Revealing that which is concealed. Learning about anything that resembles real freedom. A journey of self-discovery shared with the world. Have no fellowship with the unfruitful works of darkness, but rather reprove them - Ephesians 5-11 Join me and let's follow that high road...
Sunday, June 30, 2013
Kitzhaber signs vaccine bill into law
MessiahMews Blogs: Kitzhaber signs vaccine bill into law: Looks like if you live in Oregon, your government is going to force pro-vaccine propaganda and pressure you to vaccinate your child. Kit...
Friday, June 28, 2013
Quite apart from the huge disparity in Richter values, the Indonesians and Indians were disturbed to find that the normal earthquake 'preamble' was missing from their seismograph charts. All this means is that the normal steadily increasing number of transverse shear "S" waves that always precede an earthquake were missing, as were later aftershocks, which likewise always accompany a naturally occurring or Tesla standing-wave generated earthquake. There were 'warnings' of aftershocks from the NOAA, but none actually eventuated.
Then they began punishing students at all ages, even down to kindergarten level, for such “offenses” as drawing pictures of cars, bringing toy cars to school or even mentioning the word “car.”
Some 2,700 teens aged 16-19 died in car crashes in 2010, the most recent year for which the federal agency’s website has figures, and 282,000 were injured. So, the nation’s schools have rightly implemented programs that teach teens to be safer drivers.
Yet, suppose educators instead declared that cars themselves were harmful instruments of death and destruction with no useful purpose.
Then they began punishing students at all ages, even down to kindergarten level, for such “offenses” as drawing pictures of cars, bringing toy cars to school or even mentioning the word “car.”
You’d likely think this was an extreme overreaction, a textbook example of irrational behavior that was likely to punish innocent students for harmless words and actions.
Now, substitute the word “guns” for “cars,” and you have a description of what appears to be a widespread mindset on the part of school officials nationwide that one psychologist and family doctor has called “psychotic.”
School shootings are horrific crimes as well as tragedies (though annual deaths from them run 1 percent to 2 percent of the automobile total) and there is every reason to try to stop them.
Teenagers also die in inner-city gang warfare and by suicide, but those are social problems, and guns are not the reasons they occur.
In truth, there are effective and ineffective ways of addressing any problem. Schools’ “zero tolerance” policies that punish children for words and actions that create absolutely no danger to anyone are not only unjust, they border on ideologically motivated child abuse.
It’s often said that “Zero tolerance equals zero thought,” and “overreaction” is what happens when people go beyond the bounds of reason, allowing emotion to take over.
And when those in authority overreact, people’s rights get trampled.
http://libertycrier.com/education/what-if-we-looked-at-cars-the-same-way-we-look-at-guns/
Yet, suppose educators instead declared that cars themselves were harmful instruments of death and destruction with no useful purpose.
Then they began punishing students at all ages, even down to kindergarten level, for such “offenses” as drawing pictures of cars, bringing toy cars to school or even mentioning the word “car.”
You’d likely think this was an extreme overreaction, a textbook example of irrational behavior that was likely to punish innocent students for harmless words and actions.
Now, substitute the word “guns” for “cars,” and you have a description of what appears to be a widespread mindset on the part of school officials nationwide that one psychologist and family doctor has called “psychotic.”
School shootings are horrific crimes as well as tragedies (though annual deaths from them run 1 percent to 2 percent of the automobile total) and there is every reason to try to stop them.
Teenagers also die in inner-city gang warfare and by suicide, but those are social problems, and guns are not the reasons they occur.
In truth, there are effective and ineffective ways of addressing any problem. Schools’ “zero tolerance” policies that punish children for words and actions that create absolutely no danger to anyone are not only unjust, they border on ideologically motivated child abuse.
It’s often said that “Zero tolerance equals zero thought,” and “overreaction” is what happens when people go beyond the bounds of reason, allowing emotion to take over.
And when those in authority overreact, people’s rights get trampled.
http://libertycrier.com/education/what-if-we-looked-at-cars-the-same-way-we-look-at-guns/
The safest car will have no antilock brakes, a manual transmission, and an old fashioned solid metal key. If you have such a car, even if it is manufactured after 2004, they probably won't attempt a suicide run with it because all they can do is push the gas
Gosh, driving old cars now seems downright SAFE AND SANE, given the crazy government types that can access any car, at any time, via any cellular network. All you need is the software CARSHARK and a cell phone.
Then YOU ARE IN CONTROL OF THE CAR. Not the driver. They are now captive passengers.
And what about all the hackers who create their own versions of this software? That sell it to companies like Blackwater? Oh...the CIA would just give them the software anyways.
They can turn off your lights. Disable your engine. Lock up your wheels. All while you are driving down the road. Did they tell you that when you bought the car? Nope.
"I'd like to make a few things perfectly clear about remote control of modern cars ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.
How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.
How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.
How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.
How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash." Stone
Then YOU ARE IN CONTROL OF THE CAR. Not the driver. They are now captive passengers.
And what about all the hackers who create their own versions of this software? That sell it to companies like Blackwater? Oh...the CIA would just give them the software anyways.
They can turn off your lights. Disable your engine. Lock up your wheels. All while you are driving down the road. Did they tell you that when you bought the car? Nope.
"I'd like to make a few things perfectly clear about remote control of modern cars ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.
How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.
How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.
How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.
How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash." Stone
What do you do when all is lost?
Jim Stone, 6/26/13
Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there via an always on cellular internet connection. Do you really think they won't use it?
This morning I sat thinking. Wondering what I was going to write today. Wondering how on earth we could ever fix the government monster that is now so far beyond control. I thought about Hasting's car, and the obvious electronic hijacking (which I at first did not believe) because LoudLabs messed with the video for visual appeal. But the day time shot proved the crash was real once everything was verified and double checked, and that made me wonder - WHAT kind of government do we have? What kind of monsters are in power?
How did we let them put in place a system where all cars are online all the time and open to tampering all the time, and we don't even realize it in our daily lives? That allows them to play god - kill anyone they want - HOW did we allow this to happen? Perhaps THAT is why the police are now fully authorized to shoot any driver that does not stop - so the fact that the driver could not stop never becomes known. Interesting it is that we now occasionally hear about people who led the police on a massive chase, who never had any criminal history or any history at all, and families saying there is no way the now dead driver would have ever done that . . . . . . Hmmmm . . . . . .
I then thought about Snowden, who is trapped in Russia. I thought he made it to Iceland but he did not, he is sitting in a Russian air port going nowhere. Can't Russia be a little more decent? Are all the nations really screwed that bad?
I then thought about all the shillage and backstabbing Snowden is getting now. How much the MSM is attacking him, calling him a traitor, a flunkee, a loser and all manner of other insults, while the alternative press stupidly postulates that you can't get a memory stick out of an NSA facility, that he is a psy op and a tool. And why? We are now at a time where it is out in the open that cars can be hacked and crashed, and that everything we do with a computer is stolen the moment it is done, the latter compliments of Snowden. We now know that you can have no secrets, the state is GOD, and it has the power to destroy you on a whim and kill you as well. What are we to do about it?
I'd like to clear a couple things up regarding Snowden
First of all, if anyone says you can't get a memory stick out of an NSA facility, they are assuming or dreaming. Once you become a familiar face, all you do is put your security tag up to a scanner and you are in. There are no friskings, no bag checks, NADA, you are just in, and you are out just as easily. Your security clearance does the rest. Obviously if you have a large bag or suitcase or something else of that nature they are going to look as you leave, but a memory stick? COME ON NOW, don't be stupid. There are many cameras available now on Ebay that work great and look like a keychain. You could smuggle even a conventional digital camera in and out repeatedly in a pocket. If anyone says snowden is fake because of the memory stick issue they are dreaming and totally out of touch with the day to day realities of life in an NSA facility, and I know this because I worked there in a much higher position than Snowden. And Snowden a flunkee working for a contractor? DO NOT BE STUPID. That DOES NOT HAPPEN.
I'd like to make a few things perfectly clear about remote control of modern cars
ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.
How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.
How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.
How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.
How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash.
The safest car will have no antilock brakes, a manual transmission, and an old fashioned solid metal key. If you have such a car, even if it is manufactured after 2004, they probably won't attempt a suicide run with it because all they can do is push the gas.
Solutions to the problem if your car is not one of the safe ones - A dashboard fuel pump switch, and a dashboard switch that can cut the power to the antilock brake system. Once the antilock brake system is not functioning, the car is designed to default to mechanical brakes. Introducing a failure into the ABS system by disabling the sensors won't work, because once hacked a totally new environment in which the sensors are irrelevant is created and the fact that the sensors are disabled won't make any difference. If you want, add a third switch for the ignition system.
If I ever end up being able to buy a car again, I will take the ultimate option - put super strong tape on both sides of the plastic part of the fuse bodies, ALL OF THEM, and connect all of that strong tape from all of the fuses together to make a loop, which a rope is tied to and attached to a lawn mower pull start handle, and have that mounted to the underside of the steering column. The moment I notice the car getting wanky, I can pull the handle and rip every single fuse out at the same time. That way I won't void the warranty with any safety modifications.
It's a sad world we live in when the government can pretty much murder anyone they wish. There is no doubt Hastings was murdered, but I think that with a few precautions your modern car can be made safe against a government hack. Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there, via an always on cellular internet connection. Do you really think they won't use it?
Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there via an always on cellular internet connection. Do you really think they won't use it?
This morning I sat thinking. Wondering what I was going to write today. Wondering how on earth we could ever fix the government monster that is now so far beyond control. I thought about Hasting's car, and the obvious electronic hijacking (which I at first did not believe) because LoudLabs messed with the video for visual appeal. But the day time shot proved the crash was real once everything was verified and double checked, and that made me wonder - WHAT kind of government do we have? What kind of monsters are in power?
How did we let them put in place a system where all cars are online all the time and open to tampering all the time, and we don't even realize it in our daily lives? That allows them to play god - kill anyone they want - HOW did we allow this to happen? Perhaps THAT is why the police are now fully authorized to shoot any driver that does not stop - so the fact that the driver could not stop never becomes known. Interesting it is that we now occasionally hear about people who led the police on a massive chase, who never had any criminal history or any history at all, and families saying there is no way the now dead driver would have ever done that . . . . . . Hmmmm . . . . . .
I then thought about Snowden, who is trapped in Russia. I thought he made it to Iceland but he did not, he is sitting in a Russian air port going nowhere. Can't Russia be a little more decent? Are all the nations really screwed that bad?
I then thought about all the shillage and backstabbing Snowden is getting now. How much the MSM is attacking him, calling him a traitor, a flunkee, a loser and all manner of other insults, while the alternative press stupidly postulates that you can't get a memory stick out of an NSA facility, that he is a psy op and a tool. And why? We are now at a time where it is out in the open that cars can be hacked and crashed, and that everything we do with a computer is stolen the moment it is done, the latter compliments of Snowden. We now know that you can have no secrets, the state is GOD, and it has the power to destroy you on a whim and kill you as well. What are we to do about it?
I'd like to clear a couple things up regarding Snowden
First of all, if anyone says you can't get a memory stick out of an NSA facility, they are assuming or dreaming. Once you become a familiar face, all you do is put your security tag up to a scanner and you are in. There are no friskings, no bag checks, NADA, you are just in, and you are out just as easily. Your security clearance does the rest. Obviously if you have a large bag or suitcase or something else of that nature they are going to look as you leave, but a memory stick? COME ON NOW, don't be stupid. There are many cameras available now on Ebay that work great and look like a keychain. You could smuggle even a conventional digital camera in and out repeatedly in a pocket. If anyone says snowden is fake because of the memory stick issue they are dreaming and totally out of touch with the day to day realities of life in an NSA facility, and I know this because I worked there in a much higher position than Snowden. And Snowden a flunkee working for a contractor? DO NOT BE STUPID. That DOES NOT HAPPEN.
I'd like to make a few things perfectly clear about remote control of modern cars
ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.
How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.
How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.
How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.
How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash.
The safest car will have no antilock brakes, a manual transmission, and an old fashioned solid metal key. If you have such a car, even if it is manufactured after 2004, they probably won't attempt a suicide run with it because all they can do is push the gas.
Solutions to the problem if your car is not one of the safe ones - A dashboard fuel pump switch, and a dashboard switch that can cut the power to the antilock brake system. Once the antilock brake system is not functioning, the car is designed to default to mechanical brakes. Introducing a failure into the ABS system by disabling the sensors won't work, because once hacked a totally new environment in which the sensors are irrelevant is created and the fact that the sensors are disabled won't make any difference. If you want, add a third switch for the ignition system.
If I ever end up being able to buy a car again, I will take the ultimate option - put super strong tape on both sides of the plastic part of the fuse bodies, ALL OF THEM, and connect all of that strong tape from all of the fuses together to make a loop, which a rope is tied to and attached to a lawn mower pull start handle, and have that mounted to the underside of the steering column. The moment I notice the car getting wanky, I can pull the handle and rip every single fuse out at the same time. That way I won't void the warranty with any safety modifications.
It's a sad world we live in when the government can pretty much murder anyone they wish. There is no doubt Hastings was murdered, but I think that with a few precautions your modern car can be made safe against a government hack. Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there, via an always on cellular internet connection. Do you really think they won't use it?
We ALL Know You Know
Jim Stone, 6/28/13
Where are all the street cam videos? We know you have them. What's the matter, is the video "classified?" How about all the tracking of people you do with their cell phones? And what about that always on cell connection every car was forced to have at OUR expense, via Federal mandate? Don't have any records from the car with that? Would the access of a car's computer system via the cell network NOT be an unusual event you would be all over and know about instantly? How often does THAT happen?
The more you sit in silence about Hastings death, the more we know you are the enemy, working for the enemy, and that you serve ONE purpose, to subjugate and destroy the American people on behalf of a few chosen "elite". And in doing so, you prove that you are anything but "national" security, which would protect everyone, you are instead "elite" security ensuring that a small band of tyrants is able to sleep well.
You know everyone who was on the phone in the area, who hacked Hastings car, and what cell tower provided the remote control signal. You also have the video in the car which was transmitted from it's on board camera to the controller who used it to crash the car and who the controller was, as well as a recording of every control signal sent. You knew who was setting up the assassination plot before it happened and did nothing, as well as who said what afterward. And your silence about all of this proves one thing - you serve tyranny and NOTHING else.
Perhaps We the People would support you if your work actually did something to help us. But you have proven that you are no longer our National Security Agency.
You were not always a parasite, sucking the host financially while delivering a disease, no, when I was with you just a short while ago you truthfully were working to serve the national interest. What happened to you? How could you have possibly transformed into such a monster in such a short time? When I was leaving I noticed that there were changes happening I could not figure out a reason for - how they could possibly benefit the mission or the American people. Now, after over a decade has passed I have my answer - you cut straight from being a protector to being a filthy tool of tyranny that has nothing at all to do with your originally well earned title.
Come on now, PROVE ME WRONG. WE ALL KNOW YOU KNOW, step up to the plate and show us you are not only there to destroy us.
http://jimstonefreelance.com/
Where are all the street cam videos? We know you have them. What's the matter, is the video "classified?" How about all the tracking of people you do with their cell phones? And what about that always on cell connection every car was forced to have at OUR expense, via Federal mandate? Don't have any records from the car with that? Would the access of a car's computer system via the cell network NOT be an unusual event you would be all over and know about instantly? How often does THAT happen?
The more you sit in silence about Hastings death, the more we know you are the enemy, working for the enemy, and that you serve ONE purpose, to subjugate and destroy the American people on behalf of a few chosen "elite". And in doing so, you prove that you are anything but "national" security, which would protect everyone, you are instead "elite" security ensuring that a small band of tyrants is able to sleep well.
You know everyone who was on the phone in the area, who hacked Hastings car, and what cell tower provided the remote control signal. You also have the video in the car which was transmitted from it's on board camera to the controller who used it to crash the car and who the controller was, as well as a recording of every control signal sent. You knew who was setting up the assassination plot before it happened and did nothing, as well as who said what afterward. And your silence about all of this proves one thing - you serve tyranny and NOTHING else.
Perhaps We the People would support you if your work actually did something to help us. But you have proven that you are no longer our National Security Agency.
You were not always a parasite, sucking the host financially while delivering a disease, no, when I was with you just a short while ago you truthfully were working to serve the national interest. What happened to you? How could you have possibly transformed into such a monster in such a short time? When I was leaving I noticed that there were changes happening I could not figure out a reason for - how they could possibly benefit the mission or the American people. Now, after over a decade has passed I have my answer - you cut straight from being a protector to being a filthy tool of tyranny that has nothing at all to do with your originally well earned title.
Come on now, PROVE ME WRONG. WE ALL KNOW YOU KNOW, step up to the plate and show us you are not only there to destroy us.
http://jimstonefreelance.com/
Thursday, June 27, 2013
FEMA camps in 3...2...1...
Real Disposable Income is Falling at 2008 Rates
http://www.zerohedge.com/contributed/2013-06-27/real-disposable-income-falling-2008-rates
http://www.zerohedge.com/contributed/2013-06-27/real-disposable-income-falling-2008-rates
MURDERING THE YOUNG AND INNOCENT: Idaho Teen Commits Suicide After Sheriff's Office Repeated Facebook Harassment
TO PROTECT AND SERVE SOULLESS FASCISTS EVERYWHERE..
A photo of Andrew Cain, 19, who killed himself Sunday after a local Sheriff's Office posted his photo to Facebook alongside a sarcastic message saying he was the "most wanted person of the month." (photo credit: KREM)
A Washington teenager committed suicide Sunday after a local sheriff's department published a sarcastic Facebook post about him, according to multiple reports.
The Latah County Sheriff's Office in Idaho had posted a photo of 19-year-old Pullman, Wash., resident Andrew Cain alongside a message saying, “We have decided that Andrew Cain is no longer the Wanted Person of the Week… he is the Wanted Person of the Month of June. Congratulations!," according to local CBS affiliate KREM-TV.
A few days later, Cain took his own life.
http://www.huffingtonpost.com/2013/06/26/andrew-cain-suicide_n_3503387.html?ncid=edlinkusaolp00000003
A photo of Andrew Cain, 19, who killed himself Sunday after a local Sheriff's Office posted his photo to Facebook alongside a sarcastic message saying he was the "most wanted person of the month." (photo credit: KREM)
A Washington teenager committed suicide Sunday after a local sheriff's department published a sarcastic Facebook post about him, according to multiple reports.
The Latah County Sheriff's Office in Idaho had posted a photo of 19-year-old Pullman, Wash., resident Andrew Cain alongside a message saying, “We have decided that Andrew Cain is no longer the Wanted Person of the Week… he is the Wanted Person of the Month of June. Congratulations!," according to local CBS affiliate KREM-TV.
A few days later, Cain took his own life.
http://www.huffingtonpost.com/2013/06/26/andrew-cain-suicide_n_3503387.html?ncid=edlinkusaolp00000003
WikiLeaks Volunteer Was a Paid Informant for the FBI
On an August workday in 2011, a cherubic 18-year-old Icelandic man named Sigurdur “Siggi” Thordarson walked through the stately doors of the U.S. embassy in Reykjavík, his jacket pocket concealing his calling card: a crumpled photocopy of an Australian passport. The passport photo showed a man with a unruly shock of platinum blonde hair and the name Julian Paul Assange.
Thordarson was long time volunteer for WikiLeaks with direct access to Assange and a key position as an organizer in the group. With his cold war-style embassy walk-in, he became something else: the first known FBI informant inside WikiLeaks. For the next three months, Thordarson served two masters, working for the secret-spilling website and simultaneously spilling its secrets to the U.S. government in exchange, he says, for a total of about $5,000. The FBI flew him internationally four times for debriefings, including one trip to Washington D.C., and on the last meeting obtained from Thordarson eight hard drives packed with chat logs, video and other data from WikiLeaks.
http://www.wired.com/threatlevel/2013/06/wikileaks-mole/
Thordarson was long time volunteer for WikiLeaks with direct access to Assange and a key position as an organizer in the group. With his cold war-style embassy walk-in, he became something else: the first known FBI informant inside WikiLeaks. For the next three months, Thordarson served two masters, working for the secret-spilling website and simultaneously spilling its secrets to the U.S. government in exchange, he says, for a total of about $5,000. The FBI flew him internationally four times for debriefings, including one trip to Washington D.C., and on the last meeting obtained from Thordarson eight hard drives packed with chat logs, video and other data from WikiLeaks.
http://www.wired.com/threatlevel/2013/06/wikileaks-mole/
Wednesday, June 26, 2013
Know Your Rights
What makes a police officer powerless? When citizens know their rights!
Police officers hate to hear these words:
"Am I free to go?"
"I'm going to remain silent."
"I don't consent to a search."
You have rights at traffic stop or during any encounter with a police officer. Learn what your rights are and use them!
1. Your Safety - Start by putting the police officer at ease. Pull over to a safe place, turn off your ignition, stay in the car and keep your hands on the steering wheel. At night turn on the interior light. Keep your license, registration and proof of insurance close by like in your "sun visor."
Be courteous, stay calm, smile and don't complain. Show respect and say things like "sir and no sir." Never bad-mouth a police officer, stay in control of your words, body language and your emotions. Keep your hands where the police officer can see them. Never touch a police officer and never run away!
2. Never Talk To A Police Officer - You must tell the police officer "I'm going to remain silent." The only questions you need to answer is your name, address, date of birth, sometimes your social security number but NOTHING else! "In some states you can refuse to give your I.D. card to a police officer, know the laws of your state." Instead of telling the police officer who you are, give him your driver's license or your I.D. card. All the information the police officer needs to know about you, can be found on your i.d. card or drivers license. If you can keep your mouth shut, you just might come out ahead more than you expected.
Remain Silent - The Supreme Court says you should never talk to a police officer even if you're not under arrest. The Supreme Court ruled you must speak up and SAY to the police officer "I'm going to remain silent" and then keep your mouth shut even if you're not under arrest. How can you be falsely accused and charged with a crime, if you don't say anything? Never talk to a police officer before or after you get arrested. Anything you say or do, can and will be used against you at anytime by the police.
3. Just Say NO to Police Searches! - If a police officer didn't need your permission to search you, he wouldn't be asking. Never give permission for a police officer to search you, your car or your home. If a police officer does search you, don't resist and just keep saying "I don't consent to this search."
4. Am I Free to Go? - As soon as the police officer ask you a question ask him, "Am I free to go?" You have to ask if you're "free to go," otherwise the police officer will think that you're voluntarily staying around to talk with him. If the police officer says that you're being detained or arrested tell the police officer, "I'm going to remain silent."
Anything You Say Can And Will Be Used Against You!
Police officers will be videotaping or audio recording you and this is why you must NEVER talk to the police officer. You have every right NOT to talk to a police officer and you should NOT talk to a police officer unless you have first consulted with a lawyer and the lawyer has advised you differently. Police officers depend on fear and intimidation to get what they want from you and this includes giving up your rights. The government made a law that allows police officers to lie to American citizens. That's another reason not to trust the police or the Federal government "the real terrorists."
Never voluntarily talk to a police officer, there's no such thing as a "friendly chat." Let the police officer do all the talking and you stay silent. The Supreme Court has recently ruled that you should NOT talk to a police officer if you have NOT been arrested and you must say out loud "I'm going to remain silent." It can be very dangerous to talk to a police officer or a Federal Agent. Innocent people have talked to a police officer and ended up in jail and prison all because they spoke to a police officer without an attorney.
Police officers have the same right as you, "Freedom of Speech." Police may ask you anything they want, but you should never answer any of their questions. Don't let the police officer try and persuade you to talk! Say something like "I'm sorry, I don't have time to talk right now." If the cop insists on talking to you, ask him "Am I free to go?" The police officer may not like when you refuse to talk to him and challenge you with words like, "If you have anything to hide, why won't you speak to me? Say to the officer again "I told you I don't have time to talk to you right now, Am I free to go?" If you forget or the police officer tricks you into talking, it's okay just start over again and tell the police officer "I'm going to remain silent."
The Supreme Court has ruled that if a police officer doesn't force you to do something, then you're doing it "voluntarily." That means if the police officer starts being intimidating and you do what he "ask" because you're "afraid," you still have done it voluntarily. (Florida v. Bostick, 1991) If you do what the police officer "ask" you to do such as allowing him to search your car or answer any of his questions, you are "voluntarily" complying with his "requests." So don't comply, just keep your mouth shut unless you say "Am I Free to Go?" or "I don't consent to a search."
Be as nice as possible to the police officer, but stand your ground on your rights! Where do some of your rights come from? Read the Fourth and Fifth Amendment of the U.S. Constitution.
Traffic Stops and Your Rights with Police Officers
Keep your license, registration and proof of insurance in an easily accessible place, like your sun visor. When pulled over by a police officer stay in the car, turn on the interior lights and keep your hands on the steering wheel. Sit still, relax and wait for the officer to come to you. Any sudden movements, ducking down, looking nervous or appearing to be searching for something under your seat could get you shot.
Don't forget during traffic stops the police are videotaping you, this is why you must NOT talk to the police officer. Police officers like to ask the first question and that's usually, "do you know why I stopped you? Do you know how fast you were going?" The police officer is trying to get you to do two things, admit that you committed a traffic violation and to get you to "voluntarily" start a conversation with him. Remember the police officer is not your friend and should not be trusted! The only thing you need to say is "I'm going to remain silent or am I free to go?"
The police officer might start asking you personal questions such as "where are you going, where have you been and who did you see, ect." At that point it's the perfect time to exercise your rights by asking the police officer "AM I FREE TO GO?" There's NO legal requirement that American citizens provide information about their comings and goings to a police officer. It's none of the police officers damn business! Keep asking the police officer "AM I FREE TO GO?" You have to speak up and verbally ask the police officer if you're allowed to leave, otherwise the courts will assume that you wanted to stay and talk to the police officer on your own free will.
Passengers in your vehicle need to know their rights as well. They have the same right NOT to talk to a police officer and the right to refuse a search "unless it's a 'pat down' for weapons." The police will usually separate the passengers from each other and ask questions to see if their stories match. All passengers should always give the same answer and say, "I'm going to remain silent and am I free to go?" Remember you have to tell the police officer that you don't want to talk to him. It's the law
How long can a police officer keep you pulled over "detained" during a traffic stop? The Supreme Court has made mention that no more than 15-20 minutes is a reasonable amount of time for a police officer to conduct his investigation and allow you to go FREE on your way. But you have to keep asking the police officer "AM I FREE TO GO?"
During a traffic stop a good time to ask "AM I FREE TO GO," is after the police officer has given you a "warning or a ticket" and you have signed it. Once you have signed the ticket the traffic stop is legally over says the U.S. Supreme Court. There's no law that requires you to stay and talk to the police officer or answer any questions. After you have signed the ticket and got your license back you may roll up your window, start your car and leave. If you're outside the car ask the police officer, "AM I FREE TO GO?" If he says yes then get in your car and leave.
Car Searches and Body Searches
Remember the police officer wouldn't be asking you, if he didn't need your permission to search! "The right to be free from unreasonable searches is one of America's most precious First Liberties."
Police officers swore an oath to uphold the U.S. Constitution and not to violate your rights against unreasonable search and seizure Fourth Amendment. Denying a police officers request to search you or your car is not an admission of guilt, it's your American right! Some police officers might say, "if you have nothing to hide, you should allow me to search." Politely say to the police officer "I don't consent to a search, am I FREE to go?"
For the safety of police officers the government allows the police to pat down your outer clothing to see if you have any weapons. If the police officer feels something that he believes is a weapon, then he can go into your pockets and pull out the item he believes is a weapon.
A police officer may ask you or even demand that you empty your pockets, but you have the right to say "NO! AM I FREE TO GO?" There's NO law that requires you to empty your pockets when a police officer tells you to do so. The only time a police officer are allowed to be taking your personal property out of your pockets is after you have been arrested.
The police officer is allowed to handcuff you and/or detain you in his police car. Don't resist or you will be arrested! There's a big difference between being detained and being arrested. Say nothing in the police car! Police will be recording your conversation inside the police car, say nothing to your friend and don't talk to the police officers inside the car!
If you are arrested and your car is towed, the police are allowed to take an "inventory" of the items in your car. If anything is found illegal in your vehicle, the police will get a warrant from a judge and then charge you with another crime.
Never Open Your Door At Home If A Police Officer Knocks!
If the police knock on your door at home, there's no law that says you have to open your door to police officers. "Don't worry if they do have a search warrant, they'll kick down your door before they will knock." * There is NO law that requires you to open your door to a police officer.* Don't open your door with the chain-lock on either, police officers will shove their way in. Simply shout to the police officers "I HAVE NOTHING TO SAY" or just don't say anything at all.
Guest and roommates staying in your home/apartment/dorm need to be told of their rights and not to open the door to a police officer or invite police officer into your home without your permission. Police officers are like vampires, they need your permission to come into your home.
Never agree to go to the police station if the police want to question you. Just say, "I HAVE NOTHING TO SAY."
* In some emergency situations (for example when a someone is screaming for help from inside your home, police are chasing someone into your home, police see a felony being committed or if someone has called 911 from inside your house) police officers are allowed to enter and search your home without a warrant.
Teenagers have rights also, if you're under 18 click here. If your children don't know their rights and they go talking to a teacher, school principal, police officer or a Federal agent without an attorney, it could cost your family dearly and change the lives of your family forever!
Dealing With a Police Officer In Public
NEVER give consent to a police officer and allow for a conversation to start. If a police officer stops you and ask to speak with you, you're perfectly within your rights to say "I do not wish to speak with you," then say good-bye. At this point you should be free to leave, but the police officer might ask for your identification. If you have identification on you, tell the officer where it's at and ask permission to reach for it. "In some states you're not required to show an I.D. unless the police officer has reasonable suspicion that you committed a crime, know the laws of your state!"
The police officer might start asking you questions, at this point you may ask the officer "Am I Free to Go?" The police officer may not like this and may challenge you with words like, "If you have nothing to hide, why won't you speak to me?" Simply say "I'm going to remain silent."
Police officers need your permission to have a conversation. There is NO law that says you have tell a police officer where you are going or where you have been, but you must tell the police officer "I'm going to remain silent."
Probable Cause
A police officer has no right to detain you unless there exist reasonable suspicion that you have committed a crime or traffic violation. However a police officer is always allowed to initiate a "voluntary" conversation with you. You always have the right not to talk or answer any questions a police officer might ask you. Just tell the police officer, "I'm going to remain silent."
Under the Fourth Amendment of the U.S. Constitution, police may engage in "reasonable" searches and seizures. To prove that a search is reasonable the police generally must show that it's more likely than not that a crime has occurred and that if a search is conducted it's probable that the police officer will find evidence of the crime. This is called "probable cause."
Police may use first hand information or tips from an informant "snitch" to justify the need to search your property or you. If an informant's information is used, the police must prove that the information is reliable under the circumstances to a judge.
Here's a case when several police officers took the word of a "snitch," claiming he knew where a "drug dealer" lived. Corrupt police officers in Houston Texas took it upon themselves to go to this house that the snitch had "picked at random" and the officers kicked in the front door at 1:30 in the morning. Police never bothered to get a warrant from a judge. The aftermath was... Police Officers In Texas Are Allowed to Murder Innocent People and Get Away With It
Should We Trust Police Officers? (are you kidding? They are here to hurt you and destroy your life)
Are police officers allowed to lie to you? Yes the Supreme Court has ruled police officers can lie to the American people. Police officers are trained at lying, twisting words and being manipulative. Police officers and other law enforcement agents are very skilled at getting information from people. So don't try to "out smart" a police officer and don't try being a "smooth talker" because you will loose! If you can keep your mouth shut, you just might come out ahead more than you expected.
Teach your children that they must call a parent for permission before they're allowed to talk to police officer. Remember police officers are trained to put your child at ease and build trust. A police officers job is to find, arrest and help convict a suspect and that suspect could be your child!
Although police officers may seem nice and pretend to be on your side they want to learn your habits, opinions, and affiliations of other people not suspected of wrongdoing. Don't try to answer a police officers questions, it can be very dangerous! You can never tell how a seemingly harmless bit of information that you give to a police officer might be used and misconstrued to hurt you or someone else. Also keep in mind that lying to a federal agent is a Federal crime. "That's why Martha Stewart went to prison, not for insider trading but for lying to a Federal Agent."
Lies Police Officers Will Say To Get You to Talk
There's many ways a police officer can LIE and trick you into talking. It's always safe to say the Magic Words: "Am I free to leave? I'm going to remain silent and I want a lawyer."
The following are common lie's the police use when they're trying to get you to talk:
* "You will have to stay here and answer my questions" or "You're not leaving until I find out what I want to know."
* "I have evidence on you, so tell me what I want to know or else." (Police can fabricate fake evidence to convince you to tell them what they want to know.)
* "You're not a suspect, were simply investigating here. Help us understand what happened and then you may leave."
* "If you don't answer my questions, I won't have any choice but to take you to jail."
* "If you don't answer these questions, you'll be charged with resisting arrest."
* "Your friend has told his side of the story and it's not looking good for you, anything you want to tell me?
If The Police Arrest You
"I WILL NOT TALK UNTIL I HAVE A LAWYER!"
* Don't answer any questions the police ask you, (except for your name, address and age.) Any other questions the police officer ask you, just say I want to talk to my lawyer.
* Police officers don't always have to read to you the Miranda Rights after you've been arrested. If you "voluntarily" talk a police officer, the police officer doesn't have to read your Miranda Rights. Talking to a police officer at anytime can be very dangerous!
* Never talk to other jail inmates about your case.
* Within a reasonable time after your arrest or booking, you have the right to make a local phone call to a lawyer, bail bondsman, relative or any other person you choose. The police can't listen to you your phone call if you're talking to your lawyer.
* The longest you can be held in jail is 72 hours. If you get arrested on a 3 day weekend you may not see the judge until Tuesday morning. Otherwise you will usually get out of jail in 4 to 24 hours if you can make bond.
* If you're on probation or parole tell your P.O. you've been arrested and say nothing else to him!
http://policecrimes.com/police.html
Police officers hate to hear these words:
"Am I free to go?"
"I'm going to remain silent."
"I don't consent to a search."
You have rights at traffic stop or during any encounter with a police officer. Learn what your rights are and use them!
1. Your Safety - Start by putting the police officer at ease. Pull over to a safe place, turn off your ignition, stay in the car and keep your hands on the steering wheel. At night turn on the interior light. Keep your license, registration and proof of insurance close by like in your "sun visor."
Be courteous, stay calm, smile and don't complain. Show respect and say things like "sir and no sir." Never bad-mouth a police officer, stay in control of your words, body language and your emotions. Keep your hands where the police officer can see them. Never touch a police officer and never run away!
2. Never Talk To A Police Officer - You must tell the police officer "I'm going to remain silent." The only questions you need to answer is your name, address, date of birth, sometimes your social security number but NOTHING else! "In some states you can refuse to give your I.D. card to a police officer, know the laws of your state." Instead of telling the police officer who you are, give him your driver's license or your I.D. card. All the information the police officer needs to know about you, can be found on your i.d. card or drivers license. If you can keep your mouth shut, you just might come out ahead more than you expected.
Remain Silent - The Supreme Court says you should never talk to a police officer even if you're not under arrest. The Supreme Court ruled you must speak up and SAY to the police officer "I'm going to remain silent" and then keep your mouth shut even if you're not under arrest. How can you be falsely accused and charged with a crime, if you don't say anything? Never talk to a police officer before or after you get arrested. Anything you say or do, can and will be used against you at anytime by the police.
3. Just Say NO to Police Searches! - If a police officer didn't need your permission to search you, he wouldn't be asking. Never give permission for a police officer to search you, your car or your home. If a police officer does search you, don't resist and just keep saying "I don't consent to this search."
4. Am I Free to Go? - As soon as the police officer ask you a question ask him, "Am I free to go?" You have to ask if you're "free to go," otherwise the police officer will think that you're voluntarily staying around to talk with him. If the police officer says that you're being detained or arrested tell the police officer, "I'm going to remain silent."
Anything You Say Can And Will Be Used Against You!
Police officers will be videotaping or audio recording you and this is why you must NEVER talk to the police officer. You have every right NOT to talk to a police officer and you should NOT talk to a police officer unless you have first consulted with a lawyer and the lawyer has advised you differently. Police officers depend on fear and intimidation to get what they want from you and this includes giving up your rights. The government made a law that allows police officers to lie to American citizens. That's another reason not to trust the police or the Federal government "the real terrorists."
Never voluntarily talk to a police officer, there's no such thing as a "friendly chat." Let the police officer do all the talking and you stay silent. The Supreme Court has recently ruled that you should NOT talk to a police officer if you have NOT been arrested and you must say out loud "I'm going to remain silent." It can be very dangerous to talk to a police officer or a Federal Agent. Innocent people have talked to a police officer and ended up in jail and prison all because they spoke to a police officer without an attorney.
Police officers have the same right as you, "Freedom of Speech." Police may ask you anything they want, but you should never answer any of their questions. Don't let the police officer try and persuade you to talk! Say something like "I'm sorry, I don't have time to talk right now." If the cop insists on talking to you, ask him "Am I free to go?" The police officer may not like when you refuse to talk to him and challenge you with words like, "If you have anything to hide, why won't you speak to me? Say to the officer again "I told you I don't have time to talk to you right now, Am I free to go?" If you forget or the police officer tricks you into talking, it's okay just start over again and tell the police officer "I'm going to remain silent."
The Supreme Court has ruled that if a police officer doesn't force you to do something, then you're doing it "voluntarily." That means if the police officer starts being intimidating and you do what he "ask" because you're "afraid," you still have done it voluntarily. (Florida v. Bostick, 1991) If you do what the police officer "ask" you to do such as allowing him to search your car or answer any of his questions, you are "voluntarily" complying with his "requests." So don't comply, just keep your mouth shut unless you say "Am I Free to Go?" or "I don't consent to a search."
Be as nice as possible to the police officer, but stand your ground on your rights! Where do some of your rights come from? Read the Fourth and Fifth Amendment of the U.S. Constitution.
Traffic Stops and Your Rights with Police Officers
Keep your license, registration and proof of insurance in an easily accessible place, like your sun visor. When pulled over by a police officer stay in the car, turn on the interior lights and keep your hands on the steering wheel. Sit still, relax and wait for the officer to come to you. Any sudden movements, ducking down, looking nervous or appearing to be searching for something under your seat could get you shot.
Don't forget during traffic stops the police are videotaping you, this is why you must NOT talk to the police officer. Police officers like to ask the first question and that's usually, "do you know why I stopped you? Do you know how fast you were going?" The police officer is trying to get you to do two things, admit that you committed a traffic violation and to get you to "voluntarily" start a conversation with him. Remember the police officer is not your friend and should not be trusted! The only thing you need to say is "I'm going to remain silent or am I free to go?"
The police officer might start asking you personal questions such as "where are you going, where have you been and who did you see, ect." At that point it's the perfect time to exercise your rights by asking the police officer "AM I FREE TO GO?" There's NO legal requirement that American citizens provide information about their comings and goings to a police officer. It's none of the police officers damn business! Keep asking the police officer "AM I FREE TO GO?" You have to speak up and verbally ask the police officer if you're allowed to leave, otherwise the courts will assume that you wanted to stay and talk to the police officer on your own free will.
Passengers in your vehicle need to know their rights as well. They have the same right NOT to talk to a police officer and the right to refuse a search "unless it's a 'pat down' for weapons." The police will usually separate the passengers from each other and ask questions to see if their stories match. All passengers should always give the same answer and say, "I'm going to remain silent and am I free to go?" Remember you have to tell the police officer that you don't want to talk to him. It's the law
How long can a police officer keep you pulled over "detained" during a traffic stop? The Supreme Court has made mention that no more than 15-20 minutes is a reasonable amount of time for a police officer to conduct his investigation and allow you to go FREE on your way. But you have to keep asking the police officer "AM I FREE TO GO?"
During a traffic stop a good time to ask "AM I FREE TO GO," is after the police officer has given you a "warning or a ticket" and you have signed it. Once you have signed the ticket the traffic stop is legally over says the U.S. Supreme Court. There's no law that requires you to stay and talk to the police officer or answer any questions. After you have signed the ticket and got your license back you may roll up your window, start your car and leave. If you're outside the car ask the police officer, "AM I FREE TO GO?" If he says yes then get in your car and leave.
Car Searches and Body Searches
Remember the police officer wouldn't be asking you, if he didn't need your permission to search! "The right to be free from unreasonable searches is one of America's most precious First Liberties."
Police officers swore an oath to uphold the U.S. Constitution and not to violate your rights against unreasonable search and seizure Fourth Amendment. Denying a police officers request to search you or your car is not an admission of guilt, it's your American right! Some police officers might say, "if you have nothing to hide, you should allow me to search." Politely say to the police officer "I don't consent to a search, am I FREE to go?"
For the safety of police officers the government allows the police to pat down your outer clothing to see if you have any weapons. If the police officer feels something that he believes is a weapon, then he can go into your pockets and pull out the item he believes is a weapon.
A police officer may ask you or even demand that you empty your pockets, but you have the right to say "NO! AM I FREE TO GO?" There's NO law that requires you to empty your pockets when a police officer tells you to do so. The only time a police officer are allowed to be taking your personal property out of your pockets is after you have been arrested.
The police officer is allowed to handcuff you and/or detain you in his police car. Don't resist or you will be arrested! There's a big difference between being detained and being arrested. Say nothing in the police car! Police will be recording your conversation inside the police car, say nothing to your friend and don't talk to the police officers inside the car!
If you are arrested and your car is towed, the police are allowed to take an "inventory" of the items in your car. If anything is found illegal in your vehicle, the police will get a warrant from a judge and then charge you with another crime.
Never Open Your Door At Home If A Police Officer Knocks!
If the police knock on your door at home, there's no law that says you have to open your door to police officers. "Don't worry if they do have a search warrant, they'll kick down your door before they will knock." * There is NO law that requires you to open your door to a police officer.* Don't open your door with the chain-lock on either, police officers will shove their way in. Simply shout to the police officers "I HAVE NOTHING TO SAY" or just don't say anything at all.
Guest and roommates staying in your home/apartment/dorm need to be told of their rights and not to open the door to a police officer or invite police officer into your home without your permission. Police officers are like vampires, they need your permission to come into your home.
Never agree to go to the police station if the police want to question you. Just say, "I HAVE NOTHING TO SAY."
* In some emergency situations (for example when a someone is screaming for help from inside your home, police are chasing someone into your home, police see a felony being committed or if someone has called 911 from inside your house) police officers are allowed to enter and search your home without a warrant.
Teenagers have rights also, if you're under 18 click here. If your children don't know their rights and they go talking to a teacher, school principal, police officer or a Federal agent without an attorney, it could cost your family dearly and change the lives of your family forever!
Dealing With a Police Officer In Public
NEVER give consent to a police officer and allow for a conversation to start. If a police officer stops you and ask to speak with you, you're perfectly within your rights to say "I do not wish to speak with you," then say good-bye. At this point you should be free to leave, but the police officer might ask for your identification. If you have identification on you, tell the officer where it's at and ask permission to reach for it. "In some states you're not required to show an I.D. unless the police officer has reasonable suspicion that you committed a crime, know the laws of your state!"
The police officer might start asking you questions, at this point you may ask the officer "Am I Free to Go?" The police officer may not like this and may challenge you with words like, "If you have nothing to hide, why won't you speak to me?" Simply say "I'm going to remain silent."
Police officers need your permission to have a conversation. There is NO law that says you have tell a police officer where you are going or where you have been, but you must tell the police officer "I'm going to remain silent."
Probable Cause
A police officer has no right to detain you unless there exist reasonable suspicion that you have committed a crime or traffic violation. However a police officer is always allowed to initiate a "voluntary" conversation with you. You always have the right not to talk or answer any questions a police officer might ask you. Just tell the police officer, "I'm going to remain silent."
Under the Fourth Amendment of the U.S. Constitution, police may engage in "reasonable" searches and seizures. To prove that a search is reasonable the police generally must show that it's more likely than not that a crime has occurred and that if a search is conducted it's probable that the police officer will find evidence of the crime. This is called "probable cause."
Police may use first hand information or tips from an informant "snitch" to justify the need to search your property or you. If an informant's information is used, the police must prove that the information is reliable under the circumstances to a judge.
Here's a case when several police officers took the word of a "snitch," claiming he knew where a "drug dealer" lived. Corrupt police officers in Houston Texas took it upon themselves to go to this house that the snitch had "picked at random" and the officers kicked in the front door at 1:30 in the morning. Police never bothered to get a warrant from a judge. The aftermath was... Police Officers In Texas Are Allowed to Murder Innocent People and Get Away With It
Should We Trust Police Officers? (are you kidding? They are here to hurt you and destroy your life)
Are police officers allowed to lie to you? Yes the Supreme Court has ruled police officers can lie to the American people. Police officers are trained at lying, twisting words and being manipulative. Police officers and other law enforcement agents are very skilled at getting information from people. So don't try to "out smart" a police officer and don't try being a "smooth talker" because you will loose! If you can keep your mouth shut, you just might come out ahead more than you expected.
Teach your children that they must call a parent for permission before they're allowed to talk to police officer. Remember police officers are trained to put your child at ease and build trust. A police officers job is to find, arrest and help convict a suspect and that suspect could be your child!
Although police officers may seem nice and pretend to be on your side they want to learn your habits, opinions, and affiliations of other people not suspected of wrongdoing. Don't try to answer a police officers questions, it can be very dangerous! You can never tell how a seemingly harmless bit of information that you give to a police officer might be used and misconstrued to hurt you or someone else. Also keep in mind that lying to a federal agent is a Federal crime. "That's why Martha Stewart went to prison, not for insider trading but for lying to a Federal Agent."
Lies Police Officers Will Say To Get You to Talk
There's many ways a police officer can LIE and trick you into talking. It's always safe to say the Magic Words: "Am I free to leave? I'm going to remain silent and I want a lawyer."
The following are common lie's the police use when they're trying to get you to talk:
* "You will have to stay here and answer my questions" or "You're not leaving until I find out what I want to know."
* "I have evidence on you, so tell me what I want to know or else." (Police can fabricate fake evidence to convince you to tell them what they want to know.)
* "You're not a suspect, were simply investigating here. Help us understand what happened and then you may leave."
* "If you don't answer my questions, I won't have any choice but to take you to jail."
* "If you don't answer these questions, you'll be charged with resisting arrest."
* "Your friend has told his side of the story and it's not looking good for you, anything you want to tell me?
If The Police Arrest You
"I WILL NOT TALK UNTIL I HAVE A LAWYER!"
* Don't answer any questions the police ask you, (except for your name, address and age.) Any other questions the police officer ask you, just say I want to talk to my lawyer.
* Police officers don't always have to read to you the Miranda Rights after you've been arrested. If you "voluntarily" talk a police officer, the police officer doesn't have to read your Miranda Rights. Talking to a police officer at anytime can be very dangerous!
* Never talk to other jail inmates about your case.
* Within a reasonable time after your arrest or booking, you have the right to make a local phone call to a lawyer, bail bondsman, relative or any other person you choose. The police can't listen to you your phone call if you're talking to your lawyer.
* The longest you can be held in jail is 72 hours. If you get arrested on a 3 day weekend you may not see the judge until Tuesday morning. Otherwise you will usually get out of jail in 4 to 24 hours if you can make bond.
* If you're on probation or parole tell your P.O. you've been arrested and say nothing else to him!
http://policecrimes.com/police.html
What 1st amendment? Not in California.
Sidewalks are public property. Also how does it cost $6000 to clean up chalk?!? The banks own the judges, lie about cleanup costs, and ruin a man's life for speaking the obvious truth: BOA is institutionalized slavery.
---------
Jeff Olson, the 40-year-old man who is being prosecuted for scrawling anti-megabank messages on sidewalks in water-soluble chalk last year now faces a 13-year jail sentence. A judge has barred his attorney from mentioning freedom of speech during trial.
According to the San Diego Reader, which reported on Tuesday that a judge had opted to prevent Olson’s attorney from "mentioning the First Amendment, free speech, free expression, public forum, expressive conduct, or political speech during the trial,” Olson must now stand trial for on 13 counts of vandalism.
In addition to possibly spending years in jail, Olson will also be held liable for fines of up to $13,000 over the anti-big-bank slogans that were left using washable children's chalk on a sidewalk outside of three San Diego, California branches of Bank of America, the massive conglomerate that received $45 billion in interest-free loans from the US government in 2008-2009 in a bid to keep it solvent after bad bets went south.
The Reader reports that Olson’s hearing had gone as poorly as his attorney might have expected, with Judge Howard Shore, who is presiding over the case, granting Deputy City Attorney Paige Hazard's motion to prohibit attorney Tom Tosdal from mentioning the United States' fundamental First Amendment rights.
"The State's Vandalism Statute does not mention First Amendment rights," ruled Judge Shore on Tuesday.
Upon exiting the courtroom Olson seemed to be in disbelief.
"Oh my gosh," he said. "I can't believe this is happening."
Tosdal, who exited the courtroom shortly after his client, seemed equally bewildered.
"I've never heard that before, that a court can prohibit an argument of First Amendment rights," said Tosdal.
Olson, who worked as a former staffer for a US Senator from Washington state, was said to involve himself in political activism in tandem with the growth of the Occupy Wall Street movement.
On October 3, 2011, Olson first appeared outside of a Bank of America branch in San Diego, along with a homemade sign. Eight days later Olson and his partner, Stephen Daniels, during preparations for National Bank Transfer Day, the two were confronted by Darell Freeman, the Vice President of Bank of America’s Global Corporate Security.
A former police officer, Freeman accused Olson and Daniels of “running a business outside of the bank,” evidently in reference to the National Bank Transfer Day activities, which was a consumer activism initiative that sought to promote Americans to switch from commercial banks, like Bank of America, to not-for-profit credit unions.
At the time, Bank of America’s debit card fees were among one of the triggers that led Occupy Wall Street members to promote the transfer day.
"It was just an empty threat," says Olson of Freeman’s accusations. "He was trying to scare me away. To be honest, it did at first. I even called my bank and they said he couldn't do anything like that."
Olson continued to protest outside of Bank of America. In February 2012, he came across a box of chalk at a local pharmacy and decided to begin leaving his mark with written statements.
"I thought it was a perfect way to get my message out there. Much better than handing out leaflets or holding a sign," says Olson.
Over the course of the next six months Olson visited the Bank of America branch a few days per week, leaving behind scribbled slogans such as "Stop big banks" and "Stop Bank Blight.com."
According to Olson, who spoke with local broadcaster KGTV, one Bank of America branch claimed it had cost $6,000 to clean up the chalk writing.
Public records obtained by the Reader show that Freeman continued to pressure members of San Diego’s Gang Unit on behalf of Bank of America until the matter was forwarded to the City Attorney’s office.
On April 15, Deputy City Attorney Paige Hazard contacted Freeman with a response on his persistent queries.
"I wanted to let you know that we will be filing 13 counts of vandalism as a result of the incidents you reported," said Hazard.
Arguments for Olson’s case are set to be heard Wednesday morning, following jury selection.
---------
Jeff Olson, the 40-year-old man who is being prosecuted for scrawling anti-megabank messages on sidewalks in water-soluble chalk last year now faces a 13-year jail sentence. A judge has barred his attorney from mentioning freedom of speech during trial.
According to the San Diego Reader, which reported on Tuesday that a judge had opted to prevent Olson’s attorney from "mentioning the First Amendment, free speech, free expression, public forum, expressive conduct, or political speech during the trial,” Olson must now stand trial for on 13 counts of vandalism.
In addition to possibly spending years in jail, Olson will also be held liable for fines of up to $13,000 over the anti-big-bank slogans that were left using washable children's chalk on a sidewalk outside of three San Diego, California branches of Bank of America, the massive conglomerate that received $45 billion in interest-free loans from the US government in 2008-2009 in a bid to keep it solvent after bad bets went south.
The Reader reports that Olson’s hearing had gone as poorly as his attorney might have expected, with Judge Howard Shore, who is presiding over the case, granting Deputy City Attorney Paige Hazard's motion to prohibit attorney Tom Tosdal from mentioning the United States' fundamental First Amendment rights.
"The State's Vandalism Statute does not mention First Amendment rights," ruled Judge Shore on Tuesday.
Upon exiting the courtroom Olson seemed to be in disbelief.
"Oh my gosh," he said. "I can't believe this is happening."
Tosdal, who exited the courtroom shortly after his client, seemed equally bewildered.
"I've never heard that before, that a court can prohibit an argument of First Amendment rights," said Tosdal.
Olson, who worked as a former staffer for a US Senator from Washington state, was said to involve himself in political activism in tandem with the growth of the Occupy Wall Street movement.
On October 3, 2011, Olson first appeared outside of a Bank of America branch in San Diego, along with a homemade sign. Eight days later Olson and his partner, Stephen Daniels, during preparations for National Bank Transfer Day, the two were confronted by Darell Freeman, the Vice President of Bank of America’s Global Corporate Security.
A former police officer, Freeman accused Olson and Daniels of “running a business outside of the bank,” evidently in reference to the National Bank Transfer Day activities, which was a consumer activism initiative that sought to promote Americans to switch from commercial banks, like Bank of America, to not-for-profit credit unions.
At the time, Bank of America’s debit card fees were among one of the triggers that led Occupy Wall Street members to promote the transfer day.
"It was just an empty threat," says Olson of Freeman’s accusations. "He was trying to scare me away. To be honest, it did at first. I even called my bank and they said he couldn't do anything like that."
Olson continued to protest outside of Bank of America. In February 2012, he came across a box of chalk at a local pharmacy and decided to begin leaving his mark with written statements.
"I thought it was a perfect way to get my message out there. Much better than handing out leaflets or holding a sign," says Olson.
Over the course of the next six months Olson visited the Bank of America branch a few days per week, leaving behind scribbled slogans such as "Stop big banks" and "Stop Bank Blight.com."
According to Olson, who spoke with local broadcaster KGTV, one Bank of America branch claimed it had cost $6,000 to clean up the chalk writing.
Public records obtained by the Reader show that Freeman continued to pressure members of San Diego’s Gang Unit on behalf of Bank of America until the matter was forwarded to the City Attorney’s office.
On April 15, Deputy City Attorney Paige Hazard contacted Freeman with a response on his persistent queries.
"I wanted to let you know that we will be filing 13 counts of vandalism as a result of the incidents you reported," said Hazard.
Arguments for Olson’s case are set to be heard Wednesday morning, following jury selection.
Tuesday, June 25, 2013
Monday, June 24, 2013
Mind control through music: HEMISYNC tracks
The following contains shocking information from the Institute for Bio-Acoustics Research (IBAR):
"In October 1984, a nineteen-year-old teenager named John M. shot himself in the head, while listening to Ozzy Osbourne's "Suicide Solution". When the coroner entered the room, he found the headphones still on John's head. This would be one of the tragedies that caused Ozzy immeasurable grief.
In 1986, Ozzy had just gotten off a plane at LAX airport when people began asking him about the "lawsuits". Ozzy knew nothing about any lawsuit but the details quickly emerged. Three lawsuits had been launched against Ozzy, claiming that his lyrics had caused youths to commit suicide. The family of John hired attorney Thomas Anderson in a lawsuit against Ozzy. Mr. Anderson claimed on the "Don't Blame Me" Ozzy video, that the song contained tones known as 'hemisync' and would cause a person to be unable to resist what was being said in the song.
The Institute for Bio-Acoustics Research, Inc. (IBAR) was hired to evaluate the song. They claim to have found subliminal lyrics that weren't included in the lyrics sheet. These subliminal lyrics were sung at one and one-half times the normal rate of speech and are not recognized by a first time listener. The IBAR institute claimed the subliminal lyrics, "are audible enough that their meaning and true intent becomes clear after being listened to over and over again." The subliminal lyrics in question were "Why try, why try? Get the gun and try it! Shoot, Shoot, Shoot", followed by a hideous laughter.
Further analysis by IBAR revealed the hemisync tones, which result from a patented process that uses sound waves to influence an individual's mental state. The tones have been found to increase the rate at which the human brain assimilates and processes information. IBAR claimed these tones made John vulnerable to the suggestive lyrics which Ozzy sang.
Ozzy's lawyer claimed that this was nonsense and relied upon the First Amendment of the Constitution to argue that Ozzy could write about anything he wanted. Three people had now taken their lives, and in each case it was Ozzy's 'Suicide Solution' song which was the focus as the cause of the deaths. Mr. Anderson claimed that the words, "shoot shoot, get the gun, get the gun" were audible in the song. There is an effect which can be heard on the song, that could be interpreted as that if one tried hard enough. The sounds were just Ozzy messing around with the soundboard."
"In October 1984, a nineteen-year-old teenager named John M. shot himself in the head, while listening to Ozzy Osbourne's "Suicide Solution". When the coroner entered the room, he found the headphones still on John's head. This would be one of the tragedies that caused Ozzy immeasurable grief.
In 1986, Ozzy had just gotten off a plane at LAX airport when people began asking him about the "lawsuits". Ozzy knew nothing about any lawsuit but the details quickly emerged. Three lawsuits had been launched against Ozzy, claiming that his lyrics had caused youths to commit suicide. The family of John hired attorney Thomas Anderson in a lawsuit against Ozzy. Mr. Anderson claimed on the "Don't Blame Me" Ozzy video, that the song contained tones known as 'hemisync' and would cause a person to be unable to resist what was being said in the song.
The Institute for Bio-Acoustics Research, Inc. (IBAR) was hired to evaluate the song. They claim to have found subliminal lyrics that weren't included in the lyrics sheet. These subliminal lyrics were sung at one and one-half times the normal rate of speech and are not recognized by a first time listener. The IBAR institute claimed the subliminal lyrics, "are audible enough that their meaning and true intent becomes clear after being listened to over and over again." The subliminal lyrics in question were "Why try, why try? Get the gun and try it! Shoot, Shoot, Shoot", followed by a hideous laughter.
Further analysis by IBAR revealed the hemisync tones, which result from a patented process that uses sound waves to influence an individual's mental state. The tones have been found to increase the rate at which the human brain assimilates and processes information. IBAR claimed these tones made John vulnerable to the suggestive lyrics which Ozzy sang.
Ozzy's lawyer claimed that this was nonsense and relied upon the First Amendment of the Constitution to argue that Ozzy could write about anything he wanted. Three people had now taken their lives, and in each case it was Ozzy's 'Suicide Solution' song which was the focus as the cause of the deaths. Mr. Anderson claimed that the words, "shoot shoot, get the gun, get the gun" were audible in the song. There is an effect which can be heard on the song, that could be interpreted as that if one tried hard enough. The sounds were just Ozzy messing around with the soundboard."
Sunday, June 23, 2013
The Dark Side of Modern Historical Events, ongoing to this very day...
http://thespawnofthesphinx.com/index.html
The Queen of the Damned
Ixchel’s worshippers gathered at the United Nation's Framework Convention on Climate Change in Cancun to pray to the Mayan moon goddess on the forty-fourth anniversary of the founding of the Process Church of the Final Judgment on Mexico’s Yucatan peninsula. Chris Huhne, The UK's energy and environment secretary, was especially excited to finally arrive – he had been delayed in London because, for the second year in a row, England was experiencing some of the worst winter weather in over a century. It didn’t matter to Chris Huhne and other members of the Church of Settled Science that, almost eleven years earlier, in March of 2000, Dr. David Viner (a senior research scientist at the Climatic Research Unit (CRU) of the University of East Anglia), falsely prophesied, British "snowfalls are now just a thing of the past.” And within a few years snowfall in England will become "a very rare and exciting event" because "children aren't going to know what snow is.” It didn’t matter electronic documents would later show that same CRU to be perpetrating the largest scientific fraud in history. The gathering of Ixchel’s worshippers in Cancun had nothing to do with real science, and everyone at the event knew it. Climate changes every day. A tax on carbon changes nothing.
The worshippers were led in a prayer to the goddess Ixchel by the Convention's Executive Secretary, Christiana Figueres;
"May she inspire you – because today, you are gathered in Cancun to weave together the elements of a solid response to climate change, using both reason and creativity as your tools … Excellencies, the goddess Ixchel would probably tell you that a tapestry is the result of the skilful interlacing of many threads. I am convinced that twenty years from now, we will admire the policy tapestry that you have woven together and think back fondly to Cancun and the inspiration of Ixchel."
The opening prayer to a pagan goddess set the tone for representatives from one hundred and ninety-three countries. The allusion to weaving a “tapestry … of many threads” derives from the belief that this particular goddess taught humanity the art of weaving. Mesoamerica’s depiction of Ixchel's snake headdress and talons are curiously reminiscent of a Sumerian moon goddess more than four thousand years earlier.
Her most recent role in our world began on Mexico’s Yucatan Peninsula in 1966.
The Queen of the Damned
Ixchel’s worshippers gathered at the United Nation's Framework Convention on Climate Change in Cancun to pray to the Mayan moon goddess on the forty-fourth anniversary of the founding of the Process Church of the Final Judgment on Mexico’s Yucatan peninsula. Chris Huhne, The UK's energy and environment secretary, was especially excited to finally arrive – he had been delayed in London because, for the second year in a row, England was experiencing some of the worst winter weather in over a century. It didn’t matter to Chris Huhne and other members of the Church of Settled Science that, almost eleven years earlier, in March of 2000, Dr. David Viner (a senior research scientist at the Climatic Research Unit (CRU) of the University of East Anglia), falsely prophesied, British "snowfalls are now just a thing of the past.” And within a few years snowfall in England will become "a very rare and exciting event" because "children aren't going to know what snow is.” It didn’t matter electronic documents would later show that same CRU to be perpetrating the largest scientific fraud in history. The gathering of Ixchel’s worshippers in Cancun had nothing to do with real science, and everyone at the event knew it. Climate changes every day. A tax on carbon changes nothing.
The worshippers were led in a prayer to the goddess Ixchel by the Convention's Executive Secretary, Christiana Figueres;
"May she inspire you – because today, you are gathered in Cancun to weave together the elements of a solid response to climate change, using both reason and creativity as your tools … Excellencies, the goddess Ixchel would probably tell you that a tapestry is the result of the skilful interlacing of many threads. I am convinced that twenty years from now, we will admire the policy tapestry that you have woven together and think back fondly to Cancun and the inspiration of Ixchel."
The opening prayer to a pagan goddess set the tone for representatives from one hundred and ninety-three countries. The allusion to weaving a “tapestry … of many threads” derives from the belief that this particular goddess taught humanity the art of weaving. Mesoamerica’s depiction of Ixchel's snake headdress and talons are curiously reminiscent of a Sumerian moon goddess more than four thousand years earlier.
Her most recent role in our world began on Mexico’s Yucatan Peninsula in 1966.
The Spook Who Sat By the Door
The Spook Who Sat By the Door: new u can use???? codes names in ur idols alter eg...: The GAME and Young Buck caught in a real strange and suspect HollyWeird moment. Young Buck shows that he can offer little if any resistance ...
Then and Now
MessiahMews Blogs: Then and Now: 2013... A bit much, don't ya think? And as each generation is born, there is more and more damage, and nowadays, children and adults ...
organized mass murder, courtesy of the NWO |
Saturday, June 22, 2013
Oregon State Police Taser Autistic 11 year old girl Found Wandering Naked (several 250 lb skinheads shoot down child walking down road)
When police found a confused and naked 11-year-old girl wandering a stretch of highway along the I-5 corridor in Oregon, they didn’t exactly offer her a ride home. Instead the responding officer determined the best course of action would be to Taser her.
This past Sunday morning, cab driver Adam Bednar was aghast when he came upon the adolescent walking down the highway seemingly confused. She was nude and threw Bednar a smile, indicating she wasn’t fully aware of where she was or what she was doing.
“I thought she was drugged. I thought she was on bath salts, too much meth, something,” said Bednar.
“Bednar says he drove alongside her while he called police,” KDRV.com reported. “He says the trooper who arrived called for her to stop, and when she didn’t respond threatened twice to taze her.”
According to the girl’s father, who has contacted Infowars.com, the girl was autistic and didn’t respond to officers due to her ailment. “After giving no response, two little red dots appeared on her back, then metal barbs,” KDRV wrote.
“She seized up, then she just fell face first on the ground,” Bednar described. “Just face first on the ground.”
Adding insult to injury, Oregon State Police officials initially defended the officer’s reaction saying Tasering the 11-year-old girl was necessary to prevent her from wandering further down the road “and putting herself in danger.”
But Bednar says that explanation doesn’t hold up. “She wasn’t going off the road, she was set on walking down the freeway,” Bednar told KDRV. “And I think that, had [the trooper] waited for back up, they could have gotten her without the Taser.”
The girl’s father also took issue with KDRV’s reportage, which frequently referred to the girl as a “young woman,” a “woman” and a “juvenile.” The report also neglected to give her age.
“They keep calling her a ‘woman’ …she is 11 years old. Since when is an 11-year-old kid with the mind of a 3-year-old a ‘woman’?” the girl’s father, who listens to Infowars, told us. “She is very gentle and non combative. If the police cannot apprehend a child who is cooperative without Tasing then what would be the alternative? Shooting her?”
Fortunately, police were gracious enough not to charge the girl or her family with a crime.
As we have detailed numerous times, Tasers are designed to be used only in emergency situations, as a last resort before lethal force; however, police frequently employ the sometimes deadly devices to force compliance.
KDRV’s account of the event also highlights the incestuous relationship between media and police. Instead of questioning authorities and pressing officers on why they would Tase an 11-year-old, the compliant reporters attempt to convince viewers they’re remaining objective and presenting all the facts.
As her father mentioned, the reporters also intentionally misled viewers over the girl’s age, referring to her as a “woman.”
http://www.informationliberation.com/?id=44201
This past Sunday morning, cab driver Adam Bednar was aghast when he came upon the adolescent walking down the highway seemingly confused. She was nude and threw Bednar a smile, indicating she wasn’t fully aware of where she was or what she was doing.
“I thought she was drugged. I thought she was on bath salts, too much meth, something,” said Bednar.
“Bednar says he drove alongside her while he called police,” KDRV.com reported. “He says the trooper who arrived called for her to stop, and when she didn’t respond threatened twice to taze her.”
According to the girl’s father, who has contacted Infowars.com, the girl was autistic and didn’t respond to officers due to her ailment. “After giving no response, two little red dots appeared on her back, then metal barbs,” KDRV wrote.
“She seized up, then she just fell face first on the ground,” Bednar described. “Just face first on the ground.”
Adding insult to injury, Oregon State Police officials initially defended the officer’s reaction saying Tasering the 11-year-old girl was necessary to prevent her from wandering further down the road “and putting herself in danger.”
But Bednar says that explanation doesn’t hold up. “She wasn’t going off the road, she was set on walking down the freeway,” Bednar told KDRV. “And I think that, had [the trooper] waited for back up, they could have gotten her without the Taser.”
The girl’s father also took issue with KDRV’s reportage, which frequently referred to the girl as a “young woman,” a “woman” and a “juvenile.” The report also neglected to give her age.
“They keep calling her a ‘woman’ …she is 11 years old. Since when is an 11-year-old kid with the mind of a 3-year-old a ‘woman’?” the girl’s father, who listens to Infowars, told us. “She is very gentle and non combative. If the police cannot apprehend a child who is cooperative without Tasing then what would be the alternative? Shooting her?”
Fortunately, police were gracious enough not to charge the girl or her family with a crime.
As we have detailed numerous times, Tasers are designed to be used only in emergency situations, as a last resort before lethal force; however, police frequently employ the sometimes deadly devices to force compliance.
KDRV’s account of the event also highlights the incestuous relationship between media and police. Instead of questioning authorities and pressing officers on why they would Tase an 11-year-old, the compliant reporters attempt to convince viewers they’re remaining objective and presenting all the facts.
As her father mentioned, the reporters also intentionally misled viewers over the girl’s age, referring to her as a “woman.”
http://www.informationliberation.com/?id=44201
World’s largest Bitcoin exchange suspends US withdrawals (money can go in, but it can't come out: BITSCAM
For the next two weeks Bitcoin users in the US will be unable to withdraw the virtual currency in dollars. Major exchange Mt. Gox cited an unusually high demand as the reason for the suspension, while customers worried the company has run out of cash.
Mt. Gox, based in Tokyo, Japan, handles approximately 80 per cent of Bitcoin transactions in the US and 70 per cent internationally. The popularity of the service, which allows customers to buy and sell items with relative anonymity, has led, indirectly, to the current transaction freeze.
“Over the past week Mt. Gox has experienced rising volumes of deposits and withdrawals from established and upcoming markets interested in Bitcoin,” a company statement explained. “This increased volume has made it difficult for our bank to process the transactions smoothly and within a timely manner, which has created unnecessary delays for our global customers. This is especially so for those in the United States who are requesting wire transfer withdrawals from their accounts.”
Users are still able to deposit into Mt. Gox and continue trading on other Bitcoin services, but the update has fueled speculation that the largest Bitcoin provider has grown too quickly and simply run out of cash, an allegation the company has not addressed publicly.
“We are currently making improvement to process withdrawals of the United States Dollar denominations, and as a result are temporarily suspending cash withdrawals of USD for the next two weeks,” the statement continued. “Please be reassured that USD deposits and transfers to Mt. Gox will remain unaffected, as will deposits and withdrawals in other currencies, and we will be resuming USD withdrawals once the process is completed.”
Recent estimates indicate the number of Bitcoins in circulation is at approximately 11 million, with the collective market value nearing $1.4 billion. The price of one Bitcoin was 107 Friday, after fluctuating wildly in recent months, according to bitcoincharts.com.
While economists admit Bitcoin could have a bright financial future, its instability has been a point of reluctance for would-be investors. The temporary withdrawal restriction will almost certainly be another reason for hesitancy.
“Without a safe infrastructure, a digital currency will never achieve widespread adoption by a mainstream audience,” wrote Mark Courtney, a product and services director at GBGroup, an identity intelligence company, for Wired. “The initial success of Bitcoin proves that there is appetite for a type of digital currency, but without making the service trustworthy, more trading floors will close.”
http://rt.com/business/largest-bitcoin-exchange-suspends-withdrawals-094/
Mt. Gox, based in Tokyo, Japan, handles approximately 80 per cent of Bitcoin transactions in the US and 70 per cent internationally. The popularity of the service, which allows customers to buy and sell items with relative anonymity, has led, indirectly, to the current transaction freeze.
“Over the past week Mt. Gox has experienced rising volumes of deposits and withdrawals from established and upcoming markets interested in Bitcoin,” a company statement explained. “This increased volume has made it difficult for our bank to process the transactions smoothly and within a timely manner, which has created unnecessary delays for our global customers. This is especially so for those in the United States who are requesting wire transfer withdrawals from their accounts.”
Users are still able to deposit into Mt. Gox and continue trading on other Bitcoin services, but the update has fueled speculation that the largest Bitcoin provider has grown too quickly and simply run out of cash, an allegation the company has not addressed publicly.
“We are currently making improvement to process withdrawals of the United States Dollar denominations, and as a result are temporarily suspending cash withdrawals of USD for the next two weeks,” the statement continued. “Please be reassured that USD deposits and transfers to Mt. Gox will remain unaffected, as will deposits and withdrawals in other currencies, and we will be resuming USD withdrawals once the process is completed.”
Recent estimates indicate the number of Bitcoins in circulation is at approximately 11 million, with the collective market value nearing $1.4 billion. The price of one Bitcoin was 107 Friday, after fluctuating wildly in recent months, according to bitcoincharts.com.
While economists admit Bitcoin could have a bright financial future, its instability has been a point of reluctance for would-be investors. The temporary withdrawal restriction will almost certainly be another reason for hesitancy.
“Without a safe infrastructure, a digital currency will never achieve widespread adoption by a mainstream audience,” wrote Mark Courtney, a product and services director at GBGroup, an identity intelligence company, for Wired. “The initial success of Bitcoin proves that there is appetite for a type of digital currency, but without making the service trustworthy, more trading floors will close.”
http://rt.com/business/largest-bitcoin-exchange-suspends-withdrawals-094/
Full remote control of ALL modern U.S. market cars PROVEN
A team of hackers from the Department of Computer Science at the University of Washington conducted a study which has proven that all cars equipped with antilock brakes sold in the U.S. can be hacked via remote control and have their brakes entirely disabled with the car in motion, throttle revved, and remain fully operational with the key removed and the car in park with all driver input entirely ignored.
science document from research university here, until government forces it offline.
http://therebel.org/images/pdf/carhack.pdf
Experimental Security Analysis of a Modern Automobile
Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and Tadayoshi Kohno
Department of Computer Science and Engineering
University of Washington
Seattle, Washington 98195–2350
Email: {supersat,aczeskis,franzi,shwetak,yoshi}@cs.washington.edu
Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage
Department of Computer Science and Engineering
University of California San Diego
La Jolla, California 92093–0404
Email: {s,dlmccoy,brian,d8anders,hovav,savage}@cs.ucsd.edu
Abstract—Modern automobiles are no longer mere mechanical
devices; they are pervasively monitored and controlled by
dozens of digital computers coordinated via internal vehicular
networks. While this transformation has driven major advancements
in efficiency and safety, it has also introduced a range of
new potential risks. In this paper we experimentally evaluate
these issues on a modern automobile and demonstrate the
fragility of the underlying system structure. We demonstrate
that an attacker who is able to infiltrate virtually any Electronic
Control Unit (ECU) can leverage this ability to completely
circumvent a broad array of safety-critical systems. Over a
range of experiments, both in the lab and in road tests, we
demonstrate the ability to adversarially control a wide range
of automotive functions and completely ignore driver input—
including disabling the brakes, selectively braking individual
wheels on demand, stopping the engine, and so on. We find
that it is possible to bypass rudimentary network security
protections within the car, such as maliciously bridging between
our car’s two internal subnets. We also present composite
attacks that leverage individual weaknesses, including an attack
that embeds malicious code in a car’s telematics unit and
that will completely erase any evidence of its presence after a
crash. Looking forward, we discuss the complex challenges in
addressing these vulnerabilities while considering the existing
automotive ecosystem.
Keywords—Automobiles, communication standards, communication
system security, computer security, data buses.
I. INTRODUCTION
Through 80 years of mass-production, the passenger automobile
has remained superficially static: a single gasolinepowered
internal combustion engine; four wheels; and the
familiar user interface of steering wheel, throttle, gearshift,
and brake. However, in the past two decades the underlying
control systems have changed dramatically. Today’s automobile
is no mere mechanical device, but contains a myriad of
computers. These computers coordinate and monitor sensors,
components, the driver, and the passengers. Indeed, one
recent estimate suggests that the typical luxury sedan now
contains over 100 MB of binary code spread across 50–70
independent computers—Electronic Control Units (ECUs)
in automotive vernacular—in turn communicating over one
or more shared internal network buses [8], [13].
While the automotive industry has always considered
safety a critical engineering concern (indeed, much of this
new software has been introduced specifically to increase
safety, e.g., Anti-lock Brake Systems) it is not clear whether
vehicle manufacturers have anticipated in their designs the
possibility of an adversary. Indeed, it seems likely that this
increasing degree of computerized control also brings with
it a corresponding array of potential threats.
Compounding this issue, the attack surface for modern
automobiles is growing swiftly as more sophisticated services
and communications features are incorporated into
vehicles. In the United States, the federally-mandated On-
Board Diagnostics (OBD-II) port, under the dash in virtually
all modern vehicles, provides direct and standard
access to internal automotive networks. User-upgradable
subsystems such as audio players are routinely attached to
these same internal networks, as are a variety of shortrange
wireless devices (Bluetooth, wireless tire pressure
sensors, etc.). Telematics systems, exemplified by General
Motors’ (GM’s) OnStar, provide value-added features such
as automatic crash response, remote diagnostics, and stolen
vehicle recovery over a long-range wireless link. To do
so, these telematics systems integrate internal automotive
subsystems with a remote command center via a widearea
cellular connection. Some have taken this concept
even further—proposing a “car as a platform” model for
third-party development. Hughes Telematics has described
plans for developing an “App Store” for automotive applications
[22] while Ford recently announced that it will
open its Sync telematics system as a platform for third-party
applications [14]. Finally, proposed future vehicle-to-vehicle
(V2V) and vehicle-to-infrastructure (V2X) communications
systems [5], [6], [7], [25] will only broaden the attack
surface further.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 1
Overall, these trends suggest that a wide range of vectors
will be available by which an attacker might compromise a
component and gain access to internal vehicular networks—
with unknown consequences. Unfortunately, while previous
research efforts have largely considered vehicular security
risks in the abstract, very little is publicly known about the
practical security issues in automobiles on the road today.
Our research aims to fill this gap.
This paper investigates these issues through an empirical
lens—with active experiments against two late-model
passenger cars (same make and model). We test these
cars’ components in isolation in the lab, as a complete
system in a controlled setting (with the car elevated on
jacks), and in live road tests on a closed course. We have
endeavored to comprehensively assess how much resilience a
conventional automobile has against a digital attack mounted
against its internal components. Our findings suggest that,
unfortunately, the answer is “little.”
Indeed, we have demonstrated the ability to systematically
control a wide array of components including engine,
brakes, heating and cooling, lights, instrument panel, radio,
locks, and so on. Combining these we have been able to
mount attacks that represent potentially significant threats
to personal safety. For example, we are able to forcibly and
completely disengage the brakes while driving, making it
difficult for the driver to stop. Conversely, we are able to
forcibly activate the brakes, lurching the driver forward and
causing the car to stop suddenly.
Rather than focus just on individual attacks, we conduct a
comprehensive analysis of our cars’ digital components and
internal networks. We experimentally evaluate the security
properties of each of the key components within our cars,
and we analyze the security properties of the underlying
network substrate. Beyond measuring the real threats against
the computerized components within modern cars, as well
as the fundamental reasons those threats are possible, we
explore considerations and directions for reconciling the
tension between strategies for better security and the broader
context surrounding automobiles.
II. BACKGROUND
There are over 250 million registered passenger automobiles
in the United States [4]. The vast majority of these
are computer controlled to a significant degree and virtually
all new cars are now pervasively computerized. However,
in spite of their prevalence, the structure of these systems,
the functionality they provide and the networks they use
internally are largely unfamiliar to the computer security
community. In this section, we provide basic background
context concerning automotive embedded systems architecture
in general and an overview of prior related work
concerning automotive security.
A. Automotive Embedded Systems
Digital control, in the form of self-contained embedded
systems called Engine Control Units (ECUs), entered US
production vehicles in the late 1970s, largely due to requirements
of the California Clean Air Act (and subsequent
federal legislation) and pressure from increasing gasoline
prices [21]. By dynamically measuring the oxygen present
in exhaust fumes, the ECU could then adjust the fuel/oxygen
mixture before combustion, thereby improving efficiency
and reducing pollutants. Since then, such systems have been
integrated into virtually every aspect of a car’s functioning
and diagnostics, including the throttle, transmission, brakes,
passenger climate and lighting controls, external lights,
entertainment, and so on, causing the term ECU to be
generalized to Electronic Control Units. Thus, over the last
few decades the amount of software in luxury sedans has
grown from virtually nothing to tens of millions of lines of
code, spread across 50–70 independent ECUs [8].
ECU Coupling. Many features require complex interactions
across ECUs. For example, modern Electronic
Stability Control (ESC) systems monitor individual wheel
speed, steering angle, throttle position, and various accelerometers.
The ESC automatically modulates engine
torque and wheel speed to increase traction when the car’s
line stops following the steering angle (i.e., a skid). If
brakes are applied they must also interact with the Antilock
Braking System (ABS). More advanced versions also
offer Roll Stability Control (RSC), which may also apply
brakes, reduce the throttle, and modulate the steering angle
to prevent the car from rolling over. Active Cruise Control
(ACC) systems scan the road ahead and automatically increase
or decrease the throttle (about some pre-programmed
cruising speed) depending on the presence of slower vehicles
in the path (e.g., the Audi Q7 will automatically apply
brakes, completely stopping the vehicle if necessary, with no
user input). Versions of this technology also provide “precrash”
features in some cars including pre-charging brakes
and pre-tensioning seat belts. Some new luxury sedans (e.g.,
the Lexus LS460) even offer automated parallel parking
features in which steering is completely subsumed. These
trends are further accelerated by electric-driven vehicles that
require precise software control over power management
and regenerative braking to achieve high efficiency, by a
slew of emerging safety features, such as VW’s Lane Assist
system, and by a wide range of proposed entertainment and
communications features (e.g., it was recently announced
that GM’s OnStar will offer integration with Twitter [10]).
Even full “steer-by-wire” functionality has been seen in a
range of concept cars including GM’s widely publicized Hywire
fuel cell vehicle [12].
While some early systems used one-off designs and
bilateral physical wire connections for such interactions
(e.g., between different sensors and an ECU), this approach
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 2
does not scale. A combination of time-to-market pressures,
wiring overhead, interaction complexity, and economy of
scale pressures have driven manufacturers and suppliers to
standardize on a few key digital buses, such as Controller
Area Network (CAN) and FlexRay, and software technology
platforms (cf. Autosar [1]) shared across component manufacturers
and vendors. Indeed, the distributed nature of the
automotive manufacturing sector has effectively mandated
such an approach—few manufacturers can afford the overhead
of full soup-to-nuts designs anymore.
Thus, the typical car contains multiple buses (generally
based on the CAN standard) covering different component
groups (e.g., a high-speed bus may interconnect powertrain
components that generate real-time telemetry while
a separate low-speed bus might control binary actuators
like lights and doors). While it seems that such buses
could be physically isolated (e.g., safety critical systems
on one, entertainment on the other), in practice they are
“bridged” to support subtle interaction requirements. For
example, consider a car’s Central Locking Systems (CLS),
which controls the power door locking mechanism. Clearly
this system must monitor the physical door lock switches,
wireless input from any remote key fob (for keyless entry),
and remote telematics commands to open the doors.
However, unintuitively, the CLS must also be interconnected
with safety critical systems such as crash detection to ensure
that car locks are disengaged after airbags are deployed to
facilitate exit or rescue.
Telematics. Starting in the mid-1990’s automotive
manufacturers started marrying more powerful ECUs—
providing full Unix-like environments—with peripherals
such as Global Positioning Systems (GPS), and adding a
“reach-back” component using cellular back-haul links. By
far the best known and most innovative of such systems
is GM’s OnStar, which—now in its 8th generation—
provides a myriad of services. An OnStar-equipped car
can, for example, analyze the car’s On Board Diagnostics
(OBD) as it is being driven, proactively detect likely
vehicle problems, and notify the driver that a trip to the
repair shop is warranted. OnStar ECUs monitor crash sensors
and will automatically place emergency calls, provide
audio-links between passengers and emergency personnel,
and relay GPS-based locations. These systems even enable
properly authorized OnStar personnel to remotely unlock
cars, track the cars’ locations and, starting with some
2009 model years, remotely stop them (for the purposes
of recovery in case of theft) purportedly by stopping the
flow of fuel to the engines. To perform these functions,
OnStar units routinely bridge all important buses in the
automobile, thereby maximizing flexibility, and implement
an on-demand link to the Internet via Verizon’s digital
cellular service. However, GM is by no means unique and
virtually every manufacturer now has a significant telematics
package in their lineup (e.g., Ford’s Sync, Chrysler’s
UConnect, BMW’s Connected Drive, and Lexus’s Enform),
frequently provided in collaboration with third-party
specialist vendors such as Hughes Telematics and ATX
Group.
Taken together, ubiquitous computer control, distributed
internal connectivity, and telematics interfaces increasingly
combine to provide an application software platform with
external network access. There are thus ample reasons to
reconsider the state of vehicular computer security.
B. Related Work
Indeed, we are not the first to observe the potential
fragility of the automotive environment. In the academic
context, several groups have described potential vulnerabilities
in automotive systems, e.g., [19], [24], [26], [27],
[28]. They provide valuable contributions toward framing
the vehicle security and privacy problem space—notably
in outlining the security limitations of the popular CAN bus
protocol—as well as possible directions for securing vehicle
components. With some exceptions, e.g., [15], most of these
efforts consider threats abstractly; considering “what-if”
questions about a hypothetical attacker. Part of our paper’s
contribution is to make this framing concrete by providing
comprehensive experimental results assessing the behavior
of real automobiles and automotive components in response
to specific attacks.
Further afield, a broad array of researchers have considered
the security problems of vehicle-to-vehicle (V2V)
systems (sometimes also called vehicular ad-hoc networks,
or VANETs); see [18] for a survey. Indeed, this work is
critical, as such future networks will otherwise present yet
another entry point by which attackers might infiltrate a
vehicle. However, our work is focused squarely on the
possibilities after any such infiltration. That is, what are the
security issues within a car, rather than external to it.
Still others have focused on theft-related access control
mechanisms, including successful attacks against vehicle
keyless entry systems [11], [16] and vehicle immobilizers
[3].
Outside the academic realm, there is a small but vibrant
“tuner” subculture of automobile enthusiasts who employ
specialized software to improve performance (e.g., by removing
electronic RPM limitations or changing spark timings,
fuel ignition parameters, or valve timings) frequently
at the expense of regulatory compliance [20], [23]. These
groups are not adversaries; their modifications are done to
improve and personalize their own cars, not to cause harm.
In our work, we consider how an adversary with malicious
motives might disrupt or modify automotive systems.
Finally, we point out that while there is an emerging
effort focused on designing fully autonomous vehicles
(e.g., DARPA Grand Challenge [9]), these are specifically
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 3
designed to be robotically controlled. While such vehicles
would undoubtedly introduce yet new security concerns,
in this paper we concern ourselves solely with the
vulnerabilities in today’s commercially-available automobiles.
C. Threat Model
In this paper we intentionally and explicitly skirt the
question of a “threat model.” Instead, we focus primarily
on what an attacker could do to a car if she was able to
maliciously communicate on the car’s internal network. That
said, this does beg the question of how she might be able
to gain such access.
While we leave a full analysis of the modern automobile’s
attack surface to future research, we briefly describe here the
two “kinds” of vectors by which one might gain access to
a car’s internal networks.
The first is physical access. Someone—such as a mechanic,
a valet, a person who rents a car, an ex-friend, a
disgruntled family member, or the car owner—can, with
even momentary access to the vehicle, insert a malicious
component into a car’s internal network via the ubiquitous
OBD-II port (typically under the dash). The attacker may
leave the malicious component permanently attached to the
car’s internal network or, as we show in this paper, they
may use a brief period of connectivity to embed the malware
within the car’s existing components and then disconnect. A
similar entry point is presented by counterfeit or malicious
components entering the vehicle parts supply chain—either
before the vehicle is sent to the dealer, or with a car owner’s
purchase of an aftermarket third-party component (such as
a counterfeit FM radio).
The other vector is via the numerous wireless interfaces
implemented in the modern automobile. In our car we
identified no fewer than five kinds of digital radio interfaces
accepting outside input, some over only a short range and
others over indefinite distance. While outside the scope of
this paper, we wish to be clear that vulnerabilities in such
services are not purely theoretical. We have developed the
ability to remotely compromise key ECUs in our car via
externally-facing vulnerabilities, amplify the impact of these
remote compromises using the results in this paper, and
ultimately monitor and control our car remotely over the
Internet.
III. EXPERIMENTAL ENVIRONMENT
Our experimental analyses focus on two 2009 automobiles
of the same make and model.1 We selected our particular
vehicle because it contained both a large number of
1We believe the risks identified in this paper arise from the architecture
of the modern automobile and not simply from design decisions made by
any single manufacturer. For this reason, we have chosen not to identify
the particular make and model used in our tests. We believe that other
automobile manufacturers and models with similar features may have
similar security properties.
electronically-controlled components (necessitated by complex
safety features such as anti-lock brakes and stability
control) and a sophisticated telematics system. We purchased
two vehicles to allow differential testing and to validate that
our results were not tied to one individual vehicle. At times
we also purchased individual replacement ECUs via thirdparty
dealers to allow additional testing. Table I lists some
of the most important ECUs in our car.
We experimented with these cars—and their internal
components—in three principal settings:
• Bench. We physically extracted hardware from the
car for analysis in our lab. As with most automobile
manufacturers, our vehicles use a variant of the
Controller Area Network (CAN) protocol for communicating
among vehicle components (in our case
both a high-speed and low-speed variant as well as
a variety of proprietary higher-layer network management
services). Through this protocol, any component
can be accessed and interrogated in isolation in
the lab. Figure 1 shows an example setup, with the
Electronic Brake Control Module (EBCM) hooked up
to a power supply, a CAN-to-USB converter, and an
oscilloscope.
• Stationary car. We conducted most of our in-car experiments
with the car stationary. For both safety and
convenience, we elevated the car on jack stands for
experiments that required the car to be “at speed”; see
Figure 3.
Figure 2 shows the experimental setup inside the car.
For these experiments, we connected a laptop to the
car’s standard On-Board Diagnostics II (OBD-II) port.
We used an off-the-shelf CAN-to-USB interface (the
CANCapture ECOM cable) to interact with the car’s
high-speed CAN network, and an Atmel AT90CAN128
development board (the Olimex AVR-CAN) with custom
firmware to interact with the car’s low-speed
CAN network. The laptop ran our custom CARSHARK
program (see below).
• On the road. To obtain full experimental fidelity, for
some of our results we experimented at speed while on
a closed course.
We exercised numerous precautions to protect the
safety of both our car’s driver and any third parties. For
example, we used the runway of a de-commissioned
airport because the runway is long and straight, giving
us additional time to respond should an emergency
situation arise (see Figure 7).
For these experiments, one of us drove the car while
three others drove a chase car on a parallel service road;
one person drove the chase car, one documented much
of the process on video, and one wirelessly controlled
the test car via an 802.11 ad hoc connection to a laptop
in the test car that in turn accessed its CAN bus.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 4
Low-Speed High-Speed
Component Functionality Comm. Bus Comm. Bus
ECM Engine Control Module
Controls the engine using information from sensors to determine the amount
of fuel, ignition timing, and other engine parameters.
X
EBCM Electronic Brake Control Module
Controls the Antilock Brake System (ABS) pump motor and valves, preventing
brakes from locking up and skidding by regulating hydraulic pressure.
X
TCM Transmission Control Module
Controls electronic transmission using data from sensors and from the ECM
to determine when and how to change gears.
X
BCM Body Control Module
Controls various vehicle functions, provides information to occupants, and
acts as a firewall between the two subnets.
X X
Telematics Telematics Module
Enables remote data communication with the vehicle via cellular link.
X X
RCDLR Remote Control Door Lock Receiver
Receives the signal from the car’s key fob to lock/unlock the doors and
the trunk. It also receives data wirelessly from the Tire Pressure Monitoring
System sensors.
X
HVAC Heating, Ventilation, Air Conditioning
Controls cabin environment.
X
SDM Inflatable Restraint Sensing and Diagnostic Module
Controls airbags and seat belt pretensioners.
X
IPC/DIC Instrument Panel Cluster/Driver Information Center
Displays information to the driver about speed, fuel level, and various alerts
about the car’s status.
X
Radio Radio
In addition to regular radio functions, funnels and generates most of the incabin
sounds (beeps, buzzes, chimes).
X
TDM Theft Deterrent Module
Prevents vehicle from starting without a legitimate key.
X
Table I. Key Electronic Control Units (ECUs) within our cars, their roles, and which CAN buses they are on.
The CARSHARK Tool. To facilitate our experimental
analysis, we wrote CARSHARK—a custom CAN bus analyzer
and packet injection tool (see Figure 4). While there
exist commercially available CAN sniffers, none were appropriate
for our use. First, we needed the ability to process
and manipulate our vendor’s proprietary extensions to the
CAN protocol. Second, while we could have performed
limited testing using a commercial CAN sniffer coupled
with a manufacturer-specific diagnostic service tool, this
combination still doesn’t offer the flexibility to support our
full range of attack explorations, including reading out ECU
memory, loading custom code into ECUs, or generating
fuzz-testing packets over the CAN interface.
IV. INTRA-VEHICLE NETWORK SECURITY
Before experimentally evaluating the security of individual
car components, we assess the security properties
of the CAN bus in general, which we describe below.
We do so by first considering weaknesses inherent to the
protocol stack and then evaluating the degree to which
our car’s components comply with the standard’s specifications.
A. CAN Bus
There are a variety of protocols that can be implemented
on the vehicle bus, but starting in 2008 all cars sold in the
U.S. are required to implement the Controller Area Network
(CAN) bus (ISO 11898 [17]) for diagnostics. As a result,
CAN—roughly speaking, a link-layer data protocol—has
become the dominant communication network for in-car
networks (e.g., used by BMW, Ford, GM, Honda, and
Volkswagen).
A CAN packet (shown in Figure 5) does not include
addresses in the traditional sense and instead supports a
publish-and-subscribe communications model. The CAN ID
header is used to indicate the packet type, and each packet
is both physically and logically broadcast to all nodes,
which then decide for themselves whether to process the
packets.
The CAN variant for our car includes slight extensions
to framing (e.g., on the interpretation of certain CAN ID’s)
and two separate physical layers—a high-speed bus which
is differentially-signaled and primarily used by powertrain
systems and a low-speed bus (SAE J2411) using a single
wire and supporting less-demanding components. When
necessary, a gateway bridge can route selected data between
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 5
Figure 1. Example bench setup within our
lab. The Electronic Brake Control Module
(ECBM) is hooked up to a power supply, a
CAN-to-USB converter, and an oscilloscope.
Figure 2. Example experimental setup. The
laptop is running our custom CARSHARK
CAN network analyzer and attack tool. The
laptop is connected to the car’s OBD-II port.
Figure 3. To test ECU behavior in a
controlled environment, we immobilized the
car on jack stands while mounting attacks.
Figure 4. Screenshot of the CARSHARK interface. CARSHARK is being
used to sniff the CAN bus. Values that have been recently updated are in
yellow. The left panel lists all recognized nodes on high and low speed
subnets of the CAN bus and has some action buttons. The demo panel on
the right provides some proof-of-concept demos.
the two buses. Finally, the protocol standards define a range
of services to be implemented by ECUs.
B. CAN Security Challenges
The underlying CAN protocol has a number of inherent
weaknesses that are common to any implementation. Key
among these:
Broadcast Nature. Since CAN packets are both physically
and logically broadcast to all nodes, a malicious
component on the network can easily snoop on all communications
or send packets to any other node on the
network. CARSHARK leverages this property, allowing us
to observe and reverse-engineer packets, as well as to inject
new packets to induce various actions.
Fragility to DoS. The CAN protocol is extremely
vulnerable to denial-of-service attacks. In addition to simple
packet flooding attacks, CAN’s priority-based arbitration
scheme allows a node to assert a “dominant” state on the
bus indefinitely and cause all other CAN nodes to back
off. While most controllers have logic to avoid accidentally
11 bits 18 bits 4 bits 0–8 bytes 15 bits 7 bits
Start-offrame
Substitute remote
request
Extended identifier
Reserved
2 bits
Data CRC
ACK
End-offrame
Identifier
Identifier
extension
Remote transmission
request
Data length
code
CRC delimiter
ACK
delimiter
Figure 5. CAN packet structure. Extended frame format is shown. Base
frame format is similar.
breaking the network this way, adversarially-controlled hardware
would not need to exercise such precautions.
No Authenticator Fields. CAN packets contain no
authenticator fields—or even any source identifier fields—
meaning that any component can indistinguishably send a
packet to any other component. This means that any single
compromised component can be used to control all of the
other components on that bus, provided those components
themselves do not implement defenses; we consider the
security of individual components in Section V.
Weak Access Control. The protocol standards for our
car specify a challenge-response sequence to protect ECUs
against certain actions without authorization. A given ECU
may participate in zero, one, or two challenge-response
pairs:
• Reflashing and memory protection. One challengeresponse
pair restricts access to reflashing the ECU and
reading out sensitive memory. By design, a service shop
might authenticate with this challenge-response pair in
order to upgrade the firmware on an ECU.
• Tester capabilities. Modern automobiles are complex
and thus diagnosing their problems requires significant
support. Thus, a major use of the CAN bus is in
providing diagnostic access to service technicians. In
particular, external test equipment (the “tester”) must
be able to interrogate the internal state of the car’s
components and, at times, manipulate this state as well.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 6
Our car implements this capability via the DeviceControl
service which is accessed in an RPC-like fashion
directly via CAN messages. In our car, the second
challenge-response pair described above is designed to
restrict access to the DeviceControl services.
Under the hood, ECUs are supposed to use a fixed challenge
(seed) for each of these challenge-response pairs; the corresponding
responses (keys) are also fixed and stored in these
ECUs. The motivation for using fixed seeds and keys is to
avoid storing the challenge-response algorithm in the ECU
firmware itself (since that firmware could be read out if an
external flash chip is used). Indeed, the associated reference
standard states “under no circumstances shall the encryption
algorithm ever reside in the node.” (The tester, however, does
have the algorithm and uses it to compute the key.) Different
ECUs should have different seeds and keys.
Despite these apparent security precautions, to the best of
our knowledge many of the seed-to-key algorithms in use
today are known by the car tuning community.
Furthermore, as described in the protocol standards, the
challenges (seeds) and responses (keys) are both just 16 bits.
Because the ECUs are required to allow a key attempt every
10 seconds, an attacker could crack one ECU key in a little
over seven and a half days. If an attacker has access to
the car’s network for this amount of time (such as through
another compromised component), any reflashable ECU can
be compromised. Multiple ECUs can be cracked in parallel,
so this is an upper bound on the amount of time it could take
to crack a key in every ECU in the vehicle. Furthermore,
if an attacker can physically remove a component from
the car, she can further reduce the time needed to crack
a component’s key to roughly three and a half days by
powercycling the component every two key attempts (we
used this approach to perform an exhaustive search for the
Electronic Brake Control Module (EBCM) key on one of
our cars, recovering the key in about a day and a half; see
Figure 1 for our experimental setup).
In effect, there are numerous realistic scenarios in which
the challenge-response sequences defined in the protocol
specification can be circumvented by a determined attacker.
ECU Firmware Updates and Open Diagnostic Control.
Given the generic weaknesses with the aforementioned
access control mechanisms, it is worth stepping back and
reconsidering the benefits and risks associated with exposing
ECUs to reflashing and diagnostic testing.
First, the ability to do software-only upgrades to ECUs
can be extremely valuable to vehicle manufacturers, who
might otherwise have to bear the cost of physically replacing
ECUs for trivial defects in the software. For example, one
of us recently received a letter from a car dealer, inviting us
to visit an auto shop in order to upgrade the firmware on
our personal car’s ECM to correctly meet certain emission
requirements. However, it is also well known that attackers
can use software updates to inject malicious code into
systems [2]. The challenge-response sequences alone are
not sufficient to protect against malicious firmware updates;
in subsequent sections we investigate whether additional
protection mechanisms are deployed at a higher level (such
as the cryptographically signed firmware updates).
Similarly, the DeviceControl service is a tremendously
powerful tool for assisting in the diagnosis of a car’s
components. But, given the generic weaknesses of the CAN
access control mechanisms, the DeviceControl capabilities
present enumerable opportunities to an attacker (indeed, a
great number of our attacks are built on DeviceControl).
In many ways this challenge parallels the security vs.
functionality tension presented by debuggers in conventional
operating systems; to be effective debuggers need to be able
to examine and manipulate all state, but if they can do that
they can do anything. However, while traditional operating
systems generally finesse this problem via access-control
rights on a per-user basis, there is no equivalent concept in
CAN. Given the weaknesses with the CAN access control
sequence, the role of “tester” is effectively open to any node
on the bus and thus to any attacker.
Worse, in Section IV-C below we find that many ECUs in
our car deviate from their own protocol standards, making
it even easier for an attacker to initiate firmware updates or
DeviceControl sequences—without even needing to bypass
the challenge-response protocols.
C. Deviations from Standards
In several cases, our car’s protocol standards do prescribe
risk-mitigation strategies with which components should
comply. However, our experimental findings revealed that
not all components in the car always follow these specifications.
Disabling Communications. For example, the standard
states that ECUs should reject the “disable CAN
communications” command when it is unsafe to accept and
act on it, such as when a car is moving. However, we
experimentally verified that this is not actually the case in
our car: we were able to disable communications to and from
all the ECUs in Table I even with the car’s wheels moving
at speed on jack stands and while driving on the closed road
course.
Reflashing ECUs While Driving. The standard also
states that ECUs should reject reflashing events if they deem
them unsafe. In fact, it states: “The engine control module
should reject a request to initiate a programming event if the
engine were running.” However, we experimentally verified
that we could place the Engine Control Module (ECM) and
Transmission Control Module (TCM) into reflashing mode
when our car was at speed on jack stands. When the ECM
enters this mode, the engine stops running. We also verified
that we could place the ECM into reflashing mode while
driving on the closed course.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 7
Noncompliant Access Control: Firmware and Memory.
The standard states that ECUs with emissions, anti-theft,
or safety functionality must be protected by a challengeresponse
access control protocol (as per Section IV-B).
Even disregarding the weakness of this protocol, we
found it was implemented less broadly than we would
have expected. For example, the telematics unit in our
car, which are connected to the car’s CAN buses, use a
hardcoded challenge and a hardcoded response common
to all similar units, seemingly in violation of the standard
(specifically, the standard states that “all nodes with the
same part number shall NOT have the same security seed”).
Even worse, the result of the challenge-response protocol
is never used anywhere; one can reflash the unit at any
time without completing the challenge-response protocol.
We verified experimentally that we can load our own code
onto our car’s telematics unit without authenticating.
Some access-controlled operations, such as reading sensitive
memory areas (such as the ECU’s program or keys)
may be outright denied if deemed too risky. For example,
the standard states that an ECU can define memory addresses
that “[it] will not allow a tester to read under any
circumstances (e.g., the addresses that contain the security
seed and key values).” However, in another instance of noncompliance,
we experimentally verified that we could read
the reflashing keys out of the BCM without authenticating,
and the DeviceControl keys for the ECM and TCM just by
authenticating with the reflashing key. We were also able to
extract the telematics units’ entire memory, including their
keys, without authentication.
Noncompliant Access Control: Device Overrides. Recall
that the DeviceControl service is used to override the
state of components. However, ECUs are expected to reject
unsafe DeviceControl override requests, such as releasing
the brakes when the car is in motion (an example mentioned
in the standard). Some of these unsafe overrides are needed
for testing during the manufacturing process, so those can be
enabled by authenticating with the DeviceControl key. However,
we found during our experiments that certain unsafe
device control operations succeeded without authenticating;
we summarize these in Tables II, V-A, and IV.
Imperfect Network Segregation. The standard implicitly
defines the high-speed network as more trusted than the
low-speed network. This difference is likely due to the fact
that the high-speed network includes the real-time safetycritical
components (e.g., engine, brakes), while the lowspeed
network commonly includes components less critical
to safety, like the radio and the HVAC system.
The standard states that gateways between the two networks
must only be re-programmable from the high-speed
network, presumably to prevent a low-speed device from
compromising a gateway to attack the high-speed network.
In our car, there are two ECUs which are on both buses and
can potentially bridge signals: the Body Controller Module
(BCM) and the telematics unit. While the telematics unit
is not technically a gateway, it connects to both networks
and can only be reprogrammed (against the spirit of the
standard) from the low-speed network, allowing a lowspeed
device to attack the high-speed network through the
telematics unit. We verified that we could bridge these
networks by uploading code to the telematics unit from the
low-speed network that, in turn, sent packets on the highspeed
network.
V. COMPONENT SECURITY
We now examine individual components on our car’s
CAN network, and what an attacker could do by communicating
with each one individually. We discuss compound
attacks involving multiple components in Section VI. We
omit certain details (such as complete packet payloads) to
prevent would-be attackers from using our results directly.
A. Attack Methodology
Recall that Table I gives an overview of our car’s critical
components, their functionality, and whether they are on
the car’s high-speed or low-speed CAN subnet. For each of
these components, our methodology for formulating attacks
consisted of some or all of the following three major
approaches, summarized below.
Packet Sniffing and Targeted Probing. To begin, we
used CARSHARK to observe traffic on the CAN buses
in order to determine how ECUs communicate with each
other. This also revealed to us which packets were sent as
we activated various components (such as turning on the
headlights). Through a combination of replay and informed
probing, we were able to discover how to control the radio,
the Instrument Panel Cluster (IPC), and a number of the
Body Control Module (BCM) functions, as we discuss
below. This approach worked well for packets that come
up during normal operation, but was less useful in mapping
the interface to safety-critical powertrain components.
Fuzzing. Much to our surprise, significant attacks do
not require a complete understanding or reverse-engineering
of even a single component of the car. In fact, because
the range of valid CAN packets is rather small, significant
damage can be done by simple fuzzing of packets (i.e.,
iterative testing of random or partially random packets). Indeed,
for attackers seeking indiscriminate disruption, fuzzing
is an effective attack by itself. (Unlike traditional uses of
fuzzing, we use fuzzing to aid in the reverse engineering of
functionality.)
As mentioned previously, the protocol standards for our
car define a CAN-based service called DeviceControl, which
allows testing devices (used during manufacturing quality
control or by mechanics) to override the normal output
functionality of an ECU or reset some learned internal
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 8
state. The DeviceControl service takes an argument called
a Control Packet Identifier (CPID), which specifies a group
of controls to override. Each CPID can take up to five bytes
as parameters, specifying which controls in the group are
being overridden, and how to override them. For example,
the Body Control Module (BCM) exports controls for the
various external lights (headlights, brakelights, etc.) and their
associated brightness can be set via the parameter data.
We discovered many of the DeviceControl functions
for select ECUs (specifically, those controlling the engine
(ECM), body components (BCM), brakes (EBCM), and
heating and air conditioning (HVAC) systems) largely by
fuzz testing. After enumerating all supported CPIDs for each
ECU, we sent random data as an argument to valid CPIDs
and correlated input bits with behaviors.
Reverse-Engineering. For a small subset of ECUs
(notably the telematics unit, for which we obtained multiple
instances via Internet-based used parts resellers) we dumped
their code via the CAN ReadMemory service and used a
third-party debugger (IDA Pro) to explicitly understand how
certain hardware features were controlled. This approach
is essential for attacks that require new functionality to be
added (e.g., bridging low and high-speed buses) rather than
simply manipulating existing software capabilities.
B. Stationary Testing
We now describe the results of our experiments with
controlling critical components of the car. All initial experiments
were done with the car stationary, in many cases
immobilized on jack stands for safety, as shown in Figure 3.
Some of our results are summarized in Tables II, V-A,
and IV for fuzzing, and in Table V for other results.
Tables II, V-A, and IV indicate the packet that was sent
to the corresponding module, the resulting action, and four
additional pieces of information: (1) Can the result of this
packet be overridden manually, such as by pulling the
physical door unlock knob, pushing on the brakes, or some
other action? A No in this column means that we have found
no way to manually override the result. (2) Does this packet
have the same effect when the car is at speed? For this
column, “at speed” means when the car was up on jack
stands but the throttle was applied to bring the wheel speed
to 40 MPH. (3) Does the module in question need to be
unlocked with its DeviceControl key before these packets
can elicit results? The fourth (4) additional column reflects
our experiments during a live road test, which we will turn
to in subsection V-C. Table V is similar, except that only
the Kill Engine result is caused by a DeviceControl packet;
we did not need to unlock the ECU before initiating this
DeviceControl packet.
All of the controlled experiments were initially conducted
on one car, and then all were repeated on our second car
(road tests were only performed with the first car).
Figure 6. Displaying an arbitrary message and a false speedometer reading
on the Driver Information Center. Note that the car is in Park.
Radio. One of the first attacks we discovered was how
to control the radio and its display. We were able to completely
control—and disable user control of—the radio,
and to display arbitrary messages. For example, we were
able to consistently increase the volume and prevent the user
from resetting it. As the radio is also the component which
controls various car sounds (e.g., turn signal clicks and seat
belt warning chimes), we were also able to produce clicks
and chimes at arbitrary frequencies, for various durations,
and at different intervals. Table V presents some of these
results.
Instrument Panel Cluster. We were able to fully control
the Instrument Panel Cluster (IPC). We were able to
display arbitrary messages, falsify the fuel level and the
speedometer reading, adjust the illumination of instruments,
and so on (also shown in Table V). For example, Figure 6
shows the instrument panel display with a message that
we set by sending the appropriate packets over the CAN
network. We discuss a more sophisticated attack using our
control over the speedometer in Section VI.
Body Controller. Control of the BCM’s function is
split across the low-speed and high-speed buses. By reverseengineering
packets sent on the low-speed bus (Table V) and
by fuzzing packets on the high-speed bus (as summarized
in Table II), we were able to control essentially all of the
BCM’s functions. This means that we were able to discover
packets to: lock and unlock the doors; jam the door locks
by continually activating the lock relay; pop the trunk;
adjust interior and exterior lighting levels; honk the horn
(indefinitely and at varying frequencies); disable and enable
the window relays; disable and enable the windshield wipers;
continuously shoot windshield fluid; and disable the key lock
relay to lock the key in the ignition.
Engine. Most of the attacks against the engine were
found by fuzzing DeviceControl requests to the ECM. These
findings are summarized in Table V-A. We were able to
boost the engine RPM temporarily, disturb engine timing by
resetting the learned crankshaft angle sensor error, disable
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 9
Manual At Need to Tested on
Packet Result Override Speed Unlock Runway
07 AE ... 1F 87 Continuously Activates Lock Relay Yes Yes No X
07 AE ... C1 A8 Windshield Wipers On Continuously No Yes No X
07 AE ... 77 09 Pops Trunk No Yes No X
07 AE ... 80 1B Releases Shift Lock Solenoid No Yes No
07 AE ... D8 7D Unlocks All Doors Yes Yes No
07 AE ... 9A F2 Permanently Activates Horn No Yes No X
07 AE ... CE 26 Disables Headlights in Auto Light Control Yes Yes No X
07 AE ... 34 5F All Auxiliary Lights Off No Yes No
07 AE ... F9 46 Disables Window and Key Lock Relays No Yes No
07 AE ... F8 2C Windshield Fluid Shoots Continuously No Yes No X
07 AE ... 15 A2 Controls Horn Frequency No Yes No
07 AE ... 15 A2 Controls Dome Light Brightness No Yes No
07 AE ... 22 7A Controls Instrument Brightness No Yes No
07 AE ... 00 00 All Brake/Auxiliary Lights Off No Yes No X
07 AE ... 1D 1D Forces Wipers Off and Shoots Windshield Fluid Continuously Yes† Yes No X
Table II. Body Control Module (BCM) DeviceControl Packet Analysis. This table shows BCM DeviceControl packets and their effects that we discovered
during fuzz testing with one of our cars on jack stands. A Xin the last column indicates that we also tested the corresponding packet with the driving on a
runway. A “Yes” or “No” in the columns “Manual Override,” “At Speed,” and “Need to Unlock” indicate whether or not (1) the results could be manually
overridden by a car occupant, (2) the same effect was observed with the car at speed (the wheels spinning at about 40 MPH and/or on the runway), and
(3) the BCM needed to be unlocked with its DeviceControl key.
†The highest setting for the windshield wipers cannot be disabled and serves as a manual override.
Manual At Need to Tested on
Packet Result Override Speed Unlock Runway
07 AE ... E5 EA Initiate Crankshaft Re-learn; Disturb Timing Yes Yes Yes
07 AE ... CE 32 Temporary RPM Increase No Yes Yes X
07 AE ... 5E BD Disable Cylinders, Power Steering/Brakes Yes Yes Yes
07 AE ... 95 DC Kill Engine, Cause Knocking on Restart Yes Yes Yes X
07 AE ... 8D C8 Grind Starter No Yes Yes
07 AE ... 00 00 Increase Idle RPM No Yes Yes X
Table III. Engine Control Module (ECM) DeviceControl Packet Analysis. This table is similar to Table II.
Manual At Need to Tested on
Packet Result Override Speed Unlock† Runway
07 AE ... 25 2B Engages Front Left Brake No Yes Yes X
07 AE ... 20 88 Engages Front Right Brake/Unlocks Front Left No Yes Yes X
07 AE ... 86 07 Unevenly Engages Right Brakes No Yes Yes X
07 AE ... FF FF Releases Brakes, Prevents Braking No Yes Yes X
Table IV. Electronic Brake Control Module (EBCM) DeviceControl Packet Analysis. This table is similar to Table II.
†The EBCM did not need to be unlocked with its DeviceControl key when the car was on jack stands. Later, when we tested these packets on the runway,
we discovered that the EBCM rejected these commands when the speed of the car exceeded 5 MPH without being unlocked.
Destination Manual At Tested on
ECU Packet Result Override Speed Runway
IPC 00 00 ... 00 00 Falsify Speedometer Reading No Yes X
Radio 04 00 ... 00 00 Increase Radio Volume No Yes
Radio 63 01 ... 39 00 Change Radio Display No Yes
IPC 00 02 ... 00 00 Change DIC Display No Yes
27 01 ... 65 00
BCM 04 03 Unlock Car† Yes Yes
BCM 04 01 Lock Car† Yes Yes
BCM 04 0B Remote Start Car† No No
BCM 04 0E Car Alarm Honk† No No
Radio 83 32 ... 00 00 Ticking Sound No Yes
ECM AE 0E ... 00 7E Kill Engine No Yes
Table V. Other Example Packets. This table shows packets, their recipients, and their effects that we discovered via observation and reverse-engineering.
In contrast to the DeviceControl packets in Tables II, V-A and IV, these packets may be sent during normal operation of the car; we simply exploited the
broadcast nature of the CAN bus to send them from CARSHARK instead of their normal sources. For this reason, we did not test most of them at the
runway, since they are naturally “tested” during normal operation.
†As ordinarily done by the key fob.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 10
all cylinders simultaneously (even with the car’s wheels
spinning at 40 MPH when on jack stands), and disable the
engine such that it knocks excessively when restarted, or
cannot be restarted at all. Additionally, we can forge a packet
with the “airbag deployed" bit set to disable the engine.
Finally, we also discovered a packet that will adjust the
engine’s idle RPM.
Brakes. Our fuzzing of the Electronic Brake Control
Module (see Table IV) allowed us to discover how to lock
individual brakes and sets of brakes, notably without needing
to unlock the EBCM with its DeviceControl key. In one case,
we sent a random packet which not only engaged the front
left brake, but locked it resistant to manual override even
through a power cycle and battery removal. To remedy this,
we had to resort to continued fuzzing to find a packet that
would reverse this effect. Surprisingly, also without needing
to unlock the EBCM, we were also able to release the brakes
and prevent them from being enabled, even with car’s wheels
spinning at 40 MPH while on jack stands.
HVAC. We were able to control the cabin environment
via the HVAC system: we discovered packets to turn on and
off the fans, the A/C, and the heat, in some cases with no
manual override possible.
Generic Denial of Service. In another set of experiments,
we disabled the communication of individual components
on the CAN bus. This was possible at arbitrary times,
even with the car’s wheels spinning at speeds of 40 MPH
when up on jack stands. Disabling communication to/from
the ECM when the wheels are spinning at 40 MPH reduces
the car’s reported speed immediately to 0 MPH. Disabling
communication to/from the BCM freezes the instrument
panel cluster in its current state (e.g., if communication is
disabled when the car is going 40 MPH, the speedometer
will continue to report 40 MPH). The car can be turned off
in this state, but without re-enabling communication to/from
the BCM, the engine cannot be turned on again.
Thus, we were able to easily prevent a car from turning
on. We were also able to prevent the car from being turned
off: while the car was on, we caused the BCM to activate
its ignition output. This output is connected in a wired-OR
configuration with the ignition switch, so even if the switch
is turned to off and the key removed, the car will still run.
We can override the key lock solenoid, allowing the key to
be removed while the car is in drive, or preventing the key
from being removed at all.
C. Road Testing
Comprehensive and safe testing of these and other attacks
requires an open area where individuals and property are at
minimal risk. Fortunately, we were able to obtain access
to the runway of a de-commissioned airport to re-evaluate
many of the attacks we had identified with the car up on
jack stands. To maximize safety, we used a second, chase
Figure 7. Road testing on a closed course (a de-commissioned airport
runway). The experimented-on car, with our driver wearing a helmet, is in
the background; the chase car is in the foreground. Photo courtesy of Mike
Haslip.
car in addition to the experimental vehicle; see Figure 7.
This allowed us to have all but one person outside of the
experimented-on car. The experimented-on car was controlled
via a laptop running CARSHARK and connected to
the CAN bus via the OBD-II port. We in turn controlled this
laptop remotely via a wireless link to another laptop in the
chase car. To maintain the wireless connection between the
laptops, we drove the chase car parallel to the experimentedon
car, which also allowed us to capture these experiments
on video.
Our experimental protocol was as follows: we started
the cars down the runway at the same time, transmitted
one or more packets on the experimented-on car’s CAN
network (indirectly through a command sent from the laptop
in the chase car), waited for our driver’s verbal confirmation/
description (using walkie-talkies to communicate
between the cars), and then sent one or more cancellation
packets. Had something gone wrong, our driver would
have yanked on a cord attached to the CAN cable and
pulled the laptop out of the OBD-II. As we verified in
preparatory safety tests, this disconnect would have caused
the car to revert back to normal within a few seconds;
fortunately, our driver never needed to make use of this
precaution.
Our allotted time at the airport prevented us from reverifying
all of our attacks while driving, and hence we
experimentally re-tested a selected subset of those attacks;
the final column of Tables II, V-A, IV, and V contain a
check mark for the experiments that we re-evaluated while
driving. Most our results while driving were identical to our
results on jack stands, except that the EBCM needed to be
unlocked to issue DeviceControl packets when the car was
traveling over 5 MPH. This a minor caveat from an actual
attack perspective; as noted earlier, attack hardware attached
to the car’s CAN bus can recover the credentials necessary
to unlock the EBCM.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 11
Even at speeds of up to 40 MPH on the runway, the attack
packets had their intended effect, whether it was honking the
horn, killing the engine, preventing the car from restarting,
or blasting the heat. Most dramatic were the effects of DeviceControl
packets to the Electronic Brake Control Module
(EBCM)—the full effect of which we had previously not
been able to observe. In particular, we were able to release
the brakes and actually prevent our driver from braking; no
amount of pressure on the brake pedal was able to activate
the brakes. Even though we expected this effect, reversed it
quickly, and had a safety mechanism in place, it was still a
frightening experience for our driver. With another packet,
we were able to instantaneously lock the brakes unevenly;
this could have been dangerous at higher speeds. We sent
the same packet when the car was stationary (but still on
the closed road course), which prevented us from moving it
at all even by flooring the accelerator while in first gear.
These live road tests are effectively the “gold standard” for
our attacks as they represent realistic conditions (unlike our
controlled stationary environment). For example, we were
never able to completely characterize the brake behavior
until the car was on the road; the fact that the back wheels
were stationary when the car was on jack stands provided
additional input to the EBCM which resulted in illogical
behavior. The fact that many of these safety-critical attacks
are still effective in the road setting suggests that few
DeviceControl functions are actually disabled when the car
is at speed while driving, despite the clear capability and
intention in the standard to do so.
VI. MULTI-COMPONENT INTERACTIONS
The previous section focused on assessing what an attacker
might be able to do by controlling individual devices.
We now take a step back to discuss possible scenarios in
which multiple components are exploited in a composite
attack. The results in this section emphasize that the issue
of vehicle security is not simply a matter of securing
individual components; the car’s network is a heterogeneous
environment of interacting components, and must be viewed
and secured as such.
A. Composite Attacks
Numerous composite attacks exist. Below we describe a
few that we implemented and experimentally verified.
Speedometer. In one attack, we manipulate the speedometer
to display an arbitrary speed or an arbitrary offset
of the current speed—such as 10 MPH less than the actual
speed (halving the displayed speed up to a real speed of
20 MPH in order to minimize obvious anomalies to the
driver). This is a composite attack because it requires both
intercepting actual speed update packets on the low speed
CAN bus (sent by the BCM) and transmitting maliciouslycrafted
speed update packets with the falsified speed. Such
an attack could, for example, trick a driver into driving
too fast. We implemented this attack both as a CARSHARK
module and as custom firmware for the AVR-CAN board.
The custom firmware consisted of 105 lines of C code.
We tested this attack by comparing the displayed speed of
one of our cars with the car’s actual speed while driving
on a closed course and measuring the speed with a radar
gun.
Lights Out. Our analysis in Section V uncovered
packets that can disable certain interior and exterior lights
on the car. We combined these packets to disable all of the
car’s lights when the car is traveling at speeds of 40 MPH
or more, which is particularly dangerous when driving in
the dark. This includes the headlights, the brake lights, the
auxiliary lights, the interior dome light, and the illumination
of the instrument panel cluster and other display lights inside
the car. This attack requires the lighting control system to
be in the “automatic” setting, which is the default setting for
most drivers. One can imagine this attack to be extremely
dangerous in a situation where a victim is driving at high
speeds at night in a dark environment; the driver would not
be able to see the the road ahead, nor the speedometer, and
people in other cars would not be able to see the victim
car’s brake lights. We conducted this experiment on both
cars while they were on jack stands and while driving on a
closed course.
Self-Destruct. Combining our control over various
BCM components, we created a “Self-Destruct” demo in
which a 60-second count-down is displayed on the Driver
Information Center (the dash), accompanied by clicks at an
increasing rate and horn honks in the last few seconds. In our
demo, this sequence culminated with killing the engine and
activating the door lock relay (preventing the occupant from
using the electronic door unlock button). This demo, which
we tested on both cars, required fewer than 200 lines of code
added to CARSHARK, most of them for timing the clicking
and the count-down. One could also extend this sequence to
include any of the other actions we learned how to control:
releasing or slamming the brakes, extinguishing the lights,
locking the doors, and so on.
B. Bridging Internal CAN Networks
Multiple components—including a wealth of aftermarket
devices like radios—are attached to or could be attached to
a car’s low-speed CAN bus. Critical components, like the
EBCM brake controller, are connected to the separate highspeed
bus, with the Body Control Module (BCM) regulating
access between the two buses. One might therefore assume
that the devices attached to the low-speed bus, including
aftermarket devices, will not be able to adversely impact
critical components on the high-speed bus.
Our experiments and analyses found this assumption
to be false. Our car’s telematics unit is also connected
to both buses. We were able to successfully reprogram
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 12
our car’s telematics unit from a device connected to the
car’s low-speed bus (in our experiments, a laptop running
CARSHARK). Once reprogrammed, our telematics
unit acts as a bridge, relaying packets from the lowspeed
bus onto the high-speed bus. This demonstrates that
any device attached to the low-speed bus can bypass the
BCM gateway and influence the operation of the safetycritical
components. Such a situation is particularly concerning
given the abundance of potential aftermarket addons
available for the low-speed bus. Our complete attack
consisted of only the following two steps: initiate a reprogramming
request to the telematics unit via the lowspeed
bus; and then upload 1184 bytes of binary code (291
instructions) to the telematics unit’s RAM via the low-speed
bus.
C. Hosting Code; Wiping Code
This method for injecting code into our car’s telematics
unit, while sufficient for demonstrating that a lowspeed
CAN device could compromise a high-speed CAN
device via the telematics unit, is also limiting. Specifically,
while that attack code is running, the telematics service is
not. A more sophisticated attack could implant malicious
code within the telematics environment itself (either in
RAM or by re-flashing the unit). Doing so would allow
the malicious code to co-exist with the existing telematics
software (we have built such code in the lab). The
result provides the attack software with a rich Unix-like
environment (our car’s telematics unit uses the QNX Neutrino
Real-Time Operating System) and provides standard
interfaces to additional hardware capabilities (e.g., GPS,
audio capture, cellular link) and software libraries (e.g.,
OpenSSL).
Hosting our own code within a car’s ECU enables yet
another extension to our attacks: complicating detection
and forensic evaluations following any malicious action.
For example, the attack code on the telematics unit could
perform some action (such as locking the brakes after
detecting a speed of over 80 MPH). The attack code could
then erase any evidence of its existence on the device. If
the attack code was installed per the method described in
Section VI-B, then it would be sufficient to simply reboot
the telematics unit, with the only evidence of something
potentially amiss being the lack of telematics records during
the time of the attack. If the attack code was implanted
within the telematics environment itself, then more sophisticated
techniques may be necessary to erase evidence of
the attack code’s existence. In either case, such an attack
could complicate (or even prevent) a forensic investigation
of a crash scene. We have experimentally verified the
efficacy of a safe version of this attack while driving on
a runway: after the car reaches 20 MPH, the attack code on
the telematics unit forces the car’s windshield fluid pump
and wipers on. After the car stops, the attack code forces
the telematics unit to reboot, erasing any evidence of its
existence.
VII. DISCUSSION AND CONCLUSIONS
Although we are not the first to observe that computerized
automotive systems may present new risks, our empirical
approach has given us a unique perspective to reflect on the
actual vulnerabilities of modern cars as they are built and
deployed today. We summarize these findings here and then
discuss the complex challenges in addressing them within
the existing automotive ecosystem.
• Extent of Damage. Past work, e.g., [19], [24], [26],
[27], [28], discuss potential risks to cyber-physical
vehicles and thus we knew that adversaries might be
able to do damage by attacking the components within
cars. We did not, however, anticipate that we would be
able to directly manipulate safety critical ECUs (indeed,
all ECUs that we tested) or that we would be allowed
to create unsafe conditions of such magnitude.
• Ease of Attack. In starting this project we expected
to spend significant effort reverse-engineering, with
non-trivial effort to identify and exploit each subtle
vulnerability. However, we found existing automotive
systems—at least those we tested—to be tremendously
fragile. Indeed, our simple fuzzing infrastructure
was very effective and to our surprise, a large fraction
of the random packets we sent resulted in changes
to the state of our car. Based on this experience, we
believe that a fuzzer itself is likely be a universal
attack for disrupting arbitrary automobiles (similar to
how the “crashme” program that fuzzed system calls
was effective in crashing operating systems before the
syscall interface was hardened).
• Unenforced Access Controls. While we believe that
standard access controls are weak, we were surprised
at the extent to which the controls that did exist were
frequently unused. For example, the firmware on an
ECU controls all of its critical functionality and thus the
standard for our car’s CAN protocol variant describes
methods for ECUs to protect against unauthorized
firmware updates. We were therefore surprised that
we could load firmware onto some key ECUs, like
our telematics unit (a critical ECU) and our Remote
Control Door Lock Receiver (RCDLR), without any
such authentication. Similarly, the protocol standard
also makes an earnest attempt to restrict access to
DeviceControl diagnostic capabilities. We were therefore
also surprised to find that critical ECUs in our
car would respond to DeviceControl packets without
authentication first.
• Attack Amplification. We found multiple opportunities
for attackers to amplify their capabilities—either in
reach or in stealth. For example, while the designated
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 13
gateway node between the car’s low-speed and highspeed
networks (the BCM) should not expose any
interface that would let a low-speed node compromise
the high-speed network, we found that we could
maliciously bridge these networks through a compromised
telematics unit. Thus, the compromise of any
ECU becomes sufficient to manipulate safety-critical
components such as the EBCM. As more and more
components integrate into vehicles, it may become
increasingly difficult to properly secure all bridging
points.
Finally, we also found that, in addition to being able
to load custom code onto an ECU via the CAN network,
it is straightforward to design this code to completely
erase any evidence of itself after executing its attack.
Thus, absent any such forensic trail, it may be infeasible
to determine if a particular crash is caused by an attack
or not. While a seemingly minor point, we believe
that this is in fact a very dangerous capability as it
minimizes the possibility of any law enforcement action
that might deter individuals from using such attacks.2
In reflecting on our overall experiences, we observe that
while automotive components are clearly and explicitly designed
to safely tolerate failures—responding appropriately
when components are prevented from communicating—it
seems clear that tolerating attacks has not been part of the
same design criteria. Given our results and the observations
thus far, we consider below several potential defensive
directions and the tensions inherent in them.
To frame the following discussion, we once again stress
that the focus of this paper has been on analyzing the
security implications if an attacker is able to maliciously
compromise a car’s internal communication’s network, not
on how an attacker might be able to do so. While we
can demonstrably access our car’s internal networks via
several means (e.g., via devices physically attached to the
car’s internal network, such as a tiny “attack iPod” that
we implemented, or via a remote wireless vulnerability
that we uncovered), we defer a complete consideration of
entry points to future work. Although we consider some
specific entry points below (such as malicious aftermarket
components), our discussion below is framed broadly and
seeks to be as agnostic as possible to the potential entry
vector.
Diagnostic and Reflashing Services. Many of the vulnerabilities
we discovered were made possible by weak
or unenforced protections of the diagnostic and reflashing
services. Because these services are never intended for
use during normal operation of the vehicle, it is tempting
to address these issues by completely locking down such
capabilities after the car leaves manufacturing. While it
2As an aside, the lack of a strong forensic trail also creates the possibility
for a driver to, after an accident, blame the car’s computers for driver error.
is clearly unsafe for arbitrary ECUs to issue diagnostic
and reflashing commands, locking down these capabilities
ignores the needs of various stakeholders.
For instance, individuals desire and should be able to
do certain things to tune their own car (but not others).
Similarly, how could mechanics service and replace components
in a “locked-down” automotive environment? Would
they receive special capabilities? If so, which mechanics and
why should they be trusted? Consider the recently proposed
“Motor Vehicle Owners’ Right to Repair Act” (H.R. 2057),
which would require manufacturers to provide diagnostic information
and tools to vehicle owners and service providers,
and to provide information to aftermarket tool vendors that
enables them to make functionally-equivalent tools. The
motivation for this legislation is clear: encouraging healthy
competition within the broader automotive industry. Even
simple security mechanisms (including some we support,
such as signed firmware updates) can be at odds with the
vision of the proposed legislation. Indeed, providing smaller
and independent auto shops with the ability to service and
diagnose vehicles without letting adversaries co-opt those
same abilities appears to be a fundamental challenge.
The core problem is lack of access control for the use
of these services. Thus, we see desirable properties of a
solution to be threefold: arbitrary ECUs should not be able to
issue diagnostic and reflashing commands, such commands
can only be issued with some validation, and physical access
to the car should be required before issuing dangerous
commands.
Aftermarket Components. Even with diagnostic and
reflashing services secured, packets that appear on the vehicle
bus during normal operation can still be spoofed by
third-party ECUs connected to the bus. Today a modern
automobile leaves the factory containing multiple third-party
ECUs, and owners often add aftermarket components (like
radios or alarms) to their car’s buses. This creates a tension
that, in the extreme, manifests itself as the need to either trust
all third-party components, or to lock down a car’s network
so that no third-party components—whether adversarial or
benign—can influence the state of the car.
One potential intermediate (and backwards compatible)
solution we envision is to allow owners to connect an
external filtering device between an untrusted component
(such as a radio) and the vehicle bus to function as a trusted
mediator, ensuring that the component sends and receives
only approved packets.
Detection Versus Prevention. More broadly, certain
considerations unique to cyber-physical vehicles raise the
possibility of security via detection and correction of anomalies,
rather than prevention and locking down of capabilities.
For example, the operational and economic realities of
automotive design and manufacturing are stringent. Manufacturers
must swiftly integrate parts from different suppliers
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 14
(changing as needed to second and third source suppliers) in
order to quickly reach market and at low cost. Competitive
pressures drive vendors to reuse designs and thus engenders
significant heterogeneity. It is common that each ECU
may use a different processor and/or software architecture
and some cars may even use different communications
architectures—one grafted onto the other to integrate a
vendor assembly and bring the car to market in time. Today
the challenges of integration have become enormous and
manufacturers seek to reduce these overheads at all costs—
a natural obstacle for instituting strict security policies.
In addition, many of an automobile’s functions are safety
critical, and introducing additional delay into the processing
of, say, brake commands, may be unsafe.
These considerations raise the possibility of exploring the
tradeoff between preventing and correcting malicious actions:
if rigorous prevention is too expensive, perhaps a quick
reversal is sufficient for certain classes of vulnerabilities.
Several questions come with this approach: Can anomalous
behavior be detected early enough, before any dangerous
packets are sent? Can a fail-safe mode or last safe state
be identified and safely reverted to? It is also unclear what
constitutes abnormal behavior on the bus in the first place, as
attacks can be staged entirely with packets that also appear
during normal vehicle operation.
Toward Security. These are just a few of many potential
defensive directions and associated tensions. There
are deep-rooted tussles surrounding the security of cyberphysical
vehicles, and it is not yet clear what the “right”
solution for security is or even if a single “right” solution
exists. More likely, there is a spectrum of solutions that each
trade off critical values (like security vs. support for independent
auto shops). Thus, we argue that the future research
agenda for securing cyber-physical vehicles is not merely to
consider the necessary technical mechanisms, but to also
inform these designs by what is feasible practically and
compatible with the interests of a broader set of stakeholders.
This work serves as a critical piece in the puzzle, providing
the first experimentally guided study into the real security
risks with a modern automobile.
ACKNOWLEDGMENTS
We thank Mike Haslip, Gary Tomsic, and the City of
Blaine, Washington, for their support and for providing access
to the Blaine decommissioned airport runway and Mike
Haslip specifically for providing Figure 7. We thank Ingolf
Krueger for his guidance on understanding automotive architectures,
Cheryl Hile and Melody Kadenko for their support
on all aspects of the project, and Iva Dermendjieva, Dan
Halperin, Geoff Voelker and the anonymous reviewers for
comments on earlier versions of this paper. Portions of this
work was supported by NSF grants CNS-0722000, CNS-
0831532, CNS-0846065, CNS-0905384, CNS-0963695, and
CNS-0963702, by a MURI grant administered by the Air
Force Office of Scientific Research, by a CCC-CRA-NSF
Computing Innovation Fellowship, by a Marilyn Fries Endowed
Regental Fellowship, and by an Alfred P. Sloan
Research Fellowship.
REFERENCES
[1] Autosar: Automotive open system architecture. http://www.
autosar.org/.
[2] A. Bellissimo, J. Burgess, and K. Fu. Secure software
updates: Disappointments and new challenges. In Proceedings
of HotSec 2006, pages 37–43. USENIX, July 2006.
[3] S. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin,
and M. Szydlo. Security analysis of a cryptographicallyenabled
RFID device. In P. McDaniel, editor, Proceedings
of USENIX Security 2005. USENIX, Aug. 2005.
[4] Bureau of Transportation Statistics. National Transportation
Statistics (Table 1-11: Number of U.S. Aircraft,
Vehicles, Vessels, and Other Conveyances), 2008.
http://www.bts.gov/publications/national_transportation_
statistics/html/table_01_11.html.
[5] CAMP Vehicle Safety Communications 2 Consortium.
Cooperative intersection collision avoidance system
limited to stop sign and traffic signal violations
midterm phase i report, Oct. 2008. Online:
http://www.nhtsa.dot.gov/staticfiles/DOT/NHTSA/NRD/
Multimedia/PDFs/Crash%20Avoidance/2008/811048.pdf.
[6] CAMP Vehicle Safety Communications 2 Consortium. Vehicle
safety communications — applications first annual
report, Sept. 2008. Online: http://www.intellidriveusa.org/
documents/09042008-vsc-a-report.pdf.
[7] CAMP Vehicle Safety Communications Consortium. Vehicle
safety communications project task 3 final report,
Mar. 2005. Online: http://www.intellidriveusa.org/documents/
vehicle-safety.pdf.
[8] R. Charette. This car runs on code. Online: http://www.
spectrum.ieee.org/feb09/7649, Feb. 2009.
[9] DARPA. Grand challenge. http://www.darpa.mil/
grandchallenge/index.asp.
[10] A. Edwards. Exclusive: Twitter integration coming to
OnStar. Online: http://www.gearlive.com/news/article/
q109-exclusive-twitter-integration-coming-to-onstar/, Mar.
2009.
[11] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh,
and M. Manzuri Shalmani. On the power of power
analysis in the real world: A complete break of the KeeLoq
code hopping scheme. In D. Wagner, editor, Proceedings of
Crypto 2008, volume 5157 of LNCS, pages 203–20. Springer-
Verlag, Aug. 2008.
[12] P. Eisenstein. GM Hy-Wire drive-by-wire hybrid fuel cell vehicle.
Online: http://www.popularmechanics.com/automotive/
new_cars/1266806.html, Aug. 2002.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 15
[13] B. Emaus. Hitchhiker’s Guide to the Automotive Embedded
Software Universe, 2005. Keynote Presentation at SEAS’05
Workshop, available at: http://www.inf.ethz.ch/personal/
pretscha/events/seas05/bruce_emaus_keynote_050521.pdf.
[14] A. Goodwin. Ford Unveils Open-Source Sync Developer
Platform. Online: http://reviews.cnet.com/8301-13746_
7-10385619-48.html, Oct. 2009.
[15] T. Hoppe, S. Kiltz, and J. Dittmann. Security threats to
automotive CAN networks – practical examples and selected
short-term countermeasures. In SAFECOMP, 2008.
[16] S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and
B. Preneel. A practical attack on KeeLoq. In N. Smart, editor,
Proceedings of Eurocrypt 2008, volume 4965 of LNCS, pages
1–18. Springer-Verlag, Apr. 2008.
[17] ISO. ISO 11898-1:2003 - Road vehicles – Controller area
network. International Organization for Standardization,
Geneva, Switzerland, 2003.
[18] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch,
B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held,
A. Kung, and J.-P. Hubaux. Secure vehicular communication
systems: implementation, performance, and research
challenges. IEEE Communications Magazine, 46(11):110–
118, 2008.
[19] U. E. Larson and D. K. Nilsson. Securing vehicles against
cyber attacks. In CSIIRW ’08: Proceedings of the 4th annual
workshop on Cyber security and information intelligence
research, pages 1–3, New York, NY, USA, 2008. ACM.
[20] M. Mansur. TunerPro - Professional Automobile Tuning
Software. http://www.tunerpro.net/.
[21] M. Melosi. The automobile and the environment in American
history. Online: http://www.autolife.umd.umich.edu/
Environment/E_Overview/E_Overview.htm, 2004.
[22] S. Mollman. From cars to TVs, apps are spreading to the real
world. Online: http://www.cnn.com/2009/TECH/10/08/apps.
realworld/, Oct. 2009.
[23] L. E. M. Systems. PCLink - Link ECU Tuning Software.
http://www.linkecu.com/pclink/PCLink.
[24] P. R. Thorn and C. A. MacCarley. A spy under the hood:
Controlling risk and automotive EDR. Risk Management,
February 2008.
[25] Virginia Tech Transportation Institute. Intersection collision
avoidance — violation task 5 final report, Apr.
2007. Online: http://www.intellidriveusa.org/documents/
final-report-04-2007.pdf.
[26] M. Wolf, A. Weimerskirch, and C. Paar. Security in automotive
bus systems. In Proceedings of the Workshop on
Embedded Security in Cars 2004, 2004.
[27] M. Wolf, A. Weimerskirch, and T. Wollinger. State of the
art: Embedding security in vehicles. EURASIP Journal on
Embedded Systems, 2007.
[28] Y. Zhao. Telematics: safe and fun driving. Intelligent Systems,
IEEE, 17(1):10–14, Jan/Feb 2002.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 16
science document from research university here, until government forces it offline.
http://therebel.org/images/pdf/carhack.pdf
Experimental Security Analysis of a Modern Automobile
Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and Tadayoshi Kohno
Department of Computer Science and Engineering
University of Washington
Seattle, Washington 98195–2350
Email: {supersat,aczeskis,franzi,shwetak,yoshi}@cs.washington.edu
Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage
Department of Computer Science and Engineering
University of California San Diego
La Jolla, California 92093–0404
Email: {s,dlmccoy,brian,d8anders,hovav,savage}@cs.ucsd.edu
Abstract—Modern automobiles are no longer mere mechanical
devices; they are pervasively monitored and controlled by
dozens of digital computers coordinated via internal vehicular
networks. While this transformation has driven major advancements
in efficiency and safety, it has also introduced a range of
new potential risks. In this paper we experimentally evaluate
these issues on a modern automobile and demonstrate the
fragility of the underlying system structure. We demonstrate
that an attacker who is able to infiltrate virtually any Electronic
Control Unit (ECU) can leverage this ability to completely
circumvent a broad array of safety-critical systems. Over a
range of experiments, both in the lab and in road tests, we
demonstrate the ability to adversarially control a wide range
of automotive functions and completely ignore driver input—
including disabling the brakes, selectively braking individual
wheels on demand, stopping the engine, and so on. We find
that it is possible to bypass rudimentary network security
protections within the car, such as maliciously bridging between
our car’s two internal subnets. We also present composite
attacks that leverage individual weaknesses, including an attack
that embeds malicious code in a car’s telematics unit and
that will completely erase any evidence of its presence after a
crash. Looking forward, we discuss the complex challenges in
addressing these vulnerabilities while considering the existing
automotive ecosystem.
Keywords—Automobiles, communication standards, communication
system security, computer security, data buses.
I. INTRODUCTION
Through 80 years of mass-production, the passenger automobile
has remained superficially static: a single gasolinepowered
internal combustion engine; four wheels; and the
familiar user interface of steering wheel, throttle, gearshift,
and brake. However, in the past two decades the underlying
control systems have changed dramatically. Today’s automobile
is no mere mechanical device, but contains a myriad of
computers. These computers coordinate and monitor sensors,
components, the driver, and the passengers. Indeed, one
recent estimate suggests that the typical luxury sedan now
contains over 100 MB of binary code spread across 50–70
independent computers—Electronic Control Units (ECUs)
in automotive vernacular—in turn communicating over one
or more shared internal network buses [8], [13].
While the automotive industry has always considered
safety a critical engineering concern (indeed, much of this
new software has been introduced specifically to increase
safety, e.g., Anti-lock Brake Systems) it is not clear whether
vehicle manufacturers have anticipated in their designs the
possibility of an adversary. Indeed, it seems likely that this
increasing degree of computerized control also brings with
it a corresponding array of potential threats.
Compounding this issue, the attack surface for modern
automobiles is growing swiftly as more sophisticated services
and communications features are incorporated into
vehicles. In the United States, the federally-mandated On-
Board Diagnostics (OBD-II) port, under the dash in virtually
all modern vehicles, provides direct and standard
access to internal automotive networks. User-upgradable
subsystems such as audio players are routinely attached to
these same internal networks, as are a variety of shortrange
wireless devices (Bluetooth, wireless tire pressure
sensors, etc.). Telematics systems, exemplified by General
Motors’ (GM’s) OnStar, provide value-added features such
as automatic crash response, remote diagnostics, and stolen
vehicle recovery over a long-range wireless link. To do
so, these telematics systems integrate internal automotive
subsystems with a remote command center via a widearea
cellular connection. Some have taken this concept
even further—proposing a “car as a platform” model for
third-party development. Hughes Telematics has described
plans for developing an “App Store” for automotive applications
[22] while Ford recently announced that it will
open its Sync telematics system as a platform for third-party
applications [14]. Finally, proposed future vehicle-to-vehicle
(V2V) and vehicle-to-infrastructure (V2X) communications
systems [5], [6], [7], [25] will only broaden the attack
surface further.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 1
Overall, these trends suggest that a wide range of vectors
will be available by which an attacker might compromise a
component and gain access to internal vehicular networks—
with unknown consequences. Unfortunately, while previous
research efforts have largely considered vehicular security
risks in the abstract, very little is publicly known about the
practical security issues in automobiles on the road today.
Our research aims to fill this gap.
This paper investigates these issues through an empirical
lens—with active experiments against two late-model
passenger cars (same make and model). We test these
cars’ components in isolation in the lab, as a complete
system in a controlled setting (with the car elevated on
jacks), and in live road tests on a closed course. We have
endeavored to comprehensively assess how much resilience a
conventional automobile has against a digital attack mounted
against its internal components. Our findings suggest that,
unfortunately, the answer is “little.”
Indeed, we have demonstrated the ability to systematically
control a wide array of components including engine,
brakes, heating and cooling, lights, instrument panel, radio,
locks, and so on. Combining these we have been able to
mount attacks that represent potentially significant threats
to personal safety. For example, we are able to forcibly and
completely disengage the brakes while driving, making it
difficult for the driver to stop. Conversely, we are able to
forcibly activate the brakes, lurching the driver forward and
causing the car to stop suddenly.
Rather than focus just on individual attacks, we conduct a
comprehensive analysis of our cars’ digital components and
internal networks. We experimentally evaluate the security
properties of each of the key components within our cars,
and we analyze the security properties of the underlying
network substrate. Beyond measuring the real threats against
the computerized components within modern cars, as well
as the fundamental reasons those threats are possible, we
explore considerations and directions for reconciling the
tension between strategies for better security and the broader
context surrounding automobiles.
II. BACKGROUND
There are over 250 million registered passenger automobiles
in the United States [4]. The vast majority of these
are computer controlled to a significant degree and virtually
all new cars are now pervasively computerized. However,
in spite of their prevalence, the structure of these systems,
the functionality they provide and the networks they use
internally are largely unfamiliar to the computer security
community. In this section, we provide basic background
context concerning automotive embedded systems architecture
in general and an overview of prior related work
concerning automotive security.
A. Automotive Embedded Systems
Digital control, in the form of self-contained embedded
systems called Engine Control Units (ECUs), entered US
production vehicles in the late 1970s, largely due to requirements
of the California Clean Air Act (and subsequent
federal legislation) and pressure from increasing gasoline
prices [21]. By dynamically measuring the oxygen present
in exhaust fumes, the ECU could then adjust the fuel/oxygen
mixture before combustion, thereby improving efficiency
and reducing pollutants. Since then, such systems have been
integrated into virtually every aspect of a car’s functioning
and diagnostics, including the throttle, transmission, brakes,
passenger climate and lighting controls, external lights,
entertainment, and so on, causing the term ECU to be
generalized to Electronic Control Units. Thus, over the last
few decades the amount of software in luxury sedans has
grown from virtually nothing to tens of millions of lines of
code, spread across 50–70 independent ECUs [8].
ECU Coupling. Many features require complex interactions
across ECUs. For example, modern Electronic
Stability Control (ESC) systems monitor individual wheel
speed, steering angle, throttle position, and various accelerometers.
The ESC automatically modulates engine
torque and wheel speed to increase traction when the car’s
line stops following the steering angle (i.e., a skid). If
brakes are applied they must also interact with the Antilock
Braking System (ABS). More advanced versions also
offer Roll Stability Control (RSC), which may also apply
brakes, reduce the throttle, and modulate the steering angle
to prevent the car from rolling over. Active Cruise Control
(ACC) systems scan the road ahead and automatically increase
or decrease the throttle (about some pre-programmed
cruising speed) depending on the presence of slower vehicles
in the path (e.g., the Audi Q7 will automatically apply
brakes, completely stopping the vehicle if necessary, with no
user input). Versions of this technology also provide “precrash”
features in some cars including pre-charging brakes
and pre-tensioning seat belts. Some new luxury sedans (e.g.,
the Lexus LS460) even offer automated parallel parking
features in which steering is completely subsumed. These
trends are further accelerated by electric-driven vehicles that
require precise software control over power management
and regenerative braking to achieve high efficiency, by a
slew of emerging safety features, such as VW’s Lane Assist
system, and by a wide range of proposed entertainment and
communications features (e.g., it was recently announced
that GM’s OnStar will offer integration with Twitter [10]).
Even full “steer-by-wire” functionality has been seen in a
range of concept cars including GM’s widely publicized Hywire
fuel cell vehicle [12].
While some early systems used one-off designs and
bilateral physical wire connections for such interactions
(e.g., between different sensors and an ECU), this approach
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 2
does not scale. A combination of time-to-market pressures,
wiring overhead, interaction complexity, and economy of
scale pressures have driven manufacturers and suppliers to
standardize on a few key digital buses, such as Controller
Area Network (CAN) and FlexRay, and software technology
platforms (cf. Autosar [1]) shared across component manufacturers
and vendors. Indeed, the distributed nature of the
automotive manufacturing sector has effectively mandated
such an approach—few manufacturers can afford the overhead
of full soup-to-nuts designs anymore.
Thus, the typical car contains multiple buses (generally
based on the CAN standard) covering different component
groups (e.g., a high-speed bus may interconnect powertrain
components that generate real-time telemetry while
a separate low-speed bus might control binary actuators
like lights and doors). While it seems that such buses
could be physically isolated (e.g., safety critical systems
on one, entertainment on the other), in practice they are
“bridged” to support subtle interaction requirements. For
example, consider a car’s Central Locking Systems (CLS),
which controls the power door locking mechanism. Clearly
this system must monitor the physical door lock switches,
wireless input from any remote key fob (for keyless entry),
and remote telematics commands to open the doors.
However, unintuitively, the CLS must also be interconnected
with safety critical systems such as crash detection to ensure
that car locks are disengaged after airbags are deployed to
facilitate exit or rescue.
Telematics. Starting in the mid-1990’s automotive
manufacturers started marrying more powerful ECUs—
providing full Unix-like environments—with peripherals
such as Global Positioning Systems (GPS), and adding a
“reach-back” component using cellular back-haul links. By
far the best known and most innovative of such systems
is GM’s OnStar, which—now in its 8th generation—
provides a myriad of services. An OnStar-equipped car
can, for example, analyze the car’s On Board Diagnostics
(OBD) as it is being driven, proactively detect likely
vehicle problems, and notify the driver that a trip to the
repair shop is warranted. OnStar ECUs monitor crash sensors
and will automatically place emergency calls, provide
audio-links between passengers and emergency personnel,
and relay GPS-based locations. These systems even enable
properly authorized OnStar personnel to remotely unlock
cars, track the cars’ locations and, starting with some
2009 model years, remotely stop them (for the purposes
of recovery in case of theft) purportedly by stopping the
flow of fuel to the engines. To perform these functions,
OnStar units routinely bridge all important buses in the
automobile, thereby maximizing flexibility, and implement
an on-demand link to the Internet via Verizon’s digital
cellular service. However, GM is by no means unique and
virtually every manufacturer now has a significant telematics
package in their lineup (e.g., Ford’s Sync, Chrysler’s
UConnect, BMW’s Connected Drive, and Lexus’s Enform),
frequently provided in collaboration with third-party
specialist vendors such as Hughes Telematics and ATX
Group.
Taken together, ubiquitous computer control, distributed
internal connectivity, and telematics interfaces increasingly
combine to provide an application software platform with
external network access. There are thus ample reasons to
reconsider the state of vehicular computer security.
B. Related Work
Indeed, we are not the first to observe the potential
fragility of the automotive environment. In the academic
context, several groups have described potential vulnerabilities
in automotive systems, e.g., [19], [24], [26], [27],
[28]. They provide valuable contributions toward framing
the vehicle security and privacy problem space—notably
in outlining the security limitations of the popular CAN bus
protocol—as well as possible directions for securing vehicle
components. With some exceptions, e.g., [15], most of these
efforts consider threats abstractly; considering “what-if”
questions about a hypothetical attacker. Part of our paper’s
contribution is to make this framing concrete by providing
comprehensive experimental results assessing the behavior
of real automobiles and automotive components in response
to specific attacks.
Further afield, a broad array of researchers have considered
the security problems of vehicle-to-vehicle (V2V)
systems (sometimes also called vehicular ad-hoc networks,
or VANETs); see [18] for a survey. Indeed, this work is
critical, as such future networks will otherwise present yet
another entry point by which attackers might infiltrate a
vehicle. However, our work is focused squarely on the
possibilities after any such infiltration. That is, what are the
security issues within a car, rather than external to it.
Still others have focused on theft-related access control
mechanisms, including successful attacks against vehicle
keyless entry systems [11], [16] and vehicle immobilizers
[3].
Outside the academic realm, there is a small but vibrant
“tuner” subculture of automobile enthusiasts who employ
specialized software to improve performance (e.g., by removing
electronic RPM limitations or changing spark timings,
fuel ignition parameters, or valve timings) frequently
at the expense of regulatory compliance [20], [23]. These
groups are not adversaries; their modifications are done to
improve and personalize their own cars, not to cause harm.
In our work, we consider how an adversary with malicious
motives might disrupt or modify automotive systems.
Finally, we point out that while there is an emerging
effort focused on designing fully autonomous vehicles
(e.g., DARPA Grand Challenge [9]), these are specifically
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 3
designed to be robotically controlled. While such vehicles
would undoubtedly introduce yet new security concerns,
in this paper we concern ourselves solely with the
vulnerabilities in today’s commercially-available automobiles.
C. Threat Model
In this paper we intentionally and explicitly skirt the
question of a “threat model.” Instead, we focus primarily
on what an attacker could do to a car if she was able to
maliciously communicate on the car’s internal network. That
said, this does beg the question of how she might be able
to gain such access.
While we leave a full analysis of the modern automobile’s
attack surface to future research, we briefly describe here the
two “kinds” of vectors by which one might gain access to
a car’s internal networks.
The first is physical access. Someone—such as a mechanic,
a valet, a person who rents a car, an ex-friend, a
disgruntled family member, or the car owner—can, with
even momentary access to the vehicle, insert a malicious
component into a car’s internal network via the ubiquitous
OBD-II port (typically under the dash). The attacker may
leave the malicious component permanently attached to the
car’s internal network or, as we show in this paper, they
may use a brief period of connectivity to embed the malware
within the car’s existing components and then disconnect. A
similar entry point is presented by counterfeit or malicious
components entering the vehicle parts supply chain—either
before the vehicle is sent to the dealer, or with a car owner’s
purchase of an aftermarket third-party component (such as
a counterfeit FM radio).
The other vector is via the numerous wireless interfaces
implemented in the modern automobile. In our car we
identified no fewer than five kinds of digital radio interfaces
accepting outside input, some over only a short range and
others over indefinite distance. While outside the scope of
this paper, we wish to be clear that vulnerabilities in such
services are not purely theoretical. We have developed the
ability to remotely compromise key ECUs in our car via
externally-facing vulnerabilities, amplify the impact of these
remote compromises using the results in this paper, and
ultimately monitor and control our car remotely over the
Internet.
III. EXPERIMENTAL ENVIRONMENT
Our experimental analyses focus on two 2009 automobiles
of the same make and model.1 We selected our particular
vehicle because it contained both a large number of
1We believe the risks identified in this paper arise from the architecture
of the modern automobile and not simply from design decisions made by
any single manufacturer. For this reason, we have chosen not to identify
the particular make and model used in our tests. We believe that other
automobile manufacturers and models with similar features may have
similar security properties.
electronically-controlled components (necessitated by complex
safety features such as anti-lock brakes and stability
control) and a sophisticated telematics system. We purchased
two vehicles to allow differential testing and to validate that
our results were not tied to one individual vehicle. At times
we also purchased individual replacement ECUs via thirdparty
dealers to allow additional testing. Table I lists some
of the most important ECUs in our car.
We experimented with these cars—and their internal
components—in three principal settings:
• Bench. We physically extracted hardware from the
car for analysis in our lab. As with most automobile
manufacturers, our vehicles use a variant of the
Controller Area Network (CAN) protocol for communicating
among vehicle components (in our case
both a high-speed and low-speed variant as well as
a variety of proprietary higher-layer network management
services). Through this protocol, any component
can be accessed and interrogated in isolation in
the lab. Figure 1 shows an example setup, with the
Electronic Brake Control Module (EBCM) hooked up
to a power supply, a CAN-to-USB converter, and an
oscilloscope.
• Stationary car. We conducted most of our in-car experiments
with the car stationary. For both safety and
convenience, we elevated the car on jack stands for
experiments that required the car to be “at speed”; see
Figure 3.
Figure 2 shows the experimental setup inside the car.
For these experiments, we connected a laptop to the
car’s standard On-Board Diagnostics II (OBD-II) port.
We used an off-the-shelf CAN-to-USB interface (the
CANCapture ECOM cable) to interact with the car’s
high-speed CAN network, and an Atmel AT90CAN128
development board (the Olimex AVR-CAN) with custom
firmware to interact with the car’s low-speed
CAN network. The laptop ran our custom CARSHARK
program (see below).
• On the road. To obtain full experimental fidelity, for
some of our results we experimented at speed while on
a closed course.
We exercised numerous precautions to protect the
safety of both our car’s driver and any third parties. For
example, we used the runway of a de-commissioned
airport because the runway is long and straight, giving
us additional time to respond should an emergency
situation arise (see Figure 7).
For these experiments, one of us drove the car while
three others drove a chase car on a parallel service road;
one person drove the chase car, one documented much
of the process on video, and one wirelessly controlled
the test car via an 802.11 ad hoc connection to a laptop
in the test car that in turn accessed its CAN bus.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 4
Low-Speed High-Speed
Component Functionality Comm. Bus Comm. Bus
ECM Engine Control Module
Controls the engine using information from sensors to determine the amount
of fuel, ignition timing, and other engine parameters.
X
EBCM Electronic Brake Control Module
Controls the Antilock Brake System (ABS) pump motor and valves, preventing
brakes from locking up and skidding by regulating hydraulic pressure.
X
TCM Transmission Control Module
Controls electronic transmission using data from sensors and from the ECM
to determine when and how to change gears.
X
BCM Body Control Module
Controls various vehicle functions, provides information to occupants, and
acts as a firewall between the two subnets.
X X
Telematics Telematics Module
Enables remote data communication with the vehicle via cellular link.
X X
RCDLR Remote Control Door Lock Receiver
Receives the signal from the car’s key fob to lock/unlock the doors and
the trunk. It also receives data wirelessly from the Tire Pressure Monitoring
System sensors.
X
HVAC Heating, Ventilation, Air Conditioning
Controls cabin environment.
X
SDM Inflatable Restraint Sensing and Diagnostic Module
Controls airbags and seat belt pretensioners.
X
IPC/DIC Instrument Panel Cluster/Driver Information Center
Displays information to the driver about speed, fuel level, and various alerts
about the car’s status.
X
Radio Radio
In addition to regular radio functions, funnels and generates most of the incabin
sounds (beeps, buzzes, chimes).
X
TDM Theft Deterrent Module
Prevents vehicle from starting without a legitimate key.
X
Table I. Key Electronic Control Units (ECUs) within our cars, their roles, and which CAN buses they are on.
The CARSHARK Tool. To facilitate our experimental
analysis, we wrote CARSHARK—a custom CAN bus analyzer
and packet injection tool (see Figure 4). While there
exist commercially available CAN sniffers, none were appropriate
for our use. First, we needed the ability to process
and manipulate our vendor’s proprietary extensions to the
CAN protocol. Second, while we could have performed
limited testing using a commercial CAN sniffer coupled
with a manufacturer-specific diagnostic service tool, this
combination still doesn’t offer the flexibility to support our
full range of attack explorations, including reading out ECU
memory, loading custom code into ECUs, or generating
fuzz-testing packets over the CAN interface.
IV. INTRA-VEHICLE NETWORK SECURITY
Before experimentally evaluating the security of individual
car components, we assess the security properties
of the CAN bus in general, which we describe below.
We do so by first considering weaknesses inherent to the
protocol stack and then evaluating the degree to which
our car’s components comply with the standard’s specifications.
A. CAN Bus
There are a variety of protocols that can be implemented
on the vehicle bus, but starting in 2008 all cars sold in the
U.S. are required to implement the Controller Area Network
(CAN) bus (ISO 11898 [17]) for diagnostics. As a result,
CAN—roughly speaking, a link-layer data protocol—has
become the dominant communication network for in-car
networks (e.g., used by BMW, Ford, GM, Honda, and
Volkswagen).
A CAN packet (shown in Figure 5) does not include
addresses in the traditional sense and instead supports a
publish-and-subscribe communications model. The CAN ID
header is used to indicate the packet type, and each packet
is both physically and logically broadcast to all nodes,
which then decide for themselves whether to process the
packets.
The CAN variant for our car includes slight extensions
to framing (e.g., on the interpretation of certain CAN ID’s)
and two separate physical layers—a high-speed bus which
is differentially-signaled and primarily used by powertrain
systems and a low-speed bus (SAE J2411) using a single
wire and supporting less-demanding components. When
necessary, a gateway bridge can route selected data between
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 5
Figure 1. Example bench setup within our
lab. The Electronic Brake Control Module
(ECBM) is hooked up to a power supply, a
CAN-to-USB converter, and an oscilloscope.
Figure 2. Example experimental setup. The
laptop is running our custom CARSHARK
CAN network analyzer and attack tool. The
laptop is connected to the car’s OBD-II port.
Figure 3. To test ECU behavior in a
controlled environment, we immobilized the
car on jack stands while mounting attacks.
Figure 4. Screenshot of the CARSHARK interface. CARSHARK is being
used to sniff the CAN bus. Values that have been recently updated are in
yellow. The left panel lists all recognized nodes on high and low speed
subnets of the CAN bus and has some action buttons. The demo panel on
the right provides some proof-of-concept demos.
the two buses. Finally, the protocol standards define a range
of services to be implemented by ECUs.
B. CAN Security Challenges
The underlying CAN protocol has a number of inherent
weaknesses that are common to any implementation. Key
among these:
Broadcast Nature. Since CAN packets are both physically
and logically broadcast to all nodes, a malicious
component on the network can easily snoop on all communications
or send packets to any other node on the
network. CARSHARK leverages this property, allowing us
to observe and reverse-engineer packets, as well as to inject
new packets to induce various actions.
Fragility to DoS. The CAN protocol is extremely
vulnerable to denial-of-service attacks. In addition to simple
packet flooding attacks, CAN’s priority-based arbitration
scheme allows a node to assert a “dominant” state on the
bus indefinitely and cause all other CAN nodes to back
off. While most controllers have logic to avoid accidentally
11 bits 18 bits 4 bits 0–8 bytes 15 bits 7 bits
Start-offrame
Substitute remote
request
Extended identifier
Reserved
2 bits
Data CRC
ACK
End-offrame
Identifier
Identifier
extension
Remote transmission
request
Data length
code
CRC delimiter
ACK
delimiter
Figure 5. CAN packet structure. Extended frame format is shown. Base
frame format is similar.
breaking the network this way, adversarially-controlled hardware
would not need to exercise such precautions.
No Authenticator Fields. CAN packets contain no
authenticator fields—or even any source identifier fields—
meaning that any component can indistinguishably send a
packet to any other component. This means that any single
compromised component can be used to control all of the
other components on that bus, provided those components
themselves do not implement defenses; we consider the
security of individual components in Section V.
Weak Access Control. The protocol standards for our
car specify a challenge-response sequence to protect ECUs
against certain actions without authorization. A given ECU
may participate in zero, one, or two challenge-response
pairs:
• Reflashing and memory protection. One challengeresponse
pair restricts access to reflashing the ECU and
reading out sensitive memory. By design, a service shop
might authenticate with this challenge-response pair in
order to upgrade the firmware on an ECU.
• Tester capabilities. Modern automobiles are complex
and thus diagnosing their problems requires significant
support. Thus, a major use of the CAN bus is in
providing diagnostic access to service technicians. In
particular, external test equipment (the “tester”) must
be able to interrogate the internal state of the car’s
components and, at times, manipulate this state as well.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 6
Our car implements this capability via the DeviceControl
service which is accessed in an RPC-like fashion
directly via CAN messages. In our car, the second
challenge-response pair described above is designed to
restrict access to the DeviceControl services.
Under the hood, ECUs are supposed to use a fixed challenge
(seed) for each of these challenge-response pairs; the corresponding
responses (keys) are also fixed and stored in these
ECUs. The motivation for using fixed seeds and keys is to
avoid storing the challenge-response algorithm in the ECU
firmware itself (since that firmware could be read out if an
external flash chip is used). Indeed, the associated reference
standard states “under no circumstances shall the encryption
algorithm ever reside in the node.” (The tester, however, does
have the algorithm and uses it to compute the key.) Different
ECUs should have different seeds and keys.
Despite these apparent security precautions, to the best of
our knowledge many of the seed-to-key algorithms in use
today are known by the car tuning community.
Furthermore, as described in the protocol standards, the
challenges (seeds) and responses (keys) are both just 16 bits.
Because the ECUs are required to allow a key attempt every
10 seconds, an attacker could crack one ECU key in a little
over seven and a half days. If an attacker has access to
the car’s network for this amount of time (such as through
another compromised component), any reflashable ECU can
be compromised. Multiple ECUs can be cracked in parallel,
so this is an upper bound on the amount of time it could take
to crack a key in every ECU in the vehicle. Furthermore,
if an attacker can physically remove a component from
the car, she can further reduce the time needed to crack
a component’s key to roughly three and a half days by
powercycling the component every two key attempts (we
used this approach to perform an exhaustive search for the
Electronic Brake Control Module (EBCM) key on one of
our cars, recovering the key in about a day and a half; see
Figure 1 for our experimental setup).
In effect, there are numerous realistic scenarios in which
the challenge-response sequences defined in the protocol
specification can be circumvented by a determined attacker.
ECU Firmware Updates and Open Diagnostic Control.
Given the generic weaknesses with the aforementioned
access control mechanisms, it is worth stepping back and
reconsidering the benefits and risks associated with exposing
ECUs to reflashing and diagnostic testing.
First, the ability to do software-only upgrades to ECUs
can be extremely valuable to vehicle manufacturers, who
might otherwise have to bear the cost of physically replacing
ECUs for trivial defects in the software. For example, one
of us recently received a letter from a car dealer, inviting us
to visit an auto shop in order to upgrade the firmware on
our personal car’s ECM to correctly meet certain emission
requirements. However, it is also well known that attackers
can use software updates to inject malicious code into
systems [2]. The challenge-response sequences alone are
not sufficient to protect against malicious firmware updates;
in subsequent sections we investigate whether additional
protection mechanisms are deployed at a higher level (such
as the cryptographically signed firmware updates).
Similarly, the DeviceControl service is a tremendously
powerful tool for assisting in the diagnosis of a car’s
components. But, given the generic weaknesses of the CAN
access control mechanisms, the DeviceControl capabilities
present enumerable opportunities to an attacker (indeed, a
great number of our attacks are built on DeviceControl).
In many ways this challenge parallels the security vs.
functionality tension presented by debuggers in conventional
operating systems; to be effective debuggers need to be able
to examine and manipulate all state, but if they can do that
they can do anything. However, while traditional operating
systems generally finesse this problem via access-control
rights on a per-user basis, there is no equivalent concept in
CAN. Given the weaknesses with the CAN access control
sequence, the role of “tester” is effectively open to any node
on the bus and thus to any attacker.
Worse, in Section IV-C below we find that many ECUs in
our car deviate from their own protocol standards, making
it even easier for an attacker to initiate firmware updates or
DeviceControl sequences—without even needing to bypass
the challenge-response protocols.
C. Deviations from Standards
In several cases, our car’s protocol standards do prescribe
risk-mitigation strategies with which components should
comply. However, our experimental findings revealed that
not all components in the car always follow these specifications.
Disabling Communications. For example, the standard
states that ECUs should reject the “disable CAN
communications” command when it is unsafe to accept and
act on it, such as when a car is moving. However, we
experimentally verified that this is not actually the case in
our car: we were able to disable communications to and from
all the ECUs in Table I even with the car’s wheels moving
at speed on jack stands and while driving on the closed road
course.
Reflashing ECUs While Driving. The standard also
states that ECUs should reject reflashing events if they deem
them unsafe. In fact, it states: “The engine control module
should reject a request to initiate a programming event if the
engine were running.” However, we experimentally verified
that we could place the Engine Control Module (ECM) and
Transmission Control Module (TCM) into reflashing mode
when our car was at speed on jack stands. When the ECM
enters this mode, the engine stops running. We also verified
that we could place the ECM into reflashing mode while
driving on the closed course.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 7
Noncompliant Access Control: Firmware and Memory.
The standard states that ECUs with emissions, anti-theft,
or safety functionality must be protected by a challengeresponse
access control protocol (as per Section IV-B).
Even disregarding the weakness of this protocol, we
found it was implemented less broadly than we would
have expected. For example, the telematics unit in our
car, which are connected to the car’s CAN buses, use a
hardcoded challenge and a hardcoded response common
to all similar units, seemingly in violation of the standard
(specifically, the standard states that “all nodes with the
same part number shall NOT have the same security seed”).
Even worse, the result of the challenge-response protocol
is never used anywhere; one can reflash the unit at any
time without completing the challenge-response protocol.
We verified experimentally that we can load our own code
onto our car’s telematics unit without authenticating.
Some access-controlled operations, such as reading sensitive
memory areas (such as the ECU’s program or keys)
may be outright denied if deemed too risky. For example,
the standard states that an ECU can define memory addresses
that “[it] will not allow a tester to read under any
circumstances (e.g., the addresses that contain the security
seed and key values).” However, in another instance of noncompliance,
we experimentally verified that we could read
the reflashing keys out of the BCM without authenticating,
and the DeviceControl keys for the ECM and TCM just by
authenticating with the reflashing key. We were also able to
extract the telematics units’ entire memory, including their
keys, without authentication.
Noncompliant Access Control: Device Overrides. Recall
that the DeviceControl service is used to override the
state of components. However, ECUs are expected to reject
unsafe DeviceControl override requests, such as releasing
the brakes when the car is in motion (an example mentioned
in the standard). Some of these unsafe overrides are needed
for testing during the manufacturing process, so those can be
enabled by authenticating with the DeviceControl key. However,
we found during our experiments that certain unsafe
device control operations succeeded without authenticating;
we summarize these in Tables II, V-A, and IV.
Imperfect Network Segregation. The standard implicitly
defines the high-speed network as more trusted than the
low-speed network. This difference is likely due to the fact
that the high-speed network includes the real-time safetycritical
components (e.g., engine, brakes), while the lowspeed
network commonly includes components less critical
to safety, like the radio and the HVAC system.
The standard states that gateways between the two networks
must only be re-programmable from the high-speed
network, presumably to prevent a low-speed device from
compromising a gateway to attack the high-speed network.
In our car, there are two ECUs which are on both buses and
can potentially bridge signals: the Body Controller Module
(BCM) and the telematics unit. While the telematics unit
is not technically a gateway, it connects to both networks
and can only be reprogrammed (against the spirit of the
standard) from the low-speed network, allowing a lowspeed
device to attack the high-speed network through the
telematics unit. We verified that we could bridge these
networks by uploading code to the telematics unit from the
low-speed network that, in turn, sent packets on the highspeed
network.
V. COMPONENT SECURITY
We now examine individual components on our car’s
CAN network, and what an attacker could do by communicating
with each one individually. We discuss compound
attacks involving multiple components in Section VI. We
omit certain details (such as complete packet payloads) to
prevent would-be attackers from using our results directly.
A. Attack Methodology
Recall that Table I gives an overview of our car’s critical
components, their functionality, and whether they are on
the car’s high-speed or low-speed CAN subnet. For each of
these components, our methodology for formulating attacks
consisted of some or all of the following three major
approaches, summarized below.
Packet Sniffing and Targeted Probing. To begin, we
used CARSHARK to observe traffic on the CAN buses
in order to determine how ECUs communicate with each
other. This also revealed to us which packets were sent as
we activated various components (such as turning on the
headlights). Through a combination of replay and informed
probing, we were able to discover how to control the radio,
the Instrument Panel Cluster (IPC), and a number of the
Body Control Module (BCM) functions, as we discuss
below. This approach worked well for packets that come
up during normal operation, but was less useful in mapping
the interface to safety-critical powertrain components.
Fuzzing. Much to our surprise, significant attacks do
not require a complete understanding or reverse-engineering
of even a single component of the car. In fact, because
the range of valid CAN packets is rather small, significant
damage can be done by simple fuzzing of packets (i.e.,
iterative testing of random or partially random packets). Indeed,
for attackers seeking indiscriminate disruption, fuzzing
is an effective attack by itself. (Unlike traditional uses of
fuzzing, we use fuzzing to aid in the reverse engineering of
functionality.)
As mentioned previously, the protocol standards for our
car define a CAN-based service called DeviceControl, which
allows testing devices (used during manufacturing quality
control or by mechanics) to override the normal output
functionality of an ECU or reset some learned internal
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 8
state. The DeviceControl service takes an argument called
a Control Packet Identifier (CPID), which specifies a group
of controls to override. Each CPID can take up to five bytes
as parameters, specifying which controls in the group are
being overridden, and how to override them. For example,
the Body Control Module (BCM) exports controls for the
various external lights (headlights, brakelights, etc.) and their
associated brightness can be set via the parameter data.
We discovered many of the DeviceControl functions
for select ECUs (specifically, those controlling the engine
(ECM), body components (BCM), brakes (EBCM), and
heating and air conditioning (HVAC) systems) largely by
fuzz testing. After enumerating all supported CPIDs for each
ECU, we sent random data as an argument to valid CPIDs
and correlated input bits with behaviors.
Reverse-Engineering. For a small subset of ECUs
(notably the telematics unit, for which we obtained multiple
instances via Internet-based used parts resellers) we dumped
their code via the CAN ReadMemory service and used a
third-party debugger (IDA Pro) to explicitly understand how
certain hardware features were controlled. This approach
is essential for attacks that require new functionality to be
added (e.g., bridging low and high-speed buses) rather than
simply manipulating existing software capabilities.
B. Stationary Testing
We now describe the results of our experiments with
controlling critical components of the car. All initial experiments
were done with the car stationary, in many cases
immobilized on jack stands for safety, as shown in Figure 3.
Some of our results are summarized in Tables II, V-A,
and IV for fuzzing, and in Table V for other results.
Tables II, V-A, and IV indicate the packet that was sent
to the corresponding module, the resulting action, and four
additional pieces of information: (1) Can the result of this
packet be overridden manually, such as by pulling the
physical door unlock knob, pushing on the brakes, or some
other action? A No in this column means that we have found
no way to manually override the result. (2) Does this packet
have the same effect when the car is at speed? For this
column, “at speed” means when the car was up on jack
stands but the throttle was applied to bring the wheel speed
to 40 MPH. (3) Does the module in question need to be
unlocked with its DeviceControl key before these packets
can elicit results? The fourth (4) additional column reflects
our experiments during a live road test, which we will turn
to in subsection V-C. Table V is similar, except that only
the Kill Engine result is caused by a DeviceControl packet;
we did not need to unlock the ECU before initiating this
DeviceControl packet.
All of the controlled experiments were initially conducted
on one car, and then all were repeated on our second car
(road tests were only performed with the first car).
Figure 6. Displaying an arbitrary message and a false speedometer reading
on the Driver Information Center. Note that the car is in Park.
Radio. One of the first attacks we discovered was how
to control the radio and its display. We were able to completely
control—and disable user control of—the radio,
and to display arbitrary messages. For example, we were
able to consistently increase the volume and prevent the user
from resetting it. As the radio is also the component which
controls various car sounds (e.g., turn signal clicks and seat
belt warning chimes), we were also able to produce clicks
and chimes at arbitrary frequencies, for various durations,
and at different intervals. Table V presents some of these
results.
Instrument Panel Cluster. We were able to fully control
the Instrument Panel Cluster (IPC). We were able to
display arbitrary messages, falsify the fuel level and the
speedometer reading, adjust the illumination of instruments,
and so on (also shown in Table V). For example, Figure 6
shows the instrument panel display with a message that
we set by sending the appropriate packets over the CAN
network. We discuss a more sophisticated attack using our
control over the speedometer in Section VI.
Body Controller. Control of the BCM’s function is
split across the low-speed and high-speed buses. By reverseengineering
packets sent on the low-speed bus (Table V) and
by fuzzing packets on the high-speed bus (as summarized
in Table II), we were able to control essentially all of the
BCM’s functions. This means that we were able to discover
packets to: lock and unlock the doors; jam the door locks
by continually activating the lock relay; pop the trunk;
adjust interior and exterior lighting levels; honk the horn
(indefinitely and at varying frequencies); disable and enable
the window relays; disable and enable the windshield wipers;
continuously shoot windshield fluid; and disable the key lock
relay to lock the key in the ignition.
Engine. Most of the attacks against the engine were
found by fuzzing DeviceControl requests to the ECM. These
findings are summarized in Table V-A. We were able to
boost the engine RPM temporarily, disturb engine timing by
resetting the learned crankshaft angle sensor error, disable
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 9
Manual At Need to Tested on
Packet Result Override Speed Unlock Runway
07 AE ... 1F 87 Continuously Activates Lock Relay Yes Yes No X
07 AE ... C1 A8 Windshield Wipers On Continuously No Yes No X
07 AE ... 77 09 Pops Trunk No Yes No X
07 AE ... 80 1B Releases Shift Lock Solenoid No Yes No
07 AE ... D8 7D Unlocks All Doors Yes Yes No
07 AE ... 9A F2 Permanently Activates Horn No Yes No X
07 AE ... CE 26 Disables Headlights in Auto Light Control Yes Yes No X
07 AE ... 34 5F All Auxiliary Lights Off No Yes No
07 AE ... F9 46 Disables Window and Key Lock Relays No Yes No
07 AE ... F8 2C Windshield Fluid Shoots Continuously No Yes No X
07 AE ... 15 A2 Controls Horn Frequency No Yes No
07 AE ... 15 A2 Controls Dome Light Brightness No Yes No
07 AE ... 22 7A Controls Instrument Brightness No Yes No
07 AE ... 00 00 All Brake/Auxiliary Lights Off No Yes No X
07 AE ... 1D 1D Forces Wipers Off and Shoots Windshield Fluid Continuously Yes† Yes No X
Table II. Body Control Module (BCM) DeviceControl Packet Analysis. This table shows BCM DeviceControl packets and their effects that we discovered
during fuzz testing with one of our cars on jack stands. A Xin the last column indicates that we also tested the corresponding packet with the driving on a
runway. A “Yes” or “No” in the columns “Manual Override,” “At Speed,” and “Need to Unlock” indicate whether or not (1) the results could be manually
overridden by a car occupant, (2) the same effect was observed with the car at speed (the wheels spinning at about 40 MPH and/or on the runway), and
(3) the BCM needed to be unlocked with its DeviceControl key.
†The highest setting for the windshield wipers cannot be disabled and serves as a manual override.
Manual At Need to Tested on
Packet Result Override Speed Unlock Runway
07 AE ... E5 EA Initiate Crankshaft Re-learn; Disturb Timing Yes Yes Yes
07 AE ... CE 32 Temporary RPM Increase No Yes Yes X
07 AE ... 5E BD Disable Cylinders, Power Steering/Brakes Yes Yes Yes
07 AE ... 95 DC Kill Engine, Cause Knocking on Restart Yes Yes Yes X
07 AE ... 8D C8 Grind Starter No Yes Yes
07 AE ... 00 00 Increase Idle RPM No Yes Yes X
Table III. Engine Control Module (ECM) DeviceControl Packet Analysis. This table is similar to Table II.
Manual At Need to Tested on
Packet Result Override Speed Unlock† Runway
07 AE ... 25 2B Engages Front Left Brake No Yes Yes X
07 AE ... 20 88 Engages Front Right Brake/Unlocks Front Left No Yes Yes X
07 AE ... 86 07 Unevenly Engages Right Brakes No Yes Yes X
07 AE ... FF FF Releases Brakes, Prevents Braking No Yes Yes X
Table IV. Electronic Brake Control Module (EBCM) DeviceControl Packet Analysis. This table is similar to Table II.
†The EBCM did not need to be unlocked with its DeviceControl key when the car was on jack stands. Later, when we tested these packets on the runway,
we discovered that the EBCM rejected these commands when the speed of the car exceeded 5 MPH without being unlocked.
Destination Manual At Tested on
ECU Packet Result Override Speed Runway
IPC 00 00 ... 00 00 Falsify Speedometer Reading No Yes X
Radio 04 00 ... 00 00 Increase Radio Volume No Yes
Radio 63 01 ... 39 00 Change Radio Display No Yes
IPC 00 02 ... 00 00 Change DIC Display No Yes
27 01 ... 65 00
BCM 04 03 Unlock Car† Yes Yes
BCM 04 01 Lock Car† Yes Yes
BCM 04 0B Remote Start Car† No No
BCM 04 0E Car Alarm Honk† No No
Radio 83 32 ... 00 00 Ticking Sound No Yes
ECM AE 0E ... 00 7E Kill Engine No Yes
Table V. Other Example Packets. This table shows packets, their recipients, and their effects that we discovered via observation and reverse-engineering.
In contrast to the DeviceControl packets in Tables II, V-A and IV, these packets may be sent during normal operation of the car; we simply exploited the
broadcast nature of the CAN bus to send them from CARSHARK instead of their normal sources. For this reason, we did not test most of them at the
runway, since they are naturally “tested” during normal operation.
†As ordinarily done by the key fob.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 10
all cylinders simultaneously (even with the car’s wheels
spinning at 40 MPH when on jack stands), and disable the
engine such that it knocks excessively when restarted, or
cannot be restarted at all. Additionally, we can forge a packet
with the “airbag deployed" bit set to disable the engine.
Finally, we also discovered a packet that will adjust the
engine’s idle RPM.
Brakes. Our fuzzing of the Electronic Brake Control
Module (see Table IV) allowed us to discover how to lock
individual brakes and sets of brakes, notably without needing
to unlock the EBCM with its DeviceControl key. In one case,
we sent a random packet which not only engaged the front
left brake, but locked it resistant to manual override even
through a power cycle and battery removal. To remedy this,
we had to resort to continued fuzzing to find a packet that
would reverse this effect. Surprisingly, also without needing
to unlock the EBCM, we were also able to release the brakes
and prevent them from being enabled, even with car’s wheels
spinning at 40 MPH while on jack stands.
HVAC. We were able to control the cabin environment
via the HVAC system: we discovered packets to turn on and
off the fans, the A/C, and the heat, in some cases with no
manual override possible.
Generic Denial of Service. In another set of experiments,
we disabled the communication of individual components
on the CAN bus. This was possible at arbitrary times,
even with the car’s wheels spinning at speeds of 40 MPH
when up on jack stands. Disabling communication to/from
the ECM when the wheels are spinning at 40 MPH reduces
the car’s reported speed immediately to 0 MPH. Disabling
communication to/from the BCM freezes the instrument
panel cluster in its current state (e.g., if communication is
disabled when the car is going 40 MPH, the speedometer
will continue to report 40 MPH). The car can be turned off
in this state, but without re-enabling communication to/from
the BCM, the engine cannot be turned on again.
Thus, we were able to easily prevent a car from turning
on. We were also able to prevent the car from being turned
off: while the car was on, we caused the BCM to activate
its ignition output. This output is connected in a wired-OR
configuration with the ignition switch, so even if the switch
is turned to off and the key removed, the car will still run.
We can override the key lock solenoid, allowing the key to
be removed while the car is in drive, or preventing the key
from being removed at all.
C. Road Testing
Comprehensive and safe testing of these and other attacks
requires an open area where individuals and property are at
minimal risk. Fortunately, we were able to obtain access
to the runway of a de-commissioned airport to re-evaluate
many of the attacks we had identified with the car up on
jack stands. To maximize safety, we used a second, chase
Figure 7. Road testing on a closed course (a de-commissioned airport
runway). The experimented-on car, with our driver wearing a helmet, is in
the background; the chase car is in the foreground. Photo courtesy of Mike
Haslip.
car in addition to the experimental vehicle; see Figure 7.
This allowed us to have all but one person outside of the
experimented-on car. The experimented-on car was controlled
via a laptop running CARSHARK and connected to
the CAN bus via the OBD-II port. We in turn controlled this
laptop remotely via a wireless link to another laptop in the
chase car. To maintain the wireless connection between the
laptops, we drove the chase car parallel to the experimentedon
car, which also allowed us to capture these experiments
on video.
Our experimental protocol was as follows: we started
the cars down the runway at the same time, transmitted
one or more packets on the experimented-on car’s CAN
network (indirectly through a command sent from the laptop
in the chase car), waited for our driver’s verbal confirmation/
description (using walkie-talkies to communicate
between the cars), and then sent one or more cancellation
packets. Had something gone wrong, our driver would
have yanked on a cord attached to the CAN cable and
pulled the laptop out of the OBD-II. As we verified in
preparatory safety tests, this disconnect would have caused
the car to revert back to normal within a few seconds;
fortunately, our driver never needed to make use of this
precaution.
Our allotted time at the airport prevented us from reverifying
all of our attacks while driving, and hence we
experimentally re-tested a selected subset of those attacks;
the final column of Tables II, V-A, IV, and V contain a
check mark for the experiments that we re-evaluated while
driving. Most our results while driving were identical to our
results on jack stands, except that the EBCM needed to be
unlocked to issue DeviceControl packets when the car was
traveling over 5 MPH. This a minor caveat from an actual
attack perspective; as noted earlier, attack hardware attached
to the car’s CAN bus can recover the credentials necessary
to unlock the EBCM.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 11
Even at speeds of up to 40 MPH on the runway, the attack
packets had their intended effect, whether it was honking the
horn, killing the engine, preventing the car from restarting,
or blasting the heat. Most dramatic were the effects of DeviceControl
packets to the Electronic Brake Control Module
(EBCM)—the full effect of which we had previously not
been able to observe. In particular, we were able to release
the brakes and actually prevent our driver from braking; no
amount of pressure on the brake pedal was able to activate
the brakes. Even though we expected this effect, reversed it
quickly, and had a safety mechanism in place, it was still a
frightening experience for our driver. With another packet,
we were able to instantaneously lock the brakes unevenly;
this could have been dangerous at higher speeds. We sent
the same packet when the car was stationary (but still on
the closed road course), which prevented us from moving it
at all even by flooring the accelerator while in first gear.
These live road tests are effectively the “gold standard” for
our attacks as they represent realistic conditions (unlike our
controlled stationary environment). For example, we were
never able to completely characterize the brake behavior
until the car was on the road; the fact that the back wheels
were stationary when the car was on jack stands provided
additional input to the EBCM which resulted in illogical
behavior. The fact that many of these safety-critical attacks
are still effective in the road setting suggests that few
DeviceControl functions are actually disabled when the car
is at speed while driving, despite the clear capability and
intention in the standard to do so.
VI. MULTI-COMPONENT INTERACTIONS
The previous section focused on assessing what an attacker
might be able to do by controlling individual devices.
We now take a step back to discuss possible scenarios in
which multiple components are exploited in a composite
attack. The results in this section emphasize that the issue
of vehicle security is not simply a matter of securing
individual components; the car’s network is a heterogeneous
environment of interacting components, and must be viewed
and secured as such.
A. Composite Attacks
Numerous composite attacks exist. Below we describe a
few that we implemented and experimentally verified.
Speedometer. In one attack, we manipulate the speedometer
to display an arbitrary speed or an arbitrary offset
of the current speed—such as 10 MPH less than the actual
speed (halving the displayed speed up to a real speed of
20 MPH in order to minimize obvious anomalies to the
driver). This is a composite attack because it requires both
intercepting actual speed update packets on the low speed
CAN bus (sent by the BCM) and transmitting maliciouslycrafted
speed update packets with the falsified speed. Such
an attack could, for example, trick a driver into driving
too fast. We implemented this attack both as a CARSHARK
module and as custom firmware for the AVR-CAN board.
The custom firmware consisted of 105 lines of C code.
We tested this attack by comparing the displayed speed of
one of our cars with the car’s actual speed while driving
on a closed course and measuring the speed with a radar
gun.
Lights Out. Our analysis in Section V uncovered
packets that can disable certain interior and exterior lights
on the car. We combined these packets to disable all of the
car’s lights when the car is traveling at speeds of 40 MPH
or more, which is particularly dangerous when driving in
the dark. This includes the headlights, the brake lights, the
auxiliary lights, the interior dome light, and the illumination
of the instrument panel cluster and other display lights inside
the car. This attack requires the lighting control system to
be in the “automatic” setting, which is the default setting for
most drivers. One can imagine this attack to be extremely
dangerous in a situation where a victim is driving at high
speeds at night in a dark environment; the driver would not
be able to see the the road ahead, nor the speedometer, and
people in other cars would not be able to see the victim
car’s brake lights. We conducted this experiment on both
cars while they were on jack stands and while driving on a
closed course.
Self-Destruct. Combining our control over various
BCM components, we created a “Self-Destruct” demo in
which a 60-second count-down is displayed on the Driver
Information Center (the dash), accompanied by clicks at an
increasing rate and horn honks in the last few seconds. In our
demo, this sequence culminated with killing the engine and
activating the door lock relay (preventing the occupant from
using the electronic door unlock button). This demo, which
we tested on both cars, required fewer than 200 lines of code
added to CARSHARK, most of them for timing the clicking
and the count-down. One could also extend this sequence to
include any of the other actions we learned how to control:
releasing or slamming the brakes, extinguishing the lights,
locking the doors, and so on.
B. Bridging Internal CAN Networks
Multiple components—including a wealth of aftermarket
devices like radios—are attached to or could be attached to
a car’s low-speed CAN bus. Critical components, like the
EBCM brake controller, are connected to the separate highspeed
bus, with the Body Control Module (BCM) regulating
access between the two buses. One might therefore assume
that the devices attached to the low-speed bus, including
aftermarket devices, will not be able to adversely impact
critical components on the high-speed bus.
Our experiments and analyses found this assumption
to be false. Our car’s telematics unit is also connected
to both buses. We were able to successfully reprogram
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 12
our car’s telematics unit from a device connected to the
car’s low-speed bus (in our experiments, a laptop running
CARSHARK). Once reprogrammed, our telematics
unit acts as a bridge, relaying packets from the lowspeed
bus onto the high-speed bus. This demonstrates that
any device attached to the low-speed bus can bypass the
BCM gateway and influence the operation of the safetycritical
components. Such a situation is particularly concerning
given the abundance of potential aftermarket addons
available for the low-speed bus. Our complete attack
consisted of only the following two steps: initiate a reprogramming
request to the telematics unit via the lowspeed
bus; and then upload 1184 bytes of binary code (291
instructions) to the telematics unit’s RAM via the low-speed
bus.
C. Hosting Code; Wiping Code
This method for injecting code into our car’s telematics
unit, while sufficient for demonstrating that a lowspeed
CAN device could compromise a high-speed CAN
device via the telematics unit, is also limiting. Specifically,
while that attack code is running, the telematics service is
not. A more sophisticated attack could implant malicious
code within the telematics environment itself (either in
RAM or by re-flashing the unit). Doing so would allow
the malicious code to co-exist with the existing telematics
software (we have built such code in the lab). The
result provides the attack software with a rich Unix-like
environment (our car’s telematics unit uses the QNX Neutrino
Real-Time Operating System) and provides standard
interfaces to additional hardware capabilities (e.g., GPS,
audio capture, cellular link) and software libraries (e.g.,
OpenSSL).
Hosting our own code within a car’s ECU enables yet
another extension to our attacks: complicating detection
and forensic evaluations following any malicious action.
For example, the attack code on the telematics unit could
perform some action (such as locking the brakes after
detecting a speed of over 80 MPH). The attack code could
then erase any evidence of its existence on the device. If
the attack code was installed per the method described in
Section VI-B, then it would be sufficient to simply reboot
the telematics unit, with the only evidence of something
potentially amiss being the lack of telematics records during
the time of the attack. If the attack code was implanted
within the telematics environment itself, then more sophisticated
techniques may be necessary to erase evidence of
the attack code’s existence. In either case, such an attack
could complicate (or even prevent) a forensic investigation
of a crash scene. We have experimentally verified the
efficacy of a safe version of this attack while driving on
a runway: after the car reaches 20 MPH, the attack code on
the telematics unit forces the car’s windshield fluid pump
and wipers on. After the car stops, the attack code forces
the telematics unit to reboot, erasing any evidence of its
existence.
VII. DISCUSSION AND CONCLUSIONS
Although we are not the first to observe that computerized
automotive systems may present new risks, our empirical
approach has given us a unique perspective to reflect on the
actual vulnerabilities of modern cars as they are built and
deployed today. We summarize these findings here and then
discuss the complex challenges in addressing them within
the existing automotive ecosystem.
• Extent of Damage. Past work, e.g., [19], [24], [26],
[27], [28], discuss potential risks to cyber-physical
vehicles and thus we knew that adversaries might be
able to do damage by attacking the components within
cars. We did not, however, anticipate that we would be
able to directly manipulate safety critical ECUs (indeed,
all ECUs that we tested) or that we would be allowed
to create unsafe conditions of such magnitude.
• Ease of Attack. In starting this project we expected
to spend significant effort reverse-engineering, with
non-trivial effort to identify and exploit each subtle
vulnerability. However, we found existing automotive
systems—at least those we tested—to be tremendously
fragile. Indeed, our simple fuzzing infrastructure
was very effective and to our surprise, a large fraction
of the random packets we sent resulted in changes
to the state of our car. Based on this experience, we
believe that a fuzzer itself is likely be a universal
attack for disrupting arbitrary automobiles (similar to
how the “crashme” program that fuzzed system calls
was effective in crashing operating systems before the
syscall interface was hardened).
• Unenforced Access Controls. While we believe that
standard access controls are weak, we were surprised
at the extent to which the controls that did exist were
frequently unused. For example, the firmware on an
ECU controls all of its critical functionality and thus the
standard for our car’s CAN protocol variant describes
methods for ECUs to protect against unauthorized
firmware updates. We were therefore surprised that
we could load firmware onto some key ECUs, like
our telematics unit (a critical ECU) and our Remote
Control Door Lock Receiver (RCDLR), without any
such authentication. Similarly, the protocol standard
also makes an earnest attempt to restrict access to
DeviceControl diagnostic capabilities. We were therefore
also surprised to find that critical ECUs in our
car would respond to DeviceControl packets without
authentication first.
• Attack Amplification. We found multiple opportunities
for attackers to amplify their capabilities—either in
reach or in stealth. For example, while the designated
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 13
gateway node between the car’s low-speed and highspeed
networks (the BCM) should not expose any
interface that would let a low-speed node compromise
the high-speed network, we found that we could
maliciously bridge these networks through a compromised
telematics unit. Thus, the compromise of any
ECU becomes sufficient to manipulate safety-critical
components such as the EBCM. As more and more
components integrate into vehicles, it may become
increasingly difficult to properly secure all bridging
points.
Finally, we also found that, in addition to being able
to load custom code onto an ECU via the CAN network,
it is straightforward to design this code to completely
erase any evidence of itself after executing its attack.
Thus, absent any such forensic trail, it may be infeasible
to determine if a particular crash is caused by an attack
or not. While a seemingly minor point, we believe
that this is in fact a very dangerous capability as it
minimizes the possibility of any law enforcement action
that might deter individuals from using such attacks.2
In reflecting on our overall experiences, we observe that
while automotive components are clearly and explicitly designed
to safely tolerate failures—responding appropriately
when components are prevented from communicating—it
seems clear that tolerating attacks has not been part of the
same design criteria. Given our results and the observations
thus far, we consider below several potential defensive
directions and the tensions inherent in them.
To frame the following discussion, we once again stress
that the focus of this paper has been on analyzing the
security implications if an attacker is able to maliciously
compromise a car’s internal communication’s network, not
on how an attacker might be able to do so. While we
can demonstrably access our car’s internal networks via
several means (e.g., via devices physically attached to the
car’s internal network, such as a tiny “attack iPod” that
we implemented, or via a remote wireless vulnerability
that we uncovered), we defer a complete consideration of
entry points to future work. Although we consider some
specific entry points below (such as malicious aftermarket
components), our discussion below is framed broadly and
seeks to be as agnostic as possible to the potential entry
vector.
Diagnostic and Reflashing Services. Many of the vulnerabilities
we discovered were made possible by weak
or unenforced protections of the diagnostic and reflashing
services. Because these services are never intended for
use during normal operation of the vehicle, it is tempting
to address these issues by completely locking down such
capabilities after the car leaves manufacturing. While it
2As an aside, the lack of a strong forensic trail also creates the possibility
for a driver to, after an accident, blame the car’s computers for driver error.
is clearly unsafe for arbitrary ECUs to issue diagnostic
and reflashing commands, locking down these capabilities
ignores the needs of various stakeholders.
For instance, individuals desire and should be able to
do certain things to tune their own car (but not others).
Similarly, how could mechanics service and replace components
in a “locked-down” automotive environment? Would
they receive special capabilities? If so, which mechanics and
why should they be trusted? Consider the recently proposed
“Motor Vehicle Owners’ Right to Repair Act” (H.R. 2057),
which would require manufacturers to provide diagnostic information
and tools to vehicle owners and service providers,
and to provide information to aftermarket tool vendors that
enables them to make functionally-equivalent tools. The
motivation for this legislation is clear: encouraging healthy
competition within the broader automotive industry. Even
simple security mechanisms (including some we support,
such as signed firmware updates) can be at odds with the
vision of the proposed legislation. Indeed, providing smaller
and independent auto shops with the ability to service and
diagnose vehicles without letting adversaries co-opt those
same abilities appears to be a fundamental challenge.
The core problem is lack of access control for the use
of these services. Thus, we see desirable properties of a
solution to be threefold: arbitrary ECUs should not be able to
issue diagnostic and reflashing commands, such commands
can only be issued with some validation, and physical access
to the car should be required before issuing dangerous
commands.
Aftermarket Components. Even with diagnostic and
reflashing services secured, packets that appear on the vehicle
bus during normal operation can still be spoofed by
third-party ECUs connected to the bus. Today a modern
automobile leaves the factory containing multiple third-party
ECUs, and owners often add aftermarket components (like
radios or alarms) to their car’s buses. This creates a tension
that, in the extreme, manifests itself as the need to either trust
all third-party components, or to lock down a car’s network
so that no third-party components—whether adversarial or
benign—can influence the state of the car.
One potential intermediate (and backwards compatible)
solution we envision is to allow owners to connect an
external filtering device between an untrusted component
(such as a radio) and the vehicle bus to function as a trusted
mediator, ensuring that the component sends and receives
only approved packets.
Detection Versus Prevention. More broadly, certain
considerations unique to cyber-physical vehicles raise the
possibility of security via detection and correction of anomalies,
rather than prevention and locking down of capabilities.
For example, the operational and economic realities of
automotive design and manufacturing are stringent. Manufacturers
must swiftly integrate parts from different suppliers
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 14
(changing as needed to second and third source suppliers) in
order to quickly reach market and at low cost. Competitive
pressures drive vendors to reuse designs and thus engenders
significant heterogeneity. It is common that each ECU
may use a different processor and/or software architecture
and some cars may even use different communications
architectures—one grafted onto the other to integrate a
vendor assembly and bring the car to market in time. Today
the challenges of integration have become enormous and
manufacturers seek to reduce these overheads at all costs—
a natural obstacle for instituting strict security policies.
In addition, many of an automobile’s functions are safety
critical, and introducing additional delay into the processing
of, say, brake commands, may be unsafe.
These considerations raise the possibility of exploring the
tradeoff between preventing and correcting malicious actions:
if rigorous prevention is too expensive, perhaps a quick
reversal is sufficient for certain classes of vulnerabilities.
Several questions come with this approach: Can anomalous
behavior be detected early enough, before any dangerous
packets are sent? Can a fail-safe mode or last safe state
be identified and safely reverted to? It is also unclear what
constitutes abnormal behavior on the bus in the first place, as
attacks can be staged entirely with packets that also appear
during normal vehicle operation.
Toward Security. These are just a few of many potential
defensive directions and associated tensions. There
are deep-rooted tussles surrounding the security of cyberphysical
vehicles, and it is not yet clear what the “right”
solution for security is or even if a single “right” solution
exists. More likely, there is a spectrum of solutions that each
trade off critical values (like security vs. support for independent
auto shops). Thus, we argue that the future research
agenda for securing cyber-physical vehicles is not merely to
consider the necessary technical mechanisms, but to also
inform these designs by what is feasible practically and
compatible with the interests of a broader set of stakeholders.
This work serves as a critical piece in the puzzle, providing
the first experimentally guided study into the real security
risks with a modern automobile.
ACKNOWLEDGMENTS
We thank Mike Haslip, Gary Tomsic, and the City of
Blaine, Washington, for their support and for providing access
to the Blaine decommissioned airport runway and Mike
Haslip specifically for providing Figure 7. We thank Ingolf
Krueger for his guidance on understanding automotive architectures,
Cheryl Hile and Melody Kadenko for their support
on all aspects of the project, and Iva Dermendjieva, Dan
Halperin, Geoff Voelker and the anonymous reviewers for
comments on earlier versions of this paper. Portions of this
work was supported by NSF grants CNS-0722000, CNS-
0831532, CNS-0846065, CNS-0905384, CNS-0963695, and
CNS-0963702, by a MURI grant administered by the Air
Force Office of Scientific Research, by a CCC-CRA-NSF
Computing Innovation Fellowship, by a Marilyn Fries Endowed
Regental Fellowship, and by an Alfred P. Sloan
Research Fellowship.
REFERENCES
[1] Autosar: Automotive open system architecture. http://www.
autosar.org/.
[2] A. Bellissimo, J. Burgess, and K. Fu. Secure software
updates: Disappointments and new challenges. In Proceedings
of HotSec 2006, pages 37–43. USENIX, July 2006.
[3] S. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin,
and M. Szydlo. Security analysis of a cryptographicallyenabled
RFID device. In P. McDaniel, editor, Proceedings
of USENIX Security 2005. USENIX, Aug. 2005.
[4] Bureau of Transportation Statistics. National Transportation
Statistics (Table 1-11: Number of U.S. Aircraft,
Vehicles, Vessels, and Other Conveyances), 2008.
http://www.bts.gov/publications/national_transportation_
statistics/html/table_01_11.html.
[5] CAMP Vehicle Safety Communications 2 Consortium.
Cooperative intersection collision avoidance system
limited to stop sign and traffic signal violations
midterm phase i report, Oct. 2008. Online:
http://www.nhtsa.dot.gov/staticfiles/DOT/NHTSA/NRD/
Multimedia/PDFs/Crash%20Avoidance/2008/811048.pdf.
[6] CAMP Vehicle Safety Communications 2 Consortium. Vehicle
safety communications — applications first annual
report, Sept. 2008. Online: http://www.intellidriveusa.org/
documents/09042008-vsc-a-report.pdf.
[7] CAMP Vehicle Safety Communications Consortium. Vehicle
safety communications project task 3 final report,
Mar. 2005. Online: http://www.intellidriveusa.org/documents/
vehicle-safety.pdf.
[8] R. Charette. This car runs on code. Online: http://www.
spectrum.ieee.org/feb09/7649, Feb. 2009.
[9] DARPA. Grand challenge. http://www.darpa.mil/
grandchallenge/index.asp.
[10] A. Edwards. Exclusive: Twitter integration coming to
OnStar. Online: http://www.gearlive.com/news/article/
q109-exclusive-twitter-integration-coming-to-onstar/, Mar.
2009.
[11] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh,
and M. Manzuri Shalmani. On the power of power
analysis in the real world: A complete break of the KeeLoq
code hopping scheme. In D. Wagner, editor, Proceedings of
Crypto 2008, volume 5157 of LNCS, pages 203–20. Springer-
Verlag, Aug. 2008.
[12] P. Eisenstein. GM Hy-Wire drive-by-wire hybrid fuel cell vehicle.
Online: http://www.popularmechanics.com/automotive/
new_cars/1266806.html, Aug. 2002.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 15
[13] B. Emaus. Hitchhiker’s Guide to the Automotive Embedded
Software Universe, 2005. Keynote Presentation at SEAS’05
Workshop, available at: http://www.inf.ethz.ch/personal/
pretscha/events/seas05/bruce_emaus_keynote_050521.pdf.
[14] A. Goodwin. Ford Unveils Open-Source Sync Developer
Platform. Online: http://reviews.cnet.com/8301-13746_
7-10385619-48.html, Oct. 2009.
[15] T. Hoppe, S. Kiltz, and J. Dittmann. Security threats to
automotive CAN networks – practical examples and selected
short-term countermeasures. In SAFECOMP, 2008.
[16] S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and
B. Preneel. A practical attack on KeeLoq. In N. Smart, editor,
Proceedings of Eurocrypt 2008, volume 4965 of LNCS, pages
1–18. Springer-Verlag, Apr. 2008.
[17] ISO. ISO 11898-1:2003 - Road vehicles – Controller area
network. International Organization for Standardization,
Geneva, Switzerland, 2003.
[18] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch,
B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held,
A. Kung, and J.-P. Hubaux. Secure vehicular communication
systems: implementation, performance, and research
challenges. IEEE Communications Magazine, 46(11):110–
118, 2008.
[19] U. E. Larson and D. K. Nilsson. Securing vehicles against
cyber attacks. In CSIIRW ’08: Proceedings of the 4th annual
workshop on Cyber security and information intelligence
research, pages 1–3, New York, NY, USA, 2008. ACM.
[20] M. Mansur. TunerPro - Professional Automobile Tuning
Software. http://www.tunerpro.net/.
[21] M. Melosi. The automobile and the environment in American
history. Online: http://www.autolife.umd.umich.edu/
Environment/E_Overview/E_Overview.htm, 2004.
[22] S. Mollman. From cars to TVs, apps are spreading to the real
world. Online: http://www.cnn.com/2009/TECH/10/08/apps.
realworld/, Oct. 2009.
[23] L. E. M. Systems. PCLink - Link ECU Tuning Software.
http://www.linkecu.com/pclink/PCLink.
[24] P. R. Thorn and C. A. MacCarley. A spy under the hood:
Controlling risk and automotive EDR. Risk Management,
February 2008.
[25] Virginia Tech Transportation Institute. Intersection collision
avoidance — violation task 5 final report, Apr.
2007. Online: http://www.intellidriveusa.org/documents/
final-report-04-2007.pdf.
[26] M. Wolf, A. Weimerskirch, and C. Paar. Security in automotive
bus systems. In Proceedings of the Workshop on
Embedded Security in Cars 2004, 2004.
[27] M. Wolf, A. Weimerskirch, and T. Wollinger. State of the
art: Embedding security in vehicles. EURASIP Journal on
Embedded Systems, 2007.
[28] Y. Zhao. Telematics: safe and fun driving. Intelligent Systems,
IEEE, 17(1):10–14, Jan/Feb 2002.
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 16
Subscribe to:
Posts (Atom)