Slashdot Mirror


Hacking a Car With Music

itwbennett writes "Researchers at the University of California, San Diego, and the University of Washington have identified a handful of ways a hacker could break into a car, including attacks over the car's Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops. But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. 'It's hard to think of something more innocuous than a song,' said Stefan Savage, a professor at the University of California."

133 comments

  1. Hackers can turn your home computer into a bomb! by mykos · · Score: 4, Funny
  2. Why stop at a CD? by Anonymous Coward · · Score: 0

    Some stereos are bluetooth, why not try to upload an mp3 to an attached iPod via a strong bluetooth signal from nearby? You'd have to scan for the link signal of course.

  3. Uh, what? by gman003 · · Score: 5, Interesting

    I can accept malicious data taking over the stereo system. That's believable. What I find impossible is going from there to the rest of the car. I installed my own stereo system - the only wires involved were power and output to the speakers. That's it. Unless they can find an exploit in a 12v battery, they literally cannot get to anything automotive.

    Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.

    1. Re:Uh, what? by Anonymous Coward · · Score: 5, Informative

      Newer cars with integrated stereos hook them up to the car's CAN bus. From there all bets are off.

    2. Re:Uh, what? by drinkypoo · · Score: 3, Informative

      Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.

      If your car uses the CAN-bus for stereo controls, and has only a single CAN-bus, then yeah, you can probably hack the security, which is integrated into the PCM, from the stereo.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Uh, what? by Osgeld · · Score: 4, Informative

      can bus

      http://en.wikipedia.org/wiki/Controller_area_network

      course it all depends on what your car has in it, my 06 kia not a big deal as my stereo is not connected to it, much like you mention above, my mom's 2011 jeep on the other hand, you can't even unlock a door without talking on it

    4. Re:Uh, what? by Anonymous Coward · · Score: 1

      Yeah, it's for the more integrated systems I suppose. I had a few cars over the years that the factory deck held at least part of the "brains" too, so I couldn't just mash in any ol' after market unit.

      Especially at risk would be something like the Ford Sync systems. But, this CD with magic code method would require the ne'r do weller to be *in* the car, presumably with the ignition at least in ACC, to pull off. The bluetooth hacks are more ominous. If someone could send a malformed BT packet storm and pop the locks on a car in a lot, there will be a lot more folks looking for pre '00 cars.

    5. Re:Uh, what? by pitchpipe · · Score: 0, Offtopic

      I think that the attack would have to be very specific. Might work as a targeted attack, but as a general exploit it would probably run up against too many versions/variations in hardware/firmware/software.

      Offtopic: I love Republicans/Regressives!

      --
      Look where all this talking got us, baby.
    6. Re:Uh, what? by Anonymous Coward · · Score: 0

      '99 Talon rather than a brand-new anything.

      Plus those things are friggin sweet.

    7. Re:Uh, what? by Anonymous Coward · · Score: 0

      And this is bad design, despite how convenient it seems at first. Anything considered critical should be kept isolated. All we need is somebody figuring a vulnerability that allows access to a sending module for cruise-control or power-steering and people may have a ticking time-bomb on their hands.

      Anyhow, I still like my old car, even if it comes up a bit short on the gadgetry. And not just because of its lack of gadgetry. Ironically many newer cars I've been in don't seem to have much of the good driver-focused ergonomics that my older car has. Making things "chunky" or "shapes" does not equal good tactile sense or give them reasonable spacing within reach.

    8. Re:Uh, what? by jonwil · · Score: 1

      These days, car stereos are not car stereos, they are stereos + MP3 players + iPod docks + navigation systems + bluetooth car kits + emergency help systems and more.

      And a lot of this stuff needs to talk to the cars sensors and systems (e.g. these systems may require knowing how fast the car is going or the like)

    9. Re:Uh, what? by billcopc · · Score: 1

      It's not a big stretch to assume their electronics are designed by the lowest bidder.

      The fact that such a device would run arbitrary code from a music file, that tells me today's programmers really are as idiotic and useless as I assumed. It's music, decoded by some type of finite state machine. There is no dynamic execution, it should treat "trojan code" like any other bits in the input stream and play them as static noise, or skip them if the checksum fails. The decoder shouldn't even be capable of smashing the stack and then executing it.

      That's almost as dumb as granting this device bidirectional, unrestricted access to the car's management bus. If they're going to start building computers and networks inside our cars, they need to treat them like any other network: trust nothing, authenticate everything else.

      --
      -Billco, Fnarg.com
    10. Re:Uh, what? by MacGyver2210 · · Score: 2, Interesting

      Even from the CAN bus your largest attack would be messing with fuel economy. The communications on the CAN bus are usually quite secluded from any form of digital engine control.

      For example, the Oxygen and MAP sensors might broadcast on the CAN bus, and you may be able to spoof them so in the ECU it causes an engine light or bad fuel economy. Beyond that, the CAN bus is pretty much just information being sent about the status of things. There is usually no control taking place via those connections. All control based on those messages comes from the ECU directly.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    11. Re:Uh, what? by MacGyver2210 · · Score: 3, Interesting

      I've never seen a keyless entry system connected to a CAN bus.

      I have in no way worked on all cars out there, but that would be what we with common sense call 'poor system design'.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    12. Re:Uh, what? by Gordonjcp · · Score: 2

      The fact that such a device would run arbitrary code from a music file,

      It can't. There is *no possible way* that you can send a malicious audio track to mess about with the car's electronics. The article is totally on crack.

      What you can do on most cars with multiplexed (CANBus) electronics is put new firmware onto various systems from a CD. Rather than recall a batch of cars to do an update, you can just pop a CD in the post. It speeds things up at the workshop, too - when my van needed an update the guy from Mercedes was able to come out to me, but I dropped by the garage since I was working nearby. Pop in a disk, turn the ignition on with the right combination of buttons held down on the stereo, and it updates the various ECUs.

      My own car (1988 Citroën CX) has absolutely no electronics at all, except the clock on the dashboard - and that doesn't work anyway.

    13. Re:Uh, what? by jimicus · · Score: 1

      But, this CD with magic code method would require the ne'r do weller to be *in* the car, presumably with the ignition at least in ACC, to pull off.

      What TFA doesn't say is if the hacked music file was an MP3 (which many modern car stereos can play directly) or a plain audio CD. A hacked MP3 could be pushed out on a p2p network.

      Granted you'd need a bit of a perfect storm - someone who uses P2P to download the hacked MP3, to burn it direct to a CD for in-car listening and to have the exact model and revision of parts in their car necessary. I can't see it being terribly likely on its own.

    14. Re:Uh, what? by Anonymous Coward · · Score: 1

      You are very wrong. You should read the posted paper.

    15. Re:Uh, what? by drinkypoo · · Score: 1

      In virtually all cases the factory security is integrated into or at least closely with the PCM so that it can control starting (or not) at the source. This is especially true when the car has a special key required for starting. The PCM is on the CAN bus. QED.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Uh, what? by Anonymous Coward · · Score: 0

      How about those commercials showing GM's OnStar able to be so helpful doing such services as remotely unlocking a car for some poor hapless motorist who locked the keys in the car? (Not recalling any specific commercial since I hardly ever watch TV, but my recollection is to that effect...). Seems that shows some extensive integration of remote control with the rest of the car's systems.

      RO

    17. Re:Uh, what? by bhtooefr · · Score: 2

      Newer VWs have the following things all on a single CAN bus (and there actually is a justification for it):

      Engine control unit
      Transmission control unit
      Anti-lock brakes/traction/stability control (and these can actually command the ECU to accelerate or decelerate)
      Instrument cluster (this one can command the ECU to shut down, if it thinks the car is stolen)
      Radio
      Climate control
      Central convenience module (handles remote locks, power windows, and things like that)
      Airbags
      Electric power steering

      So, the reason for them all being connected... let's say you get into a crash.

      Airbags deploy. This sends a message to the ECU to shut down, the instrument cluster that there's an airbag issue, the radio to shut down, the central convenience module to turn on the flashers, roll down the windows, and unlock the doors.

      If you're not worried about malware, that makes sense, and the thought of malware attacking a radio is generally insane.

    18. Re:Uh, what? by Enleth · · Score: 1

      And they actually share the address space without any network segmentation and routing? You know, CAN has something between a NAT and a network bridge - can't remember the term used by the spec right now - which was designed to allow controlled routing between parallel networks precisely for such things as this. I can't believe they wouldn't use that. For example, new Citroen C5s use such routing to separate vital and non-vital networking while allowing certain devices to communicate cross-network for reasons very similar to those you cited. They will even try to use the Bluetooth-connected handset (which is handled by the stereo, so that the music volume goes down when you get a call and the caller is heard in the in-car speakers) to call emergency services after a crash.

      --
      This is Slashdot. Common sense is futile. You will be modded down.
    19. Re:Uh, what? by PseudonymousBraveguy · · Score: 2

      That's simply wrong. Lots of safety relevant systems, like ESP, communicate via CAN (or FlexRay in more modern cars). So, in theory, if you hijacked the whole bus you could pretty easily kill everyone inside the car. In praxis, however, it's not quite that simple. e.g. the bus driver of a FlexRay bus will electrically prevent sending any data outside of your designated timeslot, so you can't override data sent by other ECUs. (Not to mention that the only place data from the entertainment system and from safety related systems will meet is probably the dashboard, and that's pretty much a dead end).

    20. Re:Uh, what? by Anonymous Coward · · Score: 0

      I wonder if it's possible to burn them on CD your own, and distribute those under windscreen wipers.

      I don't think there would be a use to infect random strangers if you have to find their car later.

    21. Re:Uh, what? by Anonymous Coward · · Score: 1

      And they actually share the address space without any network segmentation and routing? You know, CAN has something between a NAT and a network bridge - can't remember the term used by the spec right now.

      What is employed in most cars are CAN Gateways, which are able to route Messages between different Networks or even different Bus systems (think CAN/LIN gateway).
      On a single bus, the Messages (read: Packets) go to every device on the bus, where local acceptance filters decide whether to accept it or not. These filters are usually defined in Software so if I can take control of the Stereo's CAN Stack, I am able to listen to every device on the Bus, as well as to mimic every other device. Since CAN Messages have only the receiver's address in them, this cannot be detected.
      Possible Attack Vectors:
      -jam the bus by message stuffing to disable the car or some systems
      -mimic the OBD Interface/Gateway and reconfigure other systems, e.g. how the remote locks work
      -mimic the Stability control/antilock brakes to make the ECU accelerate/decelerate; this would probably make the system raise an error because you would interfere with the regular comm to that ECU, but you could have told the real SC/ALB to shut down beforehand
      -hijack the bluetooth handsfree connection and get data from the handset/call expensive numbers/etc (make it respond to *any* key, e.g.)
      -even better: scan for a specific Bluetooth Device ID (e.g. the hacker's phone) and unlock the doors/disable security when it comes in range

    22. Re:Uh, what? by gomiam · · Score: 2

      Too many variations? Erm... Audi/Volkswagen/Seat use basically the same control software, for example, even if different revisions of it. And it's not like you can't put several attack vectors inside a 3-4MB file, right?

    23. Re:Uh, what? by drinkypoo · · Score: 1

      And they actually share the address space without any network segmentation and routing?

      You mean like early computer networks? Network segmentation and routing isn't enough to keep you secure, so now we even have firewalling. A programmer who is CAN-savvy could probably make some money right now rolling a portable firewalling framework.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    24. Re:Uh, what? by Enleth · · Score: 1

      The thing is, that those "gateways" can be smart and only allow certain packet types between certain senders and receivers. It is a kind of a very simple firewall, actually. In a C5, it most likely restricts communications only to those packets that were intended to be used by design, so it should let the airbag controller send a 112 request to the stereo, but not let the stereo deploy airbags spontaneously, even if the controller actually does support triggering over CAN (I have no idea whether it does). I did not poke too much in the "vital" network even through the gateway and I certainly did not try making anything perform some action, only passive queries and some traffic sniffing, so I can't be sure, though. BTW, a CAN gateway also protects from network failure - even if a device gets a short on the bus lines or goes bonkers and floods out all the communication with some crap, or even gets taken over and disrupts it deliberately, the network on the other side of a gateway will still operate properly. Gateways must be prepared for this by design. In a car, this becomes pretty important during a crash - physical damage might short out communication lines and disable whole networks. Thus, we have another good reason to use network separation, or at least signal-level repeaters immune to shorts and noise.

      --
      This is Slashdot. Common sense is futile. You will be modded down.
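Added example, not part of any comment in this thread and not code from any vehicle: a minimal sketch of the gateway filtering described in the two comments above. It forwards a frame only if an allowlist rule matches the bus it physically arrived on, its ID and its length, and it rate-limits each rule so a flood on one side stays there. The bus names, CAN IDs, lengths and limits are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bus names, CAN IDs, lengths and rate limits below are hypothetical. */
enum bus { BUS_VITAL, BUS_COMFORT, BUS_COUNT };
enum verdict { FORWARD, DROP_NO_RULE, DROP_BAD_LENGTH, DROP_RATE };

struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

struct rule {
    enum bus from, to;     /* direction is part of the rule */
    uint32_t id;           /* CAN identifier allowed to cross */
    uint8_t  dlc;          /* exact payload length expected */
    uint32_t min_gap_ms;   /* minimum spacing between forwarded frames */
};

#define N_RULES 2
/* Default deny: note there is no rule at all from COMFORT to VITAL. */
static const struct rule RULES[N_RULES] = {
    { BUS_VITAL, BUS_COMFORT, 0x3A0, 2, 100 }, /* vehicle speed for the nav unit */
    { BUS_VITAL, BUS_COMFORT, 0x050, 1, 0   }, /* crash notice -> emergency call */
};

struct gateway {
    bool     seen[N_RULES];
    uint32_t last_ms[N_RULES];
    uint32_t dropped[BUS_COUNT];   /* per-ingress drop counters for diagnostics */
};

/*
 * 'from' is the port the gateway received the frame on. A CAN frame carries
 * no authenticated sender, so the ingress port is the only origin information
 * the gateway can trust; nothing inside the frame is used to decide direction.
 */
enum verdict gateway_filter(struct gateway *gw, enum bus from, enum bus to,
                            const struct frame *f, uint32_t now_ms)
{
    for (int i = 0; i < N_RULES; i++) {
        const struct rule *r = &RULES[i];
        if (r->from != from || r->to != to || r->id != f->id)
            continue;
        if (f->dlc != r->dlc) {
            gw->dropped[from]++;
            return DROP_BAD_LENGTH;
        }
        /* Unsigned subtraction stays correct across timer wrap-around. */
        if (gw->seen[i] && now_ms - gw->last_ms[i] < r->min_gap_ms) {
            gw->dropped[from]++;
            return DROP_RATE;
        }
        gw->seen[i] = true;
        gw->last_ms[i] = now_ms;
        return FORWARD;
    }
    gw->dropped[from]++;
    return DROP_NO_RULE;
}

int main(void)
{
    static const char *names[] = { "FORWARD", "DROP_NO_RULE",
                                   "DROP_BAD_LENGTH", "DROP_RATE" };
    struct gateway gw = {0};
    struct frame speed = { 0x3A0, 2, { 0x12, 0x34 } };   /* constructed sample */
    struct frame crash = { 0x050, 1, { 0x01 } };         /* constructed sample */

    printf("speed vital->comfort: %s\n",
           names[gateway_filter(&gw, BUS_VITAL, BUS_COMFORT, &speed, 1000)]);
    printf("crash vital->comfort: %s\n",
           names[gateway_filter(&gw, BUS_VITAL, BUS_COMFORT, &crash, 1000)]);
    printf("crash comfort->vital: %s\n",
           names[gateway_filter(&gw, BUS_COMFORT, BUS_VITAL, &crash, 1000)]);
    return 0;
}
```

The per-ingress drop counters are the detection side of the same design: a comfort-side counter that keeps climbing means something on that bus is sending frames it has no rule for.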
    25. Re:Uh, what? by Osgeld · · Score: 1

      agreed, I had a 94 talon turbo and a 2000 eclipse GS

    26. Re:Uh, what? by camg188 · · Score: 1

      From the article:

      They found lots of ways to break in. In fact, attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. "The easiest way remains what we did in our first paper: Plug into the car and do it," he said.

      and

      Car hacking is "unlikely to happen in the future," said Tadayoshi Kohno, an assistant professor with the University of Washington who worked on the project. "But I think the average customer will want to know whether the car they buy in five years ... will have these issues mitigated."

    27. Re:Uh, what? by drinkypoo · · Score: 1

      The thing is, that those "gateways" can be smart and only allow certain packet types between certain senders and receivers. It is a kind of a very simple firewall, actually.

      Sure, that's the idea, but I don't think those gateways are very smart yet.

      Thus, we have another good reason to use network separation, or at least signal-level repeaters immune to shorts and noise.

      To my mind, it makes zero sense to use such an approach, and it makes more sense to simply have multiple CAN (or other) buses, and either actually route messages (with firewalling) inside the relevant module, or not use CAN in such a way. Cars are not yet so complicated that this will lead to a significant increase in cost. I DO anticipate that eventually every sensor will be a computer (really a microcontroller and as little else as possible) and a bus will run around picking up those signals and providing power, which potentially reduces both weight and susceptibility to noise.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re:Uh, what? by X0563511 · · Score: 1

      My stereo is integrated with my navigation system. The nav system is (read only I hope, come on) able to get data from the EC, such as current speed. I suppose that is one path.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    29. Re:Uh, what? by Anonymous Coward · · Score: 0
    30. Re:Uh, what? by kasperd · · Score: 1

      You should read the posted paper.

      It turns out that the links in the article don't actually take you to the paper. So, where is the paper? The article is too short on detail to find out what this is really about?

      --

      Do you care about the security of your wireless mouse?
    31. Re:Uh, what? by kasperd · · Score: 1

      But, this CD with magic code

      Nice way to put it. I find it hard to believe that there could be a flaw in handling of uncompressed audio data that could be used to take control over the CD player in the first place. If we are talking about the standard stereo 16 bits per sample audio, then it is unlikely to have a flaw in the code to handle it for two reasons. It is ******* simple. There is no possibility of the code to handle it having forgotten to check for invalid inputs, as every possible combination of the bits is a valid input.

      If the flaw is in how the metadata or ECC on the CD is handled, then you can't exploit it by somebody downloading the files from the internet and burning it on a CD. Because this metadata isn't downloaded from the internet in the first place. It is produced after whatever was downloaded has been turned into an uncompressed stream. You'd have to first exploit the computer in order to then exploit the CD burner to produce the malformed CD in the first place.

      If OTOH we are not talking about an audio CD, but rather about a data CD with mp3 files, and the CD player in the car can decode mp3s, then it is more likely that there is a vulnerability that could be used to exploit the CD player.

      --

      Do you care about the security of your wireless mouse?
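Added example, not part of any comment in this thread: the contrast drawn above between raw PCM, where every bit pattern is valid, and a file format with length fields that the player has to check. The thread does not say which format or field was involved; an ID3v2.3 title frame is used here only as a familiar stand-in, and `TITLE_CAP`, the function names and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_CAP 32   /* hypothetical size of the head unit's display buffer */

enum tag_status { TAG_OK, TAG_NONE, TAG_MALFORMED, TAG_UNSUPPORTED, TAG_NO_TITLE };

/* For contrast only, never called: the length comes from the file and is
 * trusted, so a frame_size above TITLE_CAP - 1 writes past the buffer. */
void copy_title_unchecked(char *title, const uint8_t *body, uint32_t frame_size)
{
    memcpy(title, body, frame_size);
    title[frame_size] = '\0';
}

/* ID3v2 tag size: four bytes, 7 bits each, top bit of every byte must be 0. */
static int synchsafe(const uint8_t *p, uint32_t *out)
{
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80)
        return -1;
    *out = ((uint32_t)p[0] << 21) | ((uint32_t)p[1] << 14) |
           ((uint32_t)p[2] << 7) | p[3];
    return 0;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened: every length read from the file is checked against the bytes
 * actually present before it is used, and the copy is capped to the buffer. */
enum tag_status read_title(const uint8_t *buf, size_t len, char title[TITLE_CAP])
{
    uint32_t tag_size;
    size_t pos = 10, end;

    title[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0)
        return TAG_NONE;
    if (buf[3] != 3 || buf[5] != 0)          /* only plain v2.3, no flags */
        return TAG_UNSUPPORTED;
    if (synchsafe(buf + 6, &tag_size) != 0)
        return TAG_MALFORMED;
    if (tag_size > len - 10)                 /* tag claims more than the file holds */
        return TAG_MALFORMED;
    end = 10 + (size_t)tag_size;

    while (end - pos >= 10) {                /* room for another frame header */
        const uint8_t *fh = buf + pos;
        uint32_t fsize = be32(fh + 4);

        if (fh[0] == 0)                      /* padding reached */
            break;
        pos += 10;
        if (fsize > end - pos)               /* frame runs past the tag */
            return TAG_MALFORMED;
        if (memcmp(fh, "TIT2", 4) == 0) {
            size_t n;
            if (fsize < 1 || buf[pos] != 0)  /* only ISO-8859-1 text handled */
                return TAG_UNSUPPORTED;
            n = fsize - 1;
            if (n > TITLE_CAP - 1)
                n = TITLE_CAP - 1;           /* truncate instead of overflowing */
            memcpy(title, buf + pos + 1, n);
            title[n] = '\0';
            return TAG_OK;
        }
        pos += fsize;
    }
    return TAG_NO_TITLE;
}

/* Constructed sample: a 26-byte ID3v2.3 tag holding the title "Hello". */
static const uint8_t SAMPLE_OK[] = {
    'I','D','3', 3, 0, 0,  0, 0, 0, 16,
    'T','I','T','2',  0, 0, 0, 6,  0, 0,
    0, 'H','e','l','l','o'
};

int main(void)
{
    char title[TITLE_CAP];
    enum tag_status s = read_title(SAMPLE_OK, sizeof SAMPLE_OK, title);
    printf("status=%d title=\"%s\"\n", (int)s, title);
    return 0;
}
```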
    32. Re:Uh, what? by Anonymous Coward · · Score: 0

      OnStar

    33. Re:Uh, what? by plover · · Score: 1

      From one point of view, it is isolated. The car is not connected to any other devices.

      From another, the components are not isolated from each other for all kinds of reasons. The CAN bus hosts all kinds of things that might care about each other. Door locks talk to lighting systems. The tire pressure sensors talk to the dashboard. The speedometer talks to the stability controls. The stability controls tie into the braking systems. The stereo shuts off when the doors open. The stereo could even increase audio volume as speed goes up to kind of "Dolby over" the vehicle's noise. Crash detection ties in the sensors, engine, signals and lighting, braking, passenger restraints, and even tells the audio system to call 911 on the owner's Bluetooth phone, using the navigation system to tell the operator where the accident occurred.

      Just about anything in a car might have a legitimate reason to communicate to another in certain situations: some for convenience, some for comfort, some for safety. And safety comes in various flavors: accident avoidance through traction control and suspension systems, crash response systems, and vehicle security (door locks) . Do you compromise one aspect of safety (crash response) by isolating some components you deem "more critical", such as anti-lock brakes? And in response to which threats? Is vehicle security really more important than crash response?

      We're dealing with unknowns and supposed threats with the hacking described in TFA. So far, no hacker has caused a car's left side brakes to lock up at 80 MPH, causing the vehicle to spin and crash. But we know the number of air-bags that go off daily, we know the survival rates for various kinds of crashes have gone down, and we know how many deaths those systems have prevented.

      What TFA provides is a really strong argument that security needs to be placed on every input. Just like web design, auto software engineers have to take nothing for granted, and have to distrust everything from MP3 files to tire pressure sensors.

      --
      John
    34. Re:Uh, what? by billcopc · · Score: 1

      OnStar, sure... but the stereo ? I'm a tech freak, and I still can't think of a use for unlocking my car doors by inserting a CD.

      --
      -Billco, Fnarg.com
  4. Pirated music. by Anonymous Coward · · Score: 0

    Any relation to this? Though I'm smelling BS from both stories. http://www.reddit.com/r/technology/comments/fj04r/reddit_the_dealership_told_me_that_pirated_music/

    1. Re:Pirated music. by Shikaku · · Score: 0

      Slightly interesting, but I'd say it's still full of crap.

      There's too much noise/static and lossy compression from mp3/$foo to even think about trying to infect a machine through line-in. Yes the audio may be digitally processed, but you'd have to find such a noise that would work and give you a full blown infection, that works compressed, can handle line-in static, for a specific make of a car radio system.

      But it's slightly off-topic, since there wouldn't be static/errors in an audio cd unless it was scratched, which this story is about.

    2. Re:Pirated music. by 228e2 · · Score: 1

      Wow . . . just wow. And I thought headlight fluid was bad

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
  5. more innocuous than a song by countertrolling · · Score: 1

    until you bump into the RIAA..

    Just make sure not to play the stereo loud enough for anybody to hear it.

    --
    For justice, we must go to Don Corleone
    1. Re:more innocuous than a song by X0563511 · · Score: 1

      OT / sig reply:

      Hey, what's the story about that craft? Was it ever reported? I can't find a report anywhere to satisfy my curiosity :P (assuming the tail number is N717T)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  6. Re:Bad Programmers by Anonymous Coward · · Score: 0

    One letter: C.

    Dunno why anyone acts surprised about audio codec vulnerabilities.

  7. Predicted... by yoblin · · Score: 1

    The x-files has come true... does anyone remember the episode where some cars got hacked/unlocked by a 'genius' with a special CD played in the stereo? I remember thinking man, these writers are stupid! ...

    1. Re:Predicted... by Anonymous Coward · · Score: 1

      Actually it was a CD containing a "Kill Switch" (and the episode name) that was left in the laptop of a dead programmer. Of course Mulder loves 'stealing' evidence. The CD contained a virus designed to kill an AI; one that was built by said dead programmer. The song that was played was "Twilight Time". Though it basically just flashed the lights. Yes, I watched the 'X-Files' a FEW times.

    2. Re:Predicted... by ArcticBunny · · Score: 1

      silly, took these guys that long to watch the X-files episode? Lame!

  8. Attacks by import · · Score: 1

    This is a follow-up to http://www.autosec.org/pubs/cars-oakland2010.pdf where they demonstrate various attacks of varying levels of danger from relatively innocuous (turn the horn on permanently) to kind of scary (disable brakes and power steering). In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.

    1. Re:Attacks by StefanSavage · · Score: 5, Informative

      > In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
      I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration no... although I'd be surprised if it wasn't possible).

    2. Re:Attacks by ShakaUVM · · Score: 1

      I just wanted to chime in and say that my friends and I always found your talks and papers to be awesome. =) I attended your DOS backscatter talk (in the old AP&M building) when I was getting my Masters at UCSD. (I worked with Scott Baden, and Fran Berman a bit.)

    3. Re:Attacks by import · · Score: 1

      Thanks for clearing that up, it was indeed not claimed. I believe you said you would be surprised if it wasn't possible.

  9. Re:Hackers can turn your home computer into a bomb by tonyreadsnews · · Score: 2

    LOL, funniest part about that story:

    When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade

  10. Sony/BMG sponsoring this research? by Anonymous Coward · · Score: 0

    I seem to remember Sony/BMG installing rootkits on computers with their CD's (http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)... perhaps they're going to go after the wheels of "music pirates" next?

  11. Re:Bad Programmers by NotQuiteReal · · Score: 5, Insightful

    Why are the most ubiquitous products the most buggy?

    Maybe because they (products) need to be cheap and quick to market to become ubiquitous?

    Remember the old "joke"?
    * Cheap
    * Good
    * Fast
    Pick 2


    There are a lot of folks who just buy the latest (fast) stuff they can afford (cheap). Quality (good) doesn't enter into the equation.

    --
    This issue is a bit more complicated than you think.
  12. DUH it's DRM by Anonymous Coward · · Score: 0

    DUH... this is just SONY's newest form of "Digital Rights Management" Installing "what would otherwise be called spyware"-software onto the car so that no copyright infringement could occur... b/c the car fried its own engine

  13. Re:Bad Programmers by Imrik · · Score: 2

    Because they receive the most post-release testing to detect bugs.

  14. Re:Bad Programmers by cayenne8 · · Score: 2, Insightful

    Which cd's could help you steal a car more often?

    Rap

    Notice I didn't say music....'cause the terms 'rap' and 'music ' are pretty much exclusive terms....

    :)

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  15. That's it! by celle · · Score: 2, Insightful

    Back to the horse and buggy everyone.
    Or at least to pre '80s cars with a dumb ignition/electrical system instead of this newer butt-kissing junk.

    "The more they try to overtake the plumbing, the easier it is to stuff up the drain. "
    Scotty -- Star Trek III:The Search for Spock. (or was it "search for more money"?)

    1. Re:That's it! by billcopc · · Score: 2, Insightful

      If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.

      Yeah, the auto industry is taking its cues from Wall Street: more bullshit = more money.

      --
      -Billco, Fnarg.com
    2. Re:That's it! by ShakaUVM · · Score: 2

      If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.

      Pfft. You're stuck in the 80s.

      My Nissan and my wife's Honda dealership both charge ~$24 for an oil change. I actually bought a lifetime (for the ownership of the car) all-you-can-eat oil change plan (with Synthetic) for $400, which includes oil filters, air filters, etc. It cost me $18 to have my wheels rotated, which I guess is a bit more than Walmart. /shrug.

      I just put in an aftermarket stereo system (I drive 25k miles a year, and a good audio system with XM radio has become essential to me). Putting in four good speakers + head unit + XM radio + integration with steering wheel audio controls cost about $900. I quite like the result I got, but I'd have preferred getting the factory installed package. Better integration with XM radio, better reception, and a 9-speaker system. Most dealerships charge about $1000 for this, and it comes factory installed.

      But my car only had XM radio installed in a mega-package that included leather heated seats, moonroof, etc., so I just did it myself.

    3. Re:That's it! by Anonymous Coward · · Score: 0

      You actually think it's reasonable that a stereo should cost more than a computer? Snap out of it.

    4. Re:That's it! by h00manist · · Score: 1

      If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.

      Yeah, the auto industry is taking its cues from Wall Street: more bullshit = more money.

      Careful there, you're sounding a bit too anticapitalist. Perhaps rethink your values. Or perhaps various lawsuits, tax audits, rumors, and accidents might occur.

      --
      Build your own energy sources from scratch. http://otherpower.com/
    5. Re:That's it! by ShakaUVM · · Score: 2

      >>You actually think it's reasonable that a stereo should cost more than a computer? Snap out of it.

      The head unit costs a few hundred bucks, a XM radio costs more money, and good speakers cost even more.

      The point the GGP was trying to make was that dealerships screw you on car audio systems, but I found they were reasonably comparative with DIY.

      Though there are pros and cons on each side, I could see a reasonable person choosing to do it either way.

    6. Re:That's it! by SuperMonkeyCube · · Score: 1

      Instead of suggesting that 'billcopc' was being anticapitalist when I think all that was intended was an emotional outburst, perhaps we should suggest that he has discovered an unfilled market niche and he should build his own cars to fill said niche. That way, it would be quite hard to accuse him of anticapitalism.

    7. Re:That's it! by Anonymous Coward · · Score: 0

      Back to the horse and buggy everyone.
      Or at least to pre '80s cars with a dumb ignition/electrical system instead of this newer butt-kissing junk.

      Yep, you can't beat a battery, points, coil, distributor and spark plugs for simplicity. That said, tuning an engine like that is like riding a unicycle - you can learn it in an afternoon, but it'll take a lifetime to master.

      Frankly, though, after a lifetime of totally shite cars (the only reliable car I've ever owned was a 1975 Australian assembled Bedford van with a factory fitted Holden engine, that puppy's still bombing around the streets, jeez I regret ever selling that.), I've given up on them altogether. The best vehicle ever invented (at least in a city like Melbourne, with decent public transport and great cycle lanes on most major roads) is the bicycle. Five times more efficient than walking, faster than a car in peak hour traffic, good for you and totally unhackable by a malicious outsider.

    8. Re:That's it! by coinreturn · · Score: 1

      My Nissan and my wife's Honda dealership both charge ~$24 for an oil change. I actually bought a lifetime (for the ownership of the car) all-you-can-eat oil change plan (with Synthetic) for $400, which includes oil filters, air filters, etc.

      I think they dropped oil change prices as a loss leader to more costly stuff.

      But I've got you beat...My Subaru dealer gives me free every other oil changes (paid for ones are $25), and they recently sent me two $25 certificates for an "inconvenient" factory recall I had done while getting an oil change. While using one of these certificates for a $25 oil change, they handed me a promotional $35 gift card. I am MAKING money on oil changes.

    9. Re:That's it! by ShakaUVM · · Score: 1

      Heh, that's hilarious.

      You're right, of course, about them wanting to keep you coming into the dealership hoping to get more expensive repairs made / keep a good relationship for buying a new car in 5 years, but one very nice thing about getting oil changes at the dealership is that they have records of all your oil changes, which are required for car warranties these days. We got a pretty good price on a 7 year bumper to bumper on my wife's Honda, so it all works out pretty well.

    10. Re:That's it! by billcopc · · Score: 1

      When I bought my new car (ten years ago), the sales guy was trying to hype up the "premium" factory stereo, so I popped in my own CD, pointed out the distorted mess coming out of the speakers, and turned it off. A week later, I tore all that crap out of my doors and dashboard, and replaced it with about $700 worth of aftermarket equipment (no subwoofer yet). Even though it was "cheap" gear, the difference was night-and-day.

      Full disclosure: I am an audiophile, as you had probably guessed, but I am also a hobbyist mixing/mastering guy, so I am considerate of the average stereos and average hearing. Heck, my wife has trouble telling good sound from bad, unless I point out the details (or lack thereof). There's nothing wrong with that. What offends me is when car dealers itemize a thousand-dollar stereo when really it's a handful of 99 cent construction-paper cones and a head unit worse than Wal-mart's $49 offerings. It is yet another thinly-veiled fraud to cover up the fact that the American auto industry itself is unprofitable. If it were indeed a $1000-value stereo, I would at least expect it to perform comparably to my $700 aftermarket kit, and be marketed to the same kind of customer. My mother wouldn't blow $1000 on a stereo, so why should her car include one?

      --
      -Billco, Fnarg.com
    11. Re:That's it! by billcopc · · Score: 1

      A "reasonable" stereo ? No. Here's what I think a modest, or bang-for-the-buck stereo would be:

      $129 head unit
      $69 front speakers
      $49 rear speakers
      $100 installation

      So under $350 installed, or $250 if you DIY (an hour or two with a screwdriver and socket wrench). I think that setup would satisfy about 95% of motorists out there. Where things get hairy is if you want a subwoofer. Even a $200 active sub is still pretty terrible, you generally have to set aside $500 or more for anything remotely decent.

      Ten years ago when I bought a new car, I considered my first setup quite decent at roughly $1100 for a bi-amplified setup with a 10" sub, all entry-level Clarion gear. A music lover without my audiophile disorder could stop there and be very happy, but this is far beyond reasonable for the average person.

      I later upgraded that thing to a ludicrous mobile PA/studio setup, but that's way off-topic. Point being, a "reasonable" system costs less than what most automakers charge for tinny garbage.

      --
      -Billco, Fnarg.com
    12. Re:That's it! by ShakaUVM · · Score: 1

      A "reasonable" stereo ? No. Here's what I think a modest, or bang-for-the-buck stereo would be:

      $129 head unit
      $69 front speakers
      $49 rear speakers
      $100 installation

      So under $350 installed, or $250 if you DIY (an hour or two with a screwdriver and socket wrench). I think that setup would satisfy about 95% of motorists out there. Where things get hairy is if you want a subwoofer. Even a $200 active sub is still pretty terrible, you generally have to set aside $500 or more for anything remotely decent.

      Ten years ago when I bought a new car, I considered my first setup quite decent at roughly $1100 for a bi-amplified setup with a 10" sub, all entry-level Clarion gear. A music lover without my audiophile disorder could stop there and be very happy, but this is far beyond reasonable for the average person.

      I later upgraded that thing to a ludicrous mobile PA/studio setup, but that's way off-topic. Point being, a "reasonable" system costs less than what most automakers charge for tinny garbage.

      A $1000 factory installed system will have XM audio, integration with car audio controls, and a 9 speaker system. I've only had it on one car (inherited from my grandfather), and the sound quality was actually really good. Spoiled me enough that I went crazy with the default audio system on my new Altima. The new system was so muddled I couldn't hear entire instruments when listening to classical.

      So with those requirements, I don't think you're going to get anywhere near $350 for an installed system.

      The integrated XM audio alone is going to be somewhere around $100-$200, with a more expensive head unit to handle it (call it $300). You also need a harness to integrate with the car audio controls.

      And if you're paying fifty bucks for two 4x6s, I can't imagine how bad the sound quality is going to sound. I think 3-way speakers are essential. My fosgates were something like $80/speaker, so with 4 speakers that's $320 alone.

    13. Re:That's it! by billcopc · · Score: 1

      There's not much I can tell you, other than "I was once like you". There is a whole world of audio beyond the five brands you'll find in most car-audio and big-box stores. They frown on 3-way speakers for the same reasons I do: off-axis positioning, space-constrained 2nd order crossovers and unfixable group delay. The result is muddy mid-bass and very uneven tweeter response. Some people don't notice or care, especially if they stick to popular music where those specific weaknesses may be harder to detect.

      Typical 3-way car speakers are built for practicality, not performance. A car is about the farthest thing from an ideal listening room: it's small and noisy, with lots of obstructions that wreak havoc with mid-high frequencies. There is nothing optimal about cramming three drivers in front of each other, in a metallic door that acts as a highly reactive, highly compliant half-baffle. Anyone with basic knowledge of speaker design can tell you that is one very compromised setup, and it can partly be explained with pure common sense: we have two ears and two channels of audio, so ideally we should have two speakers. In practice, it's impossible to build such a perfect speaker that will flawlessly reproduce the entire audible frequency range, so the nearest approximation is two drivers per side.

      All that to say: if you think 3-way speakers are so great, you should try a 2-way setup, preferably round 6.5" woofers with separate 1" tweeters. You mount these in custom kick panels so the drivers are farther away and aimed directly at the listeners, for greatly improved stereo balance and imaging. Infinity Kappa is a good option under $200, or Polk in the $600-800 range if your ears can justify the expense (shop around!). And if you don't want to spend $200 per pair, try Pioneer. They will trounce your 3-way speakers, sounding a lot more like a properly positioned and toed-in home stereo with great stereo detail and less reflections.

      Things like factory-installed 9 speaker systems work very hard to ignore all this acoustic science, instead taking the Bose approach: trash the soundstage so thoroughly that everything sounds "live". Some people like this effect, but to my ears it's absolute hogwash. I'd rather take what they spent on 9 speakers, and buy 2 really good ones instead.

      --
      -Billco, Fnarg.com
    14. Re:That's it! by ShakaUVM · · Score: 1

      I listen very closely to music, especially when listening to classical when there's a lot of different instruments playing at once.

      Between my 2.1 speaker setup on my computer, 9-speaker system in one car, and the new system I had put in, all of them are comparable though differences are indeed noticeable. I haven't noticed any of the specific complaints you made about the three-axis speakers, but I *have* heard lots of problems with two-axis speakers (I spent hours at a specialty audio store listening to my sample music) - if you don't have a crossovered woofer, their frequency response suffers either in the mids or lows.

      The speakers I bought actually sound very good in the mids and highs, but they get breathy in the lows. Some people like having big kicky lows, but I care more about sound quality, so I leave my bass unboosted in the EQ.

      All I can say is that I listened to all the speakers they had there, and picked the one that sounded the best across Dvorak, Metallica and Juno Reactor.

  16. A Bunny by Anonymous Coward · · Score: 0

    A bunny is more innocuous than a song. He clearly didn't think very hard.

    1. Re:A Bunny by sjames · · Score: 1, Funny

      Yeah, Jimmy Carter used to think that.

  17. Sony! by Jah-Wren+Ryel · · Score: 1

    Great, so now Sony doesn't have to stop with rooting your PC, they can also root your car. All in the name of copy protection, natch!

    --
    When information is power, privacy is freedom.
    1. Re:Sony! by SuperMonkeyCube · · Score: 1

      Came for 'Sony + root' comments, was not disappointed.

  18. Simple solution by Dee+Ann_1 · · Score: 1

    I drive a car that's over 20 years old. It has no computers in it that could be hacked to do anything more harmful than cause me to have poor gas mileage.
    I could leave the keys laying on the hood in the parking lot of Walmart and no one would bother with it.

    I don't care about luxury, I care about a simple old car that will get me 5 miles a month to the grocery store twice a month.
    I care that it's old and simple enough that I can find someone besides a NASA scientist to work on it if it breaks.

    You want to drive tomorrow's technology? Go for it..
    I'll stick with old faithful that no one wants to bother with. Best of all, it's long since paid for and I'm not in debt to ANYONE for ANYTHING.

    1. Re:Simple solution by c6gunner · · Score: 1

      So, how hard is it to access Slashdot on your Commodore 64?

    2. Re:Simple solution by Anonymous Coward · · Score: 1

      http://jinx.etv.cx/media/contiki-eyecandy-slashdot-contiki.png

    3. Re:Simple solution by Anonymous Coward · · Score: 0

      So can you still find someone who knows how to gap the points (or even knows what it means)?

    4. Re:Simple solution by Anonymous Coward · · Score: 0

      20 year old cars don't have points, 40 year old cars and older do. I still have a tach/dwell meter....;) and a Commodore 64 and 1541 drive (not my main machine though). ;)

  19. Re:Hackers can turn your home computer into a bomb by Anonymous Coward · · Score: 0

    This is exactly why anti-bomb-virus software is paramount!

    Moore's law states that we double the power of process every two years. That means modern processors hold about 12 times the explosive power!

    Back to the abacus and slide rule for me.

  20. More innocuous than a song? by Anonymous Coward · · Score: 0

    Lord Dolza warned us about songs! Breetai should have listened, but he was a fool!

    Music is dangerous! Music and all Micronians must die!

  21. Are car stereos so different now? by unitron · · Score: 1

    What kind of CD player is designed to do anything with what's on the cd other than run it through the D/A converters?

    Even if it's supposed to read CD-ROMs to get map/navigating info, wouldn't it treat it all as data rather than instructions?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

    1. Re:Are car stereos so different now? by DMUTPeregrine · · Score: 1

      MP3 decoders are common in CD players.
      Buffer overflow attacks are just one way to get a system to treat data as executable code.

      --
      Not a sentence!
  22. used to work in Windows by dltaylor · · Score: 2, Interesting

    Microsoft Windows products have been known to scan media streams for executables, either deliberately (for installing gov't keyloggers, for example) or accidentally:

    http://www.iss.net/security_center/reference/vuln/RIFF_Codec_Overflow.htm

    1. Re:used to work in Windows by Anonymous Coward · · Score: 0

      They don't "scan" for executables. This is just some shoddy, insecure code that trusts the input data too much, and accidentally copies executable code included in the media file to places where it doesn't belong or "resumes" execution in places where it shouldn't (i.e. parts of the media file just loaded into memory).
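
The failure mode described in the comment above (a media parser that trusts a length field taken from the file), shown as an added example that is not part of the thread: a RIFF-style chunk reader with the unchecked copy beside a bounds-checked one. The function names, the 64-byte buffer and the sample chunks are constructed for illustration and are not taken from any real player or codec.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_CAP 64 /* assumed size of the player's fixed title buffer */

enum chunk_status { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2 };

/* Constructed sample: tag "INAM", declared size 5, followed by 5 data bytes. */
static const uint8_t GOOD_CHUNK[] = {'I','N','A','M', 5,0,0,0, 'S','o','n','g',0};
/* Constructed sample: the same 5 data bytes, but the header claims 4096. */
static const uint8_t LYING_CHUNK[] = {'I','N','A','M', 0x00,0x10,0,0, 'S','o','n','g',0};

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the comment describes: the size comes straight from the file
 * and is never compared with the destination capacity or with the number of
 * bytes actually available. Kept for contrast; only safe on well-formed input. */
size_t read_chunk_unchecked(const uint8_t *in, uint8_t *out) {
    uint32_t size = rd_le32(in + 4);
    memcpy(out, in + 8, size);
    return size;
}

/* Hardened form: every length is validated before a single byte is copied. */
int read_chunk_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len) {
    if (in == NULL || out == NULL || out_len == NULL || in_len < 8)
        return CHUNK_TRUNCATED;            /* header itself is incomplete */
    uint32_t size = rd_le32(in + 4);
    if ((size_t)size > in_len - 8)
        return CHUNK_TRUNCATED;            /* header claims more than the input holds */
    if ((size_t)size > out_cap)
        return CHUNK_TOO_LARGE;            /* would not fit the destination buffer */
    memcpy(out, in + 8, size);
    *out_len = size;
    return CHUNK_OK;
}

int main(void) {
    uint8_t title[TITLE_CAP];
    size_t n = 0;
    int rc = read_chunk_checked(GOOD_CHUNK, sizeof GOOD_CHUNK, title, sizeof title, &n);
    printf("good chunk:  rc=%d len=%zu\n", rc, n);
    rc = read_chunk_checked(LYING_CHUNK, sizeof LYING_CHUNK, title, sizeof title, &n);
    printf("lying chunk: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```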

  23. Please Do by dmomo · · Score: 3, Funny

    If it will disable bass boomers in my neighborhood.

  24. But Cynics and other realists. by Chas · · Score: 1

    * Cheap
    * Good
    * Fast

    Pick ONE.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:But Cynics and other realists. by amicusNYCL · · Score: 1

      Your customers are getting shafted.

      It's easy enough to build something quickly that works well, but it won't be cheap.
      It's easy enough to build something quickly that doesn't cost a lot, but it won't work well.
      It's easy enough to build something that works well and doesn't cost a lot, but it won't be done quickly.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  25. Re:Hackers can turn your home computer into a bomb by Anonymous Coward · · Score: 0

    I think it's worth disclosing that this is from weekly world news :p

  26. Sounds like my AV receiver by tlhIngan · · Score: 3, Interesting

    After obtaining a service manual for my AV Receiver, firmware updates are done by using a CD player with digital out, and hooking it to the TOSlink input on the front.

    Put it in a special service mode, put a specially burned CD in the CD player, and hit play. The AV receiver grabs the firmware update information off the digital input.

    Presumably there's safeguards to ensure that the firmware is transferred correctly, as well as various sync signals to ensure that if you accidentally seeked at the beginning or the player skipped it would be detected.

    Probably not a simple modulated audio stream since that'll be quite slow.

    1. Re:Sounds like my AV receiver by MacGyver2210 · · Score: 1

      1. Terrible update design. Someone needs to be fired.

      2. Audio streams transmit (via normal CD) at 44.1kbps, with dual channel, for a total of about 88.2kbps. A healthy virus can take less than one kB to get started (about 1/5th of a second of audio)..

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    2. Re:Sounds like my AV receiver by RobbieThe1st · · Score: 1

      Looks like you missed the part about "service mode". Provided you have to physically flip a switch or press a series of buttons, it's perfectly safe - Unless the user decides to update with a virus cd that just -happens- to be signed and encrypted correctly, nothing will happen.
      And, if it's not in service mode, it should just play as bad data.

    3. Re:Sounds like my AV receiver by Anonymous Coward · · Score: 0

      That's a very interesting method of updating. What is the make/model of your AV receiver?

    4. Re:Sounds like my AV receiver by slackito · · Score: 1

      CD quality audio is 44.1 kHz, not kbps. As each audio sample is 16 bits wide, the total bit rate in a CD audio stream is 1411.2kbps (44.1 * 2 channels * 16).

    5. Re:Sounds like my AV receiver by Anonymous Coward · · Score: 0

      1. Remind me to never employ you for any Consumer Electronics design job. This is a rather excellent design, in my opinion, for a device that is from a time before every AV Receiver had Ethernet based internet connectivity or at least a USB port. It's still an excellent design decision for any device that targets non-tech savvy customers and a method to distribute CDs, which is certainly true for audio dealers.

      2. The important point is that it doesn't have to be modulated. It's actually 44.1kHz * 2 bytes/Sample * 2 Channels, about 1.4 Megabits per second. I wouldn't use the 2 or 3 highest value bits of every sample to keep the noise down if the disc is accidentally played on a system that fails to mute non-audio data. Some more will be lost to extensive error correction, and the whole firmware should be repeated multiple times, since the Receiver has no control over the order of the stream.

      3. Lots of cable boxes and satellite receivers get their firmware updates over the air. I can't recall any major problems with this. As a matter of fact, the audio CD via SP/DIF is better, since the user can just press Stop + Play again if something went wrong - the firmware bits responsible should be separate from the regular Firmware (i.e. the Service Mode mentioned above)
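
The receiver-side safeguards discussed in this sub-thread (a service-mode gate, repeated copies of the image, and detection of a skipped or damaged copy), sketched as an added example that is not from the thread or from any vendor's firmware. The frame layout (sync word, 16-bit length, payload, CRC-32), the one-byte-per-sample encoding in the low 8 bits, and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed framing for illustration only, not any vendor's format:
 * SYNC(4) | LEN(2, little-endian) | PAYLOAD(LEN) | CRC32(4, little-endian)
 * Each byte rides in the low 8 bits of one 16-bit PCM sample. */
#define FW_MAX 256 /* assumed capacity of the receiver's staging buffer */
static const uint8_t SYNC[4] = {0xA5, 0x5A, 0xC3, 0x3C};

enum fw_status { FW_NOT_IN_SERVICE_MODE = -1, FW_NO_VALID_FRAME = -2 };

/* Bitwise CRC-32 with the reflected polynomial 0xEDB88320 (zlib/Ethernet). */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint8_t byte_of(int16_t sample) { return (uint8_t)(sample & 0xFF); }

static int sync_at(const int16_t *pcm, size_t i) {
    for (size_t k = 0; k < 4; k++)
        if (byte_of(pcm[i + k]) != SYNC[k]) return 0;
    return 1;
}

/* Sender side, used here only to build constructed test streams.
 * Appends one frame at pcm[pos] and returns the new write position. */
size_t fw_emit(int16_t *pcm, size_t pos, const uint8_t *fw, size_t len) {
    uint8_t frame[2 + FW_MAX];
    if (len == 0 || len > FW_MAX) return pos;
    frame[0] = (uint8_t)(len & 0xFF);
    frame[1] = (uint8_t)(len >> 8);
    memcpy(frame + 2, fw, len);
    uint32_t crc = crc32_calc(frame, 2 + len);
    for (size_t k = 0; k < 4; k++) pcm[pos++] = SYNC[k];
    for (size_t k = 0; k < 2 + len; k++) pcm[pos++] = frame[k];
    for (int k = 0; k < 4; k++) pcm[pos++] = (int16_t)((crc >> (8 * k)) & 0xFF);
    return pos;
}

/* Receiver side. Returns the payload length copied into out, or a negative
 * fw_status. The stream may start anywhere and may contain damaged copies. */
int fw_receive(const int16_t *pcm, size_t n, int service_mode,
               uint8_t *out, size_t out_cap) {
    if (!service_mode) return FW_NOT_IN_SERVICE_MODE; /* normal playback: ignore */
    for (size_t i = 0; i + 10 <= n; i++) {            /* 10 = sync + len + crc */
        if (!sync_at(pcm, i)) continue;
        size_t len = (size_t)byte_of(pcm[i + 4]) | ((size_t)byte_of(pcm[i + 5]) << 8);
        if (len == 0 || len > FW_MAX || len > out_cap) continue; /* bogus length */
        if (n - i < 10 + len) continue;               /* copy cut off by end of stream */
        uint8_t frame[2 + FW_MAX];
        for (size_t k = 0; k < 2 + len; k++) frame[k] = byte_of(pcm[i + 4 + k]);
        uint32_t want = 0;
        for (int k = 3; k >= 0; k--) want = (want << 8) | byte_of(pcm[i + 6 + len + k]);
        if (crc32_calc(frame, 2 + len) != want) continue; /* damaged: wait for next copy */
        memcpy(out, frame + 2, len);
        return (int)len;
    }
    return FW_NO_VALID_FRAME;
}

int main(void) {
    const uint8_t fw[16] = "FIRMWARE-IMAGE!"; /* constructed stand-in for an image */
    int16_t pcm[128];
    uint8_t out[FW_MAX];
    size_t pos = 0;
    for (int copy = 0; copy < 3; copy++) pos = fw_emit(pcm, pos, fw, sizeof fw);
    pcm[10] ^= 0x01; /* simulate a read error inside the first copy */
    printf("normal mode:  %d\n", fw_receive(pcm, pos, 0, out, sizeof out));
    printf("service mode: %d bytes recovered\n", fw_receive(pcm, pos, 1, out, sizeof out));
    return 0;
}
```

The CRC only catches transfer damage; it says nothing about who produced the image, so the signature check mentioned in the reply above would be a separate step before flashing.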

  27. You wouldn't download a car by dutchwhizzman · · Score: 2

    Well, it appears closed source and copyrights have yet gotten me one step closer to being able to do just that.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:You wouldn't download a car by Anonymous Coward · · Score: 0

      Fuck you, I would if I could.

  28. Re:Hackers can turn your home computer into a bomb by Sulphur · · Score: 1

    LOL, funniest part about that story:

    When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade

    And turn into a cloud.

  29. Meh by Anonymous Coward · · Score: 0

    Not really surprised that infotainment software has shoddy quality, but even if you get total control over such an ECU, being able to control anything safety-relevant should be well beyond the scope of that attack vector.

    1. Yes cars usually have various basic settings/adaption channels/codings but they are merely for configuration of some detail and not control. Though some manufacturers obviously are more creative in that department than others.
    2. There is a login mechanism for such functions
    3. Modern safety-relevant features use FlexRay instead of CAN which makes it much harder for one ECU to pretend like it is something else
    4. Being able to remotely flash any ECU is rather hard even if you have full access to the diagnostic bus, as you would need something that resembles a valid flash container. Which is a daunting task just due to the sheer variety of manufacturers/hardware/software/bootloader versions.

  30. Re:Hackers can turn your home computer into a bomb by Mister+Transistor · · Score: 3, Funny

    Would that be Mushroom Cloud computing?

    --
    -- You are in a maze of little, twisty passages, all different... --
  31. Damn, I could have had prior art by Anonymous Coward · · Score: 0

    Once upon a time I came up with the idea of burning CDs called "Extreme Bass Punishment - Can Your Subs Take It?" The content was to be a series of tracks of heavily juiced drums and bass, each one with more low-frequency information than the last. The final track was going to be either a 15 Hz square wave or just a pair of DC rails....couldn't decide. The hope was that it would become an underground fad, spread virally and cause the demise of thousands of car stereos. Nothing like the smell of burnt voice coils in the morning....

  32. You are experiencing a car accident by Anonymous Coward · · Score: 0

    I just want to get from point A to point B. I do not want cellular radios tracking my vehicle's every move nor do I want RF spewing keys tied to push button ignitions.

    It is not possible to purchase a fricking cell phone worth a damned today unless it comes with at least one camera... Tomorrow am I going to go car shopping only to find I can't just buy a car without all of this useless crap I don't need or want and still have to live with the attack vectors and privacy invasion they introduce?

    I went to buy a maglite the other day and was pretty pissed off when I got home and realized if you turn it on and off too quickly it causes it to cycle thru a series of useless modes which dim the light and then strobe and finally flash in an sos pattern...WTF.. I just wanted a goddamn flashlight with an on/off button. So frustrating dealing with useless crap. Transistors, XML and violence sadly have much in common.

  33. Explain by Fizzl · · Score: 2

    ... car's stereo system, giving attackers an entry point to change other components on the car...

    Explain?
    Wtf? This is just silly.

    1. Re:Explain by Anonymous Coward · · Score: 0

      All the components talk over the same tubes. No, it's not silly, it's just cost-efficient and insecure.

    2. Re:Explain by Anonymous Coward · · Score: 0

      My Audi A5's stereo is hooked up to all kinds of things. I can change settings for the power locks, control the behaviour of the power windows, read out the oil level, configure the dashboard instrument cluster, set up the heating/AC, etc all from the central console. I also know from car diag documentation that the same bus that controls these things is connected to the airbag, ABS and power steering electronics... so if you manage to get into my stereo, you potentially have an access point to the rest.

  34. Re:Uh, what? Nonsense! by Anonymous Coward · · Score: 1

    My car - a toyota - has 2 can buses which are isolated. The stereo/satnav sits on one, vital systems sit on the other - never the twain shall meet. Sensationalist reporting as usual...

  35. Namshub for cars by egork · · Score: 1

    http://en.wikipedia.org/wiki/Namcub
    How long does it take before there is a hotkey combination for Emacs? And until it is applicable to humans?

  36. My lyrics and unexpected consequences by Anonymous Coward · · Score: 0

    Looks like someone might see all that junk in my trunk...

  37. Re:Hackers can turn your home computer into a bomb by Tx-0 · · Score: 1

    Sometimes I'd wish it could be true: that would make people think twice before opening email attachments!

  38. Bad design. by Anonymous Coward · · Score: 0

    Due to bad design. Some should not work with engineering.

  39. i'd rather... by bball99 · · Score: 1

    hack a bicycle

    silly cagers

  40. Re:Bad Programmers by maxwell+demon · · Score: 2

    Well, I'd not be surprised that much about audio codec vulnerabilities than about the possibility to use the radio to attack other parts of the car. The radio should be a self-contained unit which apart from speaker cables and power supply has no connection to the rest of the car.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  41. Hmm... by Anonymous Coward · · Score: 0

    This could be a problem for Automan.

  42. Cars are the new assassins? by h00manist · · Score: 1

    Via Bluetooth, CD, or maintenance port in the garage, the car is now a great weapon. What I take away from this is that car accidents are now potentially car "accidents", depending on the position of the victims. National intelligence agencies are in ideal positions to take advantage of things like this, and now are surely all working on it. Gaining actual access to the software maintenance ports on vehicles is not that hard for them. If Gaddafi's car were today to drive off the road suddenly and onto some strip of land covered in mines, nobody would know if it was an accident, the rebels, the driver, or the power steering that did it.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  43. Re:Uh, what? Nonsense! by PseudonymousBraveguy · · Score: 1

    Your car will probably have a lot more than just two busses. It will probably even have ECUs that are connected to more than two busses. However, I'd guess that in theory the network of ECUs and busses will be fully connected, e.g. most systems report data to the dashboard, so that will be a point where many busses will meet. (Not that this would help taking over the bus or safety relevant systems in any relevant way)

  44. Dig those sweet dulcet tones! by funkyjunkman · · Score: 1

    Yeah I love rocking out to the sounds of, what sounds to me like white noise and bursts of random screeching. Just because you COULD run this hack doesn't mean it is in any way plausible.

  45. Makes you wonder... by _0xd0ad · · Score: 1

    Why is everyone so easily convinced that Toyota's problems are "user error"?

    Well, it makes me wonder that, anyway.

    Slightly offtopic, I guess. Oh well.

  46. Re:Bad Programmers by netsharc · · Score: 2

    Unfortunately, that's not the case. Let's see how the radio (or to be exact, the stereo system) can be wired up to other systems:

    - it can be wired to the engine RPM-reader/speedometer to detect approximately how loud the environment will be, and turn its volume accordingly.
    - It might want to display the current song title in the one display available in the car
    - Wheel-mounted Volume/FF/Rewind/Play/Pause/Next/Prev Track controls anyone? And since that'll be a lot of buttons, they might replace it with a general 4-way joystick which does other things as well depending on the current task (car settings, navigation, stereo system)
    - If a phone is attached via Bluetooth, silence/pause the current track when a call comes in/when the user wants to make a call.

    Of course, all dangerous and non-essential extensions to what a car is supposed to do, but all high-end cars have them, because, well, the customer likes features!

    If I were designing a car, the audio codec would get its own CPU, so any exploits would just crash/reboot that mechanism. The only critical output would be the "display song title on screen", but does the CPU that controls the display also control the whole car (alarm system, etc?).

    But then again, cars with navigation systems can talk, and they need another codec to decode the lady's "turn left" ogg file, and if it's "cost-savings!" they're interested in, they'd think, "oh since we already have an audio part here, let's bodge the stereo system into the equation.", and there you go, MP3 decoding being done on the system that controls the central locking.

    --
    What time is it/will be over there? Check with my iPhone app!
  47. Sensationalist title by Anonymous Coward · · Score: 0

    A better one would have been "Hacking a car through its stereo with a specially crafted audio file". We expect accuracy, not sensationalism from you, Slashdot. Please?

  48. so maybe ford wasn't lying to that kid. by steak · · Score: 1

    a few weeks back there was this story of a kid who was told by ford that he had infected his parent's car stereo with a virus by playing a pirated mp3 through his ipod.

    http://www.reddit.com/r/technology/comments/fj04r/reddit_the_dealership_told_me_that_pirated_music/

    apparently there was a kernel of truth in that mechanic's bullsht.

  49. Re:Bad Programmers by darkpixel2k · · Score: 1

    Well, I'd not be surprised that much about audio codec vulnerabilities than about the possibility to use the radio to attack other parts of the car. The radio should be a self-contained unit which apart from speaker cables and power supply has no connection to the rest of the car.

    See--this is why I run Linux^H^H^H^Hconvert all my downloaded music to .wav files. It filters out the viruses from all that high-tech new-fangled high tech MP3 stuff.

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  50. Re:Hackers can turn your home computer into a bomb by Sulphur · · Score: 1

    Would that be Mushroom Cloud computing?

    One more hot number and it goes up like Hiroshima.

  51. Re:Hackers can turn your home computer into a bomb by ZorroXXX · · Score: 1

    What a bizarre article. My first thought was "how old is this article?", because the computer has a 5.25" floppy drive and the screen is quite small, perhaps 13-14". So the computer is from the eighties, but then the article mentions amazon and ebay, so it cannot be that old.

    --
    When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
  52. Perfect by Anonymous Coward · · Score: 0

    giving attackers an entry point to change other components on the car.

    Please check the oil levels....oh and by the way, you could also change the tires...they're a bit used...

  53. For God's sake don't tell the RIAA by Anonymous Coward · · Score: 0

    Next thing you'll know we'll be listening to scrambled tracks and our cars will be driving us to the nearest courthouse to plead guilty to file sharing.

  54. Well I RTFA... by Vegeta99 · · Score: 1

    And I won't be trusting a word of it.

    "In fact, attacks over Bluetooth, the cellular network [...]"

    Shit, I can barely get my headphones to work properly with my phone in my pocket when I'm out jogging. How the hell do I get it to go 25km to the base station?

  55. Re:Hackers can turn your home computer into a bomb by wgoodman · · Score: 1

    Keep in mind the source.

  56. It's actually a Weekly World News article by Penguinisto · · Score: 1
    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  57. Re:Hackers can turn your home computer into a bomb by RockDoctor · · Score: 2

    I was still using a 5¼ floppy well into the '90s, and recently had to re-build a unit with one, to search some "archived" data (yes, I know, which is why the "archiver" was asking me to help him out of a bind). And 14"/640x480 monitors are still functional, if inconveniently small. It makes good sense to continue using them where they are still appropriate, until they die.

    Case in point: the development monkeys recently tested a product release on a 1280x1024 (or thereabouts) screen and passed it for release. On site, we "users" discovered that a critical dialog box was nearly impossible to use on the 640x480 laptop screen used for that server.
    Lesson: be strict that your testing suite really is run on the minimum specification machine for that system, which will normally not be a machine in the development monkey's office.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  58. where's my 8 track by Anonymous Coward · · Score: 0

    iPhone crashes car stereos, Toyota warns
    Dock distress down under
    By Tony Smith

    1st February 2011 12:24 GMT

    Motor maker Toyota has warned Australian car dealers that iOS 4.1 devices can crash certain vehicles' sound systems.

    Toyota made the claim in a "technical newsflash", local car site Drive reports [1]. The warning covers eight types of Fujitsu Ten-made car stereo fitted to Yaris, Corolla, Kluger, Prado, LandCruiser, HiLux and Prius models sold during 2009 and 2010.

    The bug causes the hi-fi system to lock up when an iOS 4.1-based iPhone or iPod is plugged into a dock or cable connected to the stereo's USB interface.

    The crash appears to be total: the unit displays nothing but "load..." on the screen.

    iOS 4.1 was released back in September 2010, but the operating system has been updated several times since then. We're up to 4.2.1 now, and it's not clear whether it too has the same unfortunate effect on Fujitsu Ten's car radios.

    As for ones that have already become locked up, Fujitsu Ten is working on a "field fix" solution, Toyota told its dealers.

    Toyota UK told us there were no known issues of this kind of problem over here.

    http://www.reghardware.com/2011/02/01/toyota_ios_car_hifi_crash_warning/