GNU Radio & USRP help reveal Security and Privacy Vulnerabilities of In-Car Wireless Networks

Hello!

FYI:
Just found an article at a German computer news site (Golem)[1] about a
paper by Ishtiaq Rouf and Rob M. from University of South Carolina
and Rutgers University about Security and Privacy Vulnerabilities of
In-Car Wireless Networks[2].
They used GNU Radio and USRP to record the traffic between the tire
pressure sensors and the car.

Patrick

[1] Golem.de: IT-News für Profis
[2] http://www.winlab.rutgers.edu/~Gruteser/papers/xu_tpms10.pdf

Engineer's motto: cheap, good, fast: choose any two
Patrick S.
Student of Telemati_cs_, Techn. University Graz, Austria

Hi,

for the really scary part, check out this paper:
Experimental Security Analysis of a Modern Automobile – K. Koscher, A.
Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B.
Kantor, D. Anderson, H. Shacham, S. Savage.
The IEEE Symposium on Security and Privacy, Oakland, CA, May 16-19,
2010.

All you need is an interface to the CAN bus of the car, and you can do
stuff like

  • disabling the brakes
  • braking individual wheels
  • increasing the RPM of the engine
  • shooting windshield fluid
  • turning off the headlights
  • locking the doors
  • showing what you want on the speed meter

and lots more. You can put your changes in volatile memory such that the
evidence is lost on reboot, which you can trigger at will. They have
tested it while driving as well.
I’m pretty confident that you can get to the central CAN bus via the
wireless sensors, too. They showed that it worked with third-party
components like a radio because the critical and non-critical CAN busses
are interconnected via bridges.

Matthias

On 11.08.2010 at 16:56, Patrick S. wrote:

On Wed, Aug 11, 2010 at 04:56:10PM +0200, Patrick S. wrote:

Thanks Patrick!

Among other things, they can query the in-the-clear unique ID of each
tire sensor at distance and speed, as well as spoof the replies from
the tire sensor to the ECU.

Nothing like a “safety feature” that enables specific vehicles to be
identified at a distance… In the same class of brilliance that
enabled “I sense a Country X RFID passport nearby”…

Eric