Testing Out Cell-Phone Viruses on a Prius

Mikko Hypponen writes "Couple of months ago there were rumours floating around that Bluetooth viruses could infect the on-board computers of some Lexus cars, or at least cause some visible effects on them. We took a Toyota Prius to an underground bunker and tested various Bluetooth mobile phone viruses and assorted Bluetooth attacks against the onboard computer. Results were somewhat surprising. It came as no surprise that we could not infect the car, but the Prius performed in the test even better than expected. No matter what we did the car did not react to the Bluetooth traffic at all. Cabir tried to send itself to the car and the car just did not allow the Bluetooth OBEX transfer to happen. Then, the whole car crashed (but not because of a virus)... Full story with pictures in our weblog."

what a shitty error message

[RevDobbs]

Granted, the transmission may not be working -- but there should be a diagnostic saying "OMFG Battery Voltage Low" first. If you lost your arms in an industrial accident you don't start by telling the doctor that you have a hard time holding pens...

Re:what a shitty error message

[Eivind]

From an automotive safety standpoint, a malfunctioning park interlock system is pretty close to the top of the list of bad things.

Agreed. So when it happens, it should probably be displayed, even if that means hiding other, less important error-messages.

However, this also means it *shouldn't* be happening as a result of something common. A low battery-voltage is a pretty common error-scenario. To have something dangerous happen as a result thereof is simply bad design.

If they do keep this bad design, then including the reason in the error-message would also be a good idea:

Warning: The low battery voltage causes the park-interlock system to behave abnormally ....

This would atleast give the driver some idea what is going on.

Re:Still At Risk

[RevDobbs]

Yes. Most cars in park with the key, accessories, and god know what else on -- but the engine not running -- will drain the battery eventually. It's called the "I locked my keys in the car"-DOS.

Re:Still At Risk

[RevDobbs]

It's a very interesting idea to DOS a car.

A much easier to execute Denial-of-Service would be to slash the tires, doncha think? Only takes about 45 seconds to get to all four of 'em, it isn't terribly noisy, and I've never been caught doing it.

I mean, it seems like that detection would be very unlikely.

Virus that pummels users into submission

[G4from128k]

TFA, further down the page, describes the user experience of a Cabir infection. The recipient must click "yes" a number of times to accept the unknown transmission, install the unknown file, and bypass a security warning about installing something from an unverified supplier. Why do people click "yes" to all this? Because if you click "No" the virus keeps trying to install itself and pester you with the messages.

Definitely reminds me of "Abort/Retry/Fail" error message of so long ago. The first time you ever see the message, you hit "retry" a few times hoping it will work. Eventually, the computer teaches you to never try "retry" because it only puts up the error message again.

This virus is social engineering at its best, just like the whiny kid in the grocery store. Keep pestering until they say "yes."

Re:Virus that pummels users into submission

[AdamWeeden]

This virus is social engineering at its best, just like the whiny kid in the grocery store. Keep pestering until they say "yes."

Except that you can't take the virus to the frozen foods aisle and beat it with a loaf of frozen bread to get it to shut up. :)

Crashed?

[SleepyHappyDoc]

Perhaps it's time to find a less ambiguous word to describe a system failure. I'm sure I wasn't the only one whose first glance at the article caught a much different meaning than was intended. Crash works fine in contexts where it doesn't already have a use, but when you refer to cars or planes, it does.

Re:Dumb and dumber...

[thegrassyknowl]

Trying to infect Prius with a Symbian "virus" is like trying to infect a tree with a choc chip cookie . Hey I can come up with a better one - it's like trying to infect shampoo with a book on eating disorders (now go picture that in your head for a second).

A lot of these embedded machines run Java-based software now. If it can run Java it doesn't matter what OS is underneath it. Sure, the JVM and the OS may have differing levels of protection depending on the device, but as I said... Java is the key.

From what I understand (from my limited reading becuase I don't really give a flying fuck... nothing I own has Bluetooth for a very good reason) these cellphone virii rely on the Java compatibility to work.

From the site:

In February we published an official statement from Toyota that Lexus does not use Symbian OS, and thus cannot be infected by any of the Cabir variants.

However a mobile worm infecting a car is a thought that one cannot let go easily, and even as we knew that the car cannot be infected, this was something that just had to be tested for real.

So they already knew it isn't possible to infect the car. That much is clear. Now, Toyota could have lied about the OS it runs, and the car may have been vulnerable. You never know for sure until you try these things.

It was still an interesting experiment because they discovered a few flaws in the Toyota Bluetooth system - the corrupted phone name that froze the display and the flat battery wasn't properly handled by the system.

So, saying this was a stupid experiment is really stupid in itself.

Re:Interesting...

[Fizzl]

It looked like a decomissioned military underground hangar. We have those here in Finland mined all over the bedrock. (And F-Secure is a Finnish company)