
Car hacking in the spotlight at Security Summit


Johannesburg, 03 Mar 2014
Chris Valasek, director of security intelligence at IOActive.

On the agenda at the forthcoming ITWeb Security Summit, to be held in Sandton, in May, is a car hacking demonstration by Charlie Miller, security engineer at Twitter and four-time winner of the CanSecWest Pwn2Own competition, and Chris Valasek, director of security intelligence at IOActive. They will describe the controller area network (CAN) architecture present in most vehicles today, and show how it is possible to manipulate the systems to control a vehicle. In the demonstration at DefCon in Las Vegas last year, they proved it is possible to hack a vehicle to cause it to accelerate, brake - or not brake - or even take control of the steering, lights or fuel gauge.

Miller told DefCon that the car hack project had stemmed from research papers published from 2010, which claimed it would be possible to remotely access vehicle CAN buses through the car's Bluetooth stack, or by inserting a CD that exploited a vulnerability in the sound system. Miller and Valasek aimed to replicate the research with a view to releasing their findings.

Miller said: "It was actually super-hard." They bought two cars - one capable of parking assist, which controls the steering wheel, and one equipped with lane keep assist, a pre-collision system and intelligent park assist. They managed to remotely control aspects of both vehicles. "The scariest thing for me was the steering," he said. With the right combination of instructions, it is possible to confuse the vehicle's safety checks and interfere with the steering, even at high speed. "The more electronics in the car, the more we can do as attackers," he explained.

A 100-page paper released after the hacking project outlined the vulnerabilities that Miller and Valasek found.

Now in its ninth year, the ITWeb Security Summit is southern Africa's premier information security event for IT and business professionals. The Security Summit is endorsed by ISACA and (ISC)² Gauteng Chapter and will be staged at the Sandton Convention Centre from 27 - 29 May.

In over 30 sessions presented in tracks for either senior business management or IT security professionals, information security professionals will examine the risks facing enterprise information systems today, and the strategies and technologies needed to counter them. In-depth workshops will also be presented on day three of the event, offering practical training on security status reporting and testing Web applications for security vulnerabilities.

For more information, go to www.securitysummit.co.za. Join the conversation on Twitter #itwebsec.


Editorial contacts

Leigh Angelo
ITP Communications
(011) 869 9153
leigh@tradeprojects.co.za