Least Secure Cars Revealed At Black Hat
Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).
my apologies to the drivers. i thought it was them.
Because if it starts at all it may very well catch on fire.
Bullshit.
They might be on the same network, but that doesn't mean they can talk to each other.
We've been here before. Two days ago.
Are we to stop driving and start using the bicycle?
They did not hack anything, this is just speculation based on documentation. BlackHat used to offer more serious stuff.
That was an article saying they will share their findings at Black Hat
This is one about their findings they shared at Black Hat
that's right. http://bit.ly/1qOrXX0
pure speculation, http://bit.ly/1qOrXX0
I work in the automotive after market (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.
That is primarily because the German cars use what we call a "Can Gateway" but is better thought of as a firewall. Every different system in the car has its own private canbus. Anything that needs to travel between the busses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those busses.
Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).
Doing those things requires access to the can wires, but the bus is used for so much nowadays, there's always plenty of places to access it. Many of them without requiring keys or an open hood.
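The gateway behaviour described in the comment above, as an added example that is not part of the original post or any manufacturer's code: a default-deny forwarding policy that passes a frame between buses only when its ID is expected from that bus and its length and payload are well formed. Bus names, CAN IDs and payload layouts are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit identifier
    data: bytes   # 0 to 8 payload bytes

# Constructed policy: bus names, IDs and layouts are hypothetical.
# (arrival bus, CAN ID) -> (destination bus, exact length, payload check)
POLICY = {
    # vehicle speed in 0.1 km/h, used by the head unit for speed-dependent volume
    ("powertrain", 0x1A0): ("infotainment", 2,
                            lambda d: int.from_bytes(d, "big") <= 3000),
    # cabin temperature setpoint in 0.5 degC steps (16 to 30 degC)
    ("infotainment", 0x3C0): ("body", 1, lambda d: 32 <= d[0] <= 60),
}

def route(src_bus, frame):
    """Return (destination bus, "forward") or (None, reason). Default is deny."""
    if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
        return None, "malformed"
    rule = POLICY.get((src_bus, frame.can_id))
    if rule is None:
        return None, "id not allowed from this bus"
    dst_bus, length, payload_ok = rule
    if len(frame.data) != length:
        return None, "bad length"
    if not payload_ok(frame.data):
        return None, "bad payload"
    return dst_bus, "forward"

def demo():
    # Constructed traffic; 0x2F0 stands in for a body-control command ID.
    traffic = [
        ("powertrain", Frame(0x1A0, (1234).to_bytes(2, "big"))),  # 123.4 km/h
        ("infotainment", Frame(0x2F0, b"\x01")),        # body command from the head unit
        ("infotainment", Frame(0x1A0, b"\x00\x10")),    # speed ID from the wrong bus
        ("powertrain", Frame(0x1A0, b"\x00\x10\x00")),  # wrong length
        ("infotainment", Frame(0x3C0, b"\xff")),        # setpoint out of range
        ("infotainment", Frame(0x3C0, b"\x2c")),        # 22 degC, allowed
    ]
    return [route(bus, frame) for bus, frame in traffic]

if __name__ == "__main__":
    for result in demo():
        print(result)
```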
Well, the criminal then gets to pay for the damage he caused to the car.
If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated. It does not matter that that something is not worth tens of thousands of dollars - it's still my money and my item.
Now, whether it is worth to the public - yes, most likely. While I would probably be OK with the government buying me an identical car after the cops refuse to recover the stolen one, the number of car thefts would increase. After all, if you steal a car that's cheap enough, the police won't chase you, so you get a free car.
Next time the brakes fail on my 93 Ford Escort Wagon, I'll rest easy in the knowledge that it was a simple mechanical failure and not hacked!
#DeleteChrome
Simply letting him get away would be horrible, because of the prevention aspect. If that were standard practice on the part of the cops, then the rate of car theft would certainly go way up.
But there is another possibility besides letting him go and flying off in a risky high speed chase. There's this old-school police technique called a 'tail' where you follow at a distance and let the target think he's getting away (while of course using your radio to get ahead of him.) Much less chance of injury or death that way. Too old-school for US cops these days, but in some backwards jurisdictions it might still be used.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I bought a 99 Volvo S80 and it has the fancy auto dimming rear view mirror. The car was used so of course expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.
Only the State obtains its revenue by coercion. - Murray Rothbard
The brakes are controllable on cars with collision avoidance.
Only the State obtains its revenue by coercion. - Murray Rothbard
I can't understand it either. If they are accusing so many car makes of having vulnerabilities, they should have been able to get access to at least one to formulate an actual attack. If everything on the same network was considered vulnerable by default - the Internet would be vulnerable.
@_jeff_nelson +jeffnelsonjeffnelson
I guess the wrangler didn't make the list, but it can hardly count as hacking when the hood doesn't even lock closed.
Well, we all like to whack off, don't we? Oh, I'm sorry, what was the question? Do our little automakers need some more free press? If the damn computer is more reliable than good old mechanics, then stick with the black boxes and hope for the best. We're just rolling the dice (get it?) anyway.
“He’s not deformed, he’s just drunk!”
Yep, there's not too many cars that can outrun a Motorola...
“He’s not deformed, he’s just drunk!”
considering most car thefts are committed by a very small number of people, anytime one of those little buggers gets tossed in the clink, we're all better off.
> .. German cars use what we call a "Can Gateway" but is better thought of as a firewall. Every different system in the car has its own private canbus. Anything that needs to travel between the busses has to go through the gateway.
A separate CAN(N)BUS for each system? But the original POINT of the bus was to replace the expensive, custom, wiring harness - a bundle of special-purpose wires as thick as your wrist - with a power line and a pair of signal wires. One big party line with everything talking on it. Now you're bringing back the harness AND adding an extra box.
(The above is only half facetious.)
> Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).
Which, of course, is the downside of the system.
An alternative to restoring the bundle is for each user of the "big party line" to "recognize the voice" of those who can give it instructions - and have a list of what instructions each can give it. I won't go into details, but there is ample room for design here. An interloper would be reduced to trying to "mimic the voice" of a talker with enough authority to command the action, or DOSing by "shouting over" legitimate commands.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
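One way to make the "recognize the voice" idea above concrete, as an added example that is not part of the original post: the receiver keeps a key and a permitted-command list per talker, and accepts a frame only if its truncated HMAC verifies, its counter is fresh and the command is on that talker's list. The IDs, keys, command codes and the 1+3+4 byte payload layout are assumptions, and the sketch does not address the "shouting over" case.

```python
import hashlib
import hmac

MAC_LEN = 4  # truncated tag so cmd + counter + tag fit an 8-byte classic CAN payload

def build(key, can_id, cmd, counter):
    """Sender side: payload = cmd(1) | counter(3) | truncated HMAC-SHA256(4)."""
    body = bytes([cmd]) + counter.to_bytes(3, "big")
    tag = hmac.new(key, can_id.to_bytes(2, "big") + body, hashlib.sha256).digest()
    return body + tag[:MAC_LEN]

class Receiver:
    def __init__(self, talkers):
        # talkers: can_id -> (shared key, set of commands that talker may issue)
        self.talkers = talkers
        self.last_counter = {can_id: -1 for can_id in talkers}

    def accept(self, can_id, payload):
        if can_id not in self.talkers or len(payload) != 4 + MAC_LEN:
            return "reject: unknown talker or bad length"
        key, allowed = self.talkers[can_id]
        body, tag = payload[:4], payload[4:]
        expected = hmac.new(key, can_id.to_bytes(2, "big") + body,
                            hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        counter = int.from_bytes(body[1:], "big")
        if counter <= self.last_counter[can_id]:
            return "reject: replay"
        if body[0] not in allowed:
            return "reject: command not permitted for this talker"
        self.last_counter[can_id] = counter
        return "accept"

def demo():
    # Constructed IDs, keys and command codes; none come from a real vehicle.
    bcm_key, hvac_key = b"k" * 16, b"h" * 16
    lock, unlock = 0x01, 0x02
    door = Receiver({0x210: (bcm_key, {lock, unlock}), 0x330: (hvac_key, set())})
    first = build(bcm_key, 0x210, unlock, 1)
    return [
        door.accept(0x210, first),                               # genuine frame
        door.accept(0x210, first),                               # same frame seen again
        door.accept(0x210, build(b"x" * 16, 0x210, unlock, 2)),  # tag made without the key
        door.accept(0x330, build(hvac_key, 0x330, unlock, 1)),   # known talker, no authority
    ]
```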
> Well, the criminal then gets to pay for the damage he caused to the car.
Awww, it's so cute you think rich people are stealing old Astras.
> If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated.
This is what we call "Insurance".
In Australia people are taking to stealing keys as immobilisers have become so common and effective it's easier to break into a house and flog the keys before taking the car. I don't really care that much if they do this and steal my 14 yr old Nissan... It's insured for $13,500. Sure it would be a shame as it's a mint condition Silvia S15 but in the end it's a car I have properly insured.*
If you don't have your car insured, that's your problem. As for getting it back, well considering the kind of people who steal cars I'm not sure I'd want that either (the first thing Police do on recovered cars is a sharps check, a check for used needles. Insurers will do the same to make sure the cops didn't miss any).
* I drive a manual, these days that's enough to stop most thieves in their tracks.
Calling someone a "hater" only means you can not rationally rebut their argument.
Thieves, like the majority of the motoring public, generally have limited, if any experience driving a standard transmission. The stick has become the Linux of transmissions.
According to the article, and that number seems about right, only about 10% of cars are sold with a stick.
I needed to transport my 1997 Camaro across town after an emergency surgery that coincided with a move. I had a hell of a time finding someone who could both drive a stick and was willing to drive the car. Most who sit in it are freaked out that your front vision ends at the windshield and you simply cannot see the hood at all. That seems to make most people a bit squeamish about driving it.
On the plus side, no one EVER asks to borrow my car.
Donald Trump, on a crusade to make Nixon look respectable
http://www.huffingtonpost.com/2014/06/25/teens-steel-car-cant-drive-stick_n_5530996.html
I know, I. R. A. Idiot.....
Donald Trump, on a crusade to make Nixon look respectable
Only in Northern America and apparently Australia. In Europe, you can bet that everyone can drive sticks. Technically, you can do your driving license on an automatic, but it is usually reserved for the physically disabled and you only are allowed to drive automatics with such a license.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Well, if high end cars are vulnerable, I doubt that the security in lower end cars is better.
Donald Trump, on a crusade to make Nixon look respectable
In my country high speed chases in cities or highly populated areas are prohibited due to the high risk of collateral damage. It's far better to let the car thieves get away than to kill some innocent bystanders.
> considering most car thefts are committed by a very small number of people, anytime one of those little buggers gets tossed in the clink, we're all better off.
Well, better off until you realise how much it's costing you to toss them in the clink, of course...
http://blog.nexusuk.org
> Well, better off until you realise how much it's costing you to toss them in the clink, of course...
Then just shoot them. I'll be glad to pay for the cost of the bullet. It's a win-win for everyone. Another criminal off the street and the taxpayer doesn't have to pay to coddle them by keeping them in jail.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Not a problem, they just keep crashing runaway Piruses into your pickup truck. Sure, it may take more than one.
> Well, better off until you realise how much it's costing you to toss them in the clink, of course...
> Then just shoot them. I'll be glad to pay for the cost of the bullet. It's a win-win for everyone. Another criminal off the street and the taxpayer doesn't have to pay to coddle them by keeping them in jail.
Yeah, removing due process could never result in abuses or miscarriages of justice so it's a pretty good idea.
http://blog.nexusuk.org
Who said anything about removing due process? If the folks who stole the car are duly convicted by the evidence, then we can shoot them.
They obviously don't care about abiding by the basic rules of society so why should the taxpayers have to pay to keep them around?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
I didn't say we're superior. I said "in Europe every one can drive stick". That is fact, not superiority or anything. You interpret it that way. That says more about you than about me.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
safe? no. hack proof? yes.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
I work at an OEM... I know for a fact The Dodge Viper and the Jeep Cherokee share the same line-up of head units and the CAN architecture is identical.
How are they both the most and least secure?
(Also, the Radio can't talk to the brakes, as much as they'd like you to think - I'd know, because I wrote the code for the interface that talks on the CAN network.)
Doesn't it actually mean that they're just too poor to afford automatics?
> They obviously don't care about abiding by the basic rules of society so why should the taxpayers have to pay to keep them around?
Yeah, capital punishment for car theft, that's a fantastic idea. How about drunk drivers, they don't care about following society's rules either, right? Might as well kill them for a first offense. Take care of that problem. Jaywalkers should probably be shot and killed also. And if someone lets their grass grow too long and violates a city ordinance, well, might as well take them out too. The same goes for anyone convicted of a speeding offense, if they can't follow the rules then we should just go ahead and kill them.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Well if the radio/stereo was hooked in, how about hacking by overpowering the source signal and broadcasting some nasty parameters to take advantage of an exploit...?
Yeah, I actually knew that standards were more popular in Europe, I didn't know why however, but I do recall that in some (most?) EU countries it is more difficult and expensive to obtain your general license than the states. Here, if you have a pulse, you can pretty much drive a car.
Interestingly enough, that is very similar to N. American CDL* licensing where everyone learns a stick unless physical disabilities prevent it. Of course if you fall into the latter category, there are very few transporters who run automatic transmission fleets, so Owner Operator is generally the best way to go if you can't physically drive a stick. (I train CDL drivers).
*CDL = Commercial Drivers License
Donald Trump, on a crusade to make Nixon look respectable
Yes, most countries make it hard and expensive to get a license. It gets expensive quick if you flunk a few times, and since there is a theoretical part and a practical part you can flunk on both... Most people I know have flunked either one at least once. I know, I did...
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
> If you don't have your car insured, that's your problem.
So, if someone steals your stuff, they can just call "no insurance" and it's okay?
No, it means you don't understand what "its your problem" means.
If you don't have insurance and your car gets stolen, you're on your own. It's your problem to deal with.
Whether you get theft insurance is your choice, I choose to because I'm smart enough to know that thieves are out there. Besides this, high speed chases almost always bring cars back as burnt out, crushed shells. So again, if you've got no insurance you're pretty much stuffed.
Calling someone a "hater" only means you can not rationally rebut their argument.
Ahh the old Europe is superior to US because they drive stick argument. I love it when people become overly proud of a talent that pretty much anyone can learn in a few hours at a Walmart parking lot.
Amazing that most Americans lack this "talent pretty much anyone can learn in a few hours at a Walmart parking lot" given it's so simple to acquire.
Manual (stick) drivers are better because they are proactive, rather than reactive. Automatic drivers wait for the car to do something, then react. This translates into other disciplines necessary for driving such as hazard detection and risk avoidance, they wait for the hazard to become a risk, then try to mitigate it. Manual drivers on the other hand constantly have to think 5 seconds ahead of what the car is doing, so they see hazards earlier and mitigate potential risks earlier.
Beyond this, manuals are just more fun to drive.
Calling someone a "hater" only means you can not rationally rebut their argument.
This is actually false, frame is a less robust design as far as car crashes go. The only reason it might do better in a crash is because frame of a truck would sit higher than bumper of a passenger car, and truck would have more mass. Take two comparable cars, one with a frame and another with unibody and crash them into each other - people in the frame-design car would likely horribly die while unibody would walk away with minor bruises. Crumple zones, force dissipation into entire unibody, and rigid cage are just THAT GOOD at protecting passengers.