Slashdot Mirror

← Back to Stories (view on slashdot.org)

In Letter To 20 Automakers, Senator Demands Answers On Cybersecurity

Posted by Soulskill on from the no-mr.-bond,-i-expect-you-to-die dept.

chicksdaddy writes "Cyber attacks on 'connected vehicles' are still in the proof of concept stage. But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 major auto manufacturers (PDF) asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles. Markey's letter, dated December 2, cites recent reports of 'commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the breaks,' and references research conducted by Charlie Miller and Chris Valasek (PDF) on the Toyota Prius and Ford Escape. 'Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) ... Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another,' Markey wrote. Among the questions Markey wants answers to: What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points? What are automakers' methods for testing for vulnerabilities in technologies it deploys — including third pressure technologies? Markey asks specifically about tire pressure monitors, bluetooth and other wireless technologies and GPS (like Onstar). What third party penetration testing is conducted on vehicles (and any results)? What intrusion detection features exist for critical components like controller area network (CAN) buses on connected vehicles?"

50 of 80 comments (clear)

  1. Grumpy? by bob_super · · Score: 2, Funny

    There, get your ... campaign contribution... and stop asking questions.
    Just trust us, we know how to build cars and we know how to keep them safe. We're Totally and Extremely Professional and Competent Organizations, you can trust us with stuff that goes boom.

    1. Re:Grumpy? by iiiears · · Score: 3, Informative

      Have you read what researchers have written about the firmware for phones, your television, your router?

      A little poking around Blackhat Convention videos, Bruce Schnier posts and OpenWRT You bet your life it's well worth a few minutes of your time and a letter of support.

        Industry Average: "about 15 - 50 errors per 1000 lines of delivered code. Source www.forbes.com

       

      --
      15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
    2. Re:Grumpy? by bob_super · · Score: 1

      I know this is a scary issue that needs to be properly addressed before I can't by a dummy car anymore (I'm currently 100% immune to remote hacking).

      I also realize that the senator has an election to win in 11 months.

    3. Re:Grumpy? by Austrian+Anarchy · · Score: 1

      I know this is a scary issue that needs to be properly addressed before I can't by a dummy car anymore (I'm currently 100% immune to remote hacking).

      I also realize that the senator has an election to win in 11 months.

      My vehicles are in the same category as yours. When I get that '72 Charger back on the road it might have some fancy stuff throughout the vehicle, but it will not have any go/stop systems that need to phone home for anything. Hopefully the government will stay out of my life enough to keep it that way too.

      --
      Time Bomber the Book coming soon.
    4. Re:Grumpy? by Mspangler · · Score: 2

      I feel your pain. I bought a second-hand truck with On-Star. They were really eager to turn it on for the three month free trial. then I read the Terms of Service. It was of the type "All possible liabilities shall accrue to you, and any possible benefits shall accrue to us."

      It too longer to find the box than it took to pull every connector off of it. Now the terms of service are "You leave me alone and I'll leave you alone." Much more acceptable. Still too much gadgetry on the truck, but at least the remote access connection is no more.

      The truck also randomly locks it's own doors for no reason, though rain falling on the switch was clearly implicated once. I had to pop the door panel and apply the wire cutters to make that nonsense stop. And Off isn't off enough to the radio, which pulls down the battery in about 10 days, so now there is an "I mean off dammit" switch on that too. YO! GM! The truck might be parked for three months at a time! The battery should still be able to start it after that! I'll spot you 1 milliamp to run the clock, and that should be it.

    5. Re:Grumpy? by rogoshen1 · · Score: 1

      i see what you did there, sneakypants.

    6. Re:Grumpy? by drfreak · · Score: 1

      (I'm currently 100% immune to remote hacking)

      100% Immune, eh? Mind that air-gap!

    7. Re:Grumpy? by bob_super · · Score: 1

      No audio input either.
      I've got the least technology available in any car made in the US after 2010.
      Unless you somehow find it a worthwhile challenge to try to reprogram the injection or the gauges by tapping rhythmically on the hood, go and play with my neighbors' easy targets instead.

    8. Re:Grumpy? by semi-extrinsic · · Score: 1

      Out of curiosity, does anyone know how much microwave radiation you have to submit a modern car to before the ECU craps out? I know S-band radar, which is basically what microwave ovens use, can disable an ECU. There are law enforcement agencies using such devices. But I haven't seen any numbers on the mW/cm^2 needed. I do know that brief pulses of 10 mW/cm^2 is the human safety limit for ovens, so it's probably in that ballpark.

      So I'm thinking, with a $50 oven magnetron at 1100 W and a parabolic reflector, it shouldn't be hard nor expensive to drive around in an old pre-ECU car randomly disabling other vehicles. You might even be able to do it at a decent range!

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    9. Re:Grumpy? by AmiMoJo · · Score: 2

      Chances are the On-Star box did more than just contact On-Star. Probably controlled power management for the radio, and allowed remote locking of the vehicle. Since you pulled all the wires out the signals that control those features are now just floating (not connected to anything, subject to any EM interference that comes along) and so appear to randomly malfunction or simply not work at all.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Grumpy? by mcgrew · · Score: 1

      The truck also randomly locks it's own doors for no reason

      My 2002 Chrysler does that, but it's by design -- when the car reaches 15 mph, the doors lock. However, unlike yours, I can easily unlock them.

      I know for a fact I couldn't leave mine for a month, the blinking LED on the dash to show that the alarm is armed alone would drag it down (never mind the actual alarm circuits).

      --
      Free Martian Whores!
  2. Stupid Senator by Ultra64 · · Score: 2, Interesting

    If you don't know the difference between "breaks" and "brakes", will you really understand the answers to your questions?

    1. Re:Stupid Senator by hey! · · Score: 4, Insightful

      Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

      My hat's off to you. You, sir, are obviously a genius.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Stupid Senator by CrimsonAvenger · · Score: 1

      Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

      If either the pol or one of his staff is semi-literate, why should anyone take him seriously?

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    3. Re:Stupid Senator by hey! · · Score: 4, Interesting

      Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

      If either the pol or one of his staff is semi-literate, why should anyone take him seriously?

      Well, that's begging the question. We don't *know* that Senator Markey or anyone on his staff are illiterate; we only know that they aren't as careful with proofreading as they could be.

      That said, I'll attempt to answer your question: because he (or his staff) is raising a serious, important point. That's not enough for you to listen to him? It's not enough that he served thirty years on the House Committee on Communications and Technology either? He (and his staff and the secretarial pool in his office) have to be *infallible* in matters of proofreading before you'll listen?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Stupid Senator by umafuckit · · Score: 1

      If you don't know the difference between "breaks" and "brakes", will you really understand the answers to your questions?

      Why not? Typos, missed auto-corrects, or brain-farts aren't a reflection of one's intelligence. I'm sure the the senator knows how a car stops, despite his spelling mistake.

      --
      soylentnews.org
    5. Re:Stupid Senator by mcgrew · · Score: 1

      Shouldn't these bought dogs be looking to balance the budget?

      The deficit has been falling for years.

      --
      Free Martian Whores!
    6. Re:Stupid Senator by slick7 · · Score: 1

      Shouldn't these bought dogs be looking to balance the budget?

      The deficit has been falling for years.

      So has employment, buying power, intelligence levels compared to other countries. On the rise, unemployment, homelessness, death by war, death by starvation, death by out of control policy enforcers.

      --
      The mind conceives, the body achieves, the spirit manifests.
  3. Government would be wise to fear government by erroneus · · Score: 1, Informative

    After all, there are factions within government and if one doesn't agree with another, you may find yourself the victim of an unfortunate accident. Only a tiny minority of government gets the secret service and paramilitary police protecting them you know.

    Perhaps we are seeing some government players waking up to the reality that even THEY have good reason to fear the government they are participating in.

  4. Awesome by onyxruby · · Score: 3, Insightful

    Out do nothing congress is finally doing something useful. These are the kinds of questions we should be asking before problems start to occur and while there are chances to try to introduce standards. It's like the Toyota sudden acceleration thing, everyone assumed it was careless people until someone did a proper audit and discovered a complete lack of industry best practices that everyone assumed had been in place.

    1. Re:Awesome by sinij · · Score: 1

      It was determined in Toyota's case by low-level code analysis that under some very unlikely conditions ECU would lock up until brake pedal is completely released. Seeing how gear shifter is not mechanical, you can see the car not responding to shifting to N. If it happen to be accelerating at this point - well we know how that story ends.

      A lot of modern cars no longer have mechanical link to transmission. Buy a stick-shift if you want to be completely safe.

  5. Tell him to pound sand by alvinrod · · Score: 2, Insightful

    I'd tell him to pound sand until he can provide some answers about privacy protections and safeguards preventing the government from illegally spying on its citizens.

  6. Re:I hope by tipo159 · · Score: 3, Funny

    Follow the links to the actual letter on Markey's site. It really does say "kill the breaks".

  7. There is no such thing as security by WillAffleckUW · · Score: 1

    Now, here's a spoon.

    --
    -- Tigger warning: This post may contain tiggers! --
  8. How about senators self immolate? by JoeyRox · · Score: 1

    To prove their earnestness about cyber security.

  9. why not pass the buck and make the uses pay by Joe_Dragon · · Score: 1

    why not pass the buck and make the uses pay for the dealer to do the updates and lock out DIY'er and 3rd party shops.

  10. My reply would be by Anonymous Coward · · Score: 1

    Sir, our vehicles are just as secure as healthcare.gov.

  11. Take the NSA route by BringsApples · · Score: 1, Troll

    Just lie. There are no repercussions.

    --
    Politics; n. : A religion whereby man is god.
  12. If only Senator Markey... by Bartles · · Score: 1, Insightful

    ...showed as much interest in the security of Healthcare.gov, we might actually get somewhere. But of course, why worry about the security of a Big Government project, when you have some evil corporations to kick around.

  13. Re:Boston brakes. by ackthpt · · Score: 1

    I like manual brakes.

    If they were good enough for the Flintstones they're good enough for a Senator!

    Yeah, but it takes weeks to build up the callouses necessary for one trip to the quarry and home. You don't see all of Fred's down-time while he grows those callouses back.

    For my money, throwing a rock on a rope out the window is the last word in brake technology.

    --

    A feeling of having made the same mistake before: Deja Foobar
  14. Re:Boston brakes. by LifesABeach · · Score: 1, Flamebait

    Tesla wasn't on the list?! What is the Senator trying to say?

  15. Re:I hope by Anonymous Coward · · Score: 1

    Thanks for fact-checking that. I'm not sure I could drive more than 8 hours or so without breaks, so I'm glad the senator has my interests in mind.

  16. For fucks' sake... by acoustix · · Score: 2

    Stop calling everything computer related "cyber".

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:For fucks' sake... by Virtucon · · Score: 1

      we shall now call it 'e' or 'i'. Wait, we've used those vowels. I suggest "y"

      yAttack..

      yDoit

      I like it.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
  17. Somebody please explain... by c0lo · · Score: 1

    What the (bleep) third pressure technologies are? (car analogies welcomed)

    (don't blame the /. editors on this, one of TFA has used it

    --
    Questions raise, answers kill. Raise questions to stay alive.
    1. Re:Somebody please explain... by philip.paradis · · Score: 1

      Maybe it's an erroneous interpretation of the acronym TPMS, which is supposed to mean tire-pressure monitoring system. Alternately, it might be some new term meant to introduce tire pressure as a third metric for standard monitoring, in addition to oil and brake fluid pressure levels.

      --
      Write failed: Broken pipe
  18. Gimme a brake ! by Taco+Cowboy · · Score: 1

    If the senator thinks that "break" = "brake", we should send him the "Gimme a brake" email to remind him that as a role model (albeit a very crummy one) to the young people, at the very least he should be able to discern "break" from "brake".

    Now ... can someone gimme that senator's email address ?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Gimme a brake ! by Wootery · · Score: 1

      Would've thought the politician would have thought of that, though...

  19. Re:Boston brakes. by pla · · Score: 2

    Tesla wasn't on the list?! What is the Senator trying to say?

    +500 insightful!

    Seriously, a senator wants to know about high-tech exploits, and doesn't ask the single highest tech auto manufacturer in the US today about it? That just screams "Agenda!".

  20. are you an automaker shill? by Gravis+Zero · · Score: 1

    there wasn't a car analogy for healthcare.gov security. i'm guessing someone made a car analogy about his car.

    --
    Anons need not reply. Questions end with a question mark.
  21. Re:I hope by philip.paradis · · Score: 1

    Sure you could. Heck, an astronaut has even proven the technology works great for long road trips.

    --
    Write failed: Broken pipe
  22. Re:Boston brakes. by davester666 · · Score: 1

    Tesla MIGHT be the single highest tech auto manufacturer in the US, but they are insignificant [and will be for years] in terms of cars on the road [past, present and future].

    --
    Sleep your way to a whiter smile...date a dentist!
  23. 2 months is an unofficial industry standard by dutchwhizzman · · Score: 2

    Most car manufacturers dimension their batteries such, that a car parked with a full battery should be able to start after 2 months under normal circumstances. If your car only lasts ten days, either your battery or charging circuit isn't working properly, or you indeed have devices in the car that consume too much electricity in standby mode. If your radio is the culprit, it really needs to be replaced. Fortunately, car stereos follow an industry standard form factor and plugs, so replacing that should be easy. Oh wait, they all stopped using that because they wanted to integrate all the car computers with that thing.....

    You are forgetting that your engine ECU requires power too. They have quite a few dynamic parameters stored in RAM that you really don't want to store in flash because they are updated every few seconds if the engine is running and you need a quick and easy way to erase them. Maybe modern cars would be able to store them in flash, but the older generations didn't have that luxury and would need to relearn their ignition timing and fuel mixture every time you pulled the plug on them.

    --
    I was promised a flying car. Where is my flying car?
  24. Bean Counter Effect by ThatsNotPudding · · Score: 1

    I suspect - just like most industries providing consumer goods - the automotive engineers knew about and pointed out the potential of such vulnerabilities, only to be ignored by their PHBs and their R&D budgets for said issues zeroed-out by the true bosses: Bean Counters.

  25. 20 major car manufacturers? by Virtucon · · Score: 1

    let's see.. According to Forbes... In order of sales here's the largest 11 in the world.

    VW
    Toyota
    Daimler
    Ford
    BMW
    GM
    Nissan
    Honda
    Hyndai
    SAIC (Chinese)

    The top 10 up there represent the major manufacturers that sell cars in the US other than Tesla and Fisker is about dead anyway.. SAIC doesn't sell anything in the US, so really what's the other 8 on his list? Some guy in a garage building kit cars?

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:20 major car manufacturers? by PhloppyPhallus · · Score: 1

      That list omits a few more or less independent automarkers. For US market examples, where are Mazda, Subaru, Mitsubishi, Suzuki and Chrysler?

    2. Re:20 major car manufacturers? by Virtucon · · Score: 1

      Chrysler is now Fiat so they're not independent but I agree that the others aren't listed but again, that list was the top 10 worldwide. I'm thinking the good senator probably didn't realize that Chrysler and Fiat are one in the same (thanks to the current administration) and that Hyundai also owns Kia for example. I imagine there's a lot of duplication in his list. Having worked in software in automotive electronics for a short time awhile back (MSFT AutoPC... don't ask..) I can tell you that vulnerability testing wasn't considered until very late in the game and then the customer decided that it wasn't needed. Of course this was 13 years ago.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
  26. Re:Automakers by Virtucon · · Score: 1

    Electrically heated seats are underrated. Now you can get cooling seats. All the rest, GPS, complicated, vendor-locked in car entertainment, OnStar (which I ripped out of my car) are all wastes of money. It's getting so that you can't find cars (except very small, low-end models) that have hand crank windows.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  27. Silly question... by Dcnjoe60 · · Score: 1

    Among the questions Markey wants answers to: What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?

    Zero, all cars have wireless entry points. They are called windows, doors and vents and probably a few others.

  28. Re:Boston brakes. by mcgrew · · Score: 1

    Uh, guys, the GP AC was making fun of the semiliterate summary: a car's computer system that could cause it to suddenly accelerate, turn or kill the breaks

    What is it with you guys and homophones? If you write code like you write English, no wonder software is so buggy.

    That said, though, don't blame the slashdot editor or submitter -- it was cut and pasted from the fucking article. Remind me that "the security ledger," being run by aliterates who obviously never finished high school, is NOT a good source of information about anything more important than lolcats. That kind of mistake is forgivable in a slashdot comment or summary, but it is certainly unforgivable by a so-called "professional" writer. I would expect a professional to at least have a BA in English, and what kind of institution will give an English degree to someone who doesn't know the difference between brake and break?

    What, are they outsourcing writing, editing, and proofreading now? Or are those professions now obsolete, since nobody reads any more?

    --
    Free Martian Whores!