April 20, 2007 3:20 PM PDT
Don't let your navigation system fool you
Two Italian hackers have figured out how to send fake traffic information to navigation systems that use a data feature of FM radio for real-time traffic information. Using cheap, off-the-shelf hardware, they can broadcast traffic data that will be picked up by cars in about a one-mile radius, the hackers said during a presentation at the CanSecWest event here.
"We can create queues, bad weather, full car parks, overcrowded service areas, accidents, roadwork and so on," Andrea Barisani, chief security engineer at Inverse Path, a security company. "Traffic information displayed on satellite navigation systems is trusted by drivers. Normal people do not think that you can do nasty things."
Barisani and hardware hacker Daniele Bianco discovered that the system used by many navigation aides to get traffic data isn't secured. The data is sent using the Traffic Message Channel (TMC) of the Radio Data System (RDS), a standard way of transmitting data over FM radio also used to display station names and program titles.
With TMC, each traffic incident is sent as a TMC message that consists of an event code, location code and time details. The system is used throughout Western Europe, the U.S. and Australia.
The hackers wrote a program to decode the RDS data. "As far as we know it is the first open-source tool that tries to fully decode RDS information," Barisani said. They then figured out how to create their own TMC messages and broadcast those using an RDS encoder, an FM transmitter, an antenna and some other tools.
Barisani and Bianco found that navigation systems display different alerts based on codes sent via RDS. "The event table supports a number of security-related messages; we doubt anyone has used them so far," Barisani said. Those alerts include air raid, bomb alert, air crash and terrorist incident.
"Oh my God, World War III is happening on my way home," Barisani said after displaying a video in which the navigation system in his 2006 Honda Civic warned him of mayhem while he was on the way to Trieste, Italy.
The pair tested their work on a 2006 Honda Civic sold in Europe, but Barisani said navigation systems sold in Europe and around the world use the same method to get traffic data. A receiver inside the navigation system continuously scans radio frequencies for the information, he said.
TMC is also supported over digital and satellite radio, but it is harder for a hacker to send out data using those technologies compared with FM, Barisani said.
A new technology called TPEG, or transport protocol experts group, is ready to replace TMC, however that also doesn't support encryption for additional security, Barisani said. A more secure way of transmitting the data is provided in the U.S. by Microsoft, which operates DirectBand, a wireless datacast network that uses FM radio, Barisani said.
"We want to increase awareness about this," he said. "This is not the end of the world, but it is a nasty thing."
4 commentsJoin the conversation! Add your comment