Computer engineering major exposed security vulnerabilities in vehicles at Car Hacking Village presentation attended by senior U.S. government officials
The National Highway Traffic Safety Administration estimates the cost of vehicles stolen in the United States to be $7 billion. UMass Dartmouth computer engineering major Ayyappan Rajesh ’24 is working to reduce—and perhaps even prevent—those thefts from occurring.
For a cybersecurity whiz like Rajesh ’24, looking for vulnerabilities in wireless and automotive systems can be fun and has led to scholarships and recognition at international cybersecurity conferences.
Rajesh ’24 presented his research on attacking vulnerabilities in remote keyless entry systems on cars at DEFCON, the world’s largest hacking conference that draws 25,000-30,000 attendees annually, including government agencies. The research began as a project for his Cyber Threats and Security Management (ECE 488) class with ECE Professor Hong Liu.
In his research presentation, “Security like the ‘80s: How I stole your RF,” Rajesh demonstrated the vulnerability of a 2018 Honda to several thousand attendees in the Car Hacking Village at DEFCON. Present were the Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and the National Cyber Director John C. Inglis, primary cybersecurity advisor to President Joe Biden, who gave Rajesh a challenge coin in appreciation for his expertise.
Using a HackRF One or Flipper Zero device, competitors can capture the vehicle’s radio-frequency transmission and decode how it works. Once hackers determine how data is transmitted, they can look for vulnerabilities within the system and exploit them to their benefit. According to Rajesh, the ability to fix the vulnerability for this vehicle was developed 20 years ago but is not widely implemented. Several other brands are vulnerable to the same security attack.
At the Car Hacking Village, where hackers attempt to exploit vulnerabilities in cars to find hidden flags, Rajesh also contributed to the Capture the Flag Challenge. In this event, teams of hackers must reverse engineer through multiple challenges in order to get the flag. A team from General Motors won the challenge this year.
Rajesh, a native of Mumbai, India, developed his interest in cybersecurity years ago by watching DEFCON talks and Samy Kamkar’s videos, specifically the OpenSesame attack, in which Kamkar opened certain garage doors in seconds. “While I did not understand how it worked back then, curiosity fueled me to learn how I could do the same,” Rajesh said.
“I'm passionate about wireless as well as automotive security,” he added. “I am currently collaborating with other researchers in the same field to build a database of every single vehicle affected worldwide. Given that there are several brands out there and the build and technology in them could vary from country to country, we are helping people who are interested in testing their own cars to report back to us. We get information on almost every car out there so that automakers could mitigate such security issues in the next generation of cars.”
Rajesh also received the student scholarship to attend the Black Hat USA 2022 conference in Las Vegas, where he was allowed access to the business presentations and had the opportunity to interact and network with several executives from various cybersecurity companies. This month, his research was presented on the main stage of the virtual ROOTCON16 Conference, a security conference held in the Philippines. He will attend GrrCON and will continue to volunteer with the Car Hacking Village.
He serves as president of the UMassD Cyber Security Education Club (CSEC) 2022-2023 E-board. Liu has advised the club since it was founded in 2015.
“My experience here at UMassD and the College of Engineering has been nothing short of amazing,” said Rajesh. “The professors here are very supportive, knowledgeable, and approachable. I was able to get help from several of them such as Professors [Lance] Fiondella, [Dayalan] Kasalingam, [Hong] Liu, and [Ruolin] Zhou, who are experts in their fields. The curriculum has been very helpful as well and allows me to understand how things work so I could identify potential vulnerabilities in them.”
Rajesh’s future plans include researching more about weaknesses in autonomous vehicles. He plans to work in the cybersecurity industry. “Growing up a cybersecurity enthusiast, my dream has always been to make a significant contribution to the field,” he said.