come together rarely here,” he explained.

New “music”

Still, researchers envision how attackers could use a car hack to their advantage.

A thief could unlock a car’s doors, or, better yet, set up a system to steal expensive cars on demand, a research paper by Savage’s team suggested. The crook could identify expensive cars by their VIN, find their location, and unlock the doors at will. 

“An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a ‘service’ to other thieves,” the paper said. “’I’m looking for late model BMWs or Audis within a half mile of 4th and Broadway. Do you have anything for me?’”

The research also showed that an attacker could access the car’s microphone, normally used for hands-free calling, a potentially useful tool for private investigators, corporate spies, the paparazzi and more.

“For example, someone wishing to eavesdrop on Google executives might filter a set of compromised cars down to those that are both expensive and located in the Google parking lot at 10 a.m.,” the paper said. “The location of those same cars at 7 p.m. is likely to be the driver’s residence, allowing the attacker to identify the driver (e.g., via commercial credit records). We suspect that one could identify promising targets for eavesdropping quite quickly in this manner.”

Radio attack

Researchers in England hacked a car through its radio in 2015, according to the BBC.

Andy Davis of NCC Group told the BBC he created a digital audio station and broadcast a signal that allowed him to control a car, including its brakes and steering.

“Because infotainment systems processed DAB [digital audio broadcast] data to display text and pictures on car dashboard screens, he said, an attacker could send code that would let them take over the system,” the BBC reported.

Sound attack

Although these attacks use code, cybersecurity experts say there are ways attackers can use sound itself.

 “Hacking through audio is a new field, ripe with possibilities,” said Patrick C. Miller with Archer Security Group.

 Researchers in 2013 were able to send secret computer commands up to 65 feet using the sound processor, speaker and microphones on a laptop, according to Inside Science.

 The sound is a high-frequency audio signal that humans cannot hear, the report said.

 Cars are vulnerable

 Cybersecurity experts say the car hacks, including the famous Jeep hack in July 2015, highlight just how vulnerable cars are.

 “It’s kind of scary to know that the design of modern cars lets all electronic components talk to and command all other electronic components,” said Jim Feely with Archer Security Group.

 “If you can hack the stereo, keyless entry, or OBD-II systems [on-board diagnostic systems], you can get full access to the engine, brakes and airbags,” he said. “Not a particularly robust network architecture.” 

 Just about everything you do in a modern car is controlled by a computer, according to Savage.

 Modern cars often have “50 interlinked computers running more than 50 million lines of code,” said Mike Parris of car security company SBD in the BBC article.

 “By contrast, he said, a modern airliner ‘has around 14 million lines of code,’” the BBC reported.

 “Today’s cars are a mess of different third-party and OEM [original equipment manufacturer] software that is poorly written and badly integrated,” reported The Register.

 Looking for answers

 Government agencies are starting to address problems with car vulnerabilities.

 The U.S. Department of Transportation and 17 automakers reached an agreement on the new safety principles in January, said Bloomberg, one of which is to improve cybersecurity in cars.

 The list of Proactive Safety Principles for 2016 says people in the auto industry should share information about cybersecurity issues and how to deal with them, and also to “develop appropriate means for engaging with cybersecurity researchers as an additional tool for cyber threat identification and remedy.”

 The head of the National Highway Traffic Safety Administration said the agency will take action this year to deal with car cybersecurity issues, reported Automotive News.

 The European Union just launched a call for experts to create a new expert group for car cybersecurity, as well as security for intelligent road systems.

 A fix

 Savage and his team held back some of their research so that car manufacturers could work on the problem, The Register said.

 “As an academic it felt weird not publishing my research,” he said in The Register. “But it’s a trade off. Had we published then there would be a pool of cars out there that were easily hackable with a little knowledge.”

 He told Archer News he believes the vulnerability was addressed.

 “I don’t know if this particular unit was fixed in the field or not (i.e., via the GM over-the-air update),” he wrote in an e-mail. “But I’m fairly confident that subsequent units for subsequent model years were likely fixed (i.e. we certainly gave all the information/code to the manufacturer who gave it to the CD player supplier).”

 The answer is for cars to have automatic wireless software updates that can fix new vulnerabilities, according to Savage in The Register.

 “Every manufacturer now either has remote update or will shortly announce it,” said Savage in the article. “The cost of not having it is just too great.”

 It is a reminder that with new connected “toys” and devices can come new vulnerabilities.

 “We need more gadgets in cars,” said Andrew Mazurek, a cybersecurity professional based in Toronto. “The more attack vectors, the better, right?”