Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Team Takes On Car Hackers

Posted by samzenpus on from the who's-driving dept.

nk497 writes "Intel has set up a team of McAfee researchers to protect computer systems in cars, hiring Barnaby Jack — the researcher who forced ATMs to spit out cash and cause medical pumps to release lethal doses of insulin. Bruce Snell, a McAfee executive who oversees his company's research on car security, said the car industry was concerned about the potential for cyber attacks because of the frightening repercussions. 'If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening,' he said. 'I don't think people need to panic now. But the future is really scary.' The move comes as Ford and other car makers start to invest in ways to keep car code secure."

14 of 153 comments (clear)

  1. Interesting readings by Anonymous Coward · · Score: 4, Informative

    http://www.autosec.org/publications.html

  2. Boy, does this have the potential for bad by Scareduck · · Score: 5, Insightful

    Don't like the government-mandated shutdown of your vehicle in certain areas (i.e. your self-driving car will refuse certain destinations)? We'll make sure you can't hack the nav system.

    --

    Dog is my co-pilot.

    1. Re:Boy, does this have the potential for bad by Trepidity · · Score: 4, Interesting

      A more likely short-term motivation is that they want exclusive ability to sell expensive repairs and required-for-maintenance devices.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    2. Re:Boy, does this have the potential for bad by Miamicanes · · Score: 4, Informative

      Not to mention the ability to charge for different levels of performance using the same underlying hardware, kind of like ATI & Nvidia do, and Intel was planning to do with their value-priced CPUs.

      Here's an easy way to tell whether they're doing it for "safety", or just to increase their own profits -- if they give copies of the security key to end users, their motives are probably good. If they won't even give the code to mechanics, and force field replacement of expensive parts that could be repaired if the mechanic had the code, then they're doing it for their own benefit. It's just like UEFI. If I have a copy of the key, it's awesome. If the only copy of my key is held by Microsoft or Sony, it's a shameless pwnage of my consumer rights whose physical and political defeat is a moral imperative.

    3. Re:Boy, does this have the potential for bad by CanHasDIY · · Score: 4, Interesting

      Here's an easy way to tell whether they're doing it for "safety", or just to increase their own profits -- if they give copies of the security key to end users, their motives are probably good. If they won't even give the code to mechanics, and force field replacement of expensive parts that could be repaired if the mechanic had the code, then they're doing it for their own benefit.

      Oh, they'll give it to the mechanic's, alright - that is, the one's who work for their dealership.

      Cars have actually been going that way for years, in a shameless attempt to kill of independent shops and shadetree mechanics; the process goes like this:

      - new model of Car X comes out
      - new model requires a special tool for trivial adjustment, i.e. toe adjustment on the steering wheels
      - manufacturer patents the tool, so only they can make/sell it
      - manufacturer refuses to sell the tool to anyone other than one of their own branded shops
      - customers are forced to take Car X to the manufacturer branded dealership to have trivial repair made, at more than double what it would cost for an independent shop to make the same repair

      Source: One of my many trades (one, specifically, that I actually have an education in) is 'auto mechanic.')

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    4. Re:Boy, does this have the potential for bad by orgelspieler · · Score: 4, Funny

      I think this is the first time I've seen anybody do a computer:car analogy in reverse on this forum.

  3. CAN is cool, but... by iamgnat · · Score: 5, Insightful

    I played with having a computer in my car for a few years and it is shocking what you can do once you have access to the CAN bus. I mean it's cool that I can plug a device in and program it so that it will catch the commands from my window switches and have them instead activate my blinkers, but that (theoretically as far as I know) a compromised update to your radio could let it do the same thing is a bad thing and that there is a growing trend for cars to be more connected (e.g. wifi hotspots, etc..) is outright scary.

    Maybe they could start by separating networks for the critical functions and entertainment systems. The only possible access to the critical systems should be by a physical connection. They don't need (bad) software security experts to help solve this problem. They need good network architects. It shouldn't simply be a matter of the engine verifying that the "more gas" command came from the ECU and not the radio. The radio should simply never be able to get a message to the engine without wiring changes.

    1. Re:CAN is cool, but... by vlm · · Score: 3, Informative

      The radio should simply never be able to get a message to the engine without wiring changes.

      My father's decade old SUV talked to the transmission to control radio volume based on road speed.

      The hard part is making a single RW bus read only in the proper direction at all times.

      Thankfully it didn't run windows so there's no virus issue. But radios and engine/transmission computers have been talking for quite awhile.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:CAN is cool, but... by slim · · Score: 4, Interesting

      Not just theoretically -- University of Washington researchers crafted an MP3 that let them at the CAN via the MP3 player: http://www.newscientist.com/blogs/onepercent/2011/03/how-an-mp3-can-be-used-to-hack.html

    3. Re:CAN is cool, but... by enbody · · Score: 3, Insightful

      Maybe they could start by separating networks for the critical functions and entertainment systems.

      Cars used to have multiple busses, but they unified them to save weight to improve fuel efficiency.

      That is, they chose fuel efficiency over security. Remember, right now fuel efficiency will sell more cars than a more nebulous "security" that few can appreciate (until something really bad happens).

  4. I hope it's not band-aid by slim · · Score: 3, Interesting

    McAfee makes me think of AV, and AV makes me think band-aid. Please, please let's not end up with a situation where cars are susceptible to viruses, therefore an AV application scans for viruses. Cars (or at least, the important bits of them) should be secure from the ground up.

    The problem has been that the designers have given computer security no thought *whatsoever*, and applied techniques already well known to security people, too late for some victims.

    For example, the first remote keys were susceptible to replay attacks. Anyone with half a clue about computer security already knew at that time that needed a challenge/response scheme. But keys with challenge/response came later. And keys with sufficiently secure crypto algorithms came later still.

    For example, it's common to have the audio system, the ignition, the satnav, etc. all on the same data bus, with no authentication. From a security point of view, that's a disaster waiting to happen. Researchers have already demonstrated hacking the MP3 player to unlock the doors -- pointing out it's not much of a stretch to having hacked cars unlock themselves and email their GPS location to the attacker.

  5. Stupid stuff again by Compaqt · · Score: 4, Informative

    Why do car companies feel the need to hook their CD players or whatever into the critical systems of the car?

    How about this: Just mount an iPad (or Galaxy) into the console.

    Done.

    But, no, they want to show you the oil level on a touchscreen instead of in front of the steering wheel. Meaning they have to hook it into the engine computer. Giving attackers an in.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Stupid stuff again by slim · · Score: 3, Insightful

      Why do car companies feel the need to hook their CD players or whatever into the critical systems of the car?

      Because it's the cheapest way to provide features that customers want, and competitors will deliver.

  6. Re:A revolutionary idea by slim · · Score: 4, Informative

    Don't make the car computer have a wi-fi antenna.

    There are plenty of other vectors. The keyless ignition system. The remote central locking. The MP3 decoder. The digital radio. With physical access -- direct connection to the bus.