The Shoddy State of Automotive Wireless Security

← Back to Stories (view on slashdot.org)

The Shoddy State of Automotive Wireless Security

Posted by Soulskill on Monday August 9, 2010 @07:54PM from the can't-wait-for-toyota-two-point-oh dept.

angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."

18 of 260 comments (clear)

Probably the right design choice by Beryllium+Sphere(tm) · 2010-08-09 20:02 · Score: 4, Insightful

If the potential for misuse is minimal, then it's only common sense to make the tire communications simple and easy to troubleshoot, and to assign the security people to work on something that matters.
1. Re:Probably the right design choice by pwagland · 2010-08-09 20:24 · Score: 5, Informative
  
  That is a valid point about the communications, however, from the article, if incorrect data is sent by something pretending to be the tire gauge, it was enough to corrupt the controller to the point where even a simple reboot was not enough to fix it. It had to be replaced by the dealer. Certainly resources need to be allocated wisely however when the device crashes due to invalid inputs, that is at best annoying, at worst very expensive to repair.
2. Re:Probably the right design choice by DDLKermit007 · 2010-08-09 21:15 · Score: 4, Informative
  
  Actually this is all old hat at this point. This guy is just stealing from a Def Con talk which needs attribution to Mike Hertzfeld. I was at the talk that first brought this about. It was a little jaw dropping. He came up with ways to track people around cities using the information from the systems. That in itself isn't so bad since almost everyone has Bluetooth and/or active wireless scanning enabled on their phones, but I digress (the police use this method already since it requires no court order). The really meat & potatoes was where if he flooded the system with garbage data over the wireless something interesting happened, the car shut off. Thats the real crazy part to me, that the system is that vulnerable.
Re:If you've got a toll tag... by Anonymous Coward · 2010-08-09 20:27 · Score: 5, Funny

Hell, your cell phone will give you up.
At least Rick Astley won't give you up, nor will he let you down.
Re:Disconnected from reality... by Yvanhoe · 2010-08-09 20:28 · Score: 4, Insightful

By the way someone who wants to track a car can use these very convenient numbered plaques visible in front and in the back of the car with only a cheap camera and on-the-shelf software.

I wonder however if a bad pressure signal could be forged, forcing the car to stop ?

--
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Lets skip to the heart of the matter by CdBee · 2010-08-09 20:33 · Score: 4, Informative

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

--
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
1. Re:Lets skip to the heart of the matter by Thanshin · 2010-08-09 20:59 · Score: 5, Informative
  
  Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
  I'd rather have airbags than a decent stereo.
  However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
2. Re:Lets skip to the heart of the matter by Thanshin · 2010-08-09 21:02 · Score: 5, Funny
  
  Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.
  I'd rather have airbags than a decent stereo.
  However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
  Wheels are a nice feature too.
3. Re:Lets skip to the heart of the matter by Gordonjcp · 2010-08-09 21:20 · Score: 4, Interesting
  
  You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!
  Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.
4. Re:Lets skip to the heart of the matter by zippthorne · 2010-08-09 22:53 · Score: 5, Insightful
  
  You might think you don't need ABS, but as another driver on the road, I'd prefer you had it. I'd prefer it a lot.
  I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.
  If the only danger was you sliding off a curve into a a tree or ravine after losing your steering, I'd say, "Go for it, we can always use less people." But it's not. There's also the danger of you not being able to avoid an accident with me, and I like being alive!.
  Please be considerate of your other drivers.
  
  --
  Can you be Even More Awesome?!
5. Re:Lets skip to the heart of the matter by nacturation · 2010-08-10 00:05 · Score: 4, Funny
  
  "a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "
  Is that the system that is unable to differentiate between gas and breaks in a Toyota?
  In some cases, this non-electronic system called "THE DRIVER" is unable to distinguish between brakes and breaks.
  
  --
  Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
6. Re:Lets skip to the heart of the matter by boring,+tired · 2010-08-10 00:24 · Score: 4, Informative
  
  My last car did this. Driving on snow or very wet roads would trigger the low tire pressure warning. It did detect an actual low tire once but there were so many false positives that I learned to ignore it. One good thing is that it forced me to keep a pressure gauge in the car so I could check the tires and reset the warning light.
7. Re:Lets skip to the heart of the matter by MiniMike · 2010-08-10 01:08 · Score: 4, Funny
  
  Brakes are nice too. unless you're planning to go slow enough to brake with your foot.
  His ideal car doesn't have a transmission or wheels, so unless he's on a steep enough hill that his lightweight but strong aluminum body can skid down it, he'll just be sitting in his driveway going 'vroom vroom' anyway. If his ideal house has a driveway, that is. As his ideal car also doesn't have a floor pan, he'll have no trouble using his feet to pretend to brake.
8. Re:Lets skip to the heart of the matter by gad_zuki! · 2010-08-10 01:55 · Score: 4, Insightful
  
  I hate this neo-luddite position people take when any little thing goes wrong. Your dream car is my nightmare death-trap car. I want airbags, ABS, wireless tire gauges, proximity sensors, ability to pull codes from computer, etc. I suspect most people do. If you want a specialized custom car, then built it yourself, but don't pretend your simplistic car needs speak for anyone else but yourself.
  Not to mention its foolish to throw the baby out with the bathwater. I remember people like you when the web started to become popular. "Oh who needs this crap, I already have TV and the newspaper!"
  I'm probably older than you and I certainly remember the PITA carburetors were compared to fuel injectors. Heck, my dad had to deal with vapor lock. When was the last time you needed to rebuild a carburetor or wait out vapor lock? I think you're just spoiled by the technology you decry.
9. Re:Lets skip to the heart of the matter by camperdave · 2010-08-10 02:38 · Score: 4, Insightful
  
  you slam them on when you absolutely have to, they start 'chattering', and won't stop you in time.
  
  If you had regular brakes, the wheels would have locked and you would not be able to steer at all. You would have slid into the other car. You only have control when the tire is gripping the road.
  
  --
  When our name is on the back of your car, we're behind you all the way!
This is a suprise.... How? by Platinumrat · 2010-08-09 21:02 · Score: 4, Interesting

Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, their dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.
what about ELEVATORS? by orange47 · 2010-08-09 21:37 · Score: 4, Funny

I mean, anyone can program them to go to 20000th floor and we could end up in orbit or something.
Re:Disconnected from reality... by tweak13 · 2010-08-09 22:46 · Score: 5, Informative

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips
As someone who sold tires for years, I can tell you that there's a foolproof way to get tires without giving out your name. I realize it's crafty and devious, which is why you may not have thought of it. Here it is: Make something up. Wild, I know, but there's about a 99% chance it will work because nobody gives a shit. Seriously, take off the tinfoil hat.

When I was working for a major chain selling tires, I asked for a name for one and only one reason. Our software wouldn't let me make an invoice without a name. It also required a few other things, but it's just as easy to make up a phone number too. If you lied to me at any point, how the hell would I know? It's not like I asked people to present ID to get tires.