One car loaded with malware could someday infect hundreds or thousands of other vehicles at the local car dealership or auto repair shop. To prevent that “auto brothel” scenario, a security researcher recently presented a $20 tool designed to reveal security flaws in the testing equipment commonly used to update car software or check vehicle systems.
The dangerous scenario for modern drivers was presented during a talk at the Derbycon hacker conference held in Louisville, Kentucky, last week, according to Wired. A hacker could theoretically bring in an infected vehicle for service with the aim of spreading malware to the testing equipment used by mechanics and dealerships, said Craig Smith, a security consultant and author of the Car Hacker’s Handbook. The infected equipment could spread the malware to other customers’ vehicles and possibly compromise electronically-controlled systems such as steering or braking.
Smith created a tool that mimics how a malware-carrying car might try to infect a dealership’s testing equipment. The hardware consists of On-board Diagnostic ports similar to the ones that mechanics would plug their diagnostic tools into for access to the car’s CAN network. (CAN typically connects the car’s central computer to its various electronic subsystems.) The tool’s software tests the diagnostic tool with random data until it causes glitches that may represent security holes to exploit.