Hackers Reveal Nasty New Car Attacks
schwit1 writes "Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV's chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day's experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn't so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems before malicious hackers get under the hoods of unsuspecting drivers."
"The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry's security problems"
As a security researcher who believes in the spirit of the open release of vulnerabilities, I feel that this is irresponsible behavior on the part of these security researchers. We're not talking about releasing a vulnerability that will compromise someone's e-mail. We're talking about a high-risk vulnerability that could cost some random person their life. These two gentlemen should take a deep breath before releasing this information to the computer industry first rather than the auto industry. The auto industry may not have a tradition of attending these types of conferences, and so by releasing the information at Defcon you're giving the wrong people a head start. Sure, the auto industry already knows about these problems, but you have to try to give them the benefit of the doubt that, when you confront them about the problems, they will try to fix them.
I can appreciate applying anti-tamper and other IA techniques to 'harden' cars, but I hope this doesn't return us to where only 'licensed' repair facilities can work on cars.
OF COURSE if you give real-time access to the OBD-II port, you can have all kinds of shenanigans. So don't do that!
How many people would notice an OBD-II Bluetooth adapter plugged into the port? http://www.amazon.com/Soliport-Bluetooth-OBDII-Diagnostic-Scanner/dp/B004KL0I9I
So if I'm sitting in your car, plugged in to the CAN bus, I can control things on the CAN bus....
Yeppers....
Just like if I have access to your laptop for long enough, I can get whatever is on it. (encryption will slow it down, but like I said, given time and access?)
But you'll probably notice me sitting in your car, plugging a cord into the port before I take the time to crash your car, with me riding in it.....
While this is amusing, I'm not that nervous about "security through not having some donkey plug his laptop in your car with a death wish while you are hurtling down the highway"
Having them use the "open" CAN bus specs, you can add aftermarket devices and not have to take your car to the dealer for any service.
If they fully lock it down, the dealer will be the ONLY place that could work on it. And the ONLY parts you could add to your car.
I am 31337 or something.
While they're at it - I don't think anyone has really discovered what the deal was with the Acura/Honda remote-control door lock gadget that thieves were reportedly using to effortlessly break into cars. All the article said was "police are stumped" (duh).
To enter the Pad Service Mode, perform the following with the vehicle stationary:
1. Place the vehicle in Park and turn the ignition to the ON position.
2. Apply the brake pedal.
3. Turn the ignition OFF, then ON three times and then release the brake pedal. The total time elapsed for the three ignition cycles and brake release must be less than 3 seconds.
That's how you replace the brake pads. If they figured out how to do it through the OBD connector, whooptie do.
I have one of these vehicles. Fly-by-wire regenerative brakes are a little creepy, but supposedly if something goes wrong and you mash the pedal all the way to the floor, there's a hydraulic backup down there somewhere. I haven't had to try it.
Oh, and all this is no different than your holier-than-thou Toyota Prius, so don't blame Ford.
So they had hard-wired physical access to the car's data network and they were able to cause trouble? News at 11! (aka so what?)
So what? So I could bump key my way into your car, trojan one of the devices sitting on your car area network, and cause you to crash and burn on the highway with no meaningful evidence that anything was amiss.
(RIP Michael Hastings)
Are you sure about that? Many head units are hooked into the CAN bus.
So you think. Stock stereo on a recent car? Very possibly untrue.
"We systematically synthesize a set of possible external attack vectors as a function of the attacker's ability to deliver malicious input via particular modalities: indirect physical access, short-range wireless access, and long-range wireless access. ... In each case we find the existence of practically exploitable vulnerabilities that permit arbitrary automotive control without requiring direct physical access." [emphasis in original]
Turns out that car manufacturers have been very naughty. And while radios are sort of on a separate bus from actual automotive controls, there are also (compromisable) devices that sit across buses, so there's not a complete air gap.
In that paper, they were able to obtain control over the car's critical automotive systems using techniques ranging from the OBD port (very old news) to CDs with mal-crafted "audio" files put into the stereo, to Bluetooth connections with the stereo, to cellular connections like those used for OnStar.
... can some one explain it to me with a car analogy?
This is precisely the kind of attack I thought of when they started talking about auto computer security this week. These attack vectors will not be used by hax0rs to make a political statement or spam people's dashboards. They will be used by cartels and spy agencies for targeted assassinations and ransom.
Imagine getting a voice-scrambled message on your phone telling you to transfer $50,000 to this account or your wife's car will go out of control on her way home with the kids this evening. Or a prominent diplomat dies in an unexplained crash, triggered by a chip installed months earlier when the car was in for maintenance. It's exactly the kind of thing they would do on the show Burn Notice, for example.
Can you imagine where the motherfuckers would have hidden the plug had they not been told more or less where it had to go?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Or a reporter (Michael Hastings) whose award-winning work caused Stanley McChrystal's resignation mysteriously dying in a single-car accident with a tree, without skid marks and with the engine winding up 200 feet away...
Or, even worse "OMG! YOU'RE GONNA HIT SOMETHING! EMERGENCY STOP!" to all the cars you pass.
I had something kinda like that 20 years ago. A microwave transmitter from an automatic door opener sensor. $15. A battery. $1. A switch. $1.
Watching the tail lights light up on all the cars that have just zipped past you on the freeway as the radar detectors in those cars start squawking. Priceless. Passing them as they slow to well below the speed limit. Priceless. Watching them zip past again, slam on brakes again, get passed again. Priceless.
If only because their helmsmen are required, by law, to maximise shareholder value. Nothing else. In fact: senior management can be sued if they don't set policy to that effect.
The upshot is that no publicly traded company can really afford a moral or ethical compass. What passes for ethics in companies is usually nothing but well-understood self-interest (as in: avoidance of PR damage and a resulting slump in sales through bad publicity).
Whilst I'm against releasing any kind of software vulnerability before the responsible parties have had a decent chance to fix it, I'm just as skeptical as most regarding the inclination of e.g. car manufacturers to improve security unless there is a massive PR debacle. For massive PR debacle read: a nasty and widely covered crash involving a photogenic celebrity (ugly celebrities won't cut it) and his/her children, that can be traced unequivocally to the lax security of a car's on-board data communication infrastructure.
That's the main thing I can see as getting their attention and lending the issue any kind of urgency, if only because of CYA considerations on the part of top management. The only alternative would (in my view) be compulsory network safety standards for cars.
Yes I can. It would be on the back of the engine and would require a special tool only sold by the dealer to open the door, and would likely require the removal of the starter motor and timing belt/chain to access; for bonus points, someone like Porsche would require removal of the head gasket to reach the port.
Putting it within 2 feet of the driver was smart; it should have had the additional requirement to be within 6 inches of both the radio and climate controls, because if it had, everyone would notice some strange object plugged into the port.
For the details, see http://www.autosec.org/pubs/cars-usenixsec2011.pdf. (Pretty scary reading. In this case they are also able to disable the brakes and they are also able to engage the brakes on only one of the front wheels for all sorts of "fun"...)
Correct. On this type of hybrid vehicle, there is a regenerative braking system.
Under normal driving conditions, while the vehicle is in motion, the motor/generator will be used to retard the vehicle. The brake pedal is connected to an electronic pressure sensor, and also mechanically to a hydraulic master cylinder.
Unlike on conventional vehicles, there is no vacuum powered booster, instead the master cylinder hydraulics are used to operate an electro-hydraulic servo, with electronic override. This way, under emergency braking, you get full hydraulic force applied to the wheel cylinders with minimal pedal effort. The electronic hydraulic control will also apply hydraulic pressure when the vehicle is stationary and the brake pedal depressed, and also periodically applies hydraulic pressure when the vehicle is stopped and the transmission in P (for self-test purposes) and when the vehicle is powered on.
The hydraulic servo mechanism can be disabled in order to permit brake maintenance (this releases hydraulic pressure in the booster and prevents automatic application of pressure to the wheel cylinders), permitting access to maintain the friction surfaces. It appears that this hack merely consisted of transmitting the CAN bus command to put the hydraulic servo system into maintenance mode.
At low speeds, when the electrical regen isn't operative, this will result in the brake pedal travelling further than expected and loss of power assistance. However, with sufficient pedal pressure, it should be possible to slow the car using unboosted pressure.
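The post above reduces the attack to one CAN command that flips the hydraulic servo into maintenance mode, a mode the service procedure only ever enters with the vehicle stationary. As an added example (not from the thread, and not Ford's code or message set), the following check replays candump-style frames and flags a service-mode request seen while the most recent speed broadcast is non-zero; the CAN IDs, payload layouts and log lines are constructed placeholders.

```python
"""Stateful CAN-log check: flag a brake-servo 'service mode' command that
arrives while the vehicle is moving. All IDs/layouts are constructed."""
from dataclasses import dataclass

# Hypothetical identifiers for illustration only; real values are model-specific.
SPEED_ID = 0x201          # bytes 0-1 = speed in 0.01 km/h, big-endian
BRAKE_CTRL_ID = 0x3B0     # byte 0 == 0x01 requests servo service mode
SERVICE_MODE_CMD = 0x01


@dataclass
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_candump(line: str) -> Frame:
    """Parse one candump -L style line: '(ts) iface ID#HEXDATA'."""
    ts_part, _iface, payload = line.split()
    can_id_hex, data_hex = payload.split("#")
    return Frame(float(ts_part.strip("()")), int(can_id_hex, 16), bytes.fromhex(data_hex))


def speed_kmh(frame: Frame) -> float:
    return int.from_bytes(frame.data[:2], "big") / 100.0


def find_unsafe_service_mode(lines, min_speed_kmh=1.0):
    """Return (timestamp, last_speed) for each service-mode command sent while
    the tracked speed is unknown or at/above min_speed_kmh."""
    last_speed = None
    alerts = []
    for line in lines:
        f = parse_candump(line)
        if f.can_id == SPEED_ID and len(f.data) >= 2:
            last_speed = speed_kmh(f)
        elif f.can_id == BRAKE_CTRL_ID and f.data and f.data[0] == SERVICE_MODE_CMD:
            # Legitimate only when stationary; unknown speed is treated as unsafe.
            if last_speed is None or last_speed >= min_speed_kmh:
                alerts.append((f.ts, last_speed))
    return alerts


# Constructed sample log: a stationary service request, then one at 40 km/h.
SAMPLE_LOG = [
    "(1000.000) can0 201#0000",
    "(1000.010) can0 3B0#01",    # legitimate: vehicle stopped
    "(1001.000) can0 201#0FA0",  # 0x0FA0 = 4000 -> 40.00 km/h
    "(1001.020) can0 3B0#01",    # anomalous: vehicle moving
    "(1002.030) can0 3B0#00",    # not a service-mode command
]

if __name__ == "__main__":
    for ts, spd in find_unsafe_service_mode(SAMPLE_LOG):
        print(f"ALERT t={ts}: service-mode command while at {spd} km/h")
```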
It's not a matter of being stronger or weaker, it's a matter of the connection. It'd be reasonable to say that in any sane car design there's a physical connection between the brake pedal and the actual wheels -- but this isn't necessarily the case any more. It's still rare according to Wikipedia, but cars are starting to be produced without it and with systems that have computer-controlled brakes instead. Even without a fully brake-by-wire car, the computer still has significant control over the braking system because of anti-lock brakes.
Compromise the brakes so they don't activate in the first place and it doesn't matter how strong they are.
I have not read TFA yet, will do so later, so my apology if I'm in error, but....
Why the hell are engineers designing, or being allowed to design, a life-critical system like brakes on a car so that the system lacks a direct, non-interruptible physical connection between the driver and the brakes? Any mechanism can fail. Putting electronics between the driver and the brakes increases the number of failure modes as well as the probability of failure. State monitoring, fine. Computed intervention that applies the brakes when the car's AI thinks it's necessary, OK. But selling a car that cannot be stopped when the driver mashes the brake pedal? NFW.
This is simply incompetent engineering. Product liability will attach, as it should.
Meanwhile, I know what to investigate and what not to buy for my next car.