Slashdot Mirror
Car Hacking Concerns On the Rise
Pat Attack writes "I think most of the people who read Slashdot know that if it has circuitry, it can be hacked. Well, the good folks over at CNN have an article about the potential for your car to be hacked. This article lists the potential damage that could be done, proof of concept work, as well as a few scary scenarios. 'With vehicles taking up to three years to develop, [security strategist Brian Contos] says manufacturers will struggle to keep abreast of rapidly-evolving threats unless they organize regular software updates. Instead, he says, any installed technology should be given a so-called "white list" of permissible activities beyond which any procedures are blocked.' My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe."
Car hacking is bad. Botnets are bad. But what about a botnet of autonomous vehicles?
Imagine owning a botnet of cars you could command to drive anywhere at any time. You could effectively close a highway or a bridge, prevent emergency response teams from getting to a destination, or switch the cars into some kind of "Carmageddon" mode where they target pedestrians.
Yeah, we'd be pretty much fucked if this happened.
There's no -1 for "I don't get it."
My mom reads CNN and is a Luddite. I expect to hear from her today. She'll probably tell me my new car with bluetooth is unsafe.
Assure her it's nonsense and that you even wear a Bluetooth headset.
Then scream, play a recording of Soundwave, and hang up.
Is how these updates will be applied:
1) Automatically via some wireless service. Bad idea. I'd hate to even go there.
2) In authorized service centers. This is scary because, the auto manufacturer will be able to warn us from going to non-authorized dealers, saying it's a security issue on top of a quality issue. We've already ran into these kinds of issues. It's come up before here on Slashdot.
This article is crap. They only quote a CD-based infotainment attack which requires access to the vehicle, and an aftermarket system attack which was poorly engineered. They describe a TPMS DOS attack (RF interference from the sensors) that might make your check tires light come on. Boring.
Right now, if you car doesn't have a RF transceiver, there is nothing to worry about since gaining physical access to the network requires breaking into the vehicle.
If your car does have an RF link (bluetooth, cell phone), you're still relatively OK - infotainment systems as a rule are very segregated from the powertrain networks and usually only linked by a CAN bus that only supports some high level messaging. The Infotainment ECUs do not share the same CAN bus as the powertrain components and there is generally an ECU that acts as a "firewall" such that any DOS-style attacks on the infotainment CAN bus won't affect the other vehicle systems.
I will concede that vehicles with OnStar are a bit more concerning, as I think OnStar has more hooks into the rest of the systems, although I'm not sure how deep. So that is one to worry about...
There have been some attacks demonstrated against the outward facing systems where an attacker can mess with your radio, but the systems are architected such that an attacker needs physical access to the bus to do any real damage to a vehicle.
Here's a good discussion:
http://www.autosec.org/pubs/cars-usenixsec2011.pdf
If I can set the car to drive anywhere I want and disable safety features, isn't that dangerous enough?
So far, those who have insisted their software's security is perfect have a very, very bad track record.
There's no -1 for "I don't get it."