No kidding, apparently, with most new cars that are based on electronic management of car functions, it's possible to reprogram the 'on-board firmware' of these functions. This shouldn't come as a surprise of course, as 'true hardware' functions are extremely rare these days (with very good reason btw), but somehow it still struck me as surprising. On the other side, it's also quite funny, yet at the same time quite disturbing, how easily this is done. All that is needed is knowledge of the protocols (which are publicly available), a brain that can handle and figure out what you're supposed to do (there are no online how-to-wreck-your-friends-car walkthroughs yet) and physical access to the car (thank god they haven't gone wireless yet, though it wouldn't surprise me if they did in a few years' time).
Once you're there, basically anything is possible: disable the brakes on the car once it exceeds 50 mph, no problem (this might not seem like a big deal in a manually shifted car if you find out soon enough, but fairly devastating in an automatic); turn on the heating once the external temperature goes above 20°C; permanently lock the doors once you turn the ignition; make the car go faster if you press the brake and slow it down if you press the throttle. You name it, anything goes...
source: http://arstechnica.com/security/news/2010/05/car-hacks-could-turn-commutes-into-a-scene-from-speed.ars

Researchers at the University of Washington and University of California-San Diego have examined the multitudinous computer systems that run modern cars, discovering that they're easily broken into with alarming results. Hackers can disable the brakes of moving vehicles, lock the key in the ignition to prevent the engine from being turned off, jam all the door locks, and make the engine run faster. Less dangerously, they can control the radio, heating, and air conditioning, or just endlessly honk the horn.
...
About the only thing it seemed they couldn't do was steer the car, and even that may be possible in high-end vehicles with self-parking capabilities.
The research makes clear that the embedded computer systems within cars, and the specifications they are built on, simply aren't designed with security in mind. The CAN protocol requires only minimal security, and the car and component manufacturers have done a poor job of implementing it. Even if they had done their job properly, however, many of the attacks are likely to have been successful anyway.
...
The researchers' dependence on physical access certainly reduces the scope of the attacks (though thanks to the convenience of the OBD port, not beyond what a valet or disgruntled spouse could achieve), but there's bad news on that front too: the researchers found that the wireless access to their car (like many, it had integrated Bluetooth and similar capabilities) was inadequately secure, and they could break in that way, too.
Figurative drive-by hacks where a system is exploited just by visiting a malicious webpage are commonplace. With research like this, it looks like they might be taking a turn for the literal. What a terrifying prospect.