Sunday, June 30, 2013

Kitzhaber signs vaccine bill into law

MessiahMews Blogs: Kitzhaber signs vaccine bill into law: Looks like if you live in Oregon, your government is going to force pro-vaccine propaganda and pressure you to vaccinate your child. Kit...

Friday, June 28, 2013

Quite apart from the huge disparity in Richter values, the Indonesians and Indians were disturbed to find that the normal earthquake 'preamble' was missing from their seismograph charts. All this means is that the normal steadily increasing number of transverse shear "S" waves that always precede an earthquake were missing, as were later aftershocks, which likewise always accompany a naturally occurring or Tesla standing-wave generated earthquake. There were 'warnings' of aftershocks from the NOAA, but none actually eventuated.

http://www.jimstonefreelance.com/vialls1.html

Aurora shooting and Newtown Ct = same op, different day

http://www.jimstonefreelance.com/aurora.html

Then they began punishing students at all ages, even down to kindergarten level, for such “offenses” as drawing pictures of cars, bringing toy cars to school or even mentioning the word “car.”

Some 2,700 teens aged 16-19 died in car crashes in 2010, the most recent year for which the federal agency’s website has figures, and 282,000 were injured. So, the nation’s schools have rightly implemented programs that teach teens to be safer drivers.


Yet, suppose educators instead declared that cars themselves were harmful instruments of death and destruction with no useful purpose.

Then they began punishing students at all ages, even down to kindergarten level, for such “offenses” as drawing pictures of cars, bringing toy cars to school or even mentioning the word “car.”

You’d likely think this was an extreme overreaction, a textbook example of irrational behavior that was likely to punish innocent students for harmless words and actions.

Now, substitute the word “guns” for “cars,” and you have a description of what appears to be a widespread mindset on the part of school officials nationwide that one psychologist and family doctor has called “psychotic.”

School shootings are horrific crimes as well as tragedies (though annual deaths from them run 1 percent to 2 percent of the automobile total) and there is every reason to try to stop them.

Teenagers also die in inner-city gang warfare and by suicide, but those are social problems, and guns are not the reasons they occur.

In truth, there are effective and ineffective ways of addressing any problem. Schools’ “zero tolerance” policies that punish children for words and actions that create absolutely no danger to anyone are not only unjust, they border on ideologically motivated child abuse.

It’s often said that “Zero tolerance equals zero thought,” and “overreaction” is what happens when people go beyond the bounds of reason, allowing emotion to take over.

And when those in authority overreact, people’s rights get trampled.

http://libertycrier.com/education/what-if-we-looked-at-cars-the-same-way-we-look-at-guns/




The safest car will have no antilock brakes, a manual transmission, and an old fashioned solid metal key. If you have such a car, even if it is manufactured after 2004, they probably won't attempt a suicide run with it because all they can do is push the gas

Gosh, driving old cars now seems downright SAFE AND SANE, given the crazy government types that can access any car, at any time, via any cellular network. All you need is the software CARSHARK and a cell phone.

Then YOU ARE IN CONTROL OF THE CAR. Not the driver. They are now captive passengers.

And what about all the hackers who create their own versions of this software? That sell it to companies like Blackwater? Oh...the CIA would just give them the software anyways.

They can turn off your lights. Disable your engine. Lock up your wheels. All while you are driving down the road. Did they tell you that when you bought the car? Nope.

"I'd like to make a few things perfectly clear about remote control of modern cars ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.

How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.

How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.

How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.

How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash." Stone

What do you do when all is lost?

Jim Stone, 6/26/13



Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there via an always on cellular internet connection. Do you really think they won't use it?

This morning I sat thinking. Wondering what I was going to write today. Wondering how on earth we could ever fix the government monster that is now so far beyond control. I thought about Hasting's car, and the obvious electronic hijacking (which I at first did not believe) because LoudLabs messed with the video for visual appeal. But the day time shot proved the crash was real once everything was verified and double checked, and that made me wonder - WHAT kind of government do we have? What kind of monsters are in power?

How did we let them put in place a system where all cars are online all the time and open to tampering all the time, and we don't even realize it in our daily lives? That allows them to play god - kill anyone they want - HOW did we allow this to happen? Perhaps THAT is why the police are now fully authorized to shoot any driver that does not stop - so the fact that the driver could not stop never becomes known. Interesting it is that we now occasionally hear about people who led the police on a massive chase, who never had any criminal history or any history at all, and families saying there is no way the now dead driver would have ever done that . . . . . . Hmmmm . . . . . .

I then thought about Snowden, who is trapped in Russia. I thought he made it to Iceland but he did not, he is sitting in a Russian air port going nowhere. Can't Russia be a little more decent? Are all the nations really screwed that bad?

I then thought about all the shillage and backstabbing Snowden is getting now. How much the MSM is attacking him, calling him a traitor, a flunkee, a loser and all manner of other insults, while the alternative press stupidly postulates that you can't get a memory stick out of an NSA facility, that he is a psy op and a tool. And why? We are now at a time where it is out in the open that cars can be hacked and crashed, and that everything we do with a computer is stolen the moment it is done, the latter compliments of Snowden. We now know that you can have no secrets, the state is GOD, and it has the power to destroy you on a whim and kill you as well. What are we to do about it?

I'd like to clear a couple things up regarding Snowden

First of all, if anyone says you can't get a memory stick out of an NSA facility, they are assuming or dreaming. Once you become a familiar face, all you do is put your security tag up to a scanner and you are in. There are no friskings, no bag checks, NADA, you are just in, and you are out just as easily. Your security clearance does the rest. Obviously if you have a large bag or suitcase or something else of that nature they are going to look as you leave, but a memory stick? COME ON NOW, don't be stupid. There are many cameras available now on Ebay that work great and look like a keychain. You could smuggle even a conventional digital camera in and out repeatedly in a pocket. If anyone says snowden is fake because of the memory stick issue they are dreaming and totally out of touch with the day to day realities of life in an NSA facility, and I know this because I worked there in a much higher position than Snowden. And Snowden a flunkee working for a contractor? DO NOT BE STUPID. That DOES NOT HAPPEN.

I'd like to make a few things perfectly clear about remote control of modern cars

ANY car with Onstar, and all other cars manufactured after 2004 can be hijacked, but some are going to be safer than others.

How they disable the brakes - Only antilock brakes can be disabled. An antilock brake system looks for wheels that are not spinning when the brake is applied, and when it senses a wheel that is not spinning it releases the brake. To hack an antilock brake system and cause it to not allow a driver to brake, all you have to do is fool it into believing none of the wheels are spinning. The brakes will not engage.

How to keep the car running with the key out - This is possible only with cars that use electronic keys. Since the ignition switch activates when it senses the correct electrical characteristics or code in the key, all you have to do is fool the ignition control module into believing the correct conditions are met. There is no mechanical disconnect with an electronic key.

How to keep the car in gear when the driver takes it out of gear - This is possible only with electronically controlled transmissions. Nowadays, all automatic transmissions are electronically controlled. If the transmission is fooled into believing it is supposed to be engaged, it won't matter where you put the selector. The solution then is (some of the time) a manual transmission, which you can take out of gear yourself and just let the engine rev until it blows, but even a few manual transmissions have electronic control now that would make that impossible. Then there is always the clutch with a manual, which you could also push, provided there is a real cable going to that clutch and not just an electronic control.

How to rev the engine to max when the driver is not pushing the gas - This is a no brainer, electronic throttle control is now as old as the hills, and common since 1980. Fool the throttle position sensor into believing it is wide open, and the manifold pressure sensor into believing the car is at 20,000 feet elevation. Everything will open right up and it's max throttle until the crash.

The safest car will have no antilock brakes, a manual transmission, and an old fashioned solid metal key. If you have such a car, even if it is manufactured after 2004, they probably won't attempt a suicide run with it because all they can do is push the gas.

Solutions to the problem if your car is not one of the safe ones - A dashboard fuel pump switch, and a dashboard switch that can cut the power to the antilock brake system. Once the antilock brake system is not functioning, the car is designed to default to mechanical brakes. Introducing a failure into the ABS system by disabling the sensors won't work, because once hacked a totally new environment in which the sensors are irrelevant is created and the fact that the sensors are disabled won't make any difference. If you want, add a third switch for the ignition system.

If I ever end up being able to buy a car again, I will take the ultimate option - put super strong tape on both sides of the plastic part of the fuse bodies, ALL OF THEM, and connect all of that strong tape from all of the fuses together to make a loop, which a rope is tied to and attached to a lawn mower pull start handle, and have that mounted to the underside of the steering column. The moment I notice the car getting wanky, I can pull the handle and rip every single fuse out at the same time. That way I won't void the warranty with any safety modifications.

It's a sad world we live in when the government can pretty much murder anyone they wish. There is no doubt Hastings was murdered, but I think that with a few precautions your modern car can be made safe against a government hack. Remember, for now it is just the most important people getting murdered, but if it ever comes down to a hot fight against the people you can bet your shorts that the government will use murder via car crash as the ultimate option for getting rid of the resistance. They will no doubt do it en masse. The capability is there, via an always on cellular internet connection. Do you really think they won't use it?



We ALL Know You Know

Jim Stone, 6/28/13



Where are all the street cam videos? We know you have them. What's the matter, is the video "classified?" How about all the tracking of people you do with their cell phones? And what about that always on cell connection every car was forced to have at OUR expense, via Federal mandate? Don't have any records from the car with that? Would the access of a car's computer system via the cell network NOT be an unusual event you would be all over and know about instantly? How often does THAT happen?

The more you sit in silence about Hastings death, the more we know you are the enemy, working for the enemy, and that you serve ONE purpose, to subjugate and destroy the American people on behalf of a few chosen "elite". And in doing so, you prove that you are anything but "national" security, which would protect everyone, you are instead "elite" security ensuring that a small band of tyrants is able to sleep well.

You know everyone who was on the phone in the area, who hacked Hastings car, and what cell tower provided the remote control signal. You also have the video in the car which was transmitted from it's on board camera to the controller who used it to crash the car and who the controller was, as well as a recording of every control signal sent. You knew who was setting up the assassination plot before it happened and did nothing, as well as who said what afterward. And your silence about all of this proves one thing - you serve tyranny and NOTHING else.

Perhaps We the People would support you if your work actually did something to help us. But you have proven that you are no longer our National Security Agency.

You were not always a parasite, sucking the host financially while delivering a disease, no, when I was with you just a short while ago you truthfully were working to serve the national interest. What happened to you? How could you have possibly transformed into such a monster in such a short time? When I was leaving I noticed that there were changes happening I could not figure out a reason for - how they could possibly benefit the mission or the American people. Now, after over a decade has passed I have my answer - you cut straight from being a protector to being a filthy tool of tyranny that has nothing at all to do with your originally well earned title.

Come on now, PROVE ME WRONG. WE ALL KNOW YOU KNOW, step up to the plate and show us you are not only there to destroy us.

http://jimstonefreelance.com/



Thursday, June 27, 2013

Money Confiscation Legal? Keep YOUR Money OUT of the Banks!!

FEMA camps in 3...2...1...

Real Disposable Income is Falling at 2008 Rates

http://www.zerohedge.com/contributed/2013-06-27/real-disposable-income-falling-2008-rates

MURDERING THE YOUNG AND INNOCENT: Idaho Teen Commits Suicide After Sheriff's Office Repeated Facebook Harassment

TO PROTECT AND SERVE SOULLESS FASCISTS EVERYWHERE..

A photo of Andrew Cain, 19, who killed himself Sunday after a local Sheriff's Office posted his photo to Facebook alongside a sarcastic message saying he was the "most wanted person of the month." (photo credit: KREM)


A Washington teenager committed suicide Sunday after a local sheriff's department published a sarcastic Facebook post about him, according to multiple reports.

The Latah County Sheriff's Office in Idaho had posted a photo of 19-year-old Pullman, Wash., resident Andrew Cain alongside a message saying, “We have decided that Andrew Cain is no longer the Wanted Person of the Week… he is the Wanted Person of the Month of June. Congratulations!," according to local CBS affiliate KREM-TV.

A few days later, Cain took his own life.

http://www.huffingtonpost.com/2013/06/26/andrew-cain-suicide_n_3503387.html?ncid=edlinkusaolp00000003

WikiLeaks Volunteer Was a Paid Informant for the FBI

On an August workday in 2011, a cherubic 18-year-old Icelandic man named Sigurdur “Siggi” Thordarson walked through the stately doors of the U.S. embassy in Reykjavík, his jacket pocket concealing his calling card: a crumpled photocopy of an Australian passport. The passport photo showed a man with a unruly shock of platinum blonde hair and the name Julian Paul Assange.


Thordarson was long time volunteer for WikiLeaks with direct access to Assange and a key position as an organizer in the group. With his cold war-style embassy walk-in, he became something else: the first known FBI informant inside WikiLeaks. For the next three months, Thordarson served two masters, working for the secret-spilling website and simultaneously spilling its secrets to the U.S. government in exchange, he says, for a total of about $5,000. The FBI flew him internationally four times for debriefings, including one trip to Washington D.C., and on the last meeting obtained from Thordarson eight hard drives packed with chat logs, video and other data from WikiLeaks.



http://www.wired.com/threatlevel/2013/06/wikileaks-mole/

Wednesday, June 26, 2013

close off more than 2 million acres of California's forests - the big squeeze play to take away beauty out of our lives

Know Your Rights

What makes a police officer powerless? When citizens know their rights!


Police officers hate to hear these words:

"Am I free to go?"

"I'm going to remain silent."

"I don't consent to a search."

You have rights at traffic stop or during any encounter with a police officer. Learn what your rights are and use them!

1. Your Safety - Start by putting the police officer at ease. Pull over to a safe place, turn off your ignition, stay in the car and keep your hands on the steering wheel. At night turn on the interior light. Keep your license, registration and proof of insurance close by like in your "sun visor."

Be courteous, stay calm, smile and don't complain. Show respect and say things like "sir and no sir." Never bad-mouth a police officer, stay in control of your words, body language and your emotions. Keep your hands where the police officer can see them. Never touch a police officer and never run away!

2. Never Talk To A Police Officer - You must tell the police officer "I'm going to remain silent." The only questions you need to answer is your name, address, date of birth, sometimes your social security number but NOTHING else! "In some states you can refuse to give your I.D. card to a police officer, know the laws of your state." Instead of telling the police officer who you are, give him your driver's license or your I.D. card. All the information the police officer needs to know about you, can be found on your i.d. card or drivers license. If you can keep your mouth shut, you just might come out ahead more than you expected.

Remain Silent - The Supreme Court says you should never talk to a police officer even if you're not under arrest. The Supreme Court ruled you must speak up and SAY to the police officer "I'm going to remain silent" and then keep your mouth shut even if you're not under arrest. How can you be falsely accused and charged with a crime, if you don't say anything? Never talk to a police officer before or after you get arrested. Anything you say or do, can and will be used against you at anytime by the police.

3. Just Say NO to Police Searches! - If a police officer didn't need your permission to search you, he wouldn't be asking. Never give permission for a police officer to search you, your car or your home. If a police officer does search you, don't resist and just keep saying "I don't consent to this search."

4. Am I Free to Go? - As soon as the police officer ask you a question ask him, "Am I free to go?" You have to ask if you're "free to go," otherwise the police officer will think that you're voluntarily staying around to talk with him. If the police officer says that you're being detained or arrested tell the police officer, "I'm going to remain silent."

Anything You Say Can And Will Be Used Against You!

Police officers will be videotaping or audio recording you and this is why you must NEVER talk to the police officer. You have every right NOT to talk to a police officer and you should NOT talk to a police officer unless you have first consulted with a lawyer and the lawyer has advised you differently. Police officers depend on fear and intimidation to get what they want from you and this includes giving up your rights. The government made a law that allows police officers to lie to American citizens. That's another reason not to trust the police or the Federal government "the real terrorists."

Never voluntarily talk to a police officer, there's no such thing as a "friendly chat." Let the police officer do all the talking and you stay silent. The Supreme Court has recently ruled that you should NOT talk to a police officer if you have NOT been arrested and you must say out loud "I'm going to remain silent." It can be very dangerous to talk to a police officer or a Federal Agent. Innocent people have talked to a police officer and ended up in jail and prison all because they spoke to a police officer without an attorney.

Police officers have the same right as you, "Freedom of Speech." Police may ask you anything they want, but you should never answer any of their questions. Don't let the police officer try and persuade you to talk! Say something like "I'm sorry, I don't have time to talk right now." If the cop insists on talking to you, ask him "Am I free to go?" The police officer may not like when you refuse to talk to him and challenge you with words like, "If you have anything to hide, why won't you speak to me? Say to the officer again "I told you I don't have time to talk to you right now, Am I free to go?" If you forget or the police officer tricks you into talking, it's okay just start over again and tell the police officer "I'm going to remain silent."

The Supreme Court has ruled that if a police officer doesn't force you to do something, then you're doing it "voluntarily." That means if the police officer starts being intimidating and you do what he "ask" because you're "afraid," you still have done it voluntarily. (Florida v. Bostick, 1991) If you do what the police officer "ask" you to do such as allowing him to search your car or answer any of his questions, you are "voluntarily" complying with his "requests." So don't comply, just keep your mouth shut unless you say "Am I Free to Go?" or "I don't consent to a search."

Be as nice as possible to the police officer, but stand your ground on your rights! Where do some of your rights come from? Read the Fourth and Fifth Amendment of the U.S. Constitution.


Traffic Stops and Your Rights with Police Officers

Keep your license, registration and proof of insurance in an easily accessible place, like your sun visor. When pulled over by a police officer stay in the car, turn on the interior lights and keep your hands on the steering wheel. Sit still, relax and wait for the officer to come to you. Any sudden movements, ducking down, looking nervous or appearing to be searching for something under your seat could get you shot.

Don't forget during traffic stops the police are videotaping you, this is why you must NOT talk to the police officer. Police officers like to ask the first question and that's usually, "do you know why I stopped you? Do you know how fast you were going?" The police officer is trying to get you to do two things, admit that you committed a traffic violation and to get you to "voluntarily" start a conversation with him. Remember the police officer is not your friend and should not be trusted! The only thing you need to say is "I'm going to remain silent or am I free to go?"

The police officer might start asking you personal questions such as "where are you going, where have you been and who did you see, ect." At that point it's the perfect time to exercise your rights by asking the police officer "AM I FREE TO GO?" There's NO legal requirement that American citizens provide information about their comings and goings to a police officer. It's none of the police officers damn business! Keep asking the police officer "AM I FREE TO GO?" You have to speak up and verbally ask the police officer if you're allowed to leave, otherwise the courts will assume that you wanted to stay and talk to the police officer on your own free will.

Passengers in your vehicle need to know their rights as well. They have the same right NOT to talk to a police officer and the right to refuse a search "unless it's a 'pat down' for weapons." The police will usually separate the passengers from each other and ask questions to see if their stories match. All passengers should always give the same answer and say, "I'm going to remain silent and am I free to go?" Remember you have to tell the police officer that you don't want to talk to him. It's the law

How long can a police officer keep you pulled over "detained" during a traffic stop? The Supreme Court has made mention that no more than 15-20 minutes is a reasonable amount of time for a police officer to conduct his investigation and allow you to go FREE on your way. But you have to keep asking the police officer "AM I FREE TO GO?"

During a traffic stop a good time to ask "AM I FREE TO GO," is after the police officer has given you a "warning or a ticket" and you have signed it. Once you have signed the ticket the traffic stop is legally over says the U.S. Supreme Court. There's no law that requires you to stay and talk to the police officer or answer any questions. After you have signed the ticket and got your license back you may roll up your window, start your car and leave. If you're outside the car ask the police officer, "AM I FREE TO GO?" If he says yes then get in your car and leave.

Car Searches and Body Searches

Remember the police officer wouldn't be asking you, if he didn't need your permission to search! "The right to be free from unreasonable searches is one of America's most precious First Liberties."

Police officers swore an oath to uphold the U.S. Constitution and not to violate your rights against unreasonable search and seizure Fourth Amendment. Denying a police officers request to search you or your car is not an admission of guilt, it's your American right! Some police officers might say, "if you have nothing to hide, you should allow me to search." Politely say to the police officer "I don't consent to a search, am I FREE to go?"

For the safety of police officers the government allows the police to pat down your outer clothing to see if you have any weapons. If the police officer feels something that he believes is a weapon, then he can go into your pockets and pull out the item he believes is a weapon.

A police officer may ask you or even demand that you empty your pockets, but you have the right to say "NO! AM I FREE TO GO?" There's NO law that requires you to empty your pockets when a police officer tells you to do so. The only time a police officer are allowed to be taking your personal property out of your pockets is after you have been arrested.

The police officer is allowed to handcuff you and/or detain you in his police car. Don't resist or you will be arrested! There's a big difference between being detained and being arrested. Say nothing in the police car! Police will be recording your conversation inside the police car, say nothing to your friend and don't talk to the police officers inside the car!

If you are arrested and your car is towed, the police are allowed to take an "inventory" of the items in your car. If anything is found illegal in your vehicle, the police will get a warrant from a judge and then charge you with another crime.


Never Open Your Door At Home If A Police Officer Knocks!

If the police knock on your door at home, there's no law that says you have to open your door to police officers. "Don't worry if they do have a search warrant, they'll kick down your door before they will knock." * There is NO law that requires you to open your door to a police officer.* Don't open your door with the chain-lock on either, police officers will shove their way in. Simply shout to the police officers "I HAVE NOTHING TO SAY" or just don't say anything at all.

Guest and roommates staying in your home/apartment/dorm need to be told of their rights and not to open the door to a police officer or invite police officer into your home without your permission. Police officers are like vampires, they need your permission to come into your home.


Never agree to go to the police station if the police want to question you. Just say, "I HAVE NOTHING TO SAY."

* In some emergency situations (for example when a someone is screaming for help from inside your home, police are chasing someone into your home, police see a felony being committed or if someone has called 911 from inside your house) police officers are allowed to enter and search your home without a warrant.

Teenagers have rights also, if you're under 18 click here. If your children don't know their rights and they go talking to a teacher, school principal, police officer or a Federal agent without an attorney, it could cost your family dearly and change the lives of your family forever!

Dealing With a Police Officer In Public

NEVER give consent to a police officer and allow for a conversation to start. If a police officer stops you and ask to speak with you, you're perfectly within your rights to say "I do not wish to speak with you," then say good-bye. At this point you should be free to leave, but the police officer might ask for your identification. If you have identification on you, tell the officer where it's at and ask permission to reach for it. "In some states you're not required to show an I.D. unless the police officer has reasonable suspicion that you committed a crime, know the laws of your state!"

The police officer might start asking you questions, at this point you may ask the officer "Am I Free to Go?" The police officer may not like this and may challenge you with words like, "If you have nothing to hide, why won't you speak to me?" Simply say "I'm going to remain silent."

Police officers need your permission to have a conversation. There is NO law that says you have tell a police officer where you are going or where you have been, but you must tell the police officer "I'm going to remain silent."


Probable Cause

A police officer has no right to detain you unless there exist reasonable suspicion that you have committed a crime or traffic violation. However a police officer is always allowed to initiate a "voluntary" conversation with you. You always have the right not to talk or answer any questions a police officer might ask you. Just tell the police officer, "I'm going to remain silent."

Under the Fourth Amendment of the U.S. Constitution, police may engage in "reasonable" searches and seizures. To prove that a search is reasonable the police generally must show that it's more likely than not that a crime has occurred and that if a search is conducted it's probable that the police officer will find evidence of the crime. This is called "probable cause."

Police may use first hand information or tips from an informant "snitch" to justify the need to search your property or you. If an informant's information is used, the police must prove that the information is reliable under the circumstances to a judge.


Here's a case when several police officers took the word of a "snitch," claiming he knew where a "drug dealer" lived. Corrupt police officers in Houston Texas took it upon themselves to go to this house that the snitch had "picked at random" and the officers kicked in the front door at 1:30 in the morning. Police never bothered to get a warrant from a judge. The aftermath was... Police Officers In Texas Are Allowed to Murder Innocent People and Get Away With It


Should We Trust Police Officers? (are you kidding? They are here to hurt you and destroy your life)

Are police officers allowed to lie to you? Yes the Supreme Court has ruled police officers can lie to the American people. Police officers are trained at lying, twisting words and being manipulative. Police officers and other law enforcement agents are very skilled at getting information from people. So don't try to "out smart" a police officer and don't try being a "smooth talker" because you will loose! If you can keep your mouth shut, you just might come out ahead more than you expected.

Teach your children that they must call a parent for permission before they're allowed to talk to police officer. Remember police officers are trained to put your child at ease and build trust. A police officers job is to find, arrest and help convict a suspect and that suspect could be your child!

Although police officers may seem nice and pretend to be on your side they want to learn your habits, opinions, and affiliations of other people not suspected of wrongdoing. Don't try to answer a police officers questions, it can be very dangerous! You can never tell how a seemingly harmless bit of information that you give to a police officer might be used and misconstrued to hurt you or someone else. Also keep in mind that lying to a federal agent is a Federal crime. "That's why Martha Stewart went to prison, not for insider trading but for lying to a Federal Agent."


Lies Police Officers Will Say To Get You to Talk

There's many ways a police officer can LIE and trick you into talking. It's always safe to say the Magic Words: "Am I free to leave? I'm going to remain silent and I want a lawyer."

The following are common lie's the police use when they're trying to get you to talk:

* "You will have to stay here and answer my questions" or "You're not leaving until I find out what I want to know."

* "I have evidence on you, so tell me what I want to know or else." (Police can fabricate fake evidence to convince you to tell them what they want to know.)

* "You're not a suspect, were simply investigating here. Help us understand what happened and then you may leave."

* "If you don't answer my questions, I won't have any choice but to take you to jail."

* "If you don't answer these questions, you'll be charged with resisting arrest."

* "Your friend has told his side of the story and it's not looking good for you, anything you want to tell me?

If The Police Arrest You

"I WILL NOT TALK UNTIL I HAVE A LAWYER!"

* Don't answer any questions the police ask you, (except for your name, address and age.) Any other questions the police officer ask you, just say I want to talk to my lawyer.

* Police officers don't always have to read to you the Miranda Rights after you've been arrested. If you "voluntarily" talk a police officer, the police officer doesn't have to read your Miranda Rights. Talking to a police officer at anytime can be very dangerous!

* Never talk to other jail inmates about your case.

* Within a reasonable time after your arrest or booking, you have the right to make a local phone call to a lawyer, bail bondsman, relative or any other person you choose. The police can't listen to you your phone call if you're talking to your lawyer.

* The longest you can be held in jail is 72 hours. If you get arrested on a 3 day weekend you may not see the judge until Tuesday morning. Otherwise you will usually get out of jail in 4 to 24 hours if you can make bond.


* If you're on probation or parole tell your P.O. you've been arrested and say nothing else to him!

http://policecrimes.com/police.html

What 1st amendment? Not in California.

Sidewalks are public property. Also how does it cost $6000 to clean up chalk?!?  The banks own the judges, lie about cleanup costs, and ruin a man's life for speaking the obvious truth: BOA is institutionalized slavery.
---------



Jeff Olson, the 40-year-old man who is being prosecuted for scrawling anti-megabank messages on sidewalks in water-soluble chalk last year now faces a 13-year jail sentence. A judge has barred his attorney from mentioning freedom of speech during trial.


According to the San Diego Reader, which reported on Tuesday that a judge had opted to prevent Olson’s attorney from "mentioning the First Amendment, free speech, free expression, public forum, expressive conduct, or political speech during the trial,” Olson must now stand trial for on 13 counts of vandalism.

In addition to possibly spending years in jail, Olson will also be held liable for fines of up to $13,000 over the anti-big-bank slogans that were left using washable children's chalk on a sidewalk outside of three San Diego, California branches of Bank of America, the massive conglomerate that received $45 billion in interest-free loans from the US government in 2008-2009 in a bid to keep it solvent after bad bets went south.

The Reader reports that Olson’s hearing had gone as poorly as his attorney might have expected, with Judge Howard Shore, who is presiding over the case, granting Deputy City Attorney Paige Hazard's motion to prohibit attorney Tom Tosdal from mentioning the United States' fundamental First Amendment rights.

"The State's Vandalism Statute does not mention First Amendment rights," ruled Judge Shore on Tuesday.

Upon exiting the courtroom Olson seemed to be in disbelief.

"Oh my gosh," he said. "I can't believe this is happening."

Tosdal, who exited the courtroom shortly after his client, seemed equally bewildered.

"I've never heard that before, that a court can prohibit an argument of First Amendment rights," said Tosdal.

Olson, who worked as a former staffer for a US Senator from Washington state, was said to involve himself in political activism in tandem with the growth of the Occupy Wall Street movement.

On October 3, 2011, Olson first appeared outside of a Bank of America branch in San Diego, along with a homemade sign. Eight days later Olson and his partner, Stephen Daniels, during preparations for National Bank Transfer Day, the two were confronted by Darell Freeman, the Vice President of Bank of America’s Global Corporate Security.

A former police officer, Freeman accused Olson and Daniels of “running a business outside of the bank,” evidently in reference to the National Bank Transfer Day activities, which was a consumer activism initiative that sought to promote Americans to switch from commercial banks, like Bank of America, to not-for-profit credit unions.

At the time, Bank of America’s debit card fees were among one of the triggers that led Occupy Wall Street members to promote the transfer day.

"It was just an empty threat," says Olson of Freeman’s accusations. "He was trying to scare me away. To be honest, it did at first. I even called my bank and they said he couldn't do anything like that."

Olson continued to protest outside of Bank of America. In February 2012, he came across a box of chalk at a local pharmacy and decided to begin leaving his mark with written statements.

"I thought it was a perfect way to get my message out there. Much better than handing out leaflets or holding a sign," says Olson.

Over the course of the next six months Olson visited the Bank of America branch a few days per week, leaving behind scribbled slogans such as "Stop big banks" and "Stop Bank Blight.com."

According to Olson, who spoke with local broadcaster KGTV, one Bank of America branch claimed it had cost $6,000 to clean up the chalk writing.

Public records obtained by the Reader show that Freeman continued to pressure members of San Diego’s Gang Unit on behalf of Bank of America until the matter was forwarded to the City Attorney’s office.

On April 15, Deputy City Attorney Paige Hazard contacted Freeman with a response on his persistent queries.

"I wanted to let you know that we will be filing 13 counts of vandalism as a result of the incidents you reported," said Hazard.


Arguments for Olson’s case are set to be heard Wednesday morning, following jury selection.


Monday, June 24, 2013

Mind control through music: HEMISYNC tracks

The following contains shocking information from the Institute for Bio-Acoustics Research (IBAR):


"In October 1984, a nineteen-year-old teenager named John M. shot himself in the head, while listening to Ozzy Osbourne's "Suicide Solution". When the coroner entered the room, he found the headphones still on John's head. This would be one of the tragedies that caused Ozzy immeasurable grief.

In 1986, Ozzy had just gotten off a plane at LAX airport when people began asking him about the "lawsuits". Ozzy knew nothing about any lawsuit but the details quickly emerged. Three lawsuits had been launched against Ozzy, claiming that his lyrics had caused youths to commit suicide. The family of John hired attorney Thomas Anderson in a lawsuit against Ozzy. Mr. Anderson claimed on the "Don't Blame Me" Ozzy video, that the song contained tones known as 'hemisync' and would cause a person to be unable to resist what was being said in the song.

The Institute for Bio-Acoustics Research, Inc. (IBAR) was hired to evaluate the song. They claim to have found subliminal lyrics that weren't included in the lyrics sheet. These subliminal lyrics were sung at one and one-half times the normal rate of speech and are not recognized by a first time listener. The IBAR institute claimed the subliminal lyrics, "are audible enough that their meaning and true intent becomes clear after being listened to over and over again." The subliminal lyrics in question were "Why try, why try? Get the gun and try it! Shoot, Shoot, Shoot", followed by a hideous laughter.

Further analysis by IBAR revealed the hemisync tones, which result from a patented process that uses sound waves to influence an individual's mental state. The tones have been found to increase the rate at which the human brain assimilates and processes information. IBAR claimed these tones made John vulnerable to the suggestive lyrics which Ozzy sang.

Ozzy's lawyer claimed that this was nonsense and relied upon the First Amendment of the Constitution to argue that Ozzy could write about anything he wanted. Three people had now taken their lives, and in each case it was Ozzy's 'Suicide Solution' song which was the focus as the cause of the deaths. Mr. Anderson claimed that the words, "shoot shoot, get the gun, get the gun" were audible in the song. There is an effect which can be heard on the song, that could be interpreted as that if one tried hard enough. The sounds were just Ozzy messing around with the soundboard."

Sunday, June 23, 2013

The Dark Side of Modern Historical Events, ongoing to this very day...

http://thespawnofthesphinx.com/index.html

The Queen of the Damned


Ixchel’s worshippers gathered at the United Nation's Framework Convention on Climate Change in Cancun to pray to the Mayan moon goddess on the forty-fourth anniversary of the founding of the Process Church of the Final Judgment on Mexico’s Yucatan peninsula. Chris Huhne, The UK's energy and environment secretary, was especially excited to finally arrive – he had been delayed in London because, for the second year in a row, England was experiencing some of the worst winter weather in over a century. It didn’t matter to Chris Huhne and other members of the Church of Settled Science that, almost eleven years earlier, in March of 2000, Dr. David Viner (a senior research scientist at the Climatic Research Unit (CRU) of the University of East Anglia), falsely prophesied, British "snowfalls are now just a thing of the past.” And within a few years snowfall in England will become "a very rare and exciting event" because "children aren't going to know what snow is.” It didn’t matter electronic documents would later show that same CRU to be perpetrating the largest scientific fraud in history. The gathering of Ixchel’s worshippers in Cancun had nothing to do with real science, and everyone at the event knew it. Climate changes every day. A tax on carbon changes nothing.

The worshippers were led in a prayer to the goddess Ixchel by the Convention's Executive Secretary, Christiana Figueres;

"May she inspire you – because today, you are gathered in Cancun to weave together the elements of a solid response to climate change, using both reason and creativity as your tools … Excellencies, the goddess Ixchel would probably tell you that a tapestry is the result of the skilful interlacing of many threads. I am convinced that twenty years from now, we will admire the policy tapestry that you have woven together and think back fondly to Cancun and the inspiration of Ixchel."

The opening prayer to a pagan goddess set the tone for representatives from one hundred and ninety-three countries. The allusion to weaving a “tapestry … of many threads” derives from the belief that this particular goddess taught humanity the art of weaving. Mesoamerica’s depiction of Ixchel's snake headdress and talons are curiously reminiscent of a Sumerian moon goddess more than four thousand years earlier.

Her most recent role in our world began on Mexico’s Yucatan Peninsula in 1966.

The Spook Who Sat By the Door

The Spook Who Sat By the Door: new u can use???? codes names in ur idols alter eg...: The GAME and Young Buck caught in a real strange and suspect HollyWeird moment. Young Buck shows that he can offer little if any resistance ...

Then and Now

MessiahMews Blogs: Then and Now: 2013...  A bit much, don't ya think? And as each generation is born, there is more and more damage, and nowadays, children and adults ...
organized mass murder, courtesy of the NWO

Saturday, June 22, 2013

Oregon State Police Taser Autistic 11 year old girl Found Wandering Naked (several 250 lb skinheads shoot down child walking down road)

When police found a confused and naked 11-year-old girl wandering a stretch of highway along the I-5 corridor in Oregon, they didn’t exactly offer her a ride home. Instead the responding officer determined the best course of action would be to Taser her.


This past Sunday morning, cab driver Adam Bednar was aghast when he came upon the adolescent walking down the highway seemingly confused. She was nude and threw Bednar a smile, indicating she wasn’t fully aware of where she was or what she was doing.

“I thought she was drugged. I thought she was on bath salts, too much meth, something,” said Bednar.

“Bednar says he drove alongside her while he called police,” KDRV.com reported. “He says the trooper who arrived called for her to stop, and when she didn’t respond threatened twice to taze her.”

According to the girl’s father, who has contacted Infowars.com, the girl was autistic and didn’t respond to officers due to her ailment. “After giving no response, two little red dots appeared on her back, then metal barbs,” KDRV wrote.

“She seized up, then she just fell face first on the ground,” Bednar described. “Just face first on the ground.”

Adding insult to injury, Oregon State Police officials initially defended the officer’s reaction saying Tasering the 11-year-old girl was necessary to prevent her from wandering further down the road “and putting herself in danger.”

But Bednar says that explanation doesn’t hold up. “She wasn’t going off the road, she was set on walking down the freeway,” Bednar told KDRV. “And I think that, had [the trooper] waited for back up, they could have gotten her without the Taser.”

The girl’s father also took issue with KDRV’s reportage, which frequently referred to the girl as a “young woman,” a “woman” and a “juvenile.” The report also neglected to give her age.

“They keep calling her a ‘woman’ …she is 11 years old. Since when is an 11-year-old kid with the mind of a 3-year-old a ‘woman’?” the girl’s father, who listens to Infowars, told us. “She is very gentle and non combative. If the police cannot apprehend a child who is cooperative without Tasing then what would be the alternative? Shooting her?”

Fortunately, police were gracious enough not to charge the girl or her family with a crime.

As we have detailed numerous times, Tasers are designed to be used only in emergency situations, as a last resort before lethal force; however, police frequently employ the sometimes deadly devices to force compliance.

KDRV’s account of the event also highlights the incestuous relationship between media and police. Instead of questioning authorities and pressing officers on why they would Tase an 11-year-old, the compliant reporters attempt to convince viewers they’re remaining objective and presenting all the facts.

As her father mentioned, the reporters also intentionally misled viewers over the girl’s age, referring to her as a “woman.”



http://www.informationliberation.com/?id=44201



World’s largest Bitcoin exchange suspends US withdrawals (money can go in, but it can't come out: BITSCAM

For the next two weeks Bitcoin users in the US will be unable to withdraw the virtual currency in dollars. Major exchange Mt. Gox cited an unusually high demand as the reason for the suspension, while customers worried the company has run out of cash.


Mt. Gox, based in Tokyo, Japan, handles approximately 80 per cent of Bitcoin transactions in the US and 70 per cent internationally. The popularity of the service, which allows customers to buy and sell items with relative anonymity, has led, indirectly, to the current transaction freeze.

“Over the past week Mt. Gox has experienced rising volumes of deposits and withdrawals from established and upcoming markets interested in Bitcoin,” a company statement explained. “This increased volume has made it difficult for our bank to process the transactions smoothly and within a timely manner, which has created unnecessary delays for our global customers. This is especially so for those in the United States who are requesting wire transfer withdrawals from their accounts.”

Users are still able to deposit into Mt. Gox and continue trading on other Bitcoin services, but the update has fueled speculation that the largest Bitcoin provider has grown too quickly and simply run out of cash, an allegation the company has not addressed publicly.

“We are currently making improvement to process withdrawals of the United States Dollar denominations, and as a result are temporarily suspending cash withdrawals of USD for the next two weeks,” the statement continued. “Please be reassured that USD deposits and transfers to Mt. Gox will remain unaffected, as will deposits and withdrawals in other currencies, and we will be resuming USD withdrawals once the process is completed.”

Recent estimates indicate the number of Bitcoins in circulation is at approximately 11 million, with the collective market value nearing $1.4 billion. The price of one Bitcoin was 107 Friday, after fluctuating wildly in recent months, according to bitcoincharts.com.

While economists admit Bitcoin could have a bright financial future, its instability has been a point of reluctance for would-be investors. The temporary withdrawal restriction will almost certainly be another reason for hesitancy.

“Without a safe infrastructure, a digital currency will never achieve widespread adoption by a mainstream audience,” wrote Mark Courtney, a product and services director at GBGroup, an identity intelligence company, for Wired. “The initial success of Bitcoin proves that there is appetite for a type of digital currency, but without making the service trustworthy, more trading floors will close.”



http://rt.com/business/largest-bitcoin-exchange-suspends-withdrawals-094/



Full remote control of ALL modern U.S. market cars PROVEN

A team of hackers from the Department of Computer Science at the University of Washington conducted a study which has proven that all cars equipped with antilock brakes sold in the U.S. can be hacked via remote control and have their brakes entirely disabled with the car in motion, throttle revved, and remain fully operational with the key removed and the car in park with all driver input entirely ignored.

science document from research university here, until government forces it offline.

http://therebel.org/images/pdf/carhack.pdf


Experimental Security Analysis of a Modern Automobile


Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and Tadayoshi Kohno

Department of Computer Science and Engineering

University of Washington

Seattle, Washington 98195–2350

Email: {supersat,aczeskis,franzi,shwetak,yoshi}@cs.washington.edu

Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage

Department of Computer Science and Engineering

University of California San Diego

La Jolla, California 92093–0404

Email: {s,dlmccoy,brian,d8anders,hovav,savage}@cs.ucsd.edu

Abstract—Modern automobiles are no longer mere mechanical

devices; they are pervasively monitored and controlled by

dozens of digital computers coordinated via internal vehicular

networks. While this transformation has driven major advancements

in efficiency and safety, it has also introduced a range of

new potential risks. In this paper we experimentally evaluate

these issues on a modern automobile and demonstrate the

fragility of the underlying system structure. We demonstrate

that an attacker who is able to infiltrate virtually any Electronic

Control Unit (ECU) can leverage this ability to completely

circumvent a broad array of safety-critical systems. Over a

range of experiments, both in the lab and in road tests, we

demonstrate the ability to adversarially control a wide range

of automotive functions and completely ignore driver input—

including disabling the brakes, selectively braking individual

wheels on demand, stopping the engine, and so on. We find

that it is possible to bypass rudimentary network security

protections within the car, such as maliciously bridging between

our car’s two internal subnets. We also present composite

attacks that leverage individual weaknesses, including an attack

that embeds malicious code in a car’s telematics unit and

that will completely erase any evidence of its presence after a

crash. Looking forward, we discuss the complex challenges in

addressing these vulnerabilities while considering the existing

automotive ecosystem.

Keywords—Automobiles, communication standards, communication

system security, computer security, data buses.

I. INTRODUCTION

Through 80 years of mass-production, the passenger automobile

has remained superficially static: a single gasolinepowered

internal combustion engine; four wheels; and the

familiar user interface of steering wheel, throttle, gearshift,

and brake. However, in the past two decades the underlying

control systems have changed dramatically. Today’s automobile

is no mere mechanical device, but contains a myriad of

computers. These computers coordinate and monitor sensors,

components, the driver, and the passengers. Indeed, one

recent estimate suggests that the typical luxury sedan now

contains over 100 MB of binary code spread across 50–70

independent computers—Electronic Control Units (ECUs)

in automotive vernacular—in turn communicating over one

or more shared internal network buses [8], [13].

While the automotive industry has always considered

safety a critical engineering concern (indeed, much of this

new software has been introduced specifically to increase

safety, e.g., Anti-lock Brake Systems) it is not clear whether

vehicle manufacturers have anticipated in their designs the

possibility of an adversary. Indeed, it seems likely that this

increasing degree of computerized control also brings with

it a corresponding array of potential threats.

Compounding this issue, the attack surface for modern

automobiles is growing swiftly as more sophisticated services

and communications features are incorporated into

vehicles. In the United States, the federally-mandated On-

Board Diagnostics (OBD-II) port, under the dash in virtually

all modern vehicles, provides direct and standard

access to internal automotive networks. User-upgradable

subsystems such as audio players are routinely attached to

these same internal networks, as are a variety of shortrange

wireless devices (Bluetooth, wireless tire pressure

sensors, etc.). Telematics systems, exemplified by General

Motors’ (GM’s) OnStar, provide value-added features such

as automatic crash response, remote diagnostics, and stolen

vehicle recovery over a long-range wireless link. To do

so, these telematics systems integrate internal automotive

subsystems with a remote command center via a widearea

cellular connection. Some have taken this concept

even further—proposing a “car as a platform” model for

third-party development. Hughes Telematics has described

plans for developing an “App Store” for automotive applications

[22] while Ford recently announced that it will

open its Sync telematics system as a platform for third-party

applications [14]. Finally, proposed future vehicle-to-vehicle

(V2V) and vehicle-to-infrastructure (V2X) communications

systems [5], [6], [7], [25] will only broaden the attack

surface further.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 1

Overall, these trends suggest that a wide range of vectors

will be available by which an attacker might compromise a

component and gain access to internal vehicular networks—

with unknown consequences. Unfortunately, while previous

research efforts have largely considered vehicular security

risks in the abstract, very little is publicly known about the

practical security issues in automobiles on the road today.

Our research aims to fill this gap.

This paper investigates these issues through an empirical

lens—with active experiments against two late-model

passenger cars (same make and model). We test these

cars’ components in isolation in the lab, as a complete

system in a controlled setting (with the car elevated on

jacks), and in live road tests on a closed course. We have

endeavored to comprehensively assess how much resilience a

conventional automobile has against a digital attack mounted

against its internal components. Our findings suggest that,

unfortunately, the answer is “little.”

Indeed, we have demonstrated the ability to systematically

control a wide array of components including engine,

brakes, heating and cooling, lights, instrument panel, radio,

locks, and so on. Combining these we have been able to

mount attacks that represent potentially significant threats

to personal safety. For example, we are able to forcibly and

completely disengage the brakes while driving, making it

difficult for the driver to stop. Conversely, we are able to

forcibly activate the brakes, lurching the driver forward and

causing the car to stop suddenly.

Rather than focus just on individual attacks, we conduct a

comprehensive analysis of our cars’ digital components and

internal networks. We experimentally evaluate the security

properties of each of the key components within our cars,

and we analyze the security properties of the underlying

network substrate. Beyond measuring the real threats against

the computerized components within modern cars, as well

as the fundamental reasons those threats are possible, we

explore considerations and directions for reconciling the

tension between strategies for better security and the broader

context surrounding automobiles.

II. BACKGROUND

There are over 250 million registered passenger automobiles

in the United States [4]. The vast majority of these

are computer controlled to a significant degree and virtually

all new cars are now pervasively computerized. However,

in spite of their prevalence, the structure of these systems,

the functionality they provide and the networks they use

internally are largely unfamiliar to the computer security

community. In this section, we provide basic background

context concerning automotive embedded systems architecture

in general and an overview of prior related work

concerning automotive security.

A. Automotive Embedded Systems

Digital control, in the form of self-contained embedded

systems called Engine Control Units (ECUs), entered US

production vehicles in the late 1970s, largely due to requirements

of the California Clean Air Act (and subsequent

federal legislation) and pressure from increasing gasoline

prices [21]. By dynamically measuring the oxygen present

in exhaust fumes, the ECU could then adjust the fuel/oxygen

mixture before combustion, thereby improving efficiency

and reducing pollutants. Since then, such systems have been

integrated into virtually every aspect of a car’s functioning

and diagnostics, including the throttle, transmission, brakes,

passenger climate and lighting controls, external lights,

entertainment, and so on, causing the term ECU to be

generalized to Electronic Control Units. Thus, over the last

few decades the amount of software in luxury sedans has

grown from virtually nothing to tens of millions of lines of

code, spread across 50–70 independent ECUs [8].

ECU Coupling. Many features require complex interactions

across ECUs. For example, modern Electronic

Stability Control (ESC) systems monitor individual wheel

speed, steering angle, throttle position, and various accelerometers.

The ESC automatically modulates engine

torque and wheel speed to increase traction when the car’s

line stops following the steering angle (i.e., a skid). If

brakes are applied they must also interact with the Antilock

Braking System (ABS). More advanced versions also

offer Roll Stability Control (RSC), which may also apply

brakes, reduce the throttle, and modulate the steering angle

to prevent the car from rolling over. Active Cruise Control

(ACC) systems scan the road ahead and automatically increase

or decrease the throttle (about some pre-programmed

cruising speed) depending on the presence of slower vehicles

in the path (e.g., the Audi Q7 will automatically apply

brakes, completely stopping the vehicle if necessary, with no

user input). Versions of this technology also provide “precrash”

features in some cars including pre-charging brakes

and pre-tensioning seat belts. Some new luxury sedans (e.g.,

the Lexus LS460) even offer automated parallel parking

features in which steering is completely subsumed. These

trends are further accelerated by electric-driven vehicles that

require precise software control over power management

and regenerative braking to achieve high efficiency, by a

slew of emerging safety features, such as VW’s Lane Assist

system, and by a wide range of proposed entertainment and

communications features (e.g., it was recently announced

that GM’s OnStar will offer integration with Twitter [10]).

Even full “steer-by-wire” functionality has been seen in a

range of concept cars including GM’s widely publicized Hywire

fuel cell vehicle [12].

While some early systems used one-off designs and

bilateral physical wire connections for such interactions

(e.g., between different sensors and an ECU), this approach

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 2

does not scale. A combination of time-to-market pressures,

wiring overhead, interaction complexity, and economy of

scale pressures have driven manufacturers and suppliers to

standardize on a few key digital buses, such as Controller

Area Network (CAN) and FlexRay, and software technology

platforms (cf. Autosar [1]) shared across component manufacturers

and vendors. Indeed, the distributed nature of the

automotive manufacturing sector has effectively mandated

such an approach—few manufacturers can afford the overhead

of full soup-to-nuts designs anymore.

Thus, the typical car contains multiple buses (generally

based on the CAN standard) covering different component

groups (e.g., a high-speed bus may interconnect powertrain

components that generate real-time telemetry while

a separate low-speed bus might control binary actuators

like lights and doors). While it seems that such buses

could be physically isolated (e.g., safety critical systems

on one, entertainment on the other), in practice they are

“bridged” to support subtle interaction requirements. For

example, consider a car’s Central Locking Systems (CLS),

which controls the power door locking mechanism. Clearly

this system must monitor the physical door lock switches,

wireless input from any remote key fob (for keyless entry),

and remote telematics commands to open the doors.

However, unintuitively, the CLS must also be interconnected

with safety critical systems such as crash detection to ensure

that car locks are disengaged after airbags are deployed to

facilitate exit or rescue.

Telematics. Starting in the mid-1990’s automotive

manufacturers started marrying more powerful ECUs—

providing full Unix-like environments—with peripherals

such as Global Positioning Systems (GPS), and adding a

“reach-back” component using cellular back-haul links. By

far the best known and most innovative of such systems

is GM’s OnStar, which—now in its 8th generation—

provides a myriad of services. An OnStar-equipped car

can, for example, analyze the car’s On Board Diagnostics

(OBD) as it is being driven, proactively detect likely

vehicle problems, and notify the driver that a trip to the

repair shop is warranted. OnStar ECUs monitor crash sensors

and will automatically place emergency calls, provide

audio-links between passengers and emergency personnel,

and relay GPS-based locations. These systems even enable

properly authorized OnStar personnel to remotely unlock

cars, track the cars’ locations and, starting with some

2009 model years, remotely stop them (for the purposes

of recovery in case of theft) purportedly by stopping the

flow of fuel to the engines. To perform these functions,

OnStar units routinely bridge all important buses in the

automobile, thereby maximizing flexibility, and implement

an on-demand link to the Internet via Verizon’s digital

cellular service. However, GM is by no means unique and

virtually every manufacturer now has a significant telematics

package in their lineup (e.g., Ford’s Sync, Chrysler’s

UConnect, BMW’s Connected Drive, and Lexus’s Enform),

frequently provided in collaboration with third-party

specialist vendors such as Hughes Telematics and ATX

Group.

Taken together, ubiquitous computer control, distributed

internal connectivity, and telematics interfaces increasingly

combine to provide an application software platform with

external network access. There are thus ample reasons to

reconsider the state of vehicular computer security.

B. Related Work

Indeed, we are not the first to observe the potential

fragility of the automotive environment. In the academic

context, several groups have described potential vulnerabilities

in automotive systems, e.g., [19], [24], [26], [27],

[28]. They provide valuable contributions toward framing

the vehicle security and privacy problem space—notably

in outlining the security limitations of the popular CAN bus

protocol—as well as possible directions for securing vehicle

components. With some exceptions, e.g., [15], most of these

efforts consider threats abstractly; considering “what-if”

questions about a hypothetical attacker. Part of our paper’s

contribution is to make this framing concrete by providing

comprehensive experimental results assessing the behavior

of real automobiles and automotive components in response

to specific attacks.

Further afield, a broad array of researchers have considered

the security problems of vehicle-to-vehicle (V2V)

systems (sometimes also called vehicular ad-hoc networks,

or VANETs); see [18] for a survey. Indeed, this work is

critical, as such future networks will otherwise present yet

another entry point by which attackers might infiltrate a

vehicle. However, our work is focused squarely on the

possibilities after any such infiltration. That is, what are the

security issues within a car, rather than external to it.

Still others have focused on theft-related access control

mechanisms, including successful attacks against vehicle

keyless entry systems [11], [16] and vehicle immobilizers

[3].

Outside the academic realm, there is a small but vibrant

“tuner” subculture of automobile enthusiasts who employ

specialized software to improve performance (e.g., by removing

electronic RPM limitations or changing spark timings,

fuel ignition parameters, or valve timings) frequently

at the expense of regulatory compliance [20], [23]. These

groups are not adversaries; their modifications are done to

improve and personalize their own cars, not to cause harm.

In our work, we consider how an adversary with malicious

motives might disrupt or modify automotive systems.

Finally, we point out that while there is an emerging

effort focused on designing fully autonomous vehicles

(e.g., DARPA Grand Challenge [9]), these are specifically

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 3

designed to be robotically controlled. While such vehicles

would undoubtedly introduce yet new security concerns,

in this paper we concern ourselves solely with the

vulnerabilities in today’s commercially-available automobiles.

C. Threat Model

In this paper we intentionally and explicitly skirt the

question of a “threat model.” Instead, we focus primarily

on what an attacker could do to a car if she was able to

maliciously communicate on the car’s internal network. That

said, this does beg the question of how she might be able

to gain such access.

While we leave a full analysis of the modern automobile’s

attack surface to future research, we briefly describe here the

two “kinds” of vectors by which one might gain access to

a car’s internal networks.

The first is physical access. Someone—such as a mechanic,

a valet, a person who rents a car, an ex-friend, a

disgruntled family member, or the car owner—can, with

even momentary access to the vehicle, insert a malicious

component into a car’s internal network via the ubiquitous

OBD-II port (typically under the dash). The attacker may

leave the malicious component permanently attached to the

car’s internal network or, as we show in this paper, they

may use a brief period of connectivity to embed the malware

within the car’s existing components and then disconnect. A

similar entry point is presented by counterfeit or malicious

components entering the vehicle parts supply chain—either

before the vehicle is sent to the dealer, or with a car owner’s

purchase of an aftermarket third-party component (such as

a counterfeit FM radio).

The other vector is via the numerous wireless interfaces

implemented in the modern automobile. In our car we

identified no fewer than five kinds of digital radio interfaces

accepting outside input, some over only a short range and

others over indefinite distance. While outside the scope of

this paper, we wish to be clear that vulnerabilities in such

services are not purely theoretical. We have developed the

ability to remotely compromise key ECUs in our car via

externally-facing vulnerabilities, amplify the impact of these

remote compromises using the results in this paper, and

ultimately monitor and control our car remotely over the

Internet.

III. EXPERIMENTAL ENVIRONMENT

Our experimental analyses focus on two 2009 automobiles

of the same make and model.1 We selected our particular

vehicle because it contained both a large number of

1We believe the risks identified in this paper arise from the architecture

of the modern automobile and not simply from design decisions made by

any single manufacturer. For this reason, we have chosen not to identify

the particular make and model used in our tests. We believe that other

automobile manufacturers and models with similar features may have

similar security properties.

electronically-controlled components (necessitated by complex

safety features such as anti-lock brakes and stability

control) and a sophisticated telematics system. We purchased

two vehicles to allow differential testing and to validate that

our results were not tied to one individual vehicle. At times

we also purchased individual replacement ECUs via thirdparty

dealers to allow additional testing. Table I lists some

of the most important ECUs in our car.

We experimented with these cars—and their internal

components—in three principal settings:

• Bench. We physically extracted hardware from the

car for analysis in our lab. As with most automobile

manufacturers, our vehicles use a variant of the

Controller Area Network (CAN) protocol for communicating

among vehicle components (in our case

both a high-speed and low-speed variant as well as

a variety of proprietary higher-layer network management

services). Through this protocol, any component

can be accessed and interrogated in isolation in

the lab. Figure 1 shows an example setup, with the

Electronic Brake Control Module (EBCM) hooked up

to a power supply, a CAN-to-USB converter, and an

oscilloscope.

• Stationary car. We conducted most of our in-car experiments

with the car stationary. For both safety and

convenience, we elevated the car on jack stands for

experiments that required the car to be “at speed”; see

Figure 3.

Figure 2 shows the experimental setup inside the car.

For these experiments, we connected a laptop to the

car’s standard On-Board Diagnostics II (OBD-II) port.

We used an off-the-shelf CAN-to-USB interface (the

CANCapture ECOM cable) to interact with the car’s

high-speed CAN network, and an Atmel AT90CAN128

development board (the Olimex AVR-CAN) with custom

firmware to interact with the car’s low-speed

CAN network. The laptop ran our custom CARSHARK

program (see below).

• On the road. To obtain full experimental fidelity, for

some of our results we experimented at speed while on

a closed course.

We exercised numerous precautions to protect the

safety of both our car’s driver and any third parties. For

example, we used the runway of a de-commissioned

airport because the runway is long and straight, giving

us additional time to respond should an emergency

situation arise (see Figure 7).

For these experiments, one of us drove the car while

three others drove a chase car on a parallel service road;

one person drove the chase car, one documented much

of the process on video, and one wirelessly controlled

the test car via an 802.11 ad hoc connection to a laptop

in the test car that in turn accessed its CAN bus.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 4

Low-Speed High-Speed

Component Functionality Comm. Bus Comm. Bus

ECM Engine Control Module

Controls the engine using information from sensors to determine the amount

of fuel, ignition timing, and other engine parameters.

X

EBCM Electronic Brake Control Module

Controls the Antilock Brake System (ABS) pump motor and valves, preventing

brakes from locking up and skidding by regulating hydraulic pressure.

X

TCM Transmission Control Module

Controls electronic transmission using data from sensors and from the ECM

to determine when and how to change gears.

X

BCM Body Control Module

Controls various vehicle functions, provides information to occupants, and

acts as a firewall between the two subnets.

X X

Telematics Telematics Module

Enables remote data communication with the vehicle via cellular link.

X X

RCDLR Remote Control Door Lock Receiver

Receives the signal from the car’s key fob to lock/unlock the doors and

the trunk. It also receives data wirelessly from the Tire Pressure Monitoring

System sensors.

X

HVAC Heating, Ventilation, Air Conditioning

Controls cabin environment.

X

SDM Inflatable Restraint Sensing and Diagnostic Module

Controls airbags and seat belt pretensioners.

X

IPC/DIC Instrument Panel Cluster/Driver Information Center

Displays information to the driver about speed, fuel level, and various alerts

about the car’s status.

X

Radio Radio

In addition to regular radio functions, funnels and generates most of the incabin

sounds (beeps, buzzes, chimes).

X

TDM Theft Deterrent Module

Prevents vehicle from starting without a legitimate key.

X

Table I. Key Electronic Control Units (ECUs) within our cars, their roles, and which CAN buses they are on.

The CARSHARK Tool. To facilitate our experimental

analysis, we wrote CARSHARK—a custom CAN bus analyzer

and packet injection tool (see Figure 4). While there

exist commercially available CAN sniffers, none were appropriate

for our use. First, we needed the ability to process

and manipulate our vendor’s proprietary extensions to the

CAN protocol. Second, while we could have performed

limited testing using a commercial CAN sniffer coupled

with a manufacturer-specific diagnostic service tool, this

combination still doesn’t offer the flexibility to support our

full range of attack explorations, including reading out ECU

memory, loading custom code into ECUs, or generating

fuzz-testing packets over the CAN interface.

IV. INTRA-VEHICLE NETWORK SECURITY

Before experimentally evaluating the security of individual

car components, we assess the security properties

of the CAN bus in general, which we describe below.

We do so by first considering weaknesses inherent to the

protocol stack and then evaluating the degree to which

our car’s components comply with the standard’s specifications.

A. CAN Bus

There are a variety of protocols that can be implemented

on the vehicle bus, but starting in 2008 all cars sold in the

U.S. are required to implement the Controller Area Network

(CAN) bus (ISO 11898 [17]) for diagnostics. As a result,

CAN—roughly speaking, a link-layer data protocol—has

become the dominant communication network for in-car

networks (e.g., used by BMW, Ford, GM, Honda, and

Volkswagen).

A CAN packet (shown in Figure 5) does not include

addresses in the traditional sense and instead supports a

publish-and-subscribe communications model. The CAN ID

header is used to indicate the packet type, and each packet

is both physically and logically broadcast to all nodes,

which then decide for themselves whether to process the

packets.

The CAN variant for our car includes slight extensions

to framing (e.g., on the interpretation of certain CAN ID’s)

and two separate physical layers—a high-speed bus which

is differentially-signaled and primarily used by powertrain

systems and a low-speed bus (SAE J2411) using a single

wire and supporting less-demanding components. When

necessary, a gateway bridge can route selected data between

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 5

Figure 1. Example bench setup within our

lab. The Electronic Brake Control Module

(ECBM) is hooked up to a power supply, a

CAN-to-USB converter, and an oscilloscope.

Figure 2. Example experimental setup. The

laptop is running our custom CARSHARK

CAN network analyzer and attack tool. The

laptop is connected to the car’s OBD-II port.

Figure 3. To test ECU behavior in a

controlled environment, we immobilized the

car on jack stands while mounting attacks.

Figure 4. Screenshot of the CARSHARK interface. CARSHARK is being

used to sniff the CAN bus. Values that have been recently updated are in

yellow. The left panel lists all recognized nodes on high and low speed

subnets of the CAN bus and has some action buttons. The demo panel on

the right provides some proof-of-concept demos.

the two buses. Finally, the protocol standards define a range

of services to be implemented by ECUs.

B. CAN Security Challenges

The underlying CAN protocol has a number of inherent

weaknesses that are common to any implementation. Key

among these:

Broadcast Nature. Since CAN packets are both physically

and logically broadcast to all nodes, a malicious

component on the network can easily snoop on all communications

or send packets to any other node on the

network. CARSHARK leverages this property, allowing us

to observe and reverse-engineer packets, as well as to inject

new packets to induce various actions.

Fragility to DoS. The CAN protocol is extremely

vulnerable to denial-of-service attacks. In addition to simple

packet flooding attacks, CAN’s priority-based arbitration

scheme allows a node to assert a “dominant” state on the

bus indefinitely and cause all other CAN nodes to back

off. While most controllers have logic to avoid accidentally

11 bits 18 bits 4 bits 0–8 bytes 15 bits 7 bits

Start-offrame

Substitute remote

request

Extended identifier

Reserved

2 bits

Data CRC

ACK

End-offrame

Identifier

Identifier

extension

Remote transmission

request

Data length

code

CRC delimiter

ACK

delimiter

Figure 5. CAN packet structure. Extended frame format is shown. Base

frame format is similar.

breaking the network this way, adversarially-controlled hardware

would not need to exercise such precautions.

No Authenticator Fields. CAN packets contain no

authenticator fields—or even any source identifier fields—

meaning that any component can indistinguishably send a

packet to any other component. This means that any single

compromised component can be used to control all of the

other components on that bus, provided those components

themselves do not implement defenses; we consider the

security of individual components in Section V.

Weak Access Control. The protocol standards for our

car specify a challenge-response sequence to protect ECUs

against certain actions without authorization. A given ECU

may participate in zero, one, or two challenge-response

pairs:

• Reflashing and memory protection. One challengeresponse

pair restricts access to reflashing the ECU and

reading out sensitive memory. By design, a service shop

might authenticate with this challenge-response pair in

order to upgrade the firmware on an ECU.

• Tester capabilities. Modern automobiles are complex

and thus diagnosing their problems requires significant

support. Thus, a major use of the CAN bus is in

providing diagnostic access to service technicians. In

particular, external test equipment (the “tester”) must

be able to interrogate the internal state of the car’s

components and, at times, manipulate this state as well.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 6

Our car implements this capability via the DeviceControl

service which is accessed in an RPC-like fashion

directly via CAN messages. In our car, the second

challenge-response pair described above is designed to

restrict access to the DeviceControl services.

Under the hood, ECUs are supposed to use a fixed challenge

(seed) for each of these challenge-response pairs; the corresponding

responses (keys) are also fixed and stored in these

ECUs. The motivation for using fixed seeds and keys is to

avoid storing the challenge-response algorithm in the ECU

firmware itself (since that firmware could be read out if an

external flash chip is used). Indeed, the associated reference

standard states “under no circumstances shall the encryption

algorithm ever reside in the node.” (The tester, however, does

have the algorithm and uses it to compute the key.) Different

ECUs should have different seeds and keys.

Despite these apparent security precautions, to the best of

our knowledge many of the seed-to-key algorithms in use

today are known by the car tuning community.

Furthermore, as described in the protocol standards, the

challenges (seeds) and responses (keys) are both just 16 bits.

Because the ECUs are required to allow a key attempt every

10 seconds, an attacker could crack one ECU key in a little

over seven and a half days. If an attacker has access to

the car’s network for this amount of time (such as through

another compromised component), any reflashable ECU can

be compromised. Multiple ECUs can be cracked in parallel,

so this is an upper bound on the amount of time it could take

to crack a key in every ECU in the vehicle. Furthermore,

if an attacker can physically remove a component from

the car, she can further reduce the time needed to crack

a component’s key to roughly three and a half days by

powercycling the component every two key attempts (we

used this approach to perform an exhaustive search for the

Electronic Brake Control Module (EBCM) key on one of

our cars, recovering the key in about a day and a half; see

Figure 1 for our experimental setup).

In effect, there are numerous realistic scenarios in which

the challenge-response sequences defined in the protocol

specification can be circumvented by a determined attacker.

ECU Firmware Updates and Open Diagnostic Control.

Given the generic weaknesses with the aforementioned

access control mechanisms, it is worth stepping back and

reconsidering the benefits and risks associated with exposing

ECUs to reflashing and diagnostic testing.

First, the ability to do software-only upgrades to ECUs

can be extremely valuable to vehicle manufacturers, who

might otherwise have to bear the cost of physically replacing

ECUs for trivial defects in the software. For example, one

of us recently received a letter from a car dealer, inviting us

to visit an auto shop in order to upgrade the firmware on

our personal car’s ECM to correctly meet certain emission

requirements. However, it is also well known that attackers

can use software updates to inject malicious code into

systems [2]. The challenge-response sequences alone are

not sufficient to protect against malicious firmware updates;

in subsequent sections we investigate whether additional

protection mechanisms are deployed at a higher level (such

as the cryptographically signed firmware updates).

Similarly, the DeviceControl service is a tremendously

powerful tool for assisting in the diagnosis of a car’s

components. But, given the generic weaknesses of the CAN

access control mechanisms, the DeviceControl capabilities

present enumerable opportunities to an attacker (indeed, a

great number of our attacks are built on DeviceControl).

In many ways this challenge parallels the security vs.

functionality tension presented by debuggers in conventional

operating systems; to be effective debuggers need to be able

to examine and manipulate all state, but if they can do that

they can do anything. However, while traditional operating

systems generally finesse this problem via access-control

rights on a per-user basis, there is no equivalent concept in

CAN. Given the weaknesses with the CAN access control

sequence, the role of “tester” is effectively open to any node

on the bus and thus to any attacker.

Worse, in Section IV-C below we find that many ECUs in

our car deviate from their own protocol standards, making

it even easier for an attacker to initiate firmware updates or

DeviceControl sequences—without even needing to bypass

the challenge-response protocols.

C. Deviations from Standards

In several cases, our car’s protocol standards do prescribe

risk-mitigation strategies with which components should

comply. However, our experimental findings revealed that

not all components in the car always follow these specifications.

Disabling Communications. For example, the standard

states that ECUs should reject the “disable CAN

communications” command when it is unsafe to accept and

act on it, such as when a car is moving. However, we

experimentally verified that this is not actually the case in

our car: we were able to disable communications to and from

all the ECUs in Table I even with the car’s wheels moving

at speed on jack stands and while driving on the closed road

course.

Reflashing ECUs While Driving. The standard also

states that ECUs should reject reflashing events if they deem

them unsafe. In fact, it states: “The engine control module

should reject a request to initiate a programming event if the

engine were running.” However, we experimentally verified

that we could place the Engine Control Module (ECM) and

Transmission Control Module (TCM) into reflashing mode

when our car was at speed on jack stands. When the ECM

enters this mode, the engine stops running. We also verified

that we could place the ECM into reflashing mode while

driving on the closed course.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 7

Noncompliant Access Control: Firmware and Memory.

The standard states that ECUs with emissions, anti-theft,

or safety functionality must be protected by a challengeresponse

access control protocol (as per Section IV-B).

Even disregarding the weakness of this protocol, we

found it was implemented less broadly than we would

have expected. For example, the telematics unit in our

car, which are connected to the car’s CAN buses, use a

hardcoded challenge and a hardcoded response common

to all similar units, seemingly in violation of the standard

(specifically, the standard states that “all nodes with the

same part number shall NOT have the same security seed”).

Even worse, the result of the challenge-response protocol

is never used anywhere; one can reflash the unit at any

time without completing the challenge-response protocol.

We verified experimentally that we can load our own code

onto our car’s telematics unit without authenticating.

Some access-controlled operations, such as reading sensitive

memory areas (such as the ECU’s program or keys)

may be outright denied if deemed too risky. For example,

the standard states that an ECU can define memory addresses

that “[it] will not allow a tester to read under any

circumstances (e.g., the addresses that contain the security

seed and key values).” However, in another instance of noncompliance,

we experimentally verified that we could read

the reflashing keys out of the BCM without authenticating,

and the DeviceControl keys for the ECM and TCM just by

authenticating with the reflashing key. We were also able to

extract the telematics units’ entire memory, including their

keys, without authentication.

Noncompliant Access Control: Device Overrides. Recall

that the DeviceControl service is used to override the

state of components. However, ECUs are expected to reject

unsafe DeviceControl override requests, such as releasing

the brakes when the car is in motion (an example mentioned

in the standard). Some of these unsafe overrides are needed

for testing during the manufacturing process, so those can be

enabled by authenticating with the DeviceControl key. However,

we found during our experiments that certain unsafe

device control operations succeeded without authenticating;

we summarize these in Tables II, V-A, and IV.

Imperfect Network Segregation. The standard implicitly

defines the high-speed network as more trusted than the

low-speed network. This difference is likely due to the fact

that the high-speed network includes the real-time safetycritical

components (e.g., engine, brakes), while the lowspeed

network commonly includes components less critical

to safety, like the radio and the HVAC system.

The standard states that gateways between the two networks

must only be re-programmable from the high-speed

network, presumably to prevent a low-speed device from

compromising a gateway to attack the high-speed network.

In our car, there are two ECUs which are on both buses and

can potentially bridge signals: the Body Controller Module

(BCM) and the telematics unit. While the telematics unit

is not technically a gateway, it connects to both networks

and can only be reprogrammed (against the spirit of the

standard) from the low-speed network, allowing a lowspeed

device to attack the high-speed network through the

telematics unit. We verified that we could bridge these

networks by uploading code to the telematics unit from the

low-speed network that, in turn, sent packets on the highspeed

network.

V. COMPONENT SECURITY

We now examine individual components on our car’s

CAN network, and what an attacker could do by communicating

with each one individually. We discuss compound

attacks involving multiple components in Section VI. We

omit certain details (such as complete packet payloads) to

prevent would-be attackers from using our results directly.

A. Attack Methodology

Recall that Table I gives an overview of our car’s critical

components, their functionality, and whether they are on

the car’s high-speed or low-speed CAN subnet. For each of

these components, our methodology for formulating attacks

consisted of some or all of the following three major

approaches, summarized below.

Packet Sniffing and Targeted Probing. To begin, we

used CARSHARK to observe traffic on the CAN buses

in order to determine how ECUs communicate with each

other. This also revealed to us which packets were sent as

we activated various components (such as turning on the

headlights). Through a combination of replay and informed

probing, we were able to discover how to control the radio,

the Instrument Panel Cluster (IPC), and a number of the

Body Control Module (BCM) functions, as we discuss

below. This approach worked well for packets that come

up during normal operation, but was less useful in mapping

the interface to safety-critical powertrain components.

Fuzzing. Much to our surprise, significant attacks do

not require a complete understanding or reverse-engineering

of even a single component of the car. In fact, because

the range of valid CAN packets is rather small, significant

damage can be done by simple fuzzing of packets (i.e.,

iterative testing of random or partially random packets). Indeed,

for attackers seeking indiscriminate disruption, fuzzing

is an effective attack by itself. (Unlike traditional uses of

fuzzing, we use fuzzing to aid in the reverse engineering of

functionality.)

As mentioned previously, the protocol standards for our

car define a CAN-based service called DeviceControl, which

allows testing devices (used during manufacturing quality

control or by mechanics) to override the normal output

functionality of an ECU or reset some learned internal

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 8

state. The DeviceControl service takes an argument called

a Control Packet Identifier (CPID), which specifies a group

of controls to override. Each CPID can take up to five bytes

as parameters, specifying which controls in the group are

being overridden, and how to override them. For example,

the Body Control Module (BCM) exports controls for the

various external lights (headlights, brakelights, etc.) and their

associated brightness can be set via the parameter data.

We discovered many of the DeviceControl functions

for select ECUs (specifically, those controlling the engine

(ECM), body components (BCM), brakes (EBCM), and

heating and air conditioning (HVAC) systems) largely by

fuzz testing. After enumerating all supported CPIDs for each

ECU, we sent random data as an argument to valid CPIDs

and correlated input bits with behaviors.

Reverse-Engineering. For a small subset of ECUs

(notably the telematics unit, for which we obtained multiple

instances via Internet-based used parts resellers) we dumped

their code via the CAN ReadMemory service and used a

third-party debugger (IDA Pro) to explicitly understand how

certain hardware features were controlled. This approach

is essential for attacks that require new functionality to be

added (e.g., bridging low and high-speed buses) rather than

simply manipulating existing software capabilities.

B. Stationary Testing

We now describe the results of our experiments with

controlling critical components of the car. All initial experiments

were done with the car stationary, in many cases

immobilized on jack stands for safety, as shown in Figure 3.

Some of our results are summarized in Tables II, V-A,

and IV for fuzzing, and in Table V for other results.

Tables II, V-A, and IV indicate the packet that was sent

to the corresponding module, the resulting action, and four

additional pieces of information: (1) Can the result of this

packet be overridden manually, such as by pulling the

physical door unlock knob, pushing on the brakes, or some

other action? A No in this column means that we have found

no way to manually override the result. (2) Does this packet

have the same effect when the car is at speed? For this

column, “at speed” means when the car was up on jack

stands but the throttle was applied to bring the wheel speed

to 40 MPH. (3) Does the module in question need to be

unlocked with its DeviceControl key before these packets

can elicit results? The fourth (4) additional column reflects

our experiments during a live road test, which we will turn

to in subsection V-C. Table V is similar, except that only

the Kill Engine result is caused by a DeviceControl packet;

we did not need to unlock the ECU before initiating this

DeviceControl packet.

All of the controlled experiments were initially conducted

on one car, and then all were repeated on our second car

(road tests were only performed with the first car).

Figure 6. Displaying an arbitrary message and a false speedometer reading

on the Driver Information Center. Note that the car is in Park.

Radio. One of the first attacks we discovered was how

to control the radio and its display. We were able to completely

control—and disable user control of—the radio,

and to display arbitrary messages. For example, we were

able to consistently increase the volume and prevent the user

from resetting it. As the radio is also the component which

controls various car sounds (e.g., turn signal clicks and seat

belt warning chimes), we were also able to produce clicks

and chimes at arbitrary frequencies, for various durations,

and at different intervals. Table V presents some of these

results.

Instrument Panel Cluster. We were able to fully control

the Instrument Panel Cluster (IPC). We were able to

display arbitrary messages, falsify the fuel level and the

speedometer reading, adjust the illumination of instruments,

and so on (also shown in Table V). For example, Figure 6

shows the instrument panel display with a message that

we set by sending the appropriate packets over the CAN

network. We discuss a more sophisticated attack using our

control over the speedometer in Section VI.

Body Controller. Control of the BCM’s function is

split across the low-speed and high-speed buses. By reverseengineering

packets sent on the low-speed bus (Table V) and

by fuzzing packets on the high-speed bus (as summarized

in Table II), we were able to control essentially all of the

BCM’s functions. This means that we were able to discover

packets to: lock and unlock the doors; jam the door locks

by continually activating the lock relay; pop the trunk;

adjust interior and exterior lighting levels; honk the horn

(indefinitely and at varying frequencies); disable and enable

the window relays; disable and enable the windshield wipers;

continuously shoot windshield fluid; and disable the key lock

relay to lock the key in the ignition.

Engine. Most of the attacks against the engine were

found by fuzzing DeviceControl requests to the ECM. These

findings are summarized in Table V-A. We were able to

boost the engine RPM temporarily, disturb engine timing by

resetting the learned crankshaft angle sensor error, disable

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 9

Manual At Need to Tested on

Packet Result Override Speed Unlock Runway

07 AE ... 1F 87 Continuously Activates Lock Relay Yes Yes No X

07 AE ... C1 A8 Windshield Wipers On Continuously No Yes No X

07 AE ... 77 09 Pops Trunk No Yes No X

07 AE ... 80 1B Releases Shift Lock Solenoid No Yes No

07 AE ... D8 7D Unlocks All Doors Yes Yes No

07 AE ... 9A F2 Permanently Activates Horn No Yes No X

07 AE ... CE 26 Disables Headlights in Auto Light Control Yes Yes No X

07 AE ... 34 5F All Auxiliary Lights Off No Yes No

07 AE ... F9 46 Disables Window and Key Lock Relays No Yes No

07 AE ... F8 2C Windshield Fluid Shoots Continuously No Yes No X

07 AE ... 15 A2 Controls Horn Frequency No Yes No

07 AE ... 15 A2 Controls Dome Light Brightness No Yes No

07 AE ... 22 7A Controls Instrument Brightness No Yes No

07 AE ... 00 00 All Brake/Auxiliary Lights Off No Yes No X

07 AE ... 1D 1D Forces Wipers Off and Shoots Windshield Fluid Continuously Yes† Yes No X

Table II. Body Control Module (BCM) DeviceControl Packet Analysis. This table shows BCM DeviceControl packets and their effects that we discovered

during fuzz testing with one of our cars on jack stands. A Xin the last column indicates that we also tested the corresponding packet with the driving on a

runway. A “Yes” or “No” in the columns “Manual Override,” “At Speed,” and “Need to Unlock” indicate whether or not (1) the results could be manually

overridden by a car occupant, (2) the same effect was observed with the car at speed (the wheels spinning at about 40 MPH and/or on the runway), and

(3) the BCM needed to be unlocked with its DeviceControl key.

†The highest setting for the windshield wipers cannot be disabled and serves as a manual override.

Manual At Need to Tested on

Packet Result Override Speed Unlock Runway

07 AE ... E5 EA Initiate Crankshaft Re-learn; Disturb Timing Yes Yes Yes

07 AE ... CE 32 Temporary RPM Increase No Yes Yes X

07 AE ... 5E BD Disable Cylinders, Power Steering/Brakes Yes Yes Yes

07 AE ... 95 DC Kill Engine, Cause Knocking on Restart Yes Yes Yes X

07 AE ... 8D C8 Grind Starter No Yes Yes

07 AE ... 00 00 Increase Idle RPM No Yes Yes X

Table III. Engine Control Module (ECM) DeviceControl Packet Analysis. This table is similar to Table II.

Manual At Need to Tested on

Packet Result Override Speed Unlock† Runway

07 AE ... 25 2B Engages Front Left Brake No Yes Yes X

07 AE ... 20 88 Engages Front Right Brake/Unlocks Front Left No Yes Yes X

07 AE ... 86 07 Unevenly Engages Right Brakes No Yes Yes X

07 AE ... FF FF Releases Brakes, Prevents Braking No Yes Yes X

Table IV. Electronic Brake Control Module (EBCM) DeviceControl Packet Analysis. This table is similar to Table II.

†The EBCM did not need to be unlocked with its DeviceControl key when the car was on jack stands. Later, when we tested these packets on the runway,

we discovered that the EBCM rejected these commands when the speed of the car exceeded 5 MPH without being unlocked.

Destination Manual At Tested on

ECU Packet Result Override Speed Runway

IPC 00 00 ... 00 00 Falsify Speedometer Reading No Yes X

Radio 04 00 ... 00 00 Increase Radio Volume No Yes

Radio 63 01 ... 39 00 Change Radio Display No Yes

IPC 00 02 ... 00 00 Change DIC Display No Yes

27 01 ... 65 00

BCM 04 03 Unlock Car† Yes Yes

BCM 04 01 Lock Car† Yes Yes

BCM 04 0B Remote Start Car† No No

BCM 04 0E Car Alarm Honk† No No

Radio 83 32 ... 00 00 Ticking Sound No Yes

ECM AE 0E ... 00 7E Kill Engine No Yes

Table V. Other Example Packets. This table shows packets, their recipients, and their effects that we discovered via observation and reverse-engineering.

In contrast to the DeviceControl packets in Tables II, V-A and IV, these packets may be sent during normal operation of the car; we simply exploited the

broadcast nature of the CAN bus to send them from CARSHARK instead of their normal sources. For this reason, we did not test most of them at the

runway, since they are naturally “tested” during normal operation.

†As ordinarily done by the key fob.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 10

all cylinders simultaneously (even with the car’s wheels

spinning at 40 MPH when on jack stands), and disable the

engine such that it knocks excessively when restarted, or

cannot be restarted at all. Additionally, we can forge a packet

with the “airbag deployed" bit set to disable the engine.

Finally, we also discovered a packet that will adjust the

engine’s idle RPM.

Brakes. Our fuzzing of the Electronic Brake Control

Module (see Table IV) allowed us to discover how to lock

individual brakes and sets of brakes, notably without needing

to unlock the EBCM with its DeviceControl key. In one case,

we sent a random packet which not only engaged the front

left brake, but locked it resistant to manual override even

through a power cycle and battery removal. To remedy this,

we had to resort to continued fuzzing to find a packet that

would reverse this effect. Surprisingly, also without needing

to unlock the EBCM, we were also able to release the brakes

and prevent them from being enabled, even with car’s wheels

spinning at 40 MPH while on jack stands.

HVAC. We were able to control the cabin environment

via the HVAC system: we discovered packets to turn on and

off the fans, the A/C, and the heat, in some cases with no

manual override possible.

Generic Denial of Service. In another set of experiments,

we disabled the communication of individual components

on the CAN bus. This was possible at arbitrary times,

even with the car’s wheels spinning at speeds of 40 MPH

when up on jack stands. Disabling communication to/from

the ECM when the wheels are spinning at 40 MPH reduces

the car’s reported speed immediately to 0 MPH. Disabling

communication to/from the BCM freezes the instrument

panel cluster in its current state (e.g., if communication is

disabled when the car is going 40 MPH, the speedometer

will continue to report 40 MPH). The car can be turned off

in this state, but without re-enabling communication to/from

the BCM, the engine cannot be turned on again.

Thus, we were able to easily prevent a car from turning

on. We were also able to prevent the car from being turned

off: while the car was on, we caused the BCM to activate

its ignition output. This output is connected in a wired-OR

configuration with the ignition switch, so even if the switch

is turned to off and the key removed, the car will still run.

We can override the key lock solenoid, allowing the key to

be removed while the car is in drive, or preventing the key

from being removed at all.

C. Road Testing

Comprehensive and safe testing of these and other attacks

requires an open area where individuals and property are at

minimal risk. Fortunately, we were able to obtain access

to the runway of a de-commissioned airport to re-evaluate

many of the attacks we had identified with the car up on

jack stands. To maximize safety, we used a second, chase

Figure 7. Road testing on a closed course (a de-commissioned airport

runway). The experimented-on car, with our driver wearing a helmet, is in

the background; the chase car is in the foreground. Photo courtesy of Mike

Haslip.

car in addition to the experimental vehicle; see Figure 7.

This allowed us to have all but one person outside of the

experimented-on car. The experimented-on car was controlled

via a laptop running CARSHARK and connected to

the CAN bus via the OBD-II port. We in turn controlled this

laptop remotely via a wireless link to another laptop in the

chase car. To maintain the wireless connection between the

laptops, we drove the chase car parallel to the experimentedon

car, which also allowed us to capture these experiments

on video.

Our experimental protocol was as follows: we started

the cars down the runway at the same time, transmitted

one or more packets on the experimented-on car’s CAN

network (indirectly through a command sent from the laptop

in the chase car), waited for our driver’s verbal confirmation/

description (using walkie-talkies to communicate

between the cars), and then sent one or more cancellation

packets. Had something gone wrong, our driver would

have yanked on a cord attached to the CAN cable and

pulled the laptop out of the OBD-II. As we verified in

preparatory safety tests, this disconnect would have caused

the car to revert back to normal within a few seconds;

fortunately, our driver never needed to make use of this

precaution.

Our allotted time at the airport prevented us from reverifying

all of our attacks while driving, and hence we

experimentally re-tested a selected subset of those attacks;

the final column of Tables II, V-A, IV, and V contain a

check mark for the experiments that we re-evaluated while

driving. Most our results while driving were identical to our

results on jack stands, except that the EBCM needed to be

unlocked to issue DeviceControl packets when the car was

traveling over 5 MPH. This a minor caveat from an actual

attack perspective; as noted earlier, attack hardware attached

to the car’s CAN bus can recover the credentials necessary

to unlock the EBCM.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 11

Even at speeds of up to 40 MPH on the runway, the attack

packets had their intended effect, whether it was honking the

horn, killing the engine, preventing the car from restarting,

or blasting the heat. Most dramatic were the effects of DeviceControl

packets to the Electronic Brake Control Module

(EBCM)—the full effect of which we had previously not

been able to observe. In particular, we were able to release

the brakes and actually prevent our driver from braking; no

amount of pressure on the brake pedal was able to activate

the brakes. Even though we expected this effect, reversed it

quickly, and had a safety mechanism in place, it was still a

frightening experience for our driver. With another packet,

we were able to instantaneously lock the brakes unevenly;

this could have been dangerous at higher speeds. We sent

the same packet when the car was stationary (but still on

the closed road course), which prevented us from moving it

at all even by flooring the accelerator while in first gear.

These live road tests are effectively the “gold standard” for

our attacks as they represent realistic conditions (unlike our

controlled stationary environment). For example, we were

never able to completely characterize the brake behavior

until the car was on the road; the fact that the back wheels

were stationary when the car was on jack stands provided

additional input to the EBCM which resulted in illogical

behavior. The fact that many of these safety-critical attacks

are still effective in the road setting suggests that few

DeviceControl functions are actually disabled when the car

is at speed while driving, despite the clear capability and

intention in the standard to do so.

VI. MULTI-COMPONENT INTERACTIONS

The previous section focused on assessing what an attacker

might be able to do by controlling individual devices.

We now take a step back to discuss possible scenarios in

which multiple components are exploited in a composite

attack. The results in this section emphasize that the issue

of vehicle security is not simply a matter of securing

individual components; the car’s network is a heterogeneous

environment of interacting components, and must be viewed

and secured as such.

A. Composite Attacks

Numerous composite attacks exist. Below we describe a

few that we implemented and experimentally verified.

Speedometer. In one attack, we manipulate the speedometer

to display an arbitrary speed or an arbitrary offset

of the current speed—such as 10 MPH less than the actual

speed (halving the displayed speed up to a real speed of

20 MPH in order to minimize obvious anomalies to the

driver). This is a composite attack because it requires both

intercepting actual speed update packets on the low speed

CAN bus (sent by the BCM) and transmitting maliciouslycrafted

speed update packets with the falsified speed. Such

an attack could, for example, trick a driver into driving

too fast. We implemented this attack both as a CARSHARK

module and as custom firmware for the AVR-CAN board.

The custom firmware consisted of 105 lines of C code.

We tested this attack by comparing the displayed speed of

one of our cars with the car’s actual speed while driving

on a closed course and measuring the speed with a radar

gun.

Lights Out. Our analysis in Section V uncovered

packets that can disable certain interior and exterior lights

on the car. We combined these packets to disable all of the

car’s lights when the car is traveling at speeds of 40 MPH

or more, which is particularly dangerous when driving in

the dark. This includes the headlights, the brake lights, the

auxiliary lights, the interior dome light, and the illumination

of the instrument panel cluster and other display lights inside

the car. This attack requires the lighting control system to

be in the “automatic” setting, which is the default setting for

most drivers. One can imagine this attack to be extremely

dangerous in a situation where a victim is driving at high

speeds at night in a dark environment; the driver would not

be able to see the the road ahead, nor the speedometer, and

people in other cars would not be able to see the victim

car’s brake lights. We conducted this experiment on both

cars while they were on jack stands and while driving on a

closed course.

Self-Destruct. Combining our control over various

BCM components, we created a “Self-Destruct” demo in

which a 60-second count-down is displayed on the Driver

Information Center (the dash), accompanied by clicks at an

increasing rate and horn honks in the last few seconds. In our

demo, this sequence culminated with killing the engine and

activating the door lock relay (preventing the occupant from

using the electronic door unlock button). This demo, which

we tested on both cars, required fewer than 200 lines of code

added to CARSHARK, most of them for timing the clicking

and the count-down. One could also extend this sequence to

include any of the other actions we learned how to control:

releasing or slamming the brakes, extinguishing the lights,

locking the doors, and so on.

B. Bridging Internal CAN Networks

Multiple components—including a wealth of aftermarket

devices like radios—are attached to or could be attached to

a car’s low-speed CAN bus. Critical components, like the

EBCM brake controller, are connected to the separate highspeed

bus, with the Body Control Module (BCM) regulating

access between the two buses. One might therefore assume

that the devices attached to the low-speed bus, including

aftermarket devices, will not be able to adversely impact

critical components on the high-speed bus.

Our experiments and analyses found this assumption

to be false. Our car’s telematics unit is also connected

to both buses. We were able to successfully reprogram

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 12

our car’s telematics unit from a device connected to the

car’s low-speed bus (in our experiments, a laptop running

CARSHARK). Once reprogrammed, our telematics

unit acts as a bridge, relaying packets from the lowspeed

bus onto the high-speed bus. This demonstrates that

any device attached to the low-speed bus can bypass the

BCM gateway and influence the operation of the safetycritical

components. Such a situation is particularly concerning

given the abundance of potential aftermarket addons

available for the low-speed bus. Our complete attack

consisted of only the following two steps: initiate a reprogramming

request to the telematics unit via the lowspeed

bus; and then upload 1184 bytes of binary code (291

instructions) to the telematics unit’s RAM via the low-speed

bus.

C. Hosting Code; Wiping Code

This method for injecting code into our car’s telematics

unit, while sufficient for demonstrating that a lowspeed

CAN device could compromise a high-speed CAN

device via the telematics unit, is also limiting. Specifically,

while that attack code is running, the telematics service is

not. A more sophisticated attack could implant malicious

code within the telematics environment itself (either in

RAM or by re-flashing the unit). Doing so would allow

the malicious code to co-exist with the existing telematics

software (we have built such code in the lab). The

result provides the attack software with a rich Unix-like

environment (our car’s telematics unit uses the QNX Neutrino

Real-Time Operating System) and provides standard

interfaces to additional hardware capabilities (e.g., GPS,

audio capture, cellular link) and software libraries (e.g.,

OpenSSL).

Hosting our own code within a car’s ECU enables yet

another extension to our attacks: complicating detection

and forensic evaluations following any malicious action.

For example, the attack code on the telematics unit could

perform some action (such as locking the brakes after

detecting a speed of over 80 MPH). The attack code could

then erase any evidence of its existence on the device. If

the attack code was installed per the method described in

Section VI-B, then it would be sufficient to simply reboot

the telematics unit, with the only evidence of something

potentially amiss being the lack of telematics records during

the time of the attack. If the attack code was implanted

within the telematics environment itself, then more sophisticated

techniques may be necessary to erase evidence of

the attack code’s existence. In either case, such an attack

could complicate (or even prevent) a forensic investigation

of a crash scene. We have experimentally verified the

efficacy of a safe version of this attack while driving on

a runway: after the car reaches 20 MPH, the attack code on

the telematics unit forces the car’s windshield fluid pump

and wipers on. After the car stops, the attack code forces

the telematics unit to reboot, erasing any evidence of its

existence.

VII. DISCUSSION AND CONCLUSIONS

Although we are not the first to observe that computerized

automotive systems may present new risks, our empirical

approach has given us a unique perspective to reflect on the

actual vulnerabilities of modern cars as they are built and

deployed today. We summarize these findings here and then

discuss the complex challenges in addressing them within

the existing automotive ecosystem.

• Extent of Damage. Past work, e.g., [19], [24], [26],

[27], [28], discuss potential risks to cyber-physical

vehicles and thus we knew that adversaries might be

able to do damage by attacking the components within

cars. We did not, however, anticipate that we would be

able to directly manipulate safety critical ECUs (indeed,

all ECUs that we tested) or that we would be allowed

to create unsafe conditions of such magnitude.

• Ease of Attack. In starting this project we expected

to spend significant effort reverse-engineering, with

non-trivial effort to identify and exploit each subtle

vulnerability. However, we found existing automotive

systems—at least those we tested—to be tremendously

fragile. Indeed, our simple fuzzing infrastructure

was very effective and to our surprise, a large fraction

of the random packets we sent resulted in changes

to the state of our car. Based on this experience, we

believe that a fuzzer itself is likely be a universal

attack for disrupting arbitrary automobiles (similar to

how the “crashme” program that fuzzed system calls

was effective in crashing operating systems before the

syscall interface was hardened).

• Unenforced Access Controls. While we believe that

standard access controls are weak, we were surprised

at the extent to which the controls that did exist were

frequently unused. For example, the firmware on an

ECU controls all of its critical functionality and thus the

standard for our car’s CAN protocol variant describes

methods for ECUs to protect against unauthorized

firmware updates. We were therefore surprised that

we could load firmware onto some key ECUs, like

our telematics unit (a critical ECU) and our Remote

Control Door Lock Receiver (RCDLR), without any

such authentication. Similarly, the protocol standard

also makes an earnest attempt to restrict access to

DeviceControl diagnostic capabilities. We were therefore

also surprised to find that critical ECUs in our

car would respond to DeviceControl packets without

authentication first.

• Attack Amplification. We found multiple opportunities

for attackers to amplify their capabilities—either in

reach or in stealth. For example, while the designated

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 13

gateway node between the car’s low-speed and highspeed

networks (the BCM) should not expose any

interface that would let a low-speed node compromise

the high-speed network, we found that we could

maliciously bridge these networks through a compromised

telematics unit. Thus, the compromise of any

ECU becomes sufficient to manipulate safety-critical

components such as the EBCM. As more and more

components integrate into vehicles, it may become

increasingly difficult to properly secure all bridging

points.

Finally, we also found that, in addition to being able

to load custom code onto an ECU via the CAN network,

it is straightforward to design this code to completely

erase any evidence of itself after executing its attack.

Thus, absent any such forensic trail, it may be infeasible

to determine if a particular crash is caused by an attack

or not. While a seemingly minor point, we believe

that this is in fact a very dangerous capability as it

minimizes the possibility of any law enforcement action

that might deter individuals from using such attacks.2

In reflecting on our overall experiences, we observe that

while automotive components are clearly and explicitly designed

to safely tolerate failures—responding appropriately

when components are prevented from communicating—it

seems clear that tolerating attacks has not been part of the

same design criteria. Given our results and the observations

thus far, we consider below several potential defensive

directions and the tensions inherent in them.

To frame the following discussion, we once again stress

that the focus of this paper has been on analyzing the

security implications if an attacker is able to maliciously

compromise a car’s internal communication’s network, not

on how an attacker might be able to do so. While we

can demonstrably access our car’s internal networks via

several means (e.g., via devices physically attached to the

car’s internal network, such as a tiny “attack iPod” that

we implemented, or via a remote wireless vulnerability

that we uncovered), we defer a complete consideration of

entry points to future work. Although we consider some

specific entry points below (such as malicious aftermarket

components), our discussion below is framed broadly and

seeks to be as agnostic as possible to the potential entry

vector.

Diagnostic and Reflashing Services. Many of the vulnerabilities

we discovered were made possible by weak

or unenforced protections of the diagnostic and reflashing

services. Because these services are never intended for

use during normal operation of the vehicle, it is tempting

to address these issues by completely locking down such

capabilities after the car leaves manufacturing. While it

2As an aside, the lack of a strong forensic trail also creates the possibility

for a driver to, after an accident, blame the car’s computers for driver error.

is clearly unsafe for arbitrary ECUs to issue diagnostic

and reflashing commands, locking down these capabilities

ignores the needs of various stakeholders.

For instance, individuals desire and should be able to

do certain things to tune their own car (but not others).

Similarly, how could mechanics service and replace components

in a “locked-down” automotive environment? Would

they receive special capabilities? If so, which mechanics and

why should they be trusted? Consider the recently proposed

“Motor Vehicle Owners’ Right to Repair Act” (H.R. 2057),

which would require manufacturers to provide diagnostic information

and tools to vehicle owners and service providers,

and to provide information to aftermarket tool vendors that

enables them to make functionally-equivalent tools. The

motivation for this legislation is clear: encouraging healthy

competition within the broader automotive industry. Even

simple security mechanisms (including some we support,

such as signed firmware updates) can be at odds with the

vision of the proposed legislation. Indeed, providing smaller

and independent auto shops with the ability to service and

diagnose vehicles without letting adversaries co-opt those

same abilities appears to be a fundamental challenge.

The core problem is lack of access control for the use

of these services. Thus, we see desirable properties of a

solution to be threefold: arbitrary ECUs should not be able to

issue diagnostic and reflashing commands, such commands

can only be issued with some validation, and physical access

to the car should be required before issuing dangerous

commands.

Aftermarket Components. Even with diagnostic and

reflashing services secured, packets that appear on the vehicle

bus during normal operation can still be spoofed by

third-party ECUs connected to the bus. Today a modern

automobile leaves the factory containing multiple third-party

ECUs, and owners often add aftermarket components (like

radios or alarms) to their car’s buses. This creates a tension

that, in the extreme, manifests itself as the need to either trust

all third-party components, or to lock down a car’s network

so that no third-party components—whether adversarial or

benign—can influence the state of the car.

One potential intermediate (and backwards compatible)

solution we envision is to allow owners to connect an

external filtering device between an untrusted component

(such as a radio) and the vehicle bus to function as a trusted

mediator, ensuring that the component sends and receives

only approved packets.

Detection Versus Prevention. More broadly, certain

considerations unique to cyber-physical vehicles raise the

possibility of security via detection and correction of anomalies,

rather than prevention and locking down of capabilities.

For example, the operational and economic realities of

automotive design and manufacturing are stringent. Manufacturers

must swiftly integrate parts from different suppliers

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 14

(changing as needed to second and third source suppliers) in

order to quickly reach market and at low cost. Competitive

pressures drive vendors to reuse designs and thus engenders

significant heterogeneity. It is common that each ECU

may use a different processor and/or software architecture

and some cars may even use different communications

architectures—one grafted onto the other to integrate a

vendor assembly and bring the car to market in time. Today

the challenges of integration have become enormous and

manufacturers seek to reduce these overheads at all costs—

a natural obstacle for instituting strict security policies.

In addition, many of an automobile’s functions are safety

critical, and introducing additional delay into the processing

of, say, brake commands, may be unsafe.

These considerations raise the possibility of exploring the

tradeoff between preventing and correcting malicious actions:

if rigorous prevention is too expensive, perhaps a quick

reversal is sufficient for certain classes of vulnerabilities.

Several questions come with this approach: Can anomalous

behavior be detected early enough, before any dangerous

packets are sent? Can a fail-safe mode or last safe state

be identified and safely reverted to? It is also unclear what

constitutes abnormal behavior on the bus in the first place, as

attacks can be staged entirely with packets that also appear

during normal vehicle operation.

Toward Security. These are just a few of many potential

defensive directions and associated tensions. There

are deep-rooted tussles surrounding the security of cyberphysical

vehicles, and it is not yet clear what the “right”

solution for security is or even if a single “right” solution

exists. More likely, there is a spectrum of solutions that each

trade off critical values (like security vs. support for independent

auto shops). Thus, we argue that the future research

agenda for securing cyber-physical vehicles is not merely to

consider the necessary technical mechanisms, but to also

inform these designs by what is feasible practically and

compatible with the interests of a broader set of stakeholders.

This work serves as a critical piece in the puzzle, providing

the first experimentally guided study into the real security

risks with a modern automobile.

ACKNOWLEDGMENTS

We thank Mike Haslip, Gary Tomsic, and the City of

Blaine, Washington, for their support and for providing access

to the Blaine decommissioned airport runway and Mike

Haslip specifically for providing Figure 7. We thank Ingolf

Krueger for his guidance on understanding automotive architectures,

Cheryl Hile and Melody Kadenko for their support

on all aspects of the project, and Iva Dermendjieva, Dan

Halperin, Geoff Voelker and the anonymous reviewers for

comments on earlier versions of this paper. Portions of this

work was supported by NSF grants CNS-0722000, CNS-

0831532, CNS-0846065, CNS-0905384, CNS-0963695, and

CNS-0963702, by a MURI grant administered by the Air

Force Office of Scientific Research, by a CCC-CRA-NSF

Computing Innovation Fellowship, by a Marilyn Fries Endowed

Regental Fellowship, and by an Alfred P. Sloan

Research Fellowship.

REFERENCES

[1] Autosar: Automotive open system architecture. http://www.

autosar.org/.

[2] A. Bellissimo, J. Burgess, and K. Fu. Secure software

updates: Disappointments and new challenges. In Proceedings

of HotSec 2006, pages 37–43. USENIX, July 2006.

[3] S. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin,

and M. Szydlo. Security analysis of a cryptographicallyenabled

RFID device. In P. McDaniel, editor, Proceedings

of USENIX Security 2005. USENIX, Aug. 2005.

[4] Bureau of Transportation Statistics. National Transportation

Statistics (Table 1-11: Number of U.S. Aircraft,

Vehicles, Vessels, and Other Conveyances), 2008.

http://www.bts.gov/publications/national_transportation_

statistics/html/table_01_11.html.

[5] CAMP Vehicle Safety Communications 2 Consortium.

Cooperative intersection collision avoidance system

limited to stop sign and traffic signal violations

midterm phase i report, Oct. 2008. Online:

http://www.nhtsa.dot.gov/staticfiles/DOT/NHTSA/NRD/

Multimedia/PDFs/Crash%20Avoidance/2008/811048.pdf.

[6] CAMP Vehicle Safety Communications 2 Consortium. Vehicle

safety communications — applications first annual

report, Sept. 2008. Online: http://www.intellidriveusa.org/

documents/09042008-vsc-a-report.pdf.

[7] CAMP Vehicle Safety Communications Consortium. Vehicle

safety communications project task 3 final report,

Mar. 2005. Online: http://www.intellidriveusa.org/documents/

vehicle-safety.pdf.

[8] R. Charette. This car runs on code. Online: http://www.

spectrum.ieee.org/feb09/7649, Feb. 2009.

[9] DARPA. Grand challenge. http://www.darpa.mil/

grandchallenge/index.asp.

[10] A. Edwards. Exclusive: Twitter integration coming to

OnStar. Online: http://www.gearlive.com/news/article/

q109-exclusive-twitter-integration-coming-to-onstar/, Mar.

2009.

[11] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh,

and M. Manzuri Shalmani. On the power of power

analysis in the real world: A complete break of the KeeLoq

code hopping scheme. In D. Wagner, editor, Proceedings of

Crypto 2008, volume 5157 of LNCS, pages 203–20. Springer-

Verlag, Aug. 2008.

[12] P. Eisenstein. GM Hy-Wire drive-by-wire hybrid fuel cell vehicle.

Online: http://www.popularmechanics.com/automotive/

new_cars/1266806.html, Aug. 2002.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 15

[13] B. Emaus. Hitchhiker’s Guide to the Automotive Embedded

Software Universe, 2005. Keynote Presentation at SEAS’05

Workshop, available at: http://www.inf.ethz.ch/personal/

pretscha/events/seas05/bruce_emaus_keynote_050521.pdf.

[14] A. Goodwin. Ford Unveils Open-Source Sync Developer

Platform. Online: http://reviews.cnet.com/8301-13746_

7-10385619-48.html, Oct. 2009.

[15] T. Hoppe, S. Kiltz, and J. Dittmann. Security threats to

automotive CAN networks – practical examples and selected

short-term countermeasures. In SAFECOMP, 2008.

[16] S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and

B. Preneel. A practical attack on KeeLoq. In N. Smart, editor,

Proceedings of Eurocrypt 2008, volume 4965 of LNCS, pages

1–18. Springer-Verlag, Apr. 2008.

[17] ISO. ISO 11898-1:2003 - Road vehicles – Controller area

network. International Organization for Standardization,

Geneva, Switzerland, 2003.

[18] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch,

B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held,

A. Kung, and J.-P. Hubaux. Secure vehicular communication

systems: implementation, performance, and research

challenges. IEEE Communications Magazine, 46(11):110–

118, 2008.

[19] U. E. Larson and D. K. Nilsson. Securing vehicles against

cyber attacks. In CSIIRW ’08: Proceedings of the 4th annual

workshop on Cyber security and information intelligence

research, pages 1–3, New York, NY, USA, 2008. ACM.

[20] M. Mansur. TunerPro - Professional Automobile Tuning

Software. http://www.tunerpro.net/.

[21] M. Melosi. The automobile and the environment in American

history. Online: http://www.autolife.umd.umich.edu/

Environment/E_Overview/E_Overview.htm, 2004.

[22] S. Mollman. From cars to TVs, apps are spreading to the real

world. Online: http://www.cnn.com/2009/TECH/10/08/apps.

realworld/, Oct. 2009.

[23] L. E. M. Systems. PCLink - Link ECU Tuning Software.

http://www.linkecu.com/pclink/PCLink.

[24] P. R. Thorn and C. A. MacCarley. A spy under the hood:

Controlling risk and automotive EDR. Risk Management,

February 2008.

[25] Virginia Tech Transportation Institute. Intersection collision

avoidance — violation task 5 final report, Apr.

2007. Online: http://www.intellidriveusa.org/documents/

final-report-04-2007.pdf.

[26] M. Wolf, A. Weimerskirch, and C. Paar. Security in automotive

bus systems. In Proceedings of the Workshop on

Embedded Security in Cars 2004, 2004.

[27] M. Wolf, A. Weimerskirch, and T. Wollinger. State of the

art: Embedding security in vehicles. EURASIP Journal on

Embedded Systems, 2007.

[28] Y. Zhao. Telematics: safe and fun driving. Intelligent Systems,

IEEE, 17(1):10–14, Jan/Feb 2002.

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 16