10/27/2011 3:30pm-4:30pm ECCR 265
Experimental Security Analysis of a Modern Automobile
University of Washington
Modern automobiles are no longer mere mechanical devices; they are pervasively
monitored and controlled by dozens of digital computers coordinated via
internal vehicular networks. While this transformation has driven major
advancements in efficiency and safety, it has also introduced a range of new
potential risks. In this talk I will discuss our experimental evaluation of the
security properties of a real, modern automobile.
We find that an attacker who is able to infiltrate virtually any Electronic
Control Unit (ECU) in a car can leverage this ability to completely circumvent
a broad array of safety-critical systems. Over a range of experiments, both in
the lab and in road tests, we demonstrate the ability to adversarially control
a wide range of automotive functions and completely ignore driver input --
including disabling the brakes, selectively braking individual wheels, and
stopping the engine. We find that it is possible to bypass rudimentary network
security protections within the car, such as maliciously bridging between our
car's internal subnets. We also present composite attacks that leverage
individual weaknesses, including an attack that embeds malicious code in a
car's telematics unit and that will completely erase any evidence of its
presence after performing a malicious action. We also systematically analyze
the external attack surface of a modern automobile. We discover that remote
exploitation is feasible via a broad range of attack vectors (including
mechanics tools, CD players, Bluetooth and cellular radio), and further,
that wireless communications channels allow long distance vehicle control,
location tracking, in-cabin audio exfiltration and theft. Finally, I will
discuss the structural characteristics of the automotive ecosystem that give
rise to such problems and highlight the practical challenges in mitigating them.
This is joint work with Karl Koscher, Alexei Czeskis, Franziska Roesner and
Shwetak Patel (University of Washington) and Stephen Checkoway, Damon McCoy,
Danny Anderson, Brian Kantor, Hovav Shacham and Stefan Savage (University of
California San Diego).
Kohno is an Associate Professor in the University of Washington's Department of
Computer Science and Engineering and an Adjunct Associate Professor in the
UW Information School. His research focuses on helping protect the security,
privacy, and safety of users of current and future generation technologies.
Kohno is the recipient of an Alfred P. Sloan Research Fellowship, a U.S.
National Science Foundation CAREER Award, and a Technology Review TR-35 Young
Innovator Award. Kohno has authored more than a dozen award papers, has
presented his research to the U.S. House of Representatives, and is chairing
the 2012 USENIX Security Symposium. Kohno received his PhD from the University
of California at San Diego and his BS from the University of Colorado.
Hosted by James Martin.