Least Secure Cars Revealed At Black Hat
Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).
My apologies to the drivers. I thought it was them.
Because if it starts at all it may very well catch on fire.
They did not hack anything, this is just speculation based on documentation. BlackHat used to offer more serious stuff.
They're on the same network, which is a broadcast network.
Everything can talk to everything else.
A CAN bus is not a switched network. Same goes with Flexray and all other automotive networks.
I work in the automotive aftermarket (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.
That is primarily because the German cars use what we call a "CAN Gateway" but is better thought of as a firewall. Every different system in the car has its own private CAN bus. Anything that needs to travel between the buses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those buses.
Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).
Doing those things requires access to the CAN wires, but the bus is used for so much nowadays, there's always plenty of places to access it. Many of them without requiring keys or an open hood.
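The gateway filtering described in the comment above, sketched as a default-deny allowlist. This is an added example, not part of the original thread and not any manufacturer's code; the bus names, CAN IDs and payload masks are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed bus names and CAN IDs; real values are vehicle-specific. */
enum bus { BUS_INFOTAINMENT, BUS_BODY, BUS_POWERTRAIN };

struct can_frame_in {
    enum bus src;       /* bus the frame arrived on */
    uint32_t id;        /* 11-bit identifier */
    uint8_t  dlc;       /* payload length, 0..8 */
    uint8_t  data[8];
};

struct route_rule {
    enum bus src, dst;
    uint32_t id;
    uint8_t  dlc;           /* exact length the message must have */
    uint8_t  allowed[8];    /* bits that may be set in each payload byte */
};

/* Default deny: only these routes exist. Nothing is routed from the
 * infotainment bus to the powertrain bus. */
static const struct route_rule RULES[] = {
    /* vehicle speed for the radio's volume compensation: 2 bytes, any value */
    { BUS_POWERTRAIN, BUS_INFOTAINMENT, 0x1A0, 2, { 0xFF, 0xFF } },
    /* steering-wheel media buttons: 1 byte, low 3 bits only */
    { BUS_BODY, BUS_INFOTAINMENT, 0x2C4, 1, { 0x07 } },
    /* radio asks the cluster to show a track number: 1 byte, 7 bits */
    { BUS_INFOTAINMENT, BUS_BODY, 0x3E1, 1, { 0x7F } },
};

/* Returns true if the gateway may copy frame f onto bus dst. */
bool gateway_allows(const struct can_frame_in *f, enum bus dst)
{
    if (f->dlc > 8 || f->id > 0x7FF || f->src == dst)
        return false;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct route_rule *r = &RULES[i];
        if (r->src != f->src || r->dst != dst || r->id != f->id || r->dlc != f->dlc)
            continue;
        for (uint8_t b = 0; b < f->dlc; b++)
            if (f->data[b] & (uint8_t)~r->allowed[b])
                return false;   /* reserved bits set: malformed, drop */
        return true;
    }
    return false;               /* no matching rule: drop */
}
```

On a flat shared bus there is no point at which a check like this can run, which is the difference the comment draws between gatewayed and non-gatewayed vehicles.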
Bullshit.
They might be on the same network, but that doesn't mean they can talk to each other.
Modern cars are required by law to operate on a CAN bus which is very similar to old bus networks: http://en.wikipedia.org/wiki/B...
All devices send and receive on the same wire. So every device can talk to every other device on the network, all the time.
This works as long as all devices on the network are trusted devices... but then you add Bluetooth and WiFi? Now you have a network of implicitly trusted devices with a giant hole in it.
If the radio integrates media controls into the steering wheel and has song titles next to your speedometer, you're screwed. That Bluetooth device has full access to the entire network. Now if it treats the Bluetooth device like an audio input, and the only wires going into the "Bluetooth PCB" are 12vdc, ground, and left and right outputs, then you're probably ok. But there's no way most consumers are going to know which it is.
I personally dismantled the radio integration into my Ford's CAN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an aftermarket CPU to plug into the bus to replicate some of the radio's functions just so I could use a standard DIN mount head unit. All of this and the radio I got, that's not on the bus, has more features. Why the hell is the head unit for my stereo controlling major functionality in my car?!!?!
What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.
What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.
Automakers agree to 'right to repair' deal
http://www.autonews.com/article/20140125/RETAIL05/301279936/automakers-agree-to-right-to-repair-deal
January 25, 2014
Last week, two trade groups representing automakers -- the Alliance of Automobile Manufacturers and the Association of Global Automakers -- announced an agreement with independent garages and retailers to make Massachusetts' law a national standard.
[...]
Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year, as the Massachusetts law requires. In return, lobbying groups for repair shops and parts retailers would refrain from pursuing state-by-state legislation.
You couldn't be more wrong.
[Fuck Beta]
o0t!
Yup. Are the brakes actually controllable via CAN though? If the pedal just operates a transducer which relays instructions via CAN, that seems a bit risky to me. I wouldn't want even a single PHYSICAL linkage as a point of failure for the brakes, let alone an electronic one.
Granted, even if they have a cable backup, having a trojan apply full brakes without warning at highway speed would not be a fun experience (especially if it could disable ABS - which might or might not be possible but since ABS has self-diagnostics that need to report back to the dash it seems plausible that it could be tampered with). A cable backup would only prevent software from disabling your brakes - not prevent it from applying brakes.
Really, something like a radio should not be on the same network as safety-critical devices. Heck, do you really want to even do the necessary rigor to ensure that a faulty radio design doesn't cause a safety issue? Nothing should be plugged into a safety-critical bus without serious testing and design controls.
I bought a 99 Volvo S80 and it has the fancy auto dimming rear view mirror. The car was used so of course expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.
Only the State obtains its revenue by coercion. - Murray Rothbard
Yup. Are the brakes actually controllable via CAN though?
Old school brakes, like you'd find in a mid-70's muscle car? Nope.
Modern anti-lock brakes, that depend on computer control? You bet your ass they can be fucked with through the onboard computer.
I'm an old-school geek. I've been fascinated and excited by technology for over 40 years now. But in the last half decade, I've been noticing that we're growing way, WAY too fast. We're implementing things and putting them out in the real world as soon as we "can do it". We're not waiting until "we can do it safely".
It's consumer culture gone wild.
Everything was fine until OnStar...
With OTA updates and the rest of the systems in the car using the CAN bus for diagnostic messages and reprogramming, you've got problems.
I haven't RTFA but I would assume the Honda Accord isn't as 'hackable' because they use a separate K-Line bus for diagnostics instead of doing it over the CAN bus. Other than that, every single system in the Accord is connected in some way. The audio bus connects the radio to the aircon unit. The aircon unit is also connected to the body CAN bus (you'd need to reprogram it to make a bridge though). The gauge cluster connects to both the body CAN and the powertrain CAN bus. The ECU, ABS, Traction Control, Air bags, etc are all on the powertrain bus.
If you took control of the powertrain bus, you could speed the car off down the street (thanks drive-by-wire), lock up the wheels on one side of the car and spin it sideways into a wall (traction control), while setting off the side airbags on the wrong side of the car to increase the impact the occupants receive (not sure if the airbags can be triggered from the CAN though, I doubt it. Can probably disable them though)...
Everything was fine until OnStar...
Well, yeah, now that I think about it, I'd have to agree....
There's absolutely nothing wrong with these systems in your vehicle being able to communicate with each other. I think most of us can agree that there are many benefits to it.
The problems only arise when the systems gain the ability to communicate to systems outside of your car. And especially when they can do it without your consent, or even knowledge. And OnStar was the first and most obvious example of that ability.
The first time I ever really noticed OnStar was back when it first came out. A buddy of mine was driving, and we made a stop and he locked his keys in. This was "back in the day" so I immediately started trying to figure out where I could get my hands on a wire coat hanger. He pulled a card out of his wallet, called an 800 number, and a few seconds later all 4 doors unlocked. My initial reaction was "Damn! That's fuckin' cool!"
About 10 seconds later I thought "Damn! That's fuckin' creepy!"
And now it's not just OnStar that can do that. Now cars have Bluetooth and WiFi, so if it's not secure (and they don't build them with security in mind), any smart guy with a cell phone and access to Google can do similarly creepy things....
SIDE NOTE: There's an alley at work where we all go to smoke (yes, I'm a smoker, get over it). On the other side of the alley is another company's parking lot. There are two nearly identical GM SUVs that park in that lot. One has a broken off OnStar antenna, the other has an intact OnStar antenna. All of us refer to the two vehicles as "the smart one" and "the dumb one".
I guess the Wrangler didn't make the list, but it can hardly count as hacking when the hood doesn't even lock closed.
You type faster than me ;-)
I just said the same thing. lol
Also, CAN Buss is not new. It's been in Semis for a very long time.
I think the real question is: How much Buss would a CAN Buss Bus if a CAN Bus can CAN Can?
My ism, it's full of beliefs.
I work at an OEM... I know for a fact the Dodge Viper and the Jeep Cherokee share the same line-up of head units and the CAN architecture is identical.
How are they both the most and least secure?
(Also, the Radio can't talk to the brakes, as much as they'd like you to think - I'd know, because I wrote the code for the interface that talks on the CAN network.)