The Shoddy State of Automotive Wireless Security

← Back to Stories (view on slashdot.org)

The Shoddy State of Automotive Wireless Security

Posted by Soulskill on Monday August 9, 2010 @07:54PM from the can't-wait-for-toyota-two-point-oh dept.

angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."

45 of 260 comments (clear)

Probably the right design choice by Beryllium+Sphere(tm) · 2010-08-09 20:02 · Score: 4, Insightful

If the potential for misuse is minimal, then it's only common sense to make the tire communications simple and easy to troubleshoot, and to assign the security people to work on something that matters.
1. Re:Probably the right design choice by pwagland · 2010-08-09 20:24 · Score: 5, Informative
  
  That is a valid point about the communications, however, from the article, if incorrect data is sent by something pretending to be the tire gauge, it was enough to corrupt the controller to the point where even a simple reboot was not enough to fix it. It had to be replaced by the dealer. Certainly resources need to be allocated wisely however when the device crashes due to invalid inputs, that is at best annoying, at worst very expensive to repair.
2. Re:Probably the right design choice by DDLKermit007 · 2010-08-09 21:15 · Score: 4, Informative
  
  Actually this is all old hat at this point. This guy is just stealing from a Def Con talk which needs attribution to Mike Hertzfeld. I was at the talk that first brought this about. It was a little jaw dropping. He came up with ways to track people around cities using the information from the systems. That in itself isn't so bad since almost everyone has Bluetooth and/or active wireless scanning enabled on their phones, but I digress (the police use this method already since it requires no court order). The really meat & potatoes was where if he flooded the system with garbage data over the wireless something interesting happened, the car shut off. Thats the real crazy part to me, that the system is that vulnerable.
3. Re:Probably the right design choice by AK+Marc · 2010-08-09 21:36 · Score: 3, Insightful
  
  And that goes back to input checking. Never trust your inputs. It's possible that interference could create the same pattern, so they should filter the inputs. But, security isn't needed. Just high school level programming basics. (security could reduce the possibility of bad inputs, but never assume valid inputs when you could just as easily check them)
  
  --
  Learn to love Alaska
4. Re:Probably the right design choice by mcgrew · 2010-08-10 01:49 · Score: 2, Insightful
  
  Certainly resources need to be allocated wisely however when the device crashes due to invalid inputs, that is at best annoying, at worst very expensive to repair.
  
  Never attribute to incompetence that which can be explained by greedy self-interest. The auto manufacturers and dealeer make money off these defective devices. I call foul.
  
  --
  Free Martian Whores!
5. Re:Probably the right design choice by MachDelta · 2010-08-10 04:08 · Score: 2, Funny
  
  Any vehicle sold in the US after September 1, 2007 is supposed to have a TPMS (tire pressure monitoring system) as mandated by the TREAD act.
  Why? Because no one knows how to check the air pressure in their tires anymore.
  That and the whole Firestone fiasco.
Disconnected from reality... by http · 2010-08-09 20:11 · Score: 3, Interesting

FTFA:

Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. "Someone would have to invest money at putting receivers at different locations," she said. Also multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost US$1,500.

Oh yeah, good thing RFID detectors are so freaking expensive. Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.

--
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
1. Re:Disconnected from reality... by Yvanhoe · 2010-08-09 20:28 · Score: 4, Insightful
  
  By the way someone who wants to track a car can use these very convenient numbered plaques visible in front and in the back of the car with only a cheap camera and on-the-shelf software.
  
  I wonder however if a bad pressure signal could be forged, forcing the car to stop ?
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
2. Re:Disconnected from reality... by Anachragnome · 2010-08-09 20:54 · Score: 3, Interesting
  
  "Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure."
  I think you fail to recognize the seriousness of the capabilities of a simple RFID system.
  Most people do not think much about the RFID chips in their tires until they realize (are told) that EVERY stoplight out there has multiple sensor grids built right into the roadbed (to sense the presence of cars and be able to control the lights accordingly). The looks on their faces usually change the moment comprehension dawns on them.
  Those very same grids can be used to detect the RFID chips in your tires. In short, any car with tires made since 2000 can be tracked by the very roadbeds they ride upon.
  Seriously. All this technology to check your TIRE PRESSURE? Who the fuck is kidding who?
  Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips, and usually ask for all sorts of additional info--for "warranty reasons". Even paying with cash, they will argue with you about not giving them a name (but usually crumble when you say you'll just shop elsewhere). Why is it SO important they have a name? So they can help you join the next class-action against a tire manufacturer?
  Media jumped all over the Firestone story, fear-mongered it into something bigger and we end up with this. Tracking tags in our cars. More security theater. Yay.
3. Re:Disconnected from reality... by marten_77 · 2010-08-09 21:28 · Score: 3, Interesting
  
  It should be pointed out that sometimes these tracking features (such as OnStar) can be used in ways that actually do not serve the interests of the government. For instance, in my jurisdiction, police recently set up a sting operation designed to catch car thieves. Undercover agents set up a storefront for purchasing stolen cars, and collected dozens of vehicles over about a half-year period. When car thieves would come in to sell the cars, they would be paid in marked bills, and the undercover agents would drive the cars into a hidden parking deck. The agents didn't want to blow their cover early, though, so they didn't immediately return the stolen cars. (After all, in their minds, catching criminals was considerably more important than returning stolen property.) They left the vast majority of the recovered vehicles in the hidden parking deck for months, without ever notifying the victims that their property had been recovered. This, of course, translated into a significant financial loss for the victims (and their insurance companies). There was one class of victims, however, who got their cars back in short order -- the ones whose vehicles were equipped with OnStar. When asked by law enforcement to keep the operation secret from the vehicle owners so as not to hinder the sting operation, OnStar flatly refused, notifying police that they would immediately provide the GPS coordinates of the missing vehicles to their customers so that the customers could begin legal actions to recover them. Faced with this problem, the undercovers immediately drove the OnStar-equipped cars out to an abandoned lot and then anonymously notified local law enforcement that they had been discovered. The cars that were not so equipped sat in the hidden deck until after the entire sting operation had concluded.
4. Re:Disconnected from reality... by tweak13 · 2010-08-09 22:46 · Score: 5, Informative
  
  Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips
  As someone who sold tires for years, I can tell you that there's a foolproof way to get tires without giving out your name. I realize it's crafty and devious, which is why you may not have thought of it. Here it is: Make something up. Wild, I know, but there's about a 99% chance it will work because nobody gives a shit. Seriously, take off the tinfoil hat.
  
  When I was working for a major chain selling tires, I asked for a name for one and only one reason. Our software wouldn't let me make an invoice without a name. It also required a few other things, but it's just as easy to make up a phone number too. If you lied to me at any point, how the hell would I know? It's not like I asked people to present ID to get tires.
This is onstar! by Anonymous Coward · 2010-08-09 20:16 · Score: 3, Funny

We currently show you driving 95 miles an hour with four flat tires. Would you like to be routed to a service station?
If you've got a toll tag... by pongo000 · 2010-08-09 20:16 · Score: 3, Interesting

...the government is tracking you already (where I live, toll tag transponders can be seen on telephone poles miles from the toll roads). If you have OnStar (even if it's "disabled"), GM can still locate your vehicle. I suspect it's even possible to monitor a vehicle's CANBUS for unique signatures that would identify a specific vehicle. Hell, your cell phone will give you up.
For some reason, I'm not too worried about the RFID tags on my tire valve stems.
1. Re:If you've got a toll tag... by Anonymous Coward · 2010-08-09 20:27 · Score: 5, Funny
  
  Hell, your cell phone will give you up.
  At least Rick Astley won't give you up, nor will he let you down.
2. Re:If you've got a toll tag... by TheLink · 2010-08-09 20:32 · Score: 2, Informative
  
  If you carry a cellphone with you and are within "coverage", you're already tracked.
  
  They can find out which towers your phone has been talking to and thus figure out where you've been.
  --
  
  Too many replies beneath your current threshold
Lets skip to the heart of the matter by CdBee · 2010-08-09 20:33 · Score: 4, Informative

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

--
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
1. Re:Lets skip to the heart of the matter by Thanshin · 2010-08-09 20:59 · Score: 5, Informative
  
  Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
  I'd rather have airbags than a decent stereo.
  However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
2. Re:Lets skip to the heart of the matter by Thanshin · 2010-08-09 21:02 · Score: 5, Funny
  
  Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
  I'd rather have airbags than a decent stereo.
  However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
  Wheels are a nice feature too.
3. Re:Lets skip to the heart of the matter by Gordonjcp · 2010-08-09 21:20 · Score: 4, Interesting
  
  You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!
  Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.
4. Re:Lets skip to the heart of the matter by nospam007 · 2010-08-09 22:06 · Score: 3, Insightful
  
  "a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "
  Is that the system that is unable to differentiate between gas and breaks in a Toyota?
5. Re:Lets skip to the heart of the matter by AlecC · 2010-08-09 22:18 · Score: 2, Insightful
  
  Over past decades there has been a continuous fall in fatalities per mile driven. This is, to a large extent, due to continuous small improvements, of which this is one. Of course you may be savvy enough to keep your tires properly inflated - but the average Joe Public isn't - or at least 10% of Joe Public. And properly inflated tires reduce the risk of accidents, in which Joe Public can kill not only himself but also you. You may, indeed, be an above average driver (like 90% of the population, in their opinion) but most people (in real tests) are not.
  Incidentally, you didn't specify synchromesh, windscreen wipers, indicators, damped suspension, automatic ignition timing... Once upon a time, cars didn't have these. Have you ever driven a car from the 1920s? Would you know how to double-declutch and when to use the ignition advance retard? What you are saying is that cars don't need the improvements since you started driving - a version of the "Good Old Days" fallacy.
  
  --
  Consciousness is an illusion caused by an excess of self consciousness.
6. Re:Lets skip to the heart of the matter by The+Mighty+Buzzard · 2010-08-09 22:40 · Score: 2, Funny
  
  Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
  I'd rather have airbags than a decent stereo.
  However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
  Wheels are a nice feature too.
  Nah, they're just a fad.
  
  --
  Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
7. Re:Lets skip to the heart of the matter by zippthorne · 2010-08-09 22:53 · Score: 5, Insightful
  
  You might think you don't need ABS, but as another driver on the road, I'd prefer you had it. I'd prefer it a lot.
  I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.
  If the only danger was you sliding off a curve into a a tree or ravine after losing your steering, I'd say, "Go for it, we can always use less people." But it's not. There's also the danger of you not being able to avoid an accident with me, and I like being alive!.
  Please be considerate of your other drivers.
  
  --
  Can you be Even More Awesome?!
8. Re:Lets skip to the heart of the matter by Beyond_GoodandEvil · 2010-08-09 23:59 · Score: 3, Informative
  
  I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.
  Not sure why parent is a troll, since he is correct modern ABS can brake each wheel individually allowing for maximum control under braking. So unless you're driving the McLaren MP4/12, ABS can do a better job braking each wheel then you can.
  
  --
  I laughed at the weak who considered themselves good because they lacked claws.
9. Re:Lets skip to the heart of the matter by nacturation · 2010-08-10 00:05 · Score: 4, Funny
  
  "a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "
  Is that the system that is unable to differentiate between gas and breaks in a Toyota?
  In some cases, this non-electronic system called "THE DRIVER" is unable to distinguish between brakes and breaks.
  
  --
  Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
10. Re:Lets skip to the heart of the matter by boring,+tired · 2010-08-10 00:24 · Score: 4, Informative
  
  My last car did this. Driving on snow or very wet roads would trigger the low tire pressure warning. It did detect an actual low tire once but there were so many false positives that I learned to ignore it. One good thing is that it forced me to keep a pressure gauge in the car so I could check the tires and reset the warning light.
11. Re:Lets skip to the heart of the matter by MiniMike · 2010-08-10 01:08 · Score: 4, Funny
  
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
  His ideal car doesn't have a transmission or wheels, so unless he's on a steep enough hill that his lightweight but strong aluminum body can skid down it, he'll just be sitting in his driveway going 'vroom vroom' anyway. If his ideal house has a driveway, that is. As his ideal car also doesn't have a floor pan, he'll have no trouble using his feet to pretend to brake.
12. Re:Lets skip to the heart of the matter by drinkypoo · 2010-08-10 01:22 · Score: 2, Insightful
  
  This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected.
  Your strategy is fine for racing vehicles, but ABS provides additional safety to those who do not believe it to be magical and disable switches are very easy to implement since all ABS fails to simple brakes. Meanwhile, we have run-flat tires that can go flat so graciously that you don't even notice until you try to make a 90 mph curve on one, and they CERTAINLY enhance vehicle safety (being less vulnerable to blowouts, let alone leaving you stranded on the uphill of the Bay Bridge in the left lane or something like that.
  Airbags save lives, and events beyond your control happen all the time in motoring. You can be as cocky as you like, but suggesting that these safety features are unuseful is ridiculous at best. And as to your decent stereo, doesn't that interfere with your monitoring of a car that has no monitoring equipment?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
13. Re:Lets skip to the heart of the matter by cayenne8 · 2010-08-10 01:30 · Score: 2, Funny
  
  "All of which are required by law, and would obviously be features. In all fairness, though, cars do need many of the sensors in order to keep the engine running at peak efficiency, thanks to fuel injection. And if you say you'd rather have carburettors anyway, you've clearly never owned a carburetted vehicle for any length of time. Ultimately, data is good, and more sensors means more data."
  I'm still with the GP on one thing...I just HATE ABS. I just never feel in control with those damned things...you slam them on when you absolutely have to, they start 'chattering', and won't stop you in time. If not for some good steering on my part, not to mention luck at the time with a place to go without hitting another car, those things would have cost me money in damages.
  I liked my old '86 911 Turbo. That thing would handle when you needed it, and no ABS (hell, no airbag either)....one time I had to slam the brakes on that thing at high speed, it locked up, slowed to where I had to be speed wise to make a manuver, and I could then steer and re-accelerate to get out of the situation. It worked. Of course, I have 4 bald spots...one on each tire which I'd locked it up, but that's the price you pay. I just bought new tires, and was on my way, no wreck, no body shop.
  Granted, this car was a special case, but in any car I've had, I just cannot get used to ABS. I feel they take too much control away from me.
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
14. Re:Lets skip to the heart of the matter by gad_zuki! · 2010-08-10 01:55 · Score: 4, Insightful
  
  I hate this neo-luddite position people take when any little thing goes wrong. Your dream car is my nightmare death-trap car. I want airbags, ABS, wireless tire gauges, proximity sensors, ability to pull codes from computer, etc. I suspect most people do. If you want a specialized custom car, then built it yourself, but don't pretend your simplistic car needs speak for anyone else but yourself.
  Not to mention its foolish to throw the baby out with the bathwater. I remember people like you when the web started to become popular. "Oh who needs this crap, I already have TV and the newspaper!"
  I'm probably older than you and I certainly remember the PITA carburetors were compared to fuel injectors. Heck, my dad had to deal with vapor lock. When was the last time you needed to rebuild a carburetor or wait out vapor lock? I think you're just spoiled by the technology you decry.
15. Re:Lets skip to the heart of the matter by camperdave · 2010-08-10 02:28 · Score: 2, Informative
  
  This exact comment has already been posted. Try to be more original...
  
  So why isn't it showing up?
  
  In order to deal with the massive volume of readers, Slashdot periodically builds a static page. This is what gets served to you when you read Slashdot, not an on-the-fly dynamic page built from the comments database. It takes a few minutes for your comments to become part of the static pages. I think it even says that when you hit submit.
  
  --
  When our name is on the back of your car, we're behind you all the way!
16. Re:Lets skip to the heart of the matter by Xacid · 2010-08-10 02:37 · Score: 2, Informative
  
  But then they let women drive... /obligatory mysogyny.
17. Re:Lets skip to the heart of the matter by camperdave · 2010-08-10 02:38 · Score: 4, Insightful
  
  you slam them on when you absolutely have to, they start 'chattering', and won't stop you in time.
  
  If you had regular brakes, the wheels would have locked and you would not be able to steer at all. You would have slid into the other car. You only have control when the tire is gripping the road.
  
  --
  When our name is on the back of your car, we're behind you all the way!
18. Re:Lets skip to the heart of the matter by phoenix321 · 2010-08-10 07:41 · Score: 2, Insightful
  
  A good driver cannot ever hope to lock and unlock the brakes with full force faster than the ABS computer.
  Claiming to be able to do otherwise would win the "hubris of the millenium" prize.
  A proper ABS computer and system can not only lock and unlock the wheels within milliseconds (which would be suboptimal anyway) but keep the whole car at THE maximum brake power that is physically possible while keeping the vehicle able to steer - during the whole process, on all surfaces, at 4am, after a 10-hour work shift in the factory, with no startle response, not scared to fully apply all power available.
  Maybe I've just never met a "good" driver by your standards, but chances are the guy in that car sliding into you wasn't one, either.
  Please don't blame it on the ABS if you're approaching the intersection too fast for the given road condition. This would only show you're probably not a good driver and/or unaware of the http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
Turn off the brakes by drop+table+user · 2010-08-09 20:36 · Score: 2, Interesting

Why bother with the tire pressure when you can make instruments give false readings, kill a car engine remotely or turn off the brakes ?
1. Re:Turn off the brakes by drop+table+user · 2010-08-09 22:50 · Score: 2, Interesting
  
  All of this requires physical access to the car
  
  That used to be true. While some hacks still require physical access, others can be executed remotely. Cars are getting online and the security problems go with it.
This is a suprise.... How? by Platinumrat · 2010-08-09 21:02 · Score: 4, Interesting

Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, their dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.
Re:Sudo by 16Chapel · 2010-08-09 21:35 · Score: 3, Funny

I dunno about you, but I'd rather tell my wheels to brake.
what about ELEVATORS? by orange47 · 2010-08-09 21:37 · Score: 4, Funny

I mean, anyone can program them to go to 20000th floor and we could end up in orbit or something.
Tracking is NOT an issue by Mr.+Freeman · 2010-08-09 21:41 · Score: 3, Insightful

"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,"

The issue described in the article is that you can identify the tires by their RFID tag. This means that you could track cars. The article completely fails to mention that you ALREADY HAVE A FUCKING LICENSE PLATE ATTACHED TO YOUR CAR! The license plate is a unique identifier required by law on all motor vehicles. Anyone who wants to prove you visited location XYZ is simply going to use a $20 camera and get a shot of your license plate. Yeah, getting readings with RFID is a little easier then setting up a camera and some plate scanning software, but neither one is very hard for someone who wants to track you.

As for "confounding" the control unit, that's not a problem with security, that's a problem with the fucking control unit. The article mentions that once they sent false data to it, they couldn't get the thing to work correctly even after rebooting it. Any device that can't handle junk data is worse than useless. Something being intolerant of noise is not a security problem, it's a stupid engineer problem. Sure, it might not function while you're jamming it with garbage, but if it fails to work after a reboot then you've done something seriously wrong.

--
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
Tire sensors must last years on battery by gmueckl · 2010-08-09 21:53 · Score: 3, Informative

Tire sensors are built to run on battery for years. You can't easily get to them and change the battery, so these things are extreme low power devices. Each line of code for these controllers costs real world battery lifetime and shortens maintenance cycles. The same goes for extra crypto hardware: every transistor costs. So I'm not surprised that the protocol is not secured to oblivion. There simply isn't room for that unless battery storage capacities rise by an order of magnitude or two. So, a part of me wonders whether this researcher has had a look at the constraints of these systems and understood them before he tried to make the news.
Still, this is no excuse for being able to corrupt the receiving controller irreparably by some protocol error. These errors can occur normally as transmission errors, not just through deliberate attacks. This is where the sloppy engineering exists and the only part of the story that is actually newsworthy.

--
http://www.moonlight3d.eu/
Relevant experience by AlecC · 2010-08-09 22:26 · Score: 3, Interesting

A colleague recently got a call from his wife: her car dash had lit up with warning lights. After about half an hour he traced it to a single fault: an under-inflated tire, presumably reported (correctly) by one of the sensors described in TFO. One tire warning light - OK so far.But the tire warning system had talked to the ABS system, which had decided for inscrutable reasons that it wouldn't work with an underinflated tire. And that had talked to the central monitoring system, which had turned on the "Safety Critical Fault" light. And maybe a few other things. The result was, like Three Mile Island, a single underlying fault had turned into a christmas tree of warnings that an unskilled interpreter (the wife) was terrified of and a skilled engineer (my colleague, a very good hardware engineer) took half an hour to troubleshoot.
The point being that there is a possibility for a dangerous prank here. By fooling cars into thinking their tires are dangerously underinflated, you can give the driver a serious fright - with possibilities comic to the simple minded, but potentially dangerous if the driver is distracted or does something unexpected like braking to a sudden halt.

--
Consciousness is an illusion caused by an excess of self consciousness.
It's all FUD by a researcher trying to get noticed by Lumpy · 2010-08-10 00:00 · Score: 3, Interesting

Sorry but you will not figure out how to bomb a embassy by reading the tire pressure in my front left tire. All this is nothing but FUD and fear-mongering by a researcher that is late on the scene to automotive hacking. Many of us in the automotive hacking circles have done this stuff for well over 30 years. Now suddenly just because one guy who decided to make a lot of noise about it it's a problem?
it is not a problem, ignore this attention whore.
You cant send a virus down the tire pressure comms channel to the ECM and cause the car to explode or disable the brakes. (Except for toyota cars... JOKING!) and his demos with wirelessly changing the dashboard and other "hacks" are via a 3rd party wireless device he installed in the car.
If I buy a new windows server and install VNC without a password can I demonstrate to the world how horribly insecure the newest windows server release is? It's the same thing. Everyone glosses over the fact that none of his hacks are possible without having the target's car for a few days and installing a lot of gear in it.
The ONLY wireless OEM hack I have ever seen is the one where you blast mp3 files to bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play audi adverts to the guy.

--
Do not look at laser with remaining good eye.
The A380 Runs on WEP by static416 · 2010-08-10 00:47 · Score: 2, Interesting

Well the entire A380 doesn't run on WEP, but the entire cabin entertainment system does.
And having been involved in other parts of the A380 design, I can tell you that data security problems were not even on the product development radar. Non-IT engineering companies view IT the same way that the rest of the world does and generally doesn't design against malicious uses, only accidental failures.
Re:This is a suprise.... How? by sjames · 2010-08-10 04:01 · Score: 2, Interesting

That's the real problem. Until they started adding wireless, the cars were perfectly secured by simple physical means. Security on the wire was irrelevant since the wire was entirely within the car. If you could access the wire, you could just add a tracking device or cut the brake line.
Now that they're going wireless, security in the communication is starting to actually matter but they have no experience there.