Slashdot Mirror

← Back to Stories (view on slashdot.org)

The World's Most Hackable Cars

Posted by Soulskill on from the cylons-were-created-by-man dept.

ancientribe writes: If you're wondering whether the most tech-loaded vehicles are also the most vulnerable to hackers, there is now research that shows it. Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of security intelligence at IOActive, studied modern auto models and concluded that the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade are the most likely to get hacked. The key is whether their networked features that can communicate outside the vehicle are on the same network as the car's automated physical functions. They also name the least-hackable cars, and will share the details of their new findings next week at Black Hat USA in Las Vegas.

12 of 53 comments (clear)

  1. Results versus extrapolation by TWX · · Score: 2

    Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact. At the moment the Cherokee, Q50, and then new-model Escalade aren't in much demand for parts, and given that none of them are massively-high-volume sellers it's unlikely that theft-for-parts will ever be a big deal with these models.

    The most stolen vehicles are the Honda Accord, Honda Civic, Toyota Corolla, and the full-sized trucks from American manufacturers. All high-volume, all in-demand for stock parts.

    --
    Do not look into laser with remaining eye.
    1. Re: Results versus extrapolation by augahyde · · Score: 2

      Don't know where you get your facts, but you might want to check out the California Highway Patrol's website. In the trucks section of the report, it comes in at #35 with 137 stolen in 2013. Compared to Honda Civics and Accords with ~20,000 thefts, that's nothing.

    2. Re:Results versus extrapolation by drinkypoo · · Score: 2

      Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact.

      Auto theft is big business. It's often carried out literally, with a car carrier. As such, the hackability of the car is less interesting than you might imagine. They're going to pick up the car and take it away anyay, so that they can pick it apart at their leisure.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. These are not HACKABLE, these are INSECURE by coder111 · · Score: 5, Insightful

    Slashdot of all places should know the difference.

    Hackable- I can install Debian on it and tweak the engine to play mp3s.

    Insecure- Some asshat will ruin your day because the vendor doesn't provide timely patches, or the patches they provide make things worse so you cannot install them, or there is no way to patch things at all, or it's so tedious nobody does it.

    --Coder

    1. Re:These are not HACKABLE, these are INSECURE by Zero__Kelvin · · Score: 2

      Not exactly. If I take advantage of a security hole to add functionality, such as rooting my phone to install a custom ROM, I have hacked it, not cracked it.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:These are not HACKABLE, these are INSECURE by TWX · · Score: 4, Insightful

      We get that you're still upset that the media has managed to take the term "hacker" and turn it into a pejorative, but I don't think that you're ever going to get it back. Probably time to just let it go move on.

      How's educating those new Usenet users since September 1993 going?

      --
      Do not look into laser with remaining eye.
    3. Re:These are not HACKABLE, these are INSECURE by Dutch+Gun · · Score: 4, Insightful

      I saw the article headline and immediately thought "Cool! Someone figured out how to do neat things with the hardware in the car?" I thought maybe even the car companies were cool enough to enable truly extensible functionality with their entertainment systems or whatnot (wouldn't that be something?). However, in this case, "insecure" wouldn't have been enough, since that would probably refer to their physical security.

      I'm not naive - the masses will never use the admittedly ridiculous term "crackers" rather than "hackers" - it just doesn't have the same ring to it. Personally, I love applying the term "script kiddies" to anyone who does harm, even if it doesn't technically apply, since it's rather demeaning. Anyhow, that battle has long since been over. But Slashdot is not a site for the masses. I thought at least "hacking" here was still a term mostly used for clever if sometimes unofficially unauthorized use of one's own hardware in interesting ways. You know, hacking a videogame's cameras or input devices, for instance...

      We're getting old, aren't we? Sigh...

      --
      Irony: Agile development has too much intertia to be abandoned now.
  3. The Next Step in Remotely Controlling a Car by Fnord666 · · Score: 4, Interesting
    So this is just a basic attack surface analysis of a networked system. According to the article, the researchers are saying that these vehicles are vulnerable because operational components (brakes, etc.) are on the same network as non-operational components (radio, etc.).

    By contrast, the 2014 Jeep Cherokee runs the "cyber physical" features and remote access functions on the same network, Valasek notes. "We can't say for sure we can hack the Jeep and not the Audi, but... the radio can always talk to the brakes," and in the Jeep Cherokee, those two are on the same network, he says.

    This does tie in well with and extend their presentation last year where, given access to the car's network, they were able to manipulate its steering and braking systems. The trick will be to subvert one of the remotely accessible systems and then generate the necessary commands on the network in question using that subverted system. Maybe they are saving that presentation for 2015.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:The Next Step in Remotely Controlling a Car by Anonymous Coward · · Score: 2, Informative

      If by 2015, you mean 2011, then yes. UW and UCSD demonstrated hacking a car via its cellular connection and disabling its brakes, among other things. There's no discussion of taking control of the steering, so maybe the car they worked with didn't have drive-by-wire steering.

  4. VW Beetle by Bing+Tsher+E · · Score: 4, Insightful

    The most hackable car would probably be the VW Beetle. So many cool addons and mods exist. I am talking about the original Beetle, of course, not the rounded-Rabbit.

    Hacking is supposed to be good stuff here, right? Or did something change?

    1. Re:VW Beetle by bmo · · Score: 2

      Hacking is supposed to be good stuff here, right? Or did something change?

      Yes, something changed.

      An Internet media "giant" bought Slashdot. Thus the "media" definition of hack, not ours. Jerks.

      Our definition of hack would relate more to hot-rodding instead of this system-smashing claptrap.

      >vw beetle

      I agree.

      --
      BMO

  5. I have a fully networked car by viperidaenz · · Score: 2

    Doubt its very hackable though

    The keyless entry system is on the body-can network which accepts RF signals.
    The keyless start system is too, which accepts RFID.
    The body-can is connected via a bridge to the fast-can, which carries all the ECU/Transmission/etc data.
    The satnav has a microwave antenna and IR receiver for VICS and is attached to the fast can.

    The important thing is, no diagnostics are done on the CAN bus. It's all done via a K-Line interface on the obd connector.

    Diagnostics should be on a separate physical network.