Wireless Car Sensors Vulnerable to Hackers
Researchers figure out how to hijack sensor communications.
Hackers could "hijack" the wireless pressure sensors built into many cars' tires, researchers have found. Criminals might then track a vehicle or force its electronic control system to malfunction, the University of South Carolina and Rutgers University researchers say.
The team, which successfully hijacked two popular tire-pressure-monitoring systems (TPMS), will describe the work at the USENIX Security conference in Washington, DC, this week.
The tire-sensor attack poses little immediate risk to drivers. However, in recent months, research groups have identified other security weaknesses in vehicle electronics systems. As automakers add more powerful computers to cars, and connect those computers to critical components, in-car systems will need to be secured against hackers, experts warn.
A TPMS consists of sensors inside a car's tires that measure pressure, and a central wireless antenna -- or an antenna in each wheel in more expensive vehicles. An electric control unit (ECU) picks up the signal, and a warning light on the automobile's dashboard warns a driver when tire pressure has dropped. As well as calculating pressure changes, the ECU filters out noise from sensors in neighboring cars, and compensates for pressure changes due to temperature. The TREAD Act, which Congress passed in 2008, mandates that all new vehicles produced or sold in the United States after that year are required to have this technology.
Using equipment costing $1,500, including a programmable radio transmitter, a specialized circuit board, and free software, the South Carolina-Rutgers team could pick up a car's tire pressure readings. The researchers deciphered the communication protocol by experimenting with different parameters of the radio transmission.
The systems tested by the South Carolina-Rutgers team had very little security in place -- they mainly relied on the fact that the communications protocol is not widely published. "In doing TPMS this way, [automakers] have left the door open to wireless attackers," says Travis Taylor, one of the paper's authors.
The team could eavesdrop on communications and, in some circumstances, alter messages in-transit. That let the team give false readings to a car's dashboard. They could also track a vehicle's movements using the unique IDs of the pressure sensors, and even cause a car's ECU to fail completely.
"Normally, these [attacks would] result in small problems," Taylor says. "But I see practical danger and damage that can happen from TPMS exploitation."
Earlier this year, researchers from the University of Washington and the University of California, San Diego showed that they could take over the control systems of a popular model of automobile, causing the brakes to lock or the engine to cut out.
"The security and privacy problems that the authors identify in TPMS systems are likely just one among many that will challenge the automotive industry in the years to come," says Stefan Savage, a UC San Diego professor of computer science and engineering and an author of the earlier report.
ECUs entered production vehicles in the 1970s, following the California Clean Air Act and a surge in gas prices. At first, the systems were just used to adjust the fuel-oxygen mix using data from the vehicle's exhaust. But the use of ECUs has expanded since then, and today they are used in every aspect of monitoring and controlling automobiles. ECUs are responsible for a feature known as roll stability control -- they can apply the brakes, reduce the throttle, and modulate the steering to keep a car from rolling over.
The South Carolina-Rutgers team stresses that it would be difficult to attack a car through the wireless tire system. One hurdle is that the tire sensors communicate infrequently -- about once every 60 to 90 seconds -- making it difficult to manipulate the system, especially if a vehicle is moving. They were able to overcome these hurdles, however, by shadowing a target vehicle, and using directional antennas.
Even so, UCSD's Savage stresses that car-hacking is a theoretical threat for the moment. "One shouldn't overreact to this kind of news," says Savage. "It's not the case, for example, that the authors have identified a means by which the TPMS channel can remotely compromise safety-critical systems, nor is there any evidence that this channel is being targeted, or even that there is a clear threat of it being a likely target in the near-term."
Savage says his group has entered discussions with the "appropriate stakeholders" regarding the exploits they discovered. The South Carolina-Rutgers team has had no luck so far in contacting carmakers.
The Alliance of Automobile Manufacturers will take the appropriate steps to secure its vehicles, says spokesman Wade Newton. "While this concern isn't unique to autos, we continue looking at this issue -- before it becomes a problem," he says.
Sensors for Tracking Home Water Use
Sensors track devices' electricity, water, and gas consumption from one spot.
When a cell phone or credit-card bill arrives, each call or purchase is itemized, making it possible to track trends in calling or spending, which is especially helpful if you use a phone plan with limited minutes or are trying to stick to a budget. Within the next few years, household utilities could be itemized as well, allowing residents to track their usage and see which devices utilize the most electricity, water, or gas. New sensor technology that consists of a single device for each utility, which builds a picture of household activity by tracing electrical wiring, plumbing, and gas lines back to specific devices or fixtures, could make this far simpler to implement.
Shwetak Patel, a professor of computer science and electrical engineering at the University of Washington, in Seattle, developed the sensors, which plug directly into existing infrastructure in buildings, thereby eliminating the need for an elaborate set of networked sensors throughout a structure. For example, an electrical sensor plugs into a single outlet and monitors characteristic "noise" in electrical lines that are linked to specific devices, such as cell-phone chargers, refrigerators, DVD players, and light switches. And a gas sensor attaches to a gas line and monitors pressure changes that can be correlated to turning on a stove or furnace, for instance.
Now, Patel and his colleagues have developed a pressure sensor that fits around a water pipe. The technology, called Hydrosense, can detect leaks and trace them back to their source, and can recognize characteristic pressure changes that indicate that a specific fixture or appliance is in use.
Patel hopes to incorporate electrical, gas, and water sensors into a unified technology and has cofounded a soon-to-be-named startup that he hopes will start offering combined smart meters to utility companies within the next year or so. The goal, says Patel, is to make a "smart home" universally deployable. "I looked at the existing infrastructures," he says, "and saw that they could be retrofitted."
Smart sensors have become increasingly popular over the past few years as more people have become interested in cutting their utility bills and minimizing the resources that they consume. A number of startups offer to connect utility providers and consumers so that resource use can be tracked over the Internet. So far, however, no company or utility has been able to provide the sort of fine-grain resource usage that Patel hopes to offer with his startup.
The idea behind the water sensor has its origins in Patel's original work with electrical lines. Rather than simply looking at the amount of power consumed by all the devices in a house, he decided to look at noise patterns -- irregularities in the electrical signal -- that propagated over household power lines as a result of electrical consumption. "Let's say you turn on a light switch in the bathroom and kitchen," he says. "We can tell the difference between the two" due to electrical impulses that resonate at a high frequency. "So if you have two different impulses you see originate from two different locations inside the home, you can trace them back to a particular device," Patel says, noting that location can be determined by the amount of time that it takes for a signal to reach the sensor, which is usually just plugged into a spare wall outlet.
Likewise, Hydrosense consists of a single device attached to a cutoff valve or water bib that monitors the entire plumbing infrastructure. "When you open a valve, the pressure on the entire system goes down," says Patel. "And whenever you change the water flow from static to kinetic, you get a shock wave that propagates throughout the pipes." He explains that the shock wave, while relatively mild, has a characteristic shape that can be used to identify different fixtures -- even the distinction between the toilets in different bathrooms.
Using data collected in nine homes of varying style and age and with a diversity of plumbing systems located in three different cities, Patel and his colleagues have shown that by monitoring these shock waves, it is possible to identify individual fixtures with 95.6 percent accuracy.
"The idea of being able to plug one device into a home and build a picture of what's going on and off is really fascinating," says Adrien Tuck, CEO of Tendril Networks, a company that makes smart meters and plugs for homes. But he suspects that there will be some kinks to iron out before the technology is deployable at a large scale. "If it were easy, it would have been done already," he says, "and that probably means that there are some things that need to be teased out."
In addition to monitoring utility usage, Patel says that the sensors can track human activity within a home, which could be useful for elder care and reducing energy waste. He has also developed a fourth sensor that can be integrated into a home's heating and cooling systems. By monitoring pressure changes that occur when people open and close doors and when they enter and exit a room, a sensor within an air-conditioning unit can infer with relative accuracy where people are within a home or apartment, Patel says.
Home Sensor Startup Snapped Up
Belkin buys Zensi, which makes sensors to track domestic energy and water usage.
If you knew how much electricity your plasma television used or how much water your dishwasher drank at different times of day, would you change your habits to conserve more and spend less on utilities? Researchers at the University of Washington, Duke University, and Georgia Tech believe that you might. Several years ago they invented sensors that could track the electricity consumption and water usage throughout an entire building via a single point on each system. In 2008, the researchers founded a company called Zensi to commercialize the technology, and last week, they sold that company to Belkin, an electronics hardware manufacturer.
A line of easy-to-install sensors for homes could be commercially available within the next year, says Shwetak Patel, professor of computer science and engineering at the University of Washington, and co-inventor of Zensi's sensors. Data from such sensors could lead to itemized utility bills -- and customers who are more aware of the energy sinks in their homes, he says.
Data from the electricity and water sensors is sent via the Internet to a base station for analysis. The algorithms differentiate between different devices and calculate electricity and water usage.
The technology will face competition, says Harvey Michaels, an energy-efficiency scientist and lecturer at MIT. Cisco and MIT researchers, not including Michaels, are collaborating on a chip that can be built into every energy-consuming object in a house. The chip will track energy use and communicate with a smart meter to automatically conserve energy and lower bills.
Belkin, a privately held company, has not disclosed the acquisition price for Zensi. The startup's CEO, Kevin Ashton, will serve as the general manager of its Belkin's Conserve business unit, which will manage the startup's intellectual property. The acquisition came before Zensi closed a first round of funding.
Belkin is still working out the product's details. Patel says the interface might be on a panel within the home, available via a website, or sent directly to a person's phone.