Digital radio hack sees car steering and braking remotely hijacked

Hackers can hijack digital radio broadcasts to hack into car computers and take control of their braking and steering, potentially putting lives in danger.

A leading security company claims data can be sent to a car through Digital Audio Broadcasting (DAB) radio signals, which then mines its way into the car's computer system and gives the hackers remote access to its key systems, including braking and steering.

NCC Group revealed the exploit on the same day that two US researchers were reported to have taken remote control of a Jeep Cherokee (with the driver's permission) and applied the brakes without having any previous physical contact with the vehicle. Chrysler has released a software update to address the problem.

Manchester-based NCC Group revealed its findings to the BBC, and explained how it had carried out the hack using relatively cheap, off-the-shelf components connected to a laptop.

Researcher Andy Davis created a DAB station, which a car would be able to connect to through its radio; because DAB stations can send text and pictures to a car's dashboard screen, an attacker can bundle malicious code with these to gain control of the system.

Taking control of the steering and brakes

Once the attacker has compromised the dashboard and entertainment system, Davis claims they could then work their way into the car's critical systems, such as steering and braking. A more powerful transmitter could let attacks target several vehicles at once, the researcher claims. He also described how attackers could broadcast over the top of existing stations to target as many vehicles as possible.

Speaking to Radio 4, Davis said: "As this is a broadcast medium, if you had a vulnerability within a certain infotainment system in a certain manufacturer's vehicle, by sending one stream of data, you could attack many cars simultaneously. [The attacker] would probably choose a common radio station to broadcast over the top of to make sure they reached the maximum number of target vehicles."

Modern cars are increasingly becoming targets for cyberattacks due to their expanding roster of autonomous features. Automatic parking is an option in a number of mid-range cars and gives the vehicle's computer control of the steering, while automatic braking to avoid low-speed accidents in traffic is also fitted to many others, even at the lower end of the market; cruise control can be used to adjust a car's speed without a physical connection between the driver and the engine.

If all three systems are compromised on an automatic car (wherein the driver cannot press the clutch pedal to stop the engine engaging the gears), then hackers can potentially gain full control of the vehicle.

Davis added: "If someone were able to compromise the infotainment system, because of the architecture of its vehicle network, they would in some cases be able to disable the automatic braking functionality."

He admitted that the hack would take "a lot of time, skill and money" but warned that this "isn't to say that there aren't large organisations interested in it."