The Shoddy State of Automotive Wireless Security
angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."
If the potential for misuse is minimal, then it's only common sense to make the tire communications simple and easy to troubleshoot, and to assign the security people to work on something that matters.
break
break!!!
Oh... sudo break.
Oh yeah, good thing RFID detectors are so freaking expensive. Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
We currently show you driving 95 miles an hour with four flat tires. Would you like to be routed to a service station?
...the government is tracking you already (where I live, toll tag transponders can be seen on telephone poles miles from the toll roads). If you have OnStar (even if it's "disabled"), GM can still locate your vehicle. I suspect it's even possible to monitor a vehicle's CANBUS for unique signatures that would identify a specific vehicle. Hell, your cell phone will give you up.
For some reason, I'm not too worried about the RFID tags on my tire valve stems.
Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called "THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.
Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Why bother with the tire pressure when you can make instruments give false readings, kill a car engine remotely or turn off the brakes?
Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, their dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.
How about a scam where the tyre pressure reading is intercepted to make the car tell you the tyre is flat? You get out to check and get carjacked?
http://snappeh.com/blog/ - My Blog, not that any of you care...
It will only change when they get hit with some financial loss because of this.
For example, all the ECUs tend to be insecure, so the interesting part is if the manufacturer will be hit with a high-$ civil suit after the first murder case committed by hacking a car's controllers to disable the brakes and airbags as soon as the speedometer hits 100mph.
They would want to know about changes so that they can guess where/when you have picked off or left off passengers or cargo.
FRA: STFU GTFO
Take the number of gadgets we expect to sell, A.
Multiply it by the probable rate of exploitation, B.
Multiply the result by the average out-of-court settlement, C.
A x B x C equals X.
If X is less than the cost of doing it properly, we do a half-arsed job instead.
I mean, anyone can program them to go to 20000th floor and we could end up in orbit or something.
"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,"
The issue described in the article is that you can identify the tires by their RFID tag. This means that you could track cars. The article completely fails to mention that you ALREADY HAVE A FUCKING LICENSE PLATE ATTACHED TO YOUR CAR! The license plate is a unique identifier required by law on all motor vehicles. Anyone who wants to prove you visited location XYZ is simply going to use a $20 camera and get a shot of your license plate. Yeah, getting readings with RFID is a little easier than setting up a camera and some plate scanning software, but neither one is very hard for someone who wants to track you.
As for "confounding" the control unit, that's not a problem with security, that's a problem with the fucking control unit. The article mentions that once they sent false data to it, they couldn't get the thing to work correctly even after rebooting it. Any device that can't handle junk data is worse than useless. Something being intolerant of noise is not a security problem, it's a stupid engineer problem. Sure, it might not function while you're jamming it with garbage, but if it fails to work after a reboot then you've done something seriously wrong.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
Tire sensors are built to run on battery for years. You can't easily get to them and change the battery, so these things are extreme low power devices. Each line of code for these controllers costs real world battery lifetime and shortens maintenance cycles. The same goes for extra crypto hardware: every transistor costs. So I'm not surprised that the protocol is not secured to oblivion. There simply isn't room for that unless battery storage capacities rise by an order of magnitude or two. So, a part of me wonders whether this researcher has had a look at the constraints of these systems and understood them before he tried to make the news.
Still, this is no excuse for being able to corrupt the receiving controller irreparably by some protocol error. These errors can occur normally as transmission errors, not just through deliberate attacks. This is where the sloppy engineering exists and the only part of the story that is actually newsworthy.
http://www.moonlight3d.eu/
... wake me up, I might be concerned about potential interference from hackers.
But giving false readings to the tyre pressure unit? Meh, who cares. I don't trust mine anyway and always check the pressures with a proper physical meter.
What next, a scare story about the door ajar monitoring system being compromised?
*yawn*
A colleague recently got a call from his wife: her car dash had lit up with warning lights. After about half an hour he traced it to a single fault: an under-inflated tire, presumably reported (correctly) by one of the sensors described in TFO. One tire warning light - OK so far. But the tire warning system had talked to the ABS system, which had decided for inscrutable reasons that it wouldn't work with an underinflated tire. And that had talked to the central monitoring system, which had turned on the "Safety Critical Fault" light. And maybe a few other things. The result was, like Three Mile Island, a single underlying fault had turned into a Christmas tree of warnings that an unskilled interpreter (the wife) was terrified of and a skilled engineer (my colleague, a very good hardware engineer) took half an hour to troubleshoot.
The point being that there is a possibility for a dangerous prank here. By fooling cars into thinking their tires are dangerously underinflated, you can give the driver a serious fright - with possibilities comic to the simple minded, but potentially dangerous if the driver is distracted or does something unexpected like braking to a sudden halt.
Consciousness is an illusion caused by an excess of self consciousness.
A friend's wife had a problem with her car which caused the dashboard to light up with multiple warning lights. My friend, a highly skilled hardware engineer, traced the fault after half an hour's work: a single underinflated tire, presumably reported by the sensors referred to in TFA. The tire sensor had turned on its own warning light - so far so good. But it had also talked to the ABS, which had decided to turn itself off, producing another red warning. And this had talked to the central monitoring system, which had flagged up a safety critical fault and ordered her to a garage. And maybe some other faults.
So a malicious prankster could suddenly turn on a christmas tree of warning lights on many passing cars, with results comic to some but potentially dangerous if the driver is distracted and/or does something unexpected like an emergency stop or a swerve to the shoulder.
Consciousness is an illusion caused by an excess of self consciousness.
If this encrypted ID works like most password hashes, it'll always be the same sequence, which is just as good for tracking purposes.
The researchers will present their findings at the Usenix Security Symposium,
At first I read that as "Unisex Security Symposium" and wondered why they would have a technical symposium for only one gender. On closer inspection I saw that was not the case, but that only raises more questions, like why the hell would they give their symposium a name that's an anagram of unisex?
... and then they built the supercollider.
Do they also drop when you point out the 3" tall sequence of numbers on the front/back of their car is unique to that car and easily readable by roadside cameras, the police or passers-by using built-in organic sensors?
No sig today...
Surely the best solution to this is no security at all and just use a very low power signal. How far should it need to go between the tyre and a fixed point on a car (a few cm at the most I think)? Would it even be possible for the sensor to be connected to the car's computer via a cable and just eliminate the wireless security hole? Then they just need to have the receiver ignore any signal with values outside the valid range.
Sorry but you will not figure out how to bomb an embassy by reading the tire pressure in my front left tire. All this is nothing but FUD and fear-mongering by a researcher that is late on the scene to automotive hacking. Many of us in the automotive hacking circles have done this stuff for well over 30 years. Now suddenly just because one guy who decided to make a lot of noise about it, it's a problem?
it is not a problem, ignore this attention whore.
You can't send a virus down the tire pressure comms channel to the ECM and cause the car to explode or disable the brakes. (Except for Toyota cars... JOKING!) and his demos with wirelessly changing the dashboard and other "hacks" are via a 3rd party wireless device he installed in the car.
If I buy a new Windows server and install VNC without a password can I demonstrate to the world how horribly insecure the newest Windows server release is? It's the same thing. Everyone glosses over the fact that none of his hacks are possible without having the target's car for a few days and installing a lot of gear in it.
The ONLY wireless OEM hack I have ever seen is the one where you blast mp3 files to Bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play Audi adverts to the guy.
Do not look at laser with remaining good eye.
As engineers, their dangerous enough...
So just like how Slashdotters have little motivation to think about spelling?
Well the entire A380 doesn't run on WEP, but the entire cabin entertainment system does.
And having been involved in other parts of the A380 design, I can tell you that data security problems were not even on the product development radar. Non-IT engineering companies view IT the same way that the rest of the world does and generally don't design against malicious uses, only accidental failures.
It just means you won't be able to get in touch with the helpdesk to reset your password so's you can get into your car and actually start it, and you'll likely die of thirst on a Death Valley crossing or freeze to death in some Minnesota winter right outside Frostbite Falls.
We need to get rid of the dealer lock-in and let any shop be able to fix the car.
This is the first time I have been rick-rolled in a text based fashion.
While it's true that ABS doesn't help, electronic traction control does indeed help significantly. It's also more expensive of course...
Actually, ABS doesn't always stop in a shorter distance. In gravel, sand, deep snow, and ice, ABS tends to increase stopping distance because locked wheels dig in and stop more quickly.
Studies were done in Munich comparing ABS and non-ABS taxicabs, and they found that accident rates were similar. It appears that the drivers with ABS took more risks. (http://psyc.queensu.ca/target/chapter07.html)
In 1996 the IIHS found that vehicles with ABS were less likely to be in accidents causing fatalities in other cars, and more likely to be in accidents causing fatalities in the car with ABS.
Electronic Stability Control on the other hand has been found to be effective at reducing accidents.
It's a lot cheaper to embed RFID readers in the roads as they get repaved than to install cameras at the same number of locations.
If I can shut your car off by sending it low-powered radio signals, that's a problem.
The ONLY wireless OEM hack I have ever seen is the one where you blast mp3 files to Bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play Audi adverts to the guy.
Where'd you find a BMW with factory A2DP?
That's the real problem. Until they started adding wireless, the cars were perfectly secured by simple physical means. Security on the wire was irrelevant since the wire was entirely within the car. If you could access the wire, you could just add a tracking device or cut the brake line.
Now that they're going wireless, security in the communication is starting to actually matter but they have no experience there.
What you're missing is that you don't need to worry about security when no security is needed. If you have a stand-alone PC that isn't networked, all the security you need is a lock on the door. Making the "tire low" light come on could do no damage; no security is needed there, either.
The trouble with security researchers is they think our homes all need doors like bank vaults and unbreakable glass in the windows.
Free Martian Whores!
They have to be wireless because TPMS sensors are actually INSIDE the tire (mounted to the inside of the rim or the base of the valve stem). Also, cars usually only have one TPMS receiver so each sensor needs to be able to transmit at least a few feet to reach a central point on the vehicle. Keep in mind, the "40 meters" cited in TFA is a maximum and not an average. 10 meters is probably a better average.
I think you have the most insightful comment of all. The problem with security people is that they see everything as a big security flaw and they will try to sell the idea of insecurity. That's where they get money from.
Before it was that they hacked the car's interface. Cars don't need important systems wired to insecure networks. I'd be more concerned if I could actually deflate the tire from the wireless network, which in any case would have to be some quite fast actuator.
People here complain about security and I bet their houses have glass windows that can be easily cut open and if they have alarms, probably they have wooden walls that probably anyone can just cut through.
Of course, your Bluetooth hack is a bug in the car's BT system. The system shouldn't be set to pairing mode unless it's manually initiated, so it shouldn't matter what the auth codes are. If the device wasn't previously paired, it shouldn't be accessible. Same issue as with the tires, it's not validating input properly because someone was lazy.
My blog. Good stuff (when I remember to update it). Read it.
The problem isn't with the engineers or their managers, it's with cost analysts that haggle over things as little as 1 cent or even 1/2 cent in cost to produce a part, all of which engineering time factors into. Good design of most parts takes a back seat to small amounts of savings per part and it's the same across all car manufacturers that produce large amounts of cars. It's kowtowing to investors trying to extract every dollar of profit out of their investment.
Look under the hood of any car, truck or van produced in the past 10 or 15 years and notice how compact everything is. That's not to improve handling or roll center. It's all to save as much material in building the car. If they could do it to the body of the cars they would, but they can't because they need to pass safety tests and people looking to mid and large sized vehicles are not going to buy them if they are too small.
All other things being equal, it'd be better to not have this vulnerability. Nevertheless, calling the state of automotive wireless security "shoddy" confuses the standards for security on the Internet and in our physical lives. Is the state of bike-locking security shoddy because someone with a few tools could strip off most of the value of the bike even if it's locked up, or that they can perform a DoS attack by beating the shit out of it with a crowbar? No, because in meatspace, trusting the people around us to be decent human beings is a key component of our security infrastructure. I don't walk around in laser-proof goggles just because someone might point a laser in my eyes; I just take a leap of faith and assume no one will do that. The calculus of security for the physical realm is utterly unlike that for the Internet. On the Internet, if there's something you're vulnerable to, there's an asshole willing to exploit that, and the fact that they are thousands of miles away doesn't prevent them from doing so; also, once someone goes to the trouble of writing, say, SSH, I can use that in place of telnet with no additional inconvenience, but countermeasures in physical life tend to incur expense and inconvenience (though this latter issue does not apply in the wireless tire case). E.g., bullet proof vests are not free, and they are bulky. So while using SSH instead of telnet on the Internet makes perfect sense, walking around in bullet proof vests does not, unless you are at some elevated risk of being shot at.
It all comes down to cost, security means more data to transmit. More things to transmit means more drain on the battery. More drain on the battery means a bigger battery is required. I personally don't want to have to take the tires off my car every year just to change the batteries in my TPMS sensors.
I would guess that your friend's car is a newer, probably upscale model - just the kind which might be desirable to carjackers. So, the M.O. would be something like: technically savvy carjackers cruise the freeway until they spot a target car, preferably one with just a driver (even better if female); apply a little remote hacking, leading to a confluence of dashboard warnings; driver is at least very concerned if not panicked, and pulls over at the next opportunity (bonus points if this is in the middle of nowhere); carjackers take car, and maybe engage in a little robbery/rape if it looks convenient to do so; in case of rape, maybe it's better not to leave a living witness (victim)...
Really, I'm not a bad person, I just play one online.
- T
Surely I'm not the only person who was shocked to learn that there are /wireless motherfucking sensors/ in the tires on new cars, with corresponding receiving equipment in the car itself.
Hell, I'm probably the tenth.
Still, it bears repeating: Why do we need /wireless motherfucking sensors/ inflating (hah) the cost of my tires and my car to tell me something I can check with a three dollar pressure gauge and three minutes?
There are plenty of mind-bogglingly stupid wastes of technology in existence, but this is the most outrageous I've encountered in weeks.
I'd assume the traction control system would correlate individual wheel drag with low-pressure tire information. Lower tire pressure = More drag. If it gets a reading that's very low, there should be noticeable drag.
Before we had pressure sensors in tires, we had traction control systems to let us know these things.
Who cares about security of tire pressure gauges sending to the car's receiver? Maybe it's such a nonsensical idea, that that's why there is no security. Surely there are better things to research in CS these days. Otherwise, I guess we can conclude that CS research is done and it's time to move on.