Slashdot Mirror


Hackers Demand Automakers Get Serious About Security

wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.


  1. deaf ears by Anonymous Coward · · Score: 3, Interesting

    Nothing is going to happen until they get sued.

    1. Re:deaf ears by Z00L00K · · Score: 4, Interesting

      Nothing is going to happen until a serious mishap occurs.

      Meanwhile the automakers look into strange hacks instead of proper physical segmentation and gatewaying. They do have a gateway, but it is just a gateway between different IP address series on the same physical net in some cases - in order to save money on hardware. So a rogue unit can just look at the different series and fake it being a different type of unit causing interesting things to happen.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:deaf ears by mlts · · Score: 4, Insightful

      What I am afraid of is what happens after. There is a difference between security from remote attackers, and security from "jailbreakers". For example, my Android phone is just as secure rooted as not.

      My fear is that what steps would be taken would force the car into the shop for any minor issue. Already, one automaker, if you change the battery out, the vehicle will refuse to start until the vehicle goes into the dealership and the battery is "registered" into the ECM.

      Automakers should just keep stuff isolated. The radio should not have access to the brakes. Hell, the radio should not even be on the CAN. It should just be vital components, and have the doodads be stuck on another bus that can be "dirty".

    3. Re:deaf ears by Etherwalk · · Score: 2

      Nothing is going to happen until they get sued.

      Nothing is going to happen until (1) a senior officer at GM has his car hacked, (2) a very public hacking makes security a point on which automakers compete, or (3) they get sued.

  2. Easier to parallel park a train by disposable60 · · Score: 4, Insightful

    Getting the automakers to make any kind of substantive change requires either legislation or expensive PR disasters like a Pinto or Firestone/Explorer event.

    --
    You're looking for quotes? See my journal.
    1. Re:Easier to parallel park a train by Virtucon · · Score: 2

      Or GM Ignition Switches?

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
  3. if this goes the same way as the computer desktop by Anonymous Coward · · Score: 2, Insightful

    it won't be long before we are forced to install antivirus in our cars : /

  4. Hackers by just_another_sean · · Score: 3, Insightful

    So is it "Hackers" demanding better security or is it "a group of security researchers"? Because the inflammatory headline surely conjures the modern, media definition of Hacker and not "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary". And the headline certainly doesn't make me think of security experts at all!

    Come on /. , you can do better than that...

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:Hackers by just_another_sean · · Score: 2

      Yeah, I noticed that after I posted. You'd think I'd learn to RTFA before posting!

      Security Week can do better than that! :-)

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:Hackers by mwvdlee · · Score: 2

      You prefer the media continue to bastardize the word "hacker" into some sort of evil-doer?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. Re:if this goes the same way as the computer deskt by Chrisq · · Score: 3, Funny

    it won't be long before we are forced to install antivirus in our cars : /

    Let's hope it doesn't make them run significantly slower ;-)

  6. Shouldn't be necessary, but if it is... by Anonymous+Brave+Guy · · Score: 4, Interesting

    It's kinda terrifying that the people making fast, heavy lumps of metal with computerised control systems don't already routinely isolate those control systems from any other computerised technologies in the vehicle, particularly any that can interact remotely. They shouldn't need to be publicly admonished about the dangers of these situations. Don't these organisations employ actual engineers any more?

    But given that it does seem to be necessary to make a public display of this -- which presumably removes any plausible deniability if the auto makers do get sued after an accident later, so I can believe it will at least get their attention -- I'm glad it seems to be a responsible group with the right motivations who are starting the ball rolling. If it were just a bunch of lawyers or insurers, the general public could write the campaign off as the signatories just looking out for their own interests.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Shouldn't be necessary, but if it is... by Anonymous Coward · · Score: 5, Interesting

      My 2002 Jetta's stock stereo system is wired to the CAN bus. This means when I run an in-car-diagnostic with the little dongle connected to the computer port in the driver's seat, that the stereo system is part of the diagnostics. It actually told me one of the speakers was broken/disconnected which I was able to leverage another $100 off the price when I bought it used. ... Turned out, it was literally disconnected. Easy DIY fix ;)

      Anyway, my car has no internet connectivity. But I bet the newer models have stereos that integrate GPS, Satellite Radio, and internet services. Theoretically, both satellite radio and web services are potential attack vectors into the stereo, and if you can manipulate the firmware on the stereo to be a CAN bus master, you can now talk to anything in the car.

      So either take the entertainment stuff off the CAN bus, or install some sort of CAN router/firewall, that allows the rest of the car to talk to the stereo, but doesn't let the stereo talk to the rest of the car.
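The one-way CAN router/firewall proposed in the comment above, sketched as gateway forwarding logic. This is an added example, not part of the original thread or any automaker's code; the two-bus layout, the function names and every CAN ID are hypothetical, constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical two-bus layout; all CAN IDs below are constructed sample values. */
enum bus { BUS_VEHICLE, BUS_INFOTAINMENT };

struct gw_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* Only these IDs may cross from the vehicle bus to the head unit. */
static const uint32_t to_infotainment_allow[] = { 0x3E8, 0x3E9, 0x5A0 };

/* Dropped-frame counters per source bus, kept as evidence for later review. */
static unsigned long dropped[2];

static bool id_allowed(uint32_t id)
{
    size_t n = sizeof to_infotainment_allow / sizeof to_infotainment_allow[0];
    for (size_t i = 0; i < n; i++)
        if (to_infotainment_allow[i] == id)
            return true;
    return false;
}

/* Decide whether a frame received on `src` is copied to the other bus. */
bool gateway_forward(enum bus src, const struct gw_frame *f)
{
    bool ok = f != NULL
           && f->dlc <= 8            /* classic CAN payload limit */
           && f->id <= 0x7FF         /* 11-bit identifiers only in this sketch */
           && src == BUS_VEHICLE     /* one-way: nothing leaves infotainment */
           && id_allowed(f->id);     /* default deny in the permitted direction */
    if (!ok)
        dropped[src]++;
    return ok;
}

unsigned long gateway_dropped(enum bus src) { return dropped[src]; }

int main(void)
{
    struct gw_frame speed = { 0x3E8, 2, { 0x00, 0x50 } };
    struct gw_frame spoof = { 0x0C0, 8, { 0 } };   /* head unit posing as another unit */
    printf("vehicle->infotainment 0x3E8: %d\n", gateway_forward(BUS_VEHICLE, &speed));
    printf("infotainment->vehicle 0x0C0: %d\n", gateway_forward(BUS_INFOTAINMENT, &spoof));
    printf("dropped from infotainment: %lu\n", gateway_dropped(BUS_INFOTAINMENT));
    return 0;
}
```

The decision is keyed on the physical port a frame arrived on, not on an identifier inside the frame, so a head unit that claims another unit's ID is still dropped.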

    2. Re:Shouldn't be necessary, but if it is... by Anonymous Coward · · Score: 2, Insightful

      You are totally ignoring the base issue: The fact that it's so easy to get access to any part of the system.

      Reflashing a "faulty" component isn't what people are worried about. It's the combination of Wifi/remote accessible parts of a system, that once gotten into leads to total control.

      Imagine a virus that is able to jump from car to car once cars are able to simply mesh-hotspot to each other.

      Reflashing the stereo means nothing when the entire system is compromised at 80mph.

    3. Re:Shouldn't be necessary, but if it is... by sjames · · Score: 2

      Don't worry, they'll implement the encryption to keep the owner locked out so they can continue charging high fees for simple things like turning the service engine light off. They'll make sure it provides no actual security from infections spreading from a DVD to the engine controller or ABS to make it easier for someone who has paid them the appropriate annual 'certification' fees to diagnose the car.

    4. Re:Shouldn't be necessary, but if it is... by Anonymous+Brave+Guy · · Score: 2

      And in the winter, I'd love to be able to warm the engine and the interior from inside my house while I gather my things for work.

      This is clearly a case of prioritising convenience over security, which you're welcome to do as your own personal preference but I would never choose myself.

      This data is used to help triage the severity of the crash before the EMTs roll out.

      Well that's probably the single most disturbing thing I've seen in this whole discussion. Are you really telling me that in the event of a known road traffic accident, which is severe enough that no-one on the scene can immediately respond to verbal contact, they don't routinely send the full works where you are?

      In any case, I would point out that this is purely status reporting, i.e., read-only data. There is no need for anyone to control anything remotely in this situation.

      Also, in extreme cases, the OnStar / Bluelink / et al. system can actively end a felon's joyride by cutting throttle, braking, or cutting the engine entirely. Then it can honk and flash the lights to attract the authorities' attention.

      This is my main problem with the whole debate: any system that can do this kind of thing can also be used for less welcome purposes.

      Car theft is essentially a solved problem without any remote control needed. Technologies like immobilisers have become so good that stealing the car keys has been the preferred technique for some time. Trackers, which need no integration with any control system, provide an effective deterrent and means for police to locate a vehicle that has literally been put on the back of a lorry.

      Again, YMMV, but personally I would rather be careful about where I keep my keys than risk a hostile party, or simply a human error or software bug, doing something like cutting the engine and applying the brakes when I'm driving at high speed or through a hazardous area.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  7. An easier solution by smooth+wombat · · Score: 4, Insightful

    Don't put this crap in cars in the first place.

    I know, I know, simplicity is such an ugly word. It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:An easier solution by Anonymous+Brave+Guy · · Score: 3, Insightful

      It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

      No doubt, but it would be more horrible if modern systems for things like braking and traction control went away. People who've grown up with cars that are full of three-letter technologies like ABS and EBD might not appreciate how much more skill is required to drive a car safely at the same speeds and in the same environments without these driver aids.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:An easier solution by drinkypoo · · Score: 3, Insightful

      For him as well because he would have to be stuffed up under the dashboard to do his hacking, therefore he will probably die in the accident.

      These vehicles overwhelmingly share a single bus between everything including powertrain and infotainment. If you can control the infotainment system you can control the diagnostic bus. The infotainment system now commonly includes internet access, so it's not even necessary to be near the vehicle to gain attack surface.

      Has anyone in fact demonstrated such a hack, so far? Nope. Does that mean it's not a realistic threat? Also nope. Indeed, it's becoming a more realistic threat as more internet-connected features are being added to autos.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:An easier solution by Charliemopps · · Score: 3, Informative

      Don't put this crap in cars in the first place.

      I know, I know, simplicity is such an ugly word. It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

      What's even crazier is, you don't even need what they are doing to get the same services. Just give the car radio bluetooth and be done with it. I've got an after market headunit in my car that cost me less than $150 and it can stream, do audio calls, shows my contacts in the head unit, I can use voice activation to say "Call home" and my phone will dial... etc... for another $50 I could have even gotten an LCD screen and streamed movies if I wanted. The last thing I want is to buy a car with some proprietary system in it that I won't be able to upgrade for the next 15yrs until I trade the car in.

      The last car I bought had "Ford Sync" in it, and it was a pain in the butt to take out. The entire dash's electronics were integrated into the radio. WHY?!?! I had to purchase an after market computer module to replace the functions of that head-unit so I could put in a real radio. What a joke.

  8. A Modest Proposal by VernonNemitz · · Score: 4, Interesting

    One of the simplest ways to lock down a computer is to physically lock it away from access. Originally car-makers did that --you needed physical access to the computer (usually inside locked hood compartment) to do anything to it. Now they have connected it to radio waves. That is the main security hole. Go back to a solid wired-only connection, with the connection point(s) behind locked doors, and a significant chunk of the security problems goes away.

  9. Re:Shouldn't be necessary, but NOT NEEDED by Anonymous Coward · · Score: 2, Interesting

    1). Not needed since it will add to the cost of the car.
    2). The Computer is not accessible via wireless to change the program (stand still or not) - no issue
    3). How to eliminate insurance company access to impact data
    4). The whole hobby market would be eliminated i.e. tuner groups, and the DIY since besides just encrypting or isolating the internal computer, it would be taken to the next step to encrypt the communications such that 3rd party tools couldn't access the data or they would have to pay a license
    5). The people who are suggesting this are just trying to create business for themselves to milk the car industry of an un-needed thing. Since they would be the self-proclaimed standards body and that all testing by the car manufacturers would have to come through them for a high price per car to get their seal of approval, let alone any recerts.
    6). I'd prefer it to be more open sourced and transparent so that I could figure out how to make a 3rd party tool to diagnose the car.