The researchers claim that they have developed a system that can assume control of the different control systems in a car and force the vehicle to brake and/or accelerate against the driver's will.
The reason why car electronic computer units (ECUs) are open to attack by hackers, says Fortify Software, is that security issues were ignored at the car electronics software design stage.
In addition, says Fortify, the software security assurance specialist, the latest cars now come with as many as 50 or more interconnected computer systems – controlling everything from the brakes to the door locks and ignition system – and now that the vehicles are becoming wirelessly enabled, they are a lot easier to hack into electronically.
"It's interesting to see that the researchers have identified that most cars built since the late 1990s have a computer diagnostic port, since this port needs direct physical access to operate and therefore hack", said Barmak Meftah, Fortify Software's chief products officer.
"But now these systems are being wirelessly enabled and held together with several tens of megabytes of code, it's a relatively small step to modify the code and allow hackers an easy and wireless back door into a car's computer system", he added.
The hacking project was, says Meftah, no theoretical exercise, as the researchers were able to load new firmware onto their own circuit board and, by plugging the board into the car's internal network, translate the data flowing between the vehicle and a laptop.
This reverse engineering process allowed the researchers to develop a customised vehicle network interface and effectively take control of the car's electronic nervous system.
So far, so normal, the Fortify chief products officer says, but the killer hack was when the researchers were able to generate network commands wirelessly from another car.
"In theory this will eventually allow a wireless drive-by attack on the firmware of a car, to the point where its central locking and ignition protection systems can be disabled. A professional thief can then saunter up, open the car and simply drive off," he explained.
According to Meftah, car manufacturers should have foreseen the development of hacking attacks on their vehicle computer systems and built security safeguards into the firmware to stop this type of electronic hacking.
"It's all very well saying that the manufacturers should enhance the security of their car computer networks and the protocols used, but this potential fiasco could have been avoided if car developers had built security in from the ground up on a vehicle's electronics systems", he said.
"That way, if someone were to hack into the electronics, the car's central nervous system would realise it was under attack and take appropriate action, such as immobilising the vehicle", he added.
Meftah says that, when you consider the high standard of IT defences that a typical office server has built in, it seems strange that something like a car – which costs ten times the price of a server, and then some – does not have similar levels of protection.