Slashdot Mirror

← Back to Stories (view on slashdot.org)

Car Computer Systems at Risk to Viruses

Posted by timothy on from the mine-sure-isn't dept.

datemenatalie writes "According to CNN, car computers are now at risk for potentially system-crippling viruses. According to the article, "The first mobile phone virus, Cabir, has spread to over 20 countries, ranging from the United States to Japan and from Finland to South Africa, using only Bluetooth." Though the problem isn't anything too serious yet, expect a slew of car anti-virus products to be lining the shelves before you know it."

42 comments

  1. Didn't we already get over this scare once? by bersl2 · · Score: 1

    Too lazy to go looking, but this feels like old news.

    1. Re:Didn't we already get over this scare once? by optikSmoke · · Score: 1

      You mean this?. They tried to infect a Prius with Cabir and managed only to run down the battery because they left the care on too long.

    2. Re:Didn't we already get over this scare once? by spectral · · Score: 1

      Yes. And, in fact, the Prius (and thus any Toyota/Lexus) was tested with everything thrown at it, and nothing infected it.

      Please people, just because something has bluetooth doesn't mean it's fucking retarded/broken.

      There was a bug in one vendor's support of bluetooth that allowed it to accept things without proper authentication/confirmation. One still had to RUN the program MANUALLY before it would 'infect' you and begin attempting to infect others.

      My car does not offer any way to get to the files stored on it. I don't THINK it accepts anything other than vcards, but I don't know for sure. So, I'm safe there as well.

      The fact that it would 1) have to be custom made for the hardware in each individual car system (though since they're standardized by auto manufacturer this doesn't create TOO much of a hassle), 2) exploit an 'auto execute' bug, 3) exploit a 'receive this without being told to' bug, 4) be right next to your car long enough to pair AND transfer, while your car is ON, causes this to be a VERY VERY VERY unlikely method of attack.

      And don't even get me started on antivirus shit. I've seen what Norton Antivirus does to my desktop PC (or at least did, back when it still was Norton.. maybe Symantec's cleaned up a bit), I'd rather trust my car to people I don't know rather than cripple it intentionally with something from someone I know can't be trusted with it.

    3. Re:Didn't we already get over this scare once? by Eivind · · Score: 1
      There was a bug in one vendor's support of bluetooth that allowed it to accept things without proper authentication/confirmation. One still had to RUN the program MANUALLY before it would 'infect' you and begin attempting to infect others.

      Yes, but it was coupled with a stupid design that virtually guaranteed that many would fall for it;

      • Alertbox comes up: "Do you want to accept ? [Yes] [No]"
      • User selects "No"
      • Two seconds later (since the infected device is still in range) the same alertbox comes again. And again. And again.

      People are used to those, they'll quickly get the idea that "No" doesn't work and only clicking "Yes" will make the pesky alertbox go away (which is what they want, they don't care what the box says or why it's there, they only want it to go away so they can go on with whatever they where doing)

    4. Re:Didn't we already get over this scare once? by spectral · · Score: 1

      That I didn't know. How annoying.

  2. The best defense... by rednip · · Score: 1
    expect a slew of car anti-virus products to be lining the shelves before you know it
    More like law schools/legal seminars gearing up for another angle to sue the car companies and a new defense against speeding tickets. "...because my client's car was infected by ...., he lost control and is not responable, but ... is responsable".
    --
    The force that blew the Big Bang continues to accelerate.
  3. another reason I can be snobbish! by ArmorFiend · · Score: 1

    Yet another reason not to drive. Wake me when they have bicycle virusues!

    1. Re:another reason I can be snobbish! by daeley · · Score: 1

      If they ever have bicycle viruses, I think I would prefer to be put to sleep. :)

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    2. Re:another reason I can be snobbish! by Anonymous Coward · · Score: 0

      It makes the seat disappearing and it remainis only the pipe...

  4. This could be for real... by pdabbadabba · · Score: 1

    I drive a 2004 Saab 9-3. Since buying it a year ago, it has been back to the dealership three times. In all three of those cases, there has been nothing physically wrong with the car; the software on various parts of the car was just buggy and needed to be patched. That being said, I'm not sure how that sort of virus would spread. Maybe a car could infect the diagnostic computer at the dealership which would then infect other cars? Just a thought...

    --
    caritj.org
    1. Re:This could be for real... by Xetrov · · Score: 1

      Yeah... Or not.

      I bet you watched Independance Day and didn't have any problem with it.

    2. Re:This could be for real... by Anonymous Coward · · Score: 0

      You're right. The two are clearly the same.

    3. Re:This could be for real... by Grab · · Score: 1

      Yep, there are certainly bugs in engine control software. It's software, that's life. If this concerns you, I'd advise you not to buy any model of car within the first two years of it coming out. And note that's "model" - so a 1.6 litre is a different model from a 1.8 litre. It's not uncommon that the engine controllers for different sizes of engine will have been developed by different people - they don't necessarily share software or even hardware. So make sure the model of car you want has been around for a little while before you buy it, and by then it should be OK.

      If you don't, you can usually get free software upgrades as you need them (for definite if your car is still under warranty). If you've got a new model of car, it's a good idea to check this periodically anyway, even if you're not having problems with it at the time. The problems may be related to some specific case such as unusual environmental conditions, so it might run fine right up to the point it dies horribly in the middle of nowhere! :-/

      Grab.

    4. Re:This could be for real... by Eivind · · Score: 1

      or be like certain Octavias where a software-upgrade increased mileage at subzero temperatures from something like 30 mpg up to almost 40, a very worthwhile fix if you happen to live somewhere cold.

  5. Bull by Monte · · Score: 1

    Unlike software companies that have cutsie little "if it hoses you up beyond all hope that's just tough noogies for you" license agreements, car companies will be held liable for anything that goes wrong with a car due to hacking.

    Which is why, in the final analysis, this "vulnerability" is bullshit. Microsoft can get away scott free with releasing a shoddy product that's compromised 12 minutes after starting, General Motors can't.

    1. Re:Bull by Curmudgeonlyoldbloke · · Score: 1

      That's a very good point. Who's going to go into a car dealership and buy a new car "as is"?

  6. This can't be right by ReformedExCon · · Score: 1

    I was under the impression that cars typically had at least two computer systems. One for the in-cabin niceities like A/C and Audio, and another totally separate system for the engine. Has there been some sort of merging of these two systems recently?

    The "comfort" system may need Bluetooth to talk to personal devices to download music, among other tasks. But what possible reason could there be to have the engine system talking to the comfort system? They would seem to be two totally different areas without any relation to each other.

    The article is pretty vague about the consequences, but it does include a quote from a Symantec engineer who thinks it is possible that the engine system could be infected. I just don't see that happening.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:This can't be right by Goeland86 · · Score: 1

      I think there is at least one way communication. For one thing there's the annoying beeping when the driver's seatbelt isn't engaged, then there's the fact that the cabin lights switch off immediately when the doors are closed and the engine is running, whereas they'd stay on for a little bit if the engine is off. Or at night, when your lights are on, the "comfort panel" is turned on as well. So there's gotta be some communication at least one way. To imagine a two-way system isn't unimaginable either.
      At least to me it kinda looks possible, while not really justified.

      --
      ---- I am certain of only one thing : I know nothing else.
    2. Re:This can't be right by Curmudgeonlyoldbloke · · Score: 1

      Unless anyone can quote an example to the contrary, I can't see a situation where any in-car system allows code to be uploaded easily or by accident - or even how an attack such as a buffer overflow could be used to infect the engine management system et al.

      However, car manufacturers want to save money and using one data path through the car would do that.

      There were certainly similar concerns a few years ago (around the time that people started chipping Sierra Cosworths - that shows you how long ago this was) that since the ABS and engine management systems were interlinked, screwing around with the former (by remapping it) "could" (in the mind of some journo down the pub who needs to get some copy in by 4pm) affect the latter. Whether it ever did or not was a different matter.

      The cars that I'm familiar with are all highly modular all have audio that works independently of climate control, and independent again of control of stuff like the 4wd system, EMS, ABS, EBD and all the other TLAs that modern cars tend to have. The reason that it's all modular is simple - you can get different versions of the same car with or without 4wd or climate control. I know that some manufacturers in some models (BMW springs to mind) use embedded versions of Windows to control the in-car bits and bobs like sat nav etc, but I suspect that this has little connection with the EMS other than indicating "sport mode" etc. I don't have a BMW and so can't verify this, though.

      Also, engine management systems are designed to cope with analogue sensors that fail, and cope with "unexpected input" by moving to a "get you home" mode. Problems with other computer systems are often caused by failure to predict unexpected inputs.

      I suppose that it's feasible that a badly setup bluetooth phone could allow the radio volume to be turned off by an "attacker", but I can't see much else happenning.

    3. Re:This can't be right by Grab · · Score: 1

      "I am very sure that you will be still able to drive your car on your own," said Symantec Corp's mobile virus specialist Guido Sanchidrian.

      Are we reading the same article? ;-) The guy claiming things could be infected is Kaspersky, who apparently knows shit about automotive systems.

      FWIW, air-con is usually run by the engine control system. The simple reason for this is that to use air-con, you need the engine on. Also the air-con puts a significant load on the engine, so the engine controller needs to know how much extra fuel to add to keep the car idling smoothly, otherwise you'll get sudden dips in engine RPM at idle as air-con turns on and off. But you're right that there are always separate systems for engine control and random interior stuff.

      Re things talking, they'll only talk over a CAN bus (or MOST, LIN or something similar). Things do generally need to talk: a good example would be a car radio that turns the volume up as your speed increases. But they'll only talk using a protocol in which data is sent in packets and the meaning of every byte of the packet is defined *exactly*. There's no scope for random connections or uploading/downloading. As you say, it ain't happening.

      Grab.

  7. It's not quite black and white.... by 8086ed · · Score: 1

    It's not that simple, though. Microsoft isn't liable for peoples' lost property, time, financial status, jobs, etc, but car companies have always been liable for defects. Is a vulnerability a defect? Is it the infector's fault if they inadvertently infect the vehicle? And furthermore, what kind of true hacker would put people's LIVES in harm's way. That's just sick. As far as car anti-viral solutions, opening up the car to third party software like that would only make the problem worse; allowing third party apps that can control other systems is only ADVANCING the threat of viruses.

  8. Yes. by Saeed+al-Sahaf · · Score: 1

    And for the reasons that the parent talks about, though I am assuming out of my ass, I would guess that the car companies and their suppliers have much more rigerous code testing than the average (or in Microsoft's case, below average) software house.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  9. Why not keep the car's sytem stand-alone? by doc+modulo · · Score: 1

    A quote from the article:

    ""If the smartphones and on-board computers have the same channel to transfer the data ... sooner or later the hackers will find the vulnerability in the operating systems of on-board computers and ... will definitely use it," he added."

    Although that quote was a guy from Kaspersky, an anti-virus company which I've heard fearmongering on another subject.

    However, below that is this juicy bit:

    "Bluetooth is used in car electronics interfaces for monitoring and service.

    Carmakers say they use the most sophisticated protection for safety equipment such as airbags or motor controls, whereas infotainment systems so far have less stringent safeguards."

    I really really want the vehicle's automotive computer systems to stay stand-alone. I don't think there's any reason for, let's say, engine control to have a wireless interface to the outside world. Maybe only tire pressure sensors need wireless. I want the steering, accelleration and braking to be completely cut off from the outside world except for a physical port which is behind a panel with a lock.

    There's going to be more and more "drive by wire" in future cars and there'll come a day when braking isn't hydraulic and in direct connection to your foot anymore. I think some electric or hybrid cars already "brake" by using the electric engine as a dynamo. Great cover for an assasination hehe!

    Of course you'll want the minimum of feedback from the core systems for diagnostics or in case of an emergency, but the interface to those functions should be physical, like a button and a wired-up screen. Not a data connection like Bluetooth!

    Reminds me of this story about a very computerized car like a Prius or something going berserk and gunning the accelarator on it's own. The driver claimed that he burned out the brakes and after that could only weave to avoid traffic LOL. Later the story turned might have proven a hoax. I guess he was joyriding (after thinking up a good excuse), a negative-pr puppet hired to discredit the manufacturer or bought off to retract his story or whatever (forgive me, I've just read an episode of "Ghost in the Shell 2" hehe).

    So stand-alone automotive systems please. And none of this: "we'll just use the data cables for both the core- and the entertainment system" just to save on wiring (money) and don't even go near wireless!

    The only way I can see this happening is when EVERYBODY will point and laugh at the first sucker and manufacturer who's car has been infected by a virus. In other words a hugely negative PR effect in that case. Otherwise they might just put the risk into a giant bean-counter equation and calculate the cost of a fatality lawsuit compared to the savings on car wiring. Reminds me of "Fight Club". Screaming your lungs out while trapped in a burning car **shudder**

    --
    - -- Truth addict for life.
  10. To the virus friendliest OS and its addicted users by Device666 · · Score: 1

    Yeah, embedded Windows is playing with fire. Please put it in your car, please do all those stupid things. It doesn't matter if I would encourage Microsoft to make their crappy ill product that is so friendly to virusses, they will making it anyway. But when I know their would be a car that runs embedded GNU/Linux or GNU/FreeBSD (or in the future GNU's HURD) then I would buy a car. Now I simply and boldly refuse to do so.

  11. What OS'es are affected? by bergeron76 · · Score: 1

    We're running Linux on ours. I'm not being elitist here, I'm just wondering what OS'es are afflicted by this.

    I assume it's not a flaw in Bluetooth, because it would be much more pervasive. AFAIK, BMW's flakey iDrive system runs Windows - and I'm not saying it's flakey because it runs Windows. I'm saying it's flakey because of telematics industry reports about it. Any correlation is probably/likely just a coincidence.

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
    1. Re:What OS'es are affected? by Spoing · · Score: 1

      Nice choice of icons :/

      http://www.dashpc.com/show_picture.php?id=2285

      Personally, I would have gone with one of these sets;

      http://art.gnome.org/themes/icon?sort_by=add_times tamp&thumbnails_per_page=1000&view=list&order=DESC

      http://kde-look.org/index.php?xsortmode=high&page= 0

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:What OS'es are affected? by gl4ss · · Score: 1

      NO FUCKING CAR IS REALLY AFFECTED BY CABIR. the article is about that something COULD happen IF the systems were interconnected.

      at worst it's bluetooth subsystem might accept the transfer, certainly it doesn't run symbian and autoinstall the application.

      the whole fucking article is bullshit - like 99% or phone and bluetooth virus articles. all they serve as is PR pieces for the antivirus industry - if you look at the article it's just fsecure and other av companies doing pr, MYSTIFYING VIRUSES is their business and bullshit is their weapon(why would they try to infect a prius with a symbian program? are they crazy or just wanting free publicity? yeah, publicity.).

      --
      world was created 5 seconds before this post as it is.
  12. Thanks by Anonymous Coward · · Score: 0

    I was worried this anti-Microsoft discussion was going to turn into one about how car computer systems are potentially vulnerable to viruses.

    Thanks a ton for steering us back on track.

    Here's a good Microsoft joke:

    Q: How much does Microsoft suck?
    A: Probably a lot!

    1. Re:Thanks by Anonymous Coward · · Score: 0
      I was worried this anti-Microsoft discussion was going to turn into one about how car computer systems are potentially vulnerable to viruses.

      Thanks a ton for steering us back on track.

      No problem, glad I could help.

  13. This is just stupid by Ridgelift · · Score: 1
    The worst that could happen is that the computer's control of engine performance and emissions, navigation and entertainment systems cease to function. That would probably mean an annoying trip to the repair shop or having to reboot the system.
    This is just stupid. Never happen. Car manufacturers who build cars that can be "infected" will be avoided like the plague in the marketplace.

    The public simply won't buy a car if it can be infected by a virus. In the PC world, people don't have a choice, they have to buy Microsoft Windows if they want to buy cheap and compatible. In the automotive industry it's a totally different situation.
    --
    Ruby on Rails Screencast
  14. Even technically inclined peole are just stupid by Anonymous Coward · · Score: 0

    Any number of leet brainy folks are willingly buying modern cars that can be remote controlled turned off and have the doors lock. The feds and cops really want that 'feature", and they sell it by calling it "security" for you. Pretty soon it will be mandatory for all new cars sold in the US. And other little gems like RFIDs in all the tires sold.

    Bottom line is, people purchase what is on the shelves or at the dealers. And if you are always buying new, you are getting pwned.

  15. Ladies and gentlemen of the jury, by Anonymous Coward · · Score: 0

    The evidence will show that the plaintiff could not possibly have sustained such serious neck and back injuries in a mere 30 mile-per-hour rear-end collision. More importantly, the evidence will show that my client was not negligent and did not cause the accident. Instead, the evidence will show that my client's vehicle acquired the GM.DriveTrain.A virus by merely driving past the Alexis Park Hotel on July 31, and this caused the gas pedal to floor unexpectedly at the intersection in question. How is this possible? you ask.....

  16. Absurdity by dalutong · · Score: 1

    This is absured.

    The first 9 stories on slashdot have 0 comments above a 3.

    And the first story that has a non-zero value has over 700 comments, and it only has 5!

    --

    What comes first, finding a teacher or becoming a student?
    1. Re:Absurdity by advocate_one · · Score: 1

      weird isn't it... it's as if they're seriously cutting back on the mod points...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    2. Re:Absurdity by Spoing · · Score: 1
      weird isn't it... it's as if they're seriously cutting back on the mod points...

      While I don't have any now, I'm constantly getting mod points. 1-2x a week, usually.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  17. I don't think so. by Johnno74 · · Score: 1

    I'm guessing car makers will be putting in all sorts of restrictions in their cars to prevent you installing any unauthorised (by them) code.

    It will probably be something like today's consoles, where the code has to be signed by the manufacture, locking out any homebrew apps - and most likely enthusiasts will find ways to "mod" their cars to allow modifications & additions to the car's software that the manufacturer never intended.

    So the possibilities of code "accidentially" being run on your car will be remote.

  18. Relax by Anonymous Coward · · Score: 0

    It can't do anything serious. It can only crash the system. Oh wait...

  19. Beliefs by gidds · · Score: 1
    In the PC world, people don't have a choice, they have to buy Microsoft Windows if they want to buy cheap and compatible. In the automotive industry it's a totally different situation.

    That's a pretty big 'if' there. There are alternatives: Macs are at pretty comparable prices, and can do the majority of things people use PCs for; Linux isn't too complex for a fair proportion of people to install and use, and again, it can do a fair proportion of the things people use PCs for.

    Now, obviously, neither of those is a no-thought-needed drop-in replacement; either will need a minimum investment of time and brainpower learning how to drive the system and transfer data and tasks. But compared to their current userbase, a much greater number of people could manage to do so.

    The fact that they don't do so means that people aren't troubled by viruses, crashes, &c enough to put in that minimum investment; either they don't believe that things are significantly better on those other platforms (maybe they've come to believe that viruses and crashes are just part of How Computers Work), or they believe that the effort needed to switch is too great. Or they just haven't thought about it. Of course, to us geeks, it seems as if those beliefs are both completely unfounded and misguided; but maybe we should be putting more effort into working out why people have them, and whether/how we might change them?

    When it comes to cars, people value security and reliability, even over the latest, shiniest, fastest models. Why do they not apply the same values to computers?

    --

    Ceterum censeo subscriptionem esse delendam.

    1. Re:Beliefs by Anonymous Coward · · Score: 0

      but macs are no pcs

  20. Great... by jonadab · · Score: 1

    Cars were't dangerous enough otherwise.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  21. Slashdot is Broken by mkcmkc · · Score: 1

    Yeah, I noticed that, too. Slashdot is broken...

    --
    "Not an actor, but he plays one on TV."
  22. Not MY car by k4_pacific · · Score: 1

    You know, the more I hear about stuff like this, the more I like my '71 Ford. Sure I had to spend a week replacing the timing gear, and another week fixing the oil pump after it sucked up parts of the old timing gear, but it least it doesn't get viruses.

    --
    Unknown host pong.