Slashdot Mirror
Intel Team Takes On Car Hackers
nk497 writes "Intel has set up a team of McAfee researchers to protect computer systems in cars, hiring Barnaby Jack — the researcher who forced ATMs to spit out cash and cause medical pumps to release lethal doses of insulin. Bruce Snell, a McAfee executive who oversees his company's research on car security, said the car industry was concerned about the potential for cyber attacks because of the frightening repercussions. 'If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening,' he said. 'I don't think people need to panic now. But the future is really scary.' The move comes as Ford and other car makers start to invest in ways to keep car code secure."
http://www.autosec.org/publications.html
Don't like the government-mandated shutdown of your vehicle in certain areas (i.e. your self-driving car will refuse certain destinations)? We'll make sure you can't hack the nav system.
Dog is my co-pilot.
Sounds like the auto makers are getting tired of individuals being able to change their own cars engine/transmission settings, and or, do fixes that usually require paying the dealer.
Congress mandated an open set of engine/car diagnostic codes due to them not releasing service information some years back. Sounds like they're investigating the possibility of re-imposing something similar via "security" concerns.
"Think of the children that could be put at risk if $evil-auto-hacker isn't protected against!"
I played with having a computer in my car for a few years and it is shocking what you can do once you have access to the CAN bus. I mean it's cool that I can plug a device in and program it so that it will catch the commands from my window switches and have them instead activate my blinkers, but that (theoretically as far as I know) a compromised update to your radio could let it do the same thing is a bad thing and that there is a growing trend for cars to be more connected (e.g. wifi hotspots, etc..) is outright scary.
Maybe they could start by separating networks for the critical functions and entertainment systems. The only possible access to the critical systems should be by a physical connection. They don't need (bad) software security experts to help solve this problem. They need good network architects. It shouldn't simply be a matter of the engine verifying that the "more gas" command came from the ECU and not the radio. The radio should simply never be able to get a message to the engine without wiring changes.
McAfee makes me think of AV, and AV makes me think band-aid. Please, please let's not end up with a situation where cars are susceptible to viruses, therefore an AV application scans for viruses. Cars (or at least, the important bits of them) should be secure from the ground up.
The problem has been that the designers have given computer security no thought *whatsoever*, and applied techniques already well known to security people, too late for some victims.
For example, the first remote keys were susceptible to replay attacks. Anyone with half a clue about computer security already knew at that time that needed a challenge/response scheme. But keys with challenge/response came later. And keys with sufficiently secure crypto algorithms came later still.
For example, it's common to have the audio system, the ignition, the satnav, etc. all on the same data bus, with no authentication. From a security point of view, that's a disaster waiting to happen. Researchers have already demonstrated hacking the MP3 player to unlock the doors -- pointing out it's not much of a stretch to having hacked cars unlock themselves and email their GPS location to the attacker.
Worked on some of the first Microsoft-based car nav radios, a Windows-CE based auto-specific system. MS was in the mode of "Hey, 3rd party apps are a feature!" and the auto companies were like, "Not gonna happen."
Not in the land of Congressional hearings and $100 million recalls. You think Facebook dodging the class action suit in that other thread is a big deal, imagine a lawyer trotting broken or dead bodies before the camera because one of the Big Three didn't properly vette Angry Birds: Cruisin' Down the Highway.
Viruses and malware are just a matter of time.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Needless to say, never connect the critical systems to the internet or to other computers connected to the net. Besides security concerns-- ever since consoles got internet connections/updates, what happened? It started a trend among publishers to have games were no longer tested as rigorously, pushed out the door, and depend on internet updates to fix any issues.
Why do car companies feel the need to hook their CD players or whatever into the critical systems of the car?
How about this: Just mount an iPad (or Galaxy) into the console.
Done.
But, no, they want to show you the oil level on a touchscreen instead of in front of the steering wheel. Meaning they have to hook it into the engine computer. Giving attackers an in.
I'm not a lawyer, but I play one on the Internet. Blog
Don't make the car computer have a wi-fi antenna.
There are plenty of other vectors. The keyless ignition system. The remote central locking. The MP3 decoder. The digital radio. With physical access -- direct connection to the bus.
I am very impressed with a person "who forced ATMs to ... cause medical pumps to release lethal doses of insulin." But why are ATMs and medical pumps connected to each other in the first place?
If you have physical access to the bus, it's already game over. The rest should all be segregated from the car's central computer, either through a one-way filter (aka a firewall) or simply by not being on the same network. There is no reason the radio should be able to start the car or unlock the doors, and for its part the keyless entry shouldn't be able to disengage the brakes or start the radio (but should be able to start the engine or unlock the car). The keyless system presumably has security already, so it shouldn't be a problem anyways.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Really? McAfee researchers? This is the company that crashed millions of their business customers' systems with an untested update. As I write this there are 1000s of home McAfee customers who have lost Internet connectivity because of another untested update. These are the people you want to listen to when it comes to security? Oh Pulease!
Bonus points to the first person that talks their way out of a traffic ticket with the excuse that their car has been hacked.
Having McAfee running anything on your car will, at minimum, will add 3 seconds to your acceration times, and knock 5 mpg off your milage. You will also have to run the A/C more to offset the extra heat load on the CPU. Plus, about every fifth update, it will kill your car so dead, you will have to call AAA for a tow.
McAfee, hmm? I even remember the good ol' days on Win98, when after installing McAfee the darn thing simply refused to boot.
Now you won't be able to turn on your engine, or what?
Well, one could argue that with WIn98, that was the appropriate response.
Faster! Faster! Faster would be better!
Call it the "Ford Paranoia" or the "Chevy Technophobe".
I find your ideas intriguing and would like to subscribe to your newsletter.
Faster! Faster! Faster would be better!