Car Hacking Concerns On the Rise

Pat Attack writes "I think most of the people who read Slashdot know that if it has circuitry, it can be hacked. Well, the good folks over at CNN have an article about the potential for your car to be hacked. This article lists the potential damage that could be done, proof of concept work, as well as a few scary scenarios. 'With vehicles taking up to three years to develop, [security strategist Brian Contos] says manufacturers will struggle to keep abreast of rapidly-evolving threats unless they organize regular software updates. Instead, he says, any installed technology should be given a so-called "white list" of permissible activities beyond which any procedures are blocked.' My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe."

Will be worse with self-driving cars

[MrEricSir]

Car hacking is bad. Botnets are bad. But what about a botnet of autonomous vehicles?

Imagine owning a botnet of cars you could command to drive anywhere at any time. You could effectively close a highway or a bridge, prevent emergency response teams from getting to a destination, or switch the cars into some kind of "Carmageddon" mode where they target pedestrians.

Yeah, we'd be pretty much fucked if this happened.

Re:Will be worse with self-driving cars

[TheRealMindChild]

Just because the software for a system can be compromised doesn't mean that you can make it grow legs and breath fire

Re:Will be worse with self-driving cars

[AarghVark]

It's called a Wall-of-Traffic. I believe it is a 10/5 artifact with Trample. Requires 8 mana of any color to cast.

The solution is #NO CARRIER#

[sunwukong]

My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe.

Assure her it's nonsense and that you even wear a Bluetooth headset.

Then scream, play a recording of Soundwave, and hang up.

Re:My 3rd party ECU is feeling better all the time

[stms]

The best solution is to have a manual overrid (that the computer cannot control) in all cars with self driving capabilities. That way if the driver notices anything funny they can go into manual mode. Of course that defeats the biggest benefit of self-driving cars you can't be sleeping, drunk ect. at the wheel.

A bigger threat

[dmomo]

Is how these updates will be applied:

1) Automatically via some wireless service. Bad idea. I'd hate to even go there.
2) In authorized service centers. This is scary because, the auto manufacturer will be able to warn us from going to non-authorized dealers, saying it's a security issue on top of a quality issue. We've already ran into these kinds of issues. It's come up before here on Slashdot.

Overhyped problem.

[silverhalide]

This article is crap. They only quote a CD-based infotainment attack which requires access to the vehicle, and an aftermarket system attack which was poorly engineered. They describe a TPMS DOS attack (RF interference from the sensors) that might make your check tires light come on. Boring.

Right now, if you car doesn't have a RF transceiver, there is nothing to worry about since gaining physical access to the network requires breaking into the vehicle.

If your car does have an RF link (bluetooth, cell phone), you're still relatively OK - infotainment systems as a rule are very segregated from the powertrain networks and usually only linked by a CAN bus that only supports some high level messaging. The Infotainment ECUs do not share the same CAN bus as the powertrain components and there is generally an ECU that acts as a "firewall" such that any DOS-style attacks on the infotainment CAN bus won't affect the other vehicle systems.

I will concede that vehicles with OnStar are a bit more concerning, as I think OnStar has more hooks into the rest of the systems, although I'm not sure how deep. So that is one to worry about...

There have been some attacks demonstrated against the outward facing systems where an attacker can mess with your radio, but the systems are architected such that an attacker needs physical access to the bus to do any real damage to a vehicle.

Here's a good discussion:
http://www.autosec.org/pubs/cars-usenixsec2011.pdf

Re:Overhyped problem.

[Pentium100]

From what I read, they needed to connect an additional device to the car, which requires physical access. It is stated that the tested car has at least 5 wireless interfaces, but no attempt to take over the car using them was made.

Still, every time I read about something like this, I start liking my 1982 car even more. The only computer in it is the microcontroller of the tape deck. The tape deck is connected to the car only for power, speakers and antenna, so, if the tape deck can be taken over (I doubt it), the worst that the attacker could do is turn off the music.

fearing lame tech is not Luddite

[dltaylor]

The Luddites were workers being displaced by machines.

Regarding all technological "innovation" (which may, or may not, be useful "progress") with suspicion is not Luddite behavior, just sane, healthy skepticism. Being locked into a BMW, unable to lower the windows, provide any powered ventilation, or drive the car (or Ford Explorer, as a recent tester found), is the result of larding cars with cheap electronic gizmos without being required to put them through some really stringent testing. A glitch in your car's MP3 player that only makes it skip some songs is mildly annoying; if the MP3 player happens to be in control of pretty much everything ('cause why pay for more CPUs?) and same glitch causes it to execute some exploit code embedded in the MP3 (DX8 or 9), then you've got an utterly untrustworthy vehicle that should be banned from public thoroughfares. With MS building the stacks for some of these, I wonder how many "snoop your ride (be careful what you say/do when it has an internal microphone/camera)" back doors are in those systems, not to mention (although I will) the OnStar-style snoops.

Thanks, fellow slashdotters!

[anubi]

This thread has been an interesting read. You have reconfirmed my apprehension for newer automotive technologies.

Two of them, ABS braking and fuel injection ( with OBD2 ), I am all for. The rest of 'em though seem to me a design from Rube Goldberg.

Don't get me wrong. I love driving aids, especially GPS, and I love OBD2 that lets me see how the Engine Control Unit is faring.

I am a "control freak". I feel responsible for what my machine does. I want the assurance of a steel rod running from my steering wheel to the rack-and-pinion gearing steering the front tires, and knowing there is no way for anyone to instruct my car to ignore my steering commands. Same with the brakes - hydraulics. And acceleration/fuel for the engine - a cable linkage.

These, I understand, and have an inner feel for when anything is amiss.

"Drive by Wire" scares the hell out of me.

This whole thread gives me comfort knowing that I said the right thing to the repair garage a few months ago when they told me it was going to cost right at one thousand dollars to re-do the entire braking system on my nearly 40 year old toyota, that has hauled me nearly a half a million miles. They advised me it was an old car and not worth all that much. Well, maybe not to them, but I have come to really have a love for the simplicity of that old car. I had them redo the whole shebang - every cylinder, caliper, shoe, and hose. By golly, I consider the brakes the most critical part of the car. If ANYTHING works, the brakes will,

As one of the other posters noted, it is a great fear of mine too that "pranksters" will discover access pathways into a fancy car and wreak havoc by remote control, anonymously, just for the fun of watching the crash. Its the same thing that made "Winnuke" so popular back in the early internet days, when we found out we could send just one malicious packet to someone to give them the blue screen of death. We'd do it for the pure fun of it.

Although I like the new car's interiors, for now I will consider them a "rich man's toy" because they are so expensive to maintain.

As a side note, its not the cost that kills my enthusiasm, rather it is my impression of quality. I believe in getting good value for my money. I have even been spending $15-$20 for flashlights... ( Ultrafire WF-502B's with various P60 LED engine cartridges - and only WF-502B ) because these lights are made to last, and being the owner of a few laptops, I have plenty of the Lithium 18650 cells these lights use. I am hooked on those 18650 cells giving their second life powering things on the cell level ( 3.6 to 4.2 volts per cell ) when the laptop battery pack fails. Meanwhile I have plenty of little dollar-store LED lights, and have retrofitted my old filament-based D-cell flashlights with LED's

Most of the time, newer technology is better, but its not always the case.

Sometimes its just not "done" yet and other times it wasn't such a good idea in the first place but some marketer saw a buck in it.

Well, anyway, that's my take.

Re:Thanks, fellow slashdotters!

[Rick17JJ]

I prefer the basic simplicity of the controls on many of the older vehicles. On my dad's old 1971 Volvo, I did not have to take my eyes off of the road to adjust the defroster, heater, air-conditioner, or radio. I knew where each knob and lever was, without looking, and could easily adjust them by feel.

I still drive a 20 year old pick-up truck which still runs reliably and looks like new. The controls are not as simple as the 1971 Volvo, but they are very simple compared to newer cars. My only criticism is that it has a few too many identical, closely spaced, buttons on the dash.

I do not have a GPS or On-Star. I open the door with a key. It has a 5-speed manual transmission, and I do not have power windows or power locks. The gauges are all analog. I can easily put it or out of 4 wheel drive or low range, by feel and sound, by using the lever on the floor (not buttons). The cruise control can be operated by feel, without looking.

I always wear my seatbelt, and I am not concerned about the lack of air-bags. Living in Arizona, where we do not get very much rain or snow, I am not concerned about the lack of ABS.

The AM/FM radio was unnecessarily complicated to operate while driving, so when it quit working about 15 years ago, I did not bother having it fixed. I preferred how, the radios in my two previous cars both had the far simpler old fashioned setup of just two large knobs and 5 push buttons. There was one push button for each of my favorite stations.

I have never owned a car with an automatic transmission and prefer having a stick shift. When driving an automatic, it bothers me, not having anything for my right arm and left foot to do when accelerating. It also makes driving boring when you can just press the gas peddle and the car or truck just goes.

Having just a large floor mat instead of carpeting is an advantage in the truck, because I can easily wipe away muddy footprints, with a damp cloth.

I hope to keep driving my simple old truck for many more years.

Re:I am not so worried about hacking

[biodata]

This. I have a friend in his mid 20s who has never driven a car without voice GPS, has never navigated in a car using only road signs and/or physical map, and wouldn't feel confident to drive anywhere he has never been before unless the GPS is working. I was shocked when he admitted this. It seems that giving control of something so fundamental as knowing where you are going over to something as inherently unreliable as a computer is dangerous, and I think the same is true of the vital mechanical functions of a car such as acceleration, deceleration and steering.

Re:eh... where is the logic?

[jc42]

Where is the logic in an automotive manufacture making the braking or acceleration functions remotely controlled? ...

Actually, the logic is quite simple, from a manufacturer's viewpoint. In much of the world, including the US, it's illegal (for about the past half century, depending on country) to make the mechanical parts a "black box" that can only be repaired by manufacturer-approved mechanics. But those laws don't apply to computerized equipment. So anything that can be computerized becomes a part that you must take to the dealer's shop for repairs. They'll tell you what's wrong, and how much you'll have to pay to get your car back in a usable condition. This means huge profits for the authorized dealers.

In another decade or so, new cars will be completely computer-controlled, independent auto mechanics will be out of business, and you'll be paying a lot more to keep your car running than you do now.

Check back in 10 years to see how much of a prophet I am. ;-)

(Actually, this isn't my prophecy at all. Lots of others have predicted the same thing. The auto makers aren't trying to deny it.)

Driving it is dangerous enough

[MrEricSir]

If I can set the car to drive anywhere I want and disable safety features, isn't that dangerous enough?

So far, those who have insisted their software's security is perfect have a very, very bad track record.

Re:eh... where is the logic?

[Pentium100]

And the dealers rip you off.

A 2003 Nissan Primera P12 (not mine) turned on the "check engine" light. As I am only familiar with my 1982 car (which is much different from the Nissan, there is no "check engine" light for one), the car was taken to the dealer. The dealer said that the timing chain is stretched (a common problem for these cars) and that it is cheaper to replace the whole engine. The cost: ~1500EUR. However, instead of paying it, we took the car to the mechanic that repairs the engine on my car when something breaks or the carburetor needs tuning or valves need adjustment. He found out that the crankshaft position sensor was broken, not the chain. Repair cost: ~180EUR, 150 of which was the cost of the sensor. Oh, and we had to pay 170EUR to the dealer for the diagnostic (which was wrong).

On the other hand, any mechanic who know how a carburetor works can repair my car, because most of the time problems will be simple - something bent, broken or worn out.

Re:Security versus features...

[viperidaenz]

I hope you replaced the reflectors in your headlights when you put in HID bulbs.