Slashdot Mirror
Hackers Reveal Nasty New Car Attacks
schwit1 writes "Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV's chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day's experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn't so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems before malicious hackers get under the hoods of unsuspecting drivers."
The mere fact that this has been announced has already started the wrong people working on it. At this point, releasing at Def-Con is the right thing to do, because not only will that patch get fixed, but others will come to similar conclusions and keep an eye out for peers who are going to exploit this. Black hats have family too.
Here's to hot beer, cold women, and Glaswegian kisses for all.
While they're at it - I don't think anyone has really discovered what the deal was with the Accura/Honda remote-control doorlock gadget that thieves were reportedly using to effortlessly break into cars. All the article said was "police are stumped" (duh).
You mean like if there was some embedded computer plugged into the same CANbus as the OBD port, that had a cellular radio on it that was already shown to be vulnerable to attack? One sold on every new car from a certain major manufacturer?
Yeah, in the future, when OnStar exists, there will be serious issues. Wait, was "future" the right word?
The underlying problem is that CANbus was designed by automotive engineers and not network security people.
To enter the Pad Service Mode, perform the following with the vehicle stationary:
1. Place the vehicle in Park and turn the ignition to the ON position.
2. Apply the brake pedal.
3. Turn the ignition OFF, then ON three times and then release the brake pedal. The total time elapsed for the three ignition cycles and brake release must be less than 3 seconds.
That's how you replace the brake pads. If they figured out how to do it through the OBD connector, whooptie do.
I have one of these vehicles. Fly-by-wire regenerative brakes are a little creepy, but supposedly if something goes wrong and you mash the pedal all the way to the floor, there's a hydraulic backup down there somewhere. I haven't had to try it.
Oh, and all this is no different than your holier-than-thou Toyota Prius, so don't blame Ford.
So they had hard-wired physical access to the car's data network and they were able to cause trouble? News at 11! (aka so what?)
So what? So I could bump key my way into your car, trojan one of the devices sitting on your car area network, and cause you to crash and burn on the highway with no meaningful evidence that anything was amiss.
(RIP Michael Hastings)
Honda and Accura nav systems are also apparently hooking into the OBD port. They report codes on the nav screen, can't (or won't) clear them.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Or, even worse "OMG! YOU'RE GONNA HIT SOMETHING! EMERGENCY STOP!" to all the cars you pass.
I had something kinda like that 20 years ago. A microwave transmitter from an automatic door opener sensor. $15. A battery. $1. A switch. $1.
Watching the tail lights light up on all the cars that have just zipped past you on the freeway as the radar detectors in those cars start squawking. Priceless. Passing them as they slow to well below the speed limit. Priceless. Watching them zip past again, slam on brakes again, get passed again. Priceless.
As for me, I'm going to stick to buying cars in which the brake master cylinder is physically depressed by the pedal, and in which the emergency brake lever is physically connected with a mechanical cable....
I drove a rental car the other day with an electronic emergency brake. I've never been more uncomfortable driving a vehicle. Besides having "safety" features that made it really clumsy to drive (you can't release the emergency brake unless your foot is on the brake pedal, for example, which doesn't make any real sense if the vehicle is in a flat parking space, with the transmission in Park), I just can't see myself ever trusting a car in which a computer failure could kill the emergency brake entirely, and in which there's no way to apply more force on the emergency brake in the event of an actual emergency. That design pretty much defeats the whole purpose of having an emergency brake.
Ugh.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The board of directors do not have a requirement to "maximise shareholder value." Most companies could acheive this by liquidating their assets and investing a another company which is doing better.
The board of directors do have a requirement to uphold the company charter. Many charters include wording like "maximise shareholder value" but it is also clear that they intend to do this by providing goods and/or services to people, not by kidnapping college students and selling their kidneys.
Is 1563649 a prime number?
Then you've never heard of the CAN bus, which is in use on every car produced since 1996. You'd have to avoid anything with obvious wireless access, which means no lock/unlock/panic/remote start systems, and likely not even a car radio since many are on the bus as well.
No, ODB-II was mandated on every new car sold in the US starting in 1996. CAN didn't gain mass adoption for quite a while yet (I have a 2001 with out it and just replaced a 2004 not too long ago that didn't have it).
All of the things you listed as not being possible without CAN were also around long before CAN (and well before ODB-II (though entirely unrelated) was mandated).
Even for the cars that are built today, there are still a fair number that do not have any wireless access to the bus (e.g. cars without OnSTAR or the like). I just bought one in fact. The wireless access was his concern and he still has plenty of options to avoid that while still having all the other benefits of a CAN based car.
For the details, see http://www.autosec.org/pubs/cars-usenixsec2011.pdf. (Pretty scary reading. In this case they are also able to disable the brakes and they are also able to engage the brakes on only one of the front wheels for all sorts of "fun"...)
Apparently in their test case, the telematics unit did have access to all 3 speeds of network. That's really goofy since it shouldn't need access to all the networks. Basically CAN buses have 3 speeds of network, a low, medium and high speed network with different types of data on each. TPMS for example is generally low, ABS is normally high speed and your typical error codes and car locks and a lot of the status reporting is on the medium speed. Many ODBII connectors won't connect to multiple of the networks unless you get more expensive units and internally not all components in the vehicle are capable of talking on all of the networks.
AJ Henderson
CANbus is quite old, originally specified back in 1986. It is designed primarily for robustness in a noisy automotive environment. Back then there was no OBD, no internet, no mobile phone network. It's hard to see how the designers could have predicted all that and designed in security based on algorithms that had not been invented at the time.
Security could be added now but it would push up costs a lot. Most CANbus devices are very simple embedded systems, and there are hundreds of them in a modern car.
The problem is that the CANbus and everything attached to it should never have been made externally accessible. Forget physical access, once you have that there is nothing you can really do, it's the systems like OnStar that allow remote access which are the problem.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC