Intel Team Takes On Car Hackers
nk497 writes "Intel has set up a team of McAfee researchers to protect computer systems in cars, hiring Barnaby Jack — the researcher who forced ATMs to spit out cash and caused medical pumps to release lethal doses of insulin. Bruce Snell, a McAfee executive who oversees his company's research on car security, said the car industry was concerned about the potential for cyber attacks because of the frightening repercussions. 'If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening,' he said. 'I don't think people need to panic now. But the future is really scary.' The move comes as Ford and other car makers start to invest in ways to keep car code secure."
http://www.autosec.org/publications.html
Don't like the government-mandated shutdown of your vehicle in certain areas (i.e. your self-driving car will refuse certain destinations)? We'll make sure you can't hack the nav system.
Dog is my co-pilot.
The car will waste 20% of its engine capacity on keeping the computers running and an eventual update will delete the brakes...
It's almost as if you'd want a system that only ran signed code...
Your car's anti subscription has expired. Without this protection, your car may get viruses and cease to drive. You wouldn't want that, would you? You should pay the $199.99 fee to renew for three years to ensure your car is properly protected.
not let a computer drive your car. They've been doing this for years, and it works pretty well. Problem solved.
Sounds like the auto makers are getting tired of individuals being able to change their own cars engine/transmission settings, and or, do fixes that usually require paying the dealer.
Congress mandated an open set of engine/car diagnostic codes due to them not releasing service information some years back. Sounds like they're investigating the possibility of re-imposing something similar via "security" concerns.
"Think of the children that could be put at risk if $evil-auto-hacker isn't protected against!"
Those that can hack these systems will hold their best exploits until they need them,
want to get famous, or just for the lulz. Nothing has changed, this was a problem from the beginning,
signed code or not (that is a step in the right direction though IMO).
I played with having a computer in my car for a few years and it is shocking what you can do once you have access to the CAN bus. I mean it's cool that I can plug a device in and program it so that it will catch the commands from my window switches and have them instead activate my blinkers, but that (theoretically as far as I know) a compromised update to your radio could let it do the same thing is a bad thing and that there is a growing trend for cars to be more connected (e.g. wifi hotspots, etc.) is outright scary.
Maybe they could start by separating networks for the critical functions and entertainment systems. The only possible access to the critical systems should be by a physical connection. They don't need (bad) software security experts to help solve this problem. They need good network architects. It shouldn't simply be a matter of the engine verifying that the "more gas" command came from the ECU and not the radio. The radio should simply never be able to get a message to the engine without wiring changes.
McAfee makes me think of AV, and AV makes me think band-aid. Please, please let's not end up with a situation where cars are susceptible to viruses, therefore an AV application scans for viruses. Cars (or at least, the important bits of them) should be secure from the ground up.
The problem has been that the designers have given computer security no thought *whatsoever*, and applied techniques already well known to security people, too late for some victims.
For example, the first remote keys were susceptible to replay attacks. Anyone with half a clue about computer security already knew at that time that it needed a challenge/response scheme. But keys with challenge/response came later. And keys with sufficiently secure crypto algorithms came later still.
For example, it's common to have the audio system, the ignition, the satnav, etc. all on the same data bus, with no authentication. From a security point of view, that's a disaster waiting to happen. Researchers have already demonstrated hacking the MP3 player to unlock the doors -- pointing out it's not much of a stretch to having hacked cars unlock themselves and email their GPS location to the attacker.
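The replay point above, as an added example that is not part of the thread: a fixed-code fob (the first-generation scheme) is accepted when its recorded transmission is replayed, while a challenge/response fob keyed with an HMAC over a fresh car-issued nonce rejects the same replay. The codes, keys and message shapes are constructed for illustration and model no real fob protocol.

```python
"""Replay attack against a fixed-code remote key vs. a challenge/response key.
Constructed example: keys, codes and frame formats are illustrative only."""
import hashlib
import hmac
import secrets


class FixedCodeFob:
    """First-generation scheme: every button press transmits the same secret."""
    def __init__(self, code: bytes):
        self._code = code

    def press(self) -> bytes:
        return self._code            # identical every time, so recordable


class FixedCodeCar:
    def __init__(self, code: bytes):
        self._code = code

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)


class ChallengeResponseFob:
    """Fob proves key possession by answering a nonce the car chose."""
    def __init__(self, key: bytes):
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class ChallengeResponseCar:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None         # nonce of the exchange in progress

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh, never reused
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None         # one-shot: the nonce cannot be answered twice
        return hmac.compare_digest(response, expected)


def replay_against_fixed_code() -> bool:
    """Eavesdropper records one press and replays it later: True = car opened."""
    code = b"\x5a\xa5\x3c\xc3"       # constructed fixed code
    fob, car = FixedCodeFob(code), FixedCodeCar(code)
    recorded = fob.press()           # captured over the air during owner's press
    assert car.unlock(recorded)      # the owner's own press works
    return car.unlock(recorded)      # ...and so does the replay


def replay_against_challenge_response() -> bool:
    """Eavesdropper records a full exchange and replays the response: True = opened."""
    key = secrets.token_bytes(32)    # shared secret provisioned at manufacture
    fob, car = ChallengeResponseFob(key), ChallengeResponseCar(key)
    recorded = fob.answer(car.challenge())
    assert car.unlock(recorded)      # legitimate exchange succeeds
    car.challenge()                  # next session: car issues a different nonce
    return car.unlock(recorded)      # old response no longer matches


if __name__ == "__main__":
    print("fixed code replay opens car:", replay_against_fixed_code())
    print("challenge/response replay opens car:", replay_against_challenge_response())
```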
Worked on some of the first Microsoft-based car nav radios, a Windows-CE based auto-specific system. MS was in the mode of "Hey, 3rd party apps are a feature!" and the auto companies were like, "Not gonna happen."
Not in the land of Congressional hearings and $100 million recalls. You think Facebook dodging the class action suit in that other thread is a big deal, imagine a lawyer trotting broken or dead bodies before the camera because one of the Big Three didn't properly vet Angry Birds: Cruisin' Down the Highway.
Viruses and malware are just a matter of time.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Needless to say, never connect the critical systems to the internet or to other computers connected to the net. Besides security concerns-- ever since consoles got internet connections/updates, what happened? It started a trend among publishers to have games that were no longer tested as rigorously, pushed out the door, and depend on internet updates to fix any issues.
Here's a revolutionary way to combat illicit car hacking. It'll blow your mind away.
Ready?
Are you sure?
Don't make the car computer have a wi-fi antenna.
Groundbreaking, isn't it?
Why do car companies feel the need to hook their CD players or whatever into the critical systems of the car?
How about this: Just mount an iPad (or Galaxy) into the console.
Done.
But, no, they want to show you the oil level on a touchscreen instead of in front of the steering wheel. Meaning they have to hook it into the engine computer. Giving attackers an in.
I'm not a lawyer, but I play one on the Internet. Blog
stop the car by crashing it with crap bloated software.
and can only go to the dealer for services so you have no more jiffy lube or any other NON dealer plan to get car work done from the oil change level and up.
The car manufacturers risk being held liable for people stealing their cars through remote exploits. For years now insurance claims have been denied for certain auto theft claims based on the theory that certain types of keys couldn't be replicated. During the interim of course hackers had figured out how to hack the key systems and started stealing the cars without the keys.
Sooner or later the inevitable happened and they got caught on video doing so. I believe there was a story from the UK a few weeks ago about this. Now that the evidence is ironclad the issue has to be acknowledged and Intel is simply targeting a market that is newly available. There is no reason that other companies can't target this same market to provide security services either. To be frank I'm surprised nobody's 'stolen' a car at defcon or black hat yet for one of the demos.
ever since consoles got internet connections/updates, what happened? It started a trend among publishers to have games that were no longer tested as rigorously, pushed out the door, and depend on internet updates to fix any issues.
Most importantly an attempt to eliminate the resale market.
Perhaps in the future you'll have to register and buy annual (or more often) updates for your car from the app store, and you won't be allowed to change the owner of the car, why the heck would you be permitted to do that, are you some kind of car thief?
I'm sorry sir your engine computer hardware is yours, but the software that runs on it is only licensed to the original buyer. You can only buy an engine computer software license with the purchase of a new engine computer. A new engine computer is only $999.95 or you can buy a $125 month two year service contract and get a complimentary new engine computer for free. It's all to protect you from hackers, you see.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
few months back there was an article here about how car computers are ripe for hacking and everyone said the car companies suck for such crappy security
now that they are doing it the car companies suck for locking down their cars
I am very impressed with a person "who forced ATMs to ... cause medical pumps to release lethal doses of insulin." But why are ATMs and medical pumps connected to each other in the first place?
At least when I worked on these, there was one bus for the car systems (brakes, engines etc.) and one for the systems like radio (more about traffic data transmitted as a sideband than a fancy display), DVD players and Net.
McAfee often crashes my computer (it causes a thread deadlock by linking two things never intended to be linked and locks the machine up). So I don't rate McAfee (or other virus vendors) for anything.
Better to have proper security like separate bus data, and secure OS's than some patch thrown on afterwards that pretends to catch things that have infected your machine.
Intel? No, some middle manager in Intel has made a bad choice, he should be sacked.
We need updates "over the air", without operator intervention! It's too inconvenient for owners to have to come into a dealer for updates, that's unreasonable!
And it won't allow us to do the updates as often as we like! We're always fixing bugs, so we need the ability to update the software every 6 hours... sometimes even less! Look at Firefox and Windows - how often do they update? It's an industry standard!
And encryption? That's haaaard! It takes time and effort to implement and it adds no value to the end product. We could better monetize our developer value by having them implement bells and whistles! More features is perceived as better value, making the left automatic window button work differently than the right one is seen as more valuable by the end user! Don't spend time on encryption, it's features all the way!
==============
Force the manufacturers to update once a year or less, this will help make sure that they get it right and only fix things that are needed.
Force the manufacturers to recall the vehicle for an update. Yes, it's inconvenient. Yes, it's necessary. Pro tip: Making it expensive to fix will encourage the manufacturer to get it right the first time.
Force the manufacturers to open the spec on the software, including the update channel. If a hacker can crack it, it's not secure enough.
This is not hard. Other products have figured this out already (for example, printer industry). When it's expensive to fix, it puts pressure on the manufacturer to get it right the first time.
Why would you be loading fishing software onto a car?
So that fiery CHIPS officer and his family in San Diego for whom no human amount of effort could save themselves from terror by electronic FAILUNDER comes down to 'it's not our fault?' someone reprogrammed the blackboxen?
If you have physical access to the bus, it's already game over.
We don't accept that answer for Internet security, so we shouldn't accept that answer for critical control systems networks.
Imagine the heads rolling if reactor control servers had no security from bad devices on their building networks.
McAfee: "Warning! Very serious problem detected! McAfee has been compromised and cannot correct the problem. Please fix now. To upgrade to our more verbose warning messages, please click here now and make your credit card ready."
It's got two things going for it
(a) it's a manual
(b) it's a TVR
(for those that don't get (b), you really have to know what you are doing to start one, look up Top Gear for more info)
So rise up, all ye lost ones, as one, we'll claw the clouds.
Manufacturers standardise on a few engine types nowadays across their entire range, with power profiles being controlled by the ECU. It's common practice to upgrade an engine by "chipping" the ECU to give higher speed, remove artificially imposed maximum speeds, better acceleration and so on - think of it as overclocking your car!
Car makers are using security as a smokescreen to prevent owners from fiddling with those money-making parameters.
OK, I know that cheaper cars will have less effective brakes, less durable transmissions, not so well specified tires; these can be changed when you hot your car up, but the basic improvement in engine power output will no longer be available to the user if security is imposed. You want faster? Give us more money!!!
Stick with a dumb auto. The world is not ready for smart cars.
Is building up viably secure automotive computing platforms part of a push toward a fleet of automated teamsters?
That's the main thing. Devices that are irrelevant to essential system services, like sound systems, climate control, phone and WiFi, should be kept apart from the central processor.
If they need to communicate at all (I would argue no), it should be in one direction only: control signals from the main processor outward, with nothing in the other direction except for hard-wired feedback such as "Yes, I am turned on." By that I mean: they should be separate hardware systems with their own specialized software. Maybe a microcontroller, or some such. But one thing such peripheral systems should NOT be, is simply software subsystems running on the main processor.
The main processor should be limited in its communication/control of such devices. Feedback such as "Bluetooth is turned on" might be useful to some extent, but Bluetooth, WiFi, climate control, etc. should be offloaded from the main processor to subsystems of their own.
That simply eliminates most of the problem, and I know of no good reason they could not be designed that way. Just don't lump everything into a single system and OS. That's a big mistake.
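The one-way separation argued for here and in the earlier "separate networks" post, as an added example that is not part of the thread: a domain gateway between a powertrain segment and an infotainment segment that forwards only a short list of read-only status frames outward, forwards nothing inward, and flags any frame seen on the infotainment side that uses an ID reserved for the powertrain. Segment names, arbitration IDs and frames are constructed for illustration and correspond to no real vehicle.

```python
"""Domain gateway enforcing one-way flow from powertrain to infotainment.
Constructed example: the ID ranges and frames below are illustrative only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

POWERTRAIN = "powertrain"        # brakes, engine, steering
INFOTAINMENT = "infotainment"    # radio, nav, phone, WiFi

# Constructed ID plan: 0x100-0x2FF reserved for powertrain nodes.
POWERTRAIN_ID_RANGE = range(0x100, 0x300)


@dataclass(frozen=True)
class Frame:
    bus: str          # segment the gateway received the frame on
    arb_id: int       # CAN arbitration ID
    data: bytes


@dataclass
class Gateway:
    # Read-only status frames (e.g. speed, oil level) allowed out to the display.
    status_ids: frozenset = field(default_factory=lambda: frozenset({0x1A0, 0x1A1}))
    alerts: List[Frame] = field(default_factory=list)

    def forward(self, frame: Frame) -> Optional[str]:
        """Return the segment the frame is relayed to, or None if it stays put."""
        if frame.bus == POWERTRAIN:
            # Commands never leave the powertrain; only whitelisted status does.
            return INFOTAINMENT if frame.arb_id in self.status_ids else None
        # Nothing from the infotainment side is relayed, whatever ID it claims.
        if frame.arb_id in POWERTRAIN_ID_RANGE:
            # A radio or nav unit has no reason to emit powertrain IDs at all:
            # worth logging as a sign of a compromised or misbehaving node.
            self.alerts.append(frame)
        return None


def run_scenario() -> Tuple[Dict[Tuple[str, int], Optional[str]], int]:
    """Push constructed frames through the gateway; return decisions and alert count."""
    gw = Gateway()
    frames = [
        Frame(POWERTRAIN, 0x1A0, b"\x00\x3c"),     # speed status -> dashboard
        Frame(POWERTRAIN, 0x2F0, b"\x01"),         # brake command, stays local
        Frame(INFOTAINMENT, 0x2F0, b"\x01"),       # radio spoofing the brake ID
        Frame(INFOTAINMENT, 0x1A0, b"\xff\xff"),   # radio spoofing a status ID
        Frame(INFOTAINMENT, 0x6A0, b"\x10"),       # ordinary media frame, ignored
    ]
    decisions = {(f.bus, f.arb_id): gw.forward(f) for f in frames}
    return decisions, len(gw.alerts)


if __name__ == "__main__":
    decisions, alert_count = run_scenario()
    for key, dest in decisions.items():
        print(key, "->", dest)
    print("alerts:", alert_count)
```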
I'll take the hackers, thank you--with them I at least have some chance of purging *their* malware from my computer system.
That is actually true in some cases.
One example is a certain car maker when it comes to making keys for its engine anti-theft system. If you lose eight keys (which might happen if there were multiple owners), you have to buy a new ECM that will be thousands.
Compare that to Ford's where if you lose all keys, you attach a terminal, wait 10 minutes (it has a delay), zero all keys out, add two keys, and one's vehicle is ready to go. Subsequent keys can be added without a programmer very easily.
So, for the added benefit of supposedly better security, one has to go to the dealer for any new keys and pay hundreds for the key, plus a few C-notes depending on how the dealer feels that day.
Old battles are renewed in new arena.
Proprietary interests will deny device owners access to their data with the excuse of protecting public safety.
Proprietary interests will claim that security by obscurity is better than proven network security standards.
Engineering implementers need the wise counsel of those who understand the Law.
http://www.slideshare.net/chaiken/alison-chaikenlibreplanet2012
Needless to say ? It can't be overstated, if you ask me. This is a disaster waiting to happen, grab some popcorn after you secure yourself a 20+ year old car in good shape.
Can I light a sig ?
Strange that they left out biometrics[Ford], which is probably an imminent method of security in the future. WTF McAfee would be taking the lead in that, I don't know.
Forward! -- Emperor Norton, 2012
Really? McAfee researchers? This is the company that crashed millions of their business customers' systems with an untested update. As I write this there are 1000s of home McAfee customers who have lost Internet connectivity because of another untested update. These are the people you want to listen to when it comes to security? Oh Pulease!
and you won't be allowed to change the owner of the car,
That's pretty far fetched; unless all the car manufacturers did this at the same time, the sales for those cars with this 'feature' would drop through the floor since they would have no resale value. If all the car manufacturers *did* do it at the same time it would probably be some sort of cartel issue and illegal.
Much more likely is that you would have to officially update the registration with the manufacturer in order to carry on receiving necessary updates after a change of owner, and to do this you would have to pay a 'reasonable admin fee to cover costs' (as they would put it), which could be quite lucrative for the car manufacturers, but not seriously affect resale values if set at the 'right' level. This way they get a cut of all resales for doing virtually nothing.
I always wondered if this wasn't at least partly done to capture the customer's audio system spending.
Car makers traditionally have been way behind the times in terms of car audio, and even simple upgrades were always really expensive due to the highway robbery prices they charged (since they were nearly always a dealer add-on).
So you bought the base model radio and then went to Best Buy or wherever and bought a better model, speakers, power amp for less money than the car maker wanted.
At first car makers seemed to resist by going double-DIN, but the carmakers fixed that with brackets, double-DIN stereos and other faceplate doodads.
Now with the integration, you can't do squat. My 2007 Volvo S80 uses the stereo for the car's menu system; even the dash stuff would be hard to work around; it's not a typical double-DIN setup. Even the speakers are used as part of the safety systems and backup sensor.
If you really wanted aftermarket audio, I think you'd almost need a completely remote system (maybe controlled by smartphone or some other touchscreen mounted separately like an aftermarket GPS or phone holder). And then there's the whole speaker issue...
McAfee does not equal trust in my book. I have been bitten too many times by either their updates or by what they do not protect against. After that, they are no longer a viable option, ever, and have not been in lots of years. I am actually quite surprised they have not gone belly-up.
Fool me once, shame on you. Fool me twice, shame on me.
http://xkcd.com/463/
Bonus points to the first person that talks their way out of a traffic ticket with the excuse that their car has been hacked.
Having McAfee running anything on your car will, at minimum, add 3 seconds to your acceleration times, and knock 5 mpg off your mileage. You will also have to run the A/C more to offset the extra heat load on the CPU. Plus, about every fifth update, it will kill your car so dead, you will have to call AAA for a tow.
Here's my idea:
Have the car's systems completely separate from the entertainment system.
Do not allow keyless entry via remote (numeric buttons mounted on the door is more acceptable, as long as the system defaults to non-functional until a user-specified code is set)
Do not allow phone apps or whatnot that can unlock your car or trunk. (Wasn't there some sort of signal that used traditional cellphone frequencies and as such was easily accessed?)
Embed failsafes in all systems. (that is, not systems safe from failure, but systems that fail in a safe fashion) or make systems too simple to fail.
In short - do not allow anything external to interact with the car's system. Cars should be hardened like spacecraft in this regard - ensure that the system is tight and as practically free of potential bugs as possible.
As I see it, cars should have a limited number of inputs - accelerator, brake, clutch, shifter, and possibly some sort of sonar sensor on either end to prevent collisions, nothing else should be able to interact with the system outside of taking it to a garage. Manual controls for all key systems - keys and the like.
the highway goes right through there, maybe the GPS is off and showing me on a local road when I was on the main road next to it.
Let's assume ENIAC and 1943 as the start date for modern computing. In nearly 70 years of computing one thing we should all know very well by now is that there is no such thing as secure code. If a user has access to the system it operates on it's inherently insecure.
I am Bennett Haselton! I am Bennett Haselton!
If the idiots who design these systems for cars were even vaguely competent, it will not be possible to hack your car.
DO NOT CONNECT IT TO ANYTHING THAT MAKES IT ACCESSIBLE FROM THE OUTSIDE. I know this is a concept that is very hard to understand nowadays, but it works. IF IT ISN'T CONNECTED, IT CAN'T BE ACCESSED. Sigh.
Most (more than 50%) of current security exploits are artifacts of C and C++. Buffer overruns, bad pointers, double frees, uninitialized pointers, buffer underruns....
Here is an attempt to fix that: http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/manual.pdf?format=raw
..I can attest that automotive managers (even those with a CS degree) don't have the fucking slightest clue of security. I personally have access to a shitload of maintenance data and it is basically open to everybody in the corporate network. If one Chinese intern really wanted our data, he could get all of it in a single night, write it on a harddisk and throw that over the fence at a convenient place. Then they could even body-search him for it. It is known to management and they give a fuck. I doubt they even understand the issue.
..collision detection/avoidance systems. That is because the brake must be "primed" for the fastest possible brake action if the collision detection/avoidance system decides that it has to kick in and pull the brakes really hard.
Now, how do you know that collision avoidance Radar signal processing software cannot be hacked by that Guardrail aircraft (the most powerful ARMY aircraft, yeah ARMY, not airforce) circling 3 miles above ? Or those Mafia thugs in that Cessna or that other black SUV ?
That's great and all but we will still need you to take a day off of work and come down to the station so we can confirm this....
All the non-diagnostic interfaces are of most concern. Think CDs, iPods, wireless tyre pressure, wireless maintenance/emergency, radar distance measurement, maybe even image processing algorithms. Think of hacking a car by projecting a crafted image/video to its vision system (science fiction today, reality in ten years). The RDS system is a 2000 bit/s interface !! Think of "bricking" a whole class of cars in (say) Denver by launching a balloon and transmitting a virus via RDS. Even modest batteries can transmit at 5 kW for ten seconds.
You CAN already wreak havoc by transmitting false RDS messages. Also, funny stuff such as "air raid alarm".
..we would not even know it happened, because I can't see the access logs and the bozos who can will be offended if I demand it from them.
..how do you know the ultrasound distance sensor is not running signal processing software that can be subverted ? A different kind of pulsetrain might contain the malware binary. From that, attack the brakes, which might be linked to the distance sensors (the maker will call it "SafeParking Brake" or similar idiotic name).
At least for Radar collision avoidance, this scenario seems 100% plausible and it will require the full Radar signal processing software to be secure, because an emergency braking action is itself a quite dangerous thing in the "right" circumstances. Even if the brakes are unhackable, they have to trust the radar, if it commands them to engage.
Read the posts about radar and sonar distance measurement. Or those about RDS. Or about over-the-air diagnostics (which is already becoming a reality with ubiquitous wireless data networks).
fine my cost is $40 hr + all parking fees + $0.55 a mile
From a privacy and security aspect, they can start by stopping in-car wifi from broadcasting its SSID and probing unless initiated manually. Same thing with bluetooth. But, the cynic in me thinks that privacy isn't the #1 goal of the people who sell software that analyzes every file you have reports back anything it doesn't like. They sell security for the government, too.
It is downright depressing how familiar this discussion sounds. Like the concerns expressed by management when the internet was just starting to creep into financial services or plant operations or... But when decent security gets compromised over cutting costs on infrastructure and support... After all, it cannot happen to us! And besides, secure in their bonuses and distant from the real world, the PHBs know that even if things did go wrong it won't affect them. Ah, for autodrive limos....
Anybody read Robopocalypse?
It also makes it harder to replace your stock deck with third-party alternatives.
Your third-party stereo may be better and cheaper, but will you install it if it breaks the integrated features (such as audio notifications that are pumped through the stereo system, or other stupid crap that doesn't need integration). If you do install it, then the cost of install goes up because of the complexity, making the overpriced manufacturer supplied/supported units seem like a better choice...
No need for the mileage charge, if you don't show, they'll come give you a ride for free. If you still resist, they'll throw in a few days of free room and board.