Slashdot Mirror

← Back to Stories (view on slashdot.org)

The World's Most Hackable Cars

Posted by Soulskill on from the cylons-were-created-by-man dept.

ancientribe writes: If you're wondering whether the most tech-loaded vehicles are also the most vulnerable to hackers, there is now research that shows it. Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of security intelligence at IOActive, studied modern auto models and concluded that the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade are the most likely to get hacked. The key is whether their networked features that can communicate outside the vehicle are on the same network as the car's automated physical functions. They also name the least-hackable cars, and will share the details of their new findings next week at Black Hat USA in Las Vegas.

53 comments

  1. Re:Jesus Christ by Anonymous Coward · · Score: 0

    I think your kind belongs on more pedestrian sites like offtopic or tumblr.

  2. Results versus extrapolation by TWX · · Score: 2

    Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact. At the moment the Cherokee, Q50, and then new-model Escalade aren't in much demand for parts, and given that none of them are massively-high-volume sellers it's unlikely that theft-for-parts will ever be a big deal with these models.

    The most stolen vehicles are the Honda Accord, Honda Civic, Toyota Corolla, and the full-sized trucks from American manufacturers. All high-volume, all in-demand for stock parts.

    --
    Do not look into laser with remaining eye.
    1. Re: Results versus extrapolation by Anonymous Coward · · Score: 1

      Don't know where you get your facts but in CA Escalades are one of the most stolen vehicles... I know people that stop owning them just because of this...

    2. Re: Results versus extrapolation by Anonymous Coward · · Score: 0

      It depends upon whether you're counting number stolen versus percentage of existing model stolen.
      The Escalade is high on the list percentage-wise, but there aren't that many of them on the road compared to Honda and Toyota products.

    3. Re: Results versus extrapolation by augahyde · · Score: 2

      Don't know where you get your facts, but you might want to check out the California Highway Patrol's website. In the trucks section of the report, it comes in at #35 with 137 stolen in 2013. Compared to Honda Civics and Accords with ~20,000 thefts, that's nothing.

    4. Re: Results versus extrapolation by TWX · · Score: 1

      I wish that they'd break-down their theft reports based on the platform generation of a vehicle, rather than based on model year, given that interchange usually is smooth between same-platform models across several years. A '94 Integra and an '01 Integra should be lumped-in together, and an '02 Dodge Ram should be lumped in with an '08.

      --
      Do not look into laser with remaining eye.
    5. Re: Results versus extrapolation by augahyde · · Score: 1

      I wish that they'd break-down their theft reports based on the platform generation of a vehicle, rather than based on model year, given that interchange usually is smooth between same-platform models across several years. A '94 Integra and an '01 Integra should be lumped-in together, and an '02 Dodge Ram should be lumped in with an '08.

      You're absolutely right about that. Though people would then want the generational differences annotated. And others would nitpick about what's a significant change. Eh, you can't please 'em all.

    6. Re:Results versus extrapolation by drinkypoo · · Score: 2

      Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact.

      Auto theft is big business. It's often carried out literally, with a car carrier. As such, the hackability of the car is less interesting than you might imagine. They're going to pick up the car and take it away anyay, so that they can pick it apart at their leisure.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Results versus extrapolation by mpe · · Score: 1

      Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact.

      It's possible for a vehicle to be worth more as parts than as a complete vehicle. As well as being less tracable in that form.
      Keeping a vehicle largely intact would probably require it to be given the identity of a scrapped one. So that would also tend to make popular models more likely to be stolen.

    8. Re: Results versus extrapolation by caveqat101 · · Score: 1

      Personally, I'm interested. But like hacking, their are two colors of hats, just like the the possibilities of a car remotely controlled to hurt/kill someone. And so I still wonder why? And where I live the reason someone steals a car, is to go somewhere. They,the crook left them unharmed, he needed a ride. The next was insurance to get a next better ride.

  3. These are not HACKABLE, these are INSECURE by coder111 · · Score: 5, Insightful

    Slashdot of all places should know the difference.

    Hackable- I can install Debian on it and tweak the engine to play mp3s.

    Insecure- Some asshat will ruin your day because the vendor doesn't provide timely patches, or the patches they provide make things worse so you cannot install them, or there is no way to patch things at all, or it's so tedious nobody does it.

    --Coder

    1. Re:These are not HACKABLE, these are INSECURE by Zero__Kelvin · · Score: 2

      Not exactly. If I take advantage of a security hole to add functionality, such as rooting my phone to install a custom ROM, I have hacked it, not cracked it.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:These are not HACKABLE, these are INSECURE by TWX · · Score: 4, Insightful

      We get that you're still upset that the media has managed to take the term "hacker" and turn it into a pejorative, but I don't think that you're ever going to get it back. Probably time to just let it go move on.

      How's educating those new Usenet users since September 1993 going?

      --
      Do not look into laser with remaining eye.
    3. Re:These are not HACKABLE, these are INSECURE by Anonymous Coward · · Score: 1

      Indeed man. Reading the title I thought this was about cars that have the best potential for modding.

    4. Re:These are not HACKABLE, these are INSECURE by Anonymous Coward · · Score: 1

      Doctors don't call plasma "blood" just because it's a common mislabeling.

      We are no more beholden to common misuse of terms by laypersons.

    5. Re:These are not HACKABLE, these are INSECURE by Dutch+Gun · · Score: 4, Insightful

      I saw the article headline and immediately thought "Cool! Someone figured out how to do neat things with the hardware in the car?" I thought maybe even the car companies were cool enough to enable truly extensible functionality with their entertainment systems or whatnot (wouldn't that be something?). However, in this case, "insecure" wouldn't have been enough, since that would probably refer to their physical security.

      I'm not naive - the masses will never use the admittedly ridiculous term "crackers" rather than "hackers" - it just doesn't have the same ring to it. Personally, I love applying the term "script kiddies" to anyone who does harm, even if it doesn't technically apply, since it's rather demeaning. Anyhow, that battle has long since been over. But Slashdot is not a site for the masses. I thought at least "hacking" here was still a term mostly used for clever if sometimes unofficially unauthorized use of one's own hardware in interesting ways. You know, hacking a videogame's cameras or input devices, for instance...

      We're getting old, aren't we? Sigh...

      --
      Irony: Agile development has too much intertia to be abandoned now.
    6. Re:These are not HACKABLE, these are INSECURE by Anonymous Coward · · Score: 0

      The hello world of hacking a connected car should be instructing it to make coffee while being connected to the Internet.

    7. Re:These are not HACKABLE, these are INSECURE by TWX · · Score: 1

      I would expect people with highly advanced degrees in a special discipline to have specific terms for very specific things that they use correctly.

      I don't expect a community slang term to necessarily be used correctly, if the nature of the evolution of slang even allows for a hard and fast definition.

      --
      Do not look into laser with remaining eye.
    8. Re:These are not HACKABLE, these are INSECURE by drinkypoo · · Score: 1

      Not exactly. If I take advantage of a security hole to add functionality, such as rooting my phone to install a custom ROM, I have hacked it, not cracked it.

      Someone else cracked it, so that you could hack it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:These are not HACKABLE, these are INSECURE by mpe · · Score: 1

      Doctors don't call plasma "blood" just because it's a common mislabeling.

      On the other hand plenty appear quite happy to call lipoproteins "cholesterol". Which is more or less exactly the same kind of mislabeling.

    10. Re:These are not HACKABLE, these are INSECURE by Zero__Kelvin · · Score: 1

      You don't know what cracking means.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:These are not HACKABLE, these are INSECURE by xded · · Score: 1

      I guess we will have to find ourselves another term to replace "hack", like we did for the MiB. And we will cringe every time we read it.

    12. Re:These are not HACKABLE, these are INSECURE by Anonymous Coward · · Score: 0

      I wasn't aware car manufacturers had even implemented RFC 2324...

    13. Re:These are not HACKABLE, these are INSECURE by Anonymous Coward · · Score: 0

      Hopefully they'll get around implementing the follow up RFC 7168 before the 24th century.

  4. It's called a security landscape by Zero__Kelvin · · Score: 1

    Yes. I was totally wondering if increasing the vulnerability landscape created more vulnerabilities!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. Oh yes, haxx0rz by Anonymous Coward · · Score: 0

    Cyberboogeymen, now in your car!

    Call me jaded, but anything with this sort of wording gets skipped without remorse.

  6. Correction by tehlinux · · Score: 1

    The 2014 "SRT" Viper

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  7. The Next Step in Remotely Controlling a Car by Fnord666 · · Score: 4, Interesting
    So this is just a basic attack surface analysis of a networked system. According to the article, the researchers are saying that these vehicles are vulnerable because operational components (brakes, etc.) are on the same network as non-operational components (radio, etc.).

    By contrast, the 2014 Jeep Cherokee runs the "cyber physical" features and remote access functions on the same network, Valasek notes. "We can't say for sure we can hack the Jeep and not the Audi, but... the radio can always talk to the brakes," and in the Jeep Cherokee, those two are on the same network, he says.

    This does tie in well with and extend their presentation last year where, given access to the car's network, they were able to manipulate its steering and braking systems. The trick will be to subvert one of the remotely accessible systems and then generate the necessary commands on the network in question using that subverted system. Maybe they are saving that presentation for 2015.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:The Next Step in Remotely Controlling a Car by Anonymous Coward · · Score: 2, Informative

      If by 2015, you mean 2011, then yes. UW and UCSD demonstrated hacking a car via its cellular connection and disabling its brakes, among other things. There's no discussion of taking control of the steering, so maybe the car they worked with didn't have drive-by-wire steering.

    2. Re:The Next Step in Remotely Controlling a Car by ihtoit · · Score: 1

      fucking about with the EMS via a remote exploit and killing the engine hence the power steering is taking control of the steering. Albeit, in a terminal sense.

      Not fun if you're chugging along at 80kph and your Alanis Morissette CD suddenly shoots out and bisects your fifth passenger at the waist.

      Blood is hard to get off a CD.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:The Next Step in Remotely Controlling a Car by Anonymous Coward · · Score: 0

      What kind of inhuman monster are you... you listen to Alanis Morissette CDs?

    4. Re:The Next Step in Remotely Controlling a Car by ihtoit · · Score: 1

      nah I use them to keep the rugrats in line.

      (because it's difficult to steer and polish the shotgun at the same time)

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:The Next Step in Remotely Controlling a Car by Ungrounded+Lightning · · Score: 1

      maybe the car they worked with didn't have drive-by-wire steering.

      Don't need drive-by-wire steering (depending on definition, of course).

      Drive-by-wire steering (my understanding of the usage) would mean that the steering wheel sent messages to the steering gear electronically, rather than being physically connected, as the normal way of steering the car. Interfere with, or take over, these messages and you either disable or override the driver's input. I doubt the automakers are about to do that - especially over a general bus crowded with miscellaneous accessories programmed by other vendors, all chattering away - any time soon.

      However, other features can let the electronics perform steering operations by having the power steering take input from elsewhere - possibly over a general bus - and execute them IF a firm input from the mechanical steering connection doesn't override them. We see that already: with auto-park and lane-tracking features.

      So I'm not sure if we're talking definitions or if "take over the steering" couldn't be demonstrated because a hand on a mechanically-linked wheel trumps a command from a computer.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  8. well by sociocapitalist · · Score: 1

    This concept ought to make things interesting when combined with the trend towards self driving cars - a new meaning for the 'hot wiring' of a car (or truck, whatever) maybe.

    --
    blindly antisocialist = antisocial
  9. VW Beetle by Bing+Tsher+E · · Score: 4, Insightful

    The most hackable car would probably be the VW Beetle. So many cool addons and mods exist. I am talking about the original Beetle, of course, not the rounded-Rabbit.

    Hacking is supposed to be good stuff here, right? Or did something change?

    1. Re:VW Beetle by bmo · · Score: 2

      Hacking is supposed to be good stuff here, right? Or did something change?

      Yes, something changed.

      An Internet media "giant" bought Slashdot. Thus the "media" definition of hack, not ours. Jerks.

      Our definition of hack would relate more to hot-rodding instead of this system-smashing claptrap.

      >vw beetle

      I agree.

      --
      BMO

    2. Re:VW Beetle by Anonymous Coward · · Score: 0

      I thought hacking was what you did when your exhaust powered heater starts to leak.

  10. I have a fully networked car by viperidaenz · · Score: 2

    Doubt its very hackable though

    The keyless entry system is on the body-can network which accepts RF signals.
    The keyless start system is too, which accepts RFID.
    The body-can is connected via a bridge to the fast-can, which carries all the ECU/Transmission/etc data.
    The satnav has a microwave antenna and IR receiver for VICS and is attached to the fast can.

    The important thing is, no diagnostics are done on the CAN bus. It's all done via a K-Line interface on the obd connector.

    Diagnostics should be on a separate physical network.

    1. Re:I have a fully networked car by drinkypoo · · Score: 1

      Your car sounds like my latest car, a 1997 A8. The Radio in mine is the boring old Delta CC, and the RNS units this old don't have any internet connection (the predominant unit in the USA has a CDROM) so there's not much remote hack value there.

      As far as theft goes, however, a device which will read key codes from memory and program a new key is only $100-200. You drop the ignition switch from the column, slap a programmed key blank into the keylock so that its signal is picked up by the immobilizer antenna, and actuate the ignition switch by hand. The newer the vehicle, the more you have to spend on the device which programs the keys, but the procedure is pretty much the same for all vehicles with an immobilizer. For those without, of course, it's even easier.

      On my car, because it's not got RNS, there's no separate gateway module either. The information display in the center of the gauge cluster performs that function. If you can own that, you own the car. If you'd hidden a wifi to OBD-II interface in the vehicle (presumably, along with a wifi to cellular gateway) and connected it to the DLC wires, then you could do anything you liked remotely. But you could much more easily have done something else less likely to be detected in the case of an accident.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: I have a fully networked car by caveqat101 · · Score: 1

      I would not to see at this conference the new paper circuitry miniaturized yet. Did enjoy the articles on paper capacitors and transistors. Maybe ic circuits next. Closer and closer to one time destroyable circuits.

  11. VW Beetle by Anonymous Coward · · Score: 0

    That or a Jeep. There are arguably more mods for a Jeep Wrangler than any other vehicle.

  12. Maybe by jklovanc · · Score: 1

    I think the issue with this article is that it concentrates too much on networks. It assumes that separating features into different networks is less hackable. Then it states this;

    "Each feature of the car is separated on a different network and connected by a gateway,"

    Here are two scenarios;
    1. All systems run on one network. The entry points to the network are very secure and almost impossible to crack. All entry points only allow specific commands to go through. For example the radio portal will not allow a brake command to pass.
    2. All systems run on different networks connected by a gateway. The entry point security is poor and the gateway security is poor. There is no filtering of commands from subsystems.

    Which one do you think is more hackable? If one can get in easily and talk between networks easily it is no different than a poorly secured single network.

    1. Re:Maybe by discomike · · Score: 1

      Well unless you take over the gateway it does indeed do filtering. It does not simply forward packets but decodes the data and repackages it for different networks. The frames that should be forwarded is statically configured, that is which frames (or individual "signals" from a frame) from which bus should go to where. So unless there exists a functionality for the infotainment system to send brake frames to the BCM already. You are left left with exploiting each gateway on the way to gain control.

    2. Re:Maybe by jklovanc · · Score: 1

      How do you know the inner workings of a gateway you have never seen? I agree that such a gateway should be programmed the way you describe but it is possible for a gateway to just forward messages along with no filtering. My point is that filtering can be done at the entry point just as well as the gateway.

    3. Re:Maybe by discomike · · Score: 1

      Ok, slashdot just lost my lengthy reply so I'll do it quick one (OK it got ranty torwards the end).

      Generally the industry follow standards such as MISRA/OSEK/AUTOSAR, these stipulate static configuration, to do that you use automatic tools, for cost reasons(big driving force in automotive) they optimize the frame packaging for each network so you use less memory and can use cheap parts.

      Due to limited bandwidth you have different frame packaging on different networks as well, so in a gatewaying scenario the com-stack will repackage the data, any unexpected frames will be ignored.

      I read the article now and according to it they put the radio on the same bus as the brakes, that's funny. I guess it's a can or flexray bus (I don't think they use ethernet yet) they you could just inject the frames directly (you might have to silence the original node first).

      I look forward to the talk and it will be interesting to see how they defeat (or if they use) features such as signing of data on the bus (used for safety critical stuff).

      If you want to have a look at how a typical automotive RTOS works you can check out an open source (GPLv2) implementation over at: http://www.arccore.com/develop...

      Some last euro-cents: at this level safety under normal and anticipated failure scenarios is considered, security and intentional manipulation is not so much.. if you want to kill someone you can always cut the brake hoses. There is no point in trying to secure the internal buses from intentional attack, and focus should be on separating safety critical stuff and anything with outside connectivity (infotainment system, phone etc). Put them on physically different buses and if they really need to exchange information use a very limited gateway that can be proven to have no exploits and does rate limiting etc as well to prevent DoS attacks and make sure nothing safety critical is dependent on this gatewaying actually working.

    4. Re: Maybe by caveqat101 · · Score: 1

      But cutting a hose leaves a mark, traceable. A paper circuit, a hack, a corrupted code doesn't. Both leave the brakes not working at the "worst/inopportune/correct" time. Get the Jon done, but if the car doesn't burn our mangle enough, there is visable evidence of a crime. Conjecture? Or fact, now provable to the court? But its getting closer.

  13. They also name the least-hackable cars, by The+Grim+Reefer · · Score: 1

    Anything that uses a distributor with points? Hell, anything that has a distributor has a very limited ECM at best, and certainly not one you can access wirelessly, or via a simple port of some kind.

  14. The know nothing about secure. by Anonymous Coward · · Score: 0

    I own the most unhackable car in the world, err wait I mean bicycle.

  15. OBD and Torque Android App by Anonymous Coward · · Score: 0

    If you have an OBD interface, you can have some fun with http://torqueloganalyzer.blogspot.com

  16. I like the Q50 by Anonymous Coward · · Score: 0

    but both other cars are utter heap of trash on four wheels. Go german.

  17. First auto-drive may be auto-car-theft. by Ungrounded+Lightning · · Score: 1

    ... a new meaning for the 'hot wiring ...

    We've already seen:
      - In the wild: A contactless box that opens the doors on parked cars. (Not clear whether this is spoofing the remote-door-unlock keyring fob receiver or getting on to the car's bus to issue unlock commands.)
      - Proof-of-concept demonstrations for getting on the bus by successful attacks on communication stack vulnerabilities in more than one of: Cellphone radio (remote help service), handsfree "car is the headset" bluetooth transceiver, door lock radio, security key-in-ignition detector, entertainment system, tire pressure sensors.
      - Using access to the general bus to issue such commands as unlock doors, start the engine, adjust engine speed, and apply or fail to apply the antilock brakes.
      - Getting a lane tracking / following distance near-autodrive to drive the car (in the same well-marked land) for miles by spoofing its "driver has his hands on the wheel" sensing.
    and so on.

    Seems to me that these could be combined with subverting the auto-park feature to build a full "car steels itself, untouched by human hands" system: Car starts, unparks, enters traffic, drives to a convenient place for the car thieves to take it over, and parks itself, drives into a chop-shop, or onto a carrier vehicle. Initially this might require a chase/lead car to give ongoing control in detail. If this becomes a lucrative criminal enterprise model, perhaps later a plugin to the bus or a malware download might orchestrate the process, even using the GPS navigation to let the car navigate itself from where the user parked it (or the crooks pulled it over and plugged in their device) to the crook's chosen destination.

    It also seems to me that this might be the FIRST general use of autodrive functionality: Auto makers have to worry about laws and risks. Car thieves can simply abandon the car, running in traffic, if anything goes wrong with their system or their situation. This would let them become early adopters.

    The ability to build an intrusion prevention system that plugs into the diagnostic port also hints at other possibilities: Could a similar device interfere with the use of Lojack/OnStar/Link/etc. to track or disable the car?

    Could such a system also be used by the owner OR a thief to disable intrusive surveillance by auto makers, rental agencies, or governments? Could it modify the entries being stored into post-crash black boxes or distance-based road tax systems? Could it disable stored or remote tracking of where the vehicle is or has been? Could it interfere with remote shutdown commands?

    Lots of possibilities here.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way