Slashdot Mirror


Cyber Attacks Demonstrated On Autonomous Ground Vehicles

An anonymous reader writes: As vehicles increasingly rely on automation, software and technology enhancements to run basic functionality, those systems serve as a potential safety risk when under cyber attack. Mission Secure uses a proprietary methodology developed by the University of Virginia with the Department of Defense for identifying the most consequential and easy to carry out cyber attacks on any system that a defense capability must address. The goal of the pilot is to demonstrate how to identify vehicle safety threats malicious cyber attackers could use to easily compromise the vehicle's key control systems and how these attacks could be detected and protected.

52 comments

  1. Sounds like concentrated bullshit.... by gweihir · · Score: 4, Insightful

    There is no need for any "proprietary method". You do what any competent security consultant does: You understand the system, you identify critical components and attack vectors. If needed, you consult with experts on the technology evaluated. You correlate the attack vectors and critical components, rate according to your experience and propose fixes. That is it. There is absolutely nothing new or surprising here. There are absolutely no new threats here. The whole article is sensationalist bullshit.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Sounds like concentrated bullshit.... by gurps_npc · · Score: 5, Insightful
      The author thought that people needed to be reminded that if we let computers control cars, then a hacker can hack your car. This might cause deaths.

      Apparently, they don't seem to understand that computers already control airplanes, submarines, other boats, trains, and nuclear missiles.

      Not to mention computers control power plants (including nuclear power plants), dams, our traffic systems, etc.

      --
      excitingthingstodo.blogspot.com
    2. Re:Sounds like concentrated bullshit.... by fustakrakich · · Score: 1

      "proprietary methodology"

      Somebody is trying to sell the electronic equivalent of 'distressed properties'.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Sounds like concentrated bullshit.... by sribe · · Score: 1

      Well, much like dish soap, concentrated bullshit is better than regular-strength bullshit!

    4. Re: Sounds like concentrated bullshit.... by Anonymous Coward · · Score: 0

      "Well, much like dish soap, concentrated bullshit is better than regular-strength bullshit."

      Except... when you mix them together.

      May God have mercy on us all. It's shitmaggeddon.

    5. Re:Sounds like concentrated bullshit.... by NoKaOi · · Score: 1

      And that an old carbureted vehicle without a single transistor can be carjacked with a gun and a mask. And can crash into other cars. The real question is: Is the risk of causing deaths higher for autonomous vehicles or human driven vehicles?

    6. Re:Sounds like concentrated bullshit.... by meerling · · Score: 1

      Only if it can be remotely accessed, or if there is a physical access that can be utilized with greater ease than the rest of the vehicle's security.
      If something like that is the case, your security 'expert' is most likely a brain damaged rhesus monkey, kind of like the guy that suggests you leave your loaded gun on the front porch.

    7. Re:Sounds like concentrated bullshit.... by gweihir · · Score: 1

      Yes, sounds very much like it. I think we also already have seen demos last year about hackers engaging brakes remotely and starting engines.

      There is a drive to integrate everything, because a modern car has an inordinate amount of cabling, which is expensive and heavy. Just running power and data everywhere would be a lot cheaper. And, as you point out, it is done in a lot of other places already.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Sounds like concentrated bullshit.... by gweihir · · Score: 1

      Well, if autonomous vehicles do not manage to be significantly better than human drivers, they will likely not take off. And once they are significantly better, it may eventually spell the end of humans driving in the long run.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Sounds like concentrated bullshit.... by gweihir · · Score: 1

      Indeed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re: Sounds like concentrated bullshit.... by gweihir · · Score: 1

      Nice one! ;-)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Sounds like concentrated bullshit.... by Vitriol+Angst · · Score: 1

      Yeah but can we all just agree that connecting some of these systems to the internet or a wireless network is a bad idea?

      I want a person who sees one screen with internet access, makes a decision, and presses a physical button on the controls for the nuclear power plant.

      So auto driving cars are great -- can be secured, but let's not be cavalier about "other things are computer controlled" -- there's going to be iPhone software that tweaks the car and that means 100X more access by script kiddies to mayhem.

      --
      >>"ad space available -- low rates!!!"
    12. Re:Sounds like concentrated bullshit.... by Anonymous Coward · · Score: 1

      Indeed. And neither TFS nor TFA mentions any attack that's actually been "demonstrated", they're couched in purely theoretical/hypothetical terms. "Oh, if you pay us some stupid amount of money we can tell you what attacks you need to defend against. But no, we're not going to show you any for free, what do you take us for?"

    13. Re:Sounds like concentrated bullshit.... by Anonymous Coward · · Score: 0

      There's a more important point: in addition to all of those things you list, computers already control cars, at least most of the ones made in the past several years. Some (most?) of those have remote access. Some of those have remote exploits that allow remote control of the brakes. This isn't sensationalism; this is published research (note that control of steering was not demonstrated, presumably due to the attacked car not actually having computer-controlled steering, although some do). These attacks, importantly, have nothing to do with autonomous cars. That part is just fear mongering.

    14. Re:Sounds like concentrated bullshit.... by gurps_npc · · Score: 1
      No there does not need to be iphone software that tweaks the car. That itself would be a stupid idea.

      I predict that the cars in question will have no wireless connection from the controlling computer. There will be a wired plug, just like in current cars.

      Because adding wireless capacity to the part of the car that controls fuel injection is a moronic idea - as you pointed out.

      --
      excitingthingstodo.blogspot.com
    15. Re:Sounds like concentrated bullshit.... by Anonymous Coward · · Score: 0

      But to 'carjack with a gun and a mask' a million cars, you need a million people, a million guns, and a million masks.

      To hack a million autonomous cars, you need ONE exploit.

  2. Development process is just as important by jtara · · Score: 3, Interesting

    I interviewed for a job working on an autonomous vehicle project, many years ago. Oh, to clarify, this was an autonomous MILITARY vehicle. I see this is just about cars.

    My job would have been to do retro-documentation.

    That's a violation of the approved development process. I turned the job down.

    There is an annoyingly-complicated process that is supposed to be followed. And then there is how things are ACTUALLY done.

    Based on this, I suspect your auto-parking Lexus may well be less susceptible than some driverless tank. :( Auto companies don't have to follow standards so ridiculously-difficult to follow that they aren't followed, and then go through the motions after the project is completed.

    1. Re:Development process is just as important by Anonymous Coward · · Score: 0

      "My job would have been to do retro-documentation - That's a violation of the approved development process" Can you explain? Would that be fraud? Is there some middle ground or.. none?

    2. Re:Development process is just as important by jtara · · Score: 1

      A requirement of the approved development process is that certain documentation be produced in advance of or commensurate with development. Not after-the-fact. You're not supposed to do a skunk-works project and then later go through the motions of producing the required lifecycle documentation. (And, presumably, back-dating it...)

      I believe this was the standard in place at the time (and still is?):

      http://en.wikipedia.org/wiki/M...

    3. Re:Development process is just as important by Anonymous Coward · · Score: 0

      Every place I've worked in the past 10 years has LOVED touting their "Agile development"...mainly because it pretty much means NO documentation will ever be written. At all.

      Another buzzword is "rapid prototype" as an excuse to bypass SDLC requirements.

      Being a Configuration Manager in such organizations is a nightmare.

  3. Be Concerned About More than Computer Hack by mrlinux11 · · Score: 1

    Someone with Ham Radio and a directional antenna could probably cause the crash. I have seen a car alarm go off, unlock the doors and pop open its trunk using just legal Ham Radio Equipment.

    1. Re:Be Concerned About More than Computer Hack by __aaclcg7560 · · Score: 3, Interesting

      An old roommate had a red Toyota Corolla. One day he lost his car in a big parking lot, found it, unlocked it, and started the engine before he realized that it wasn't his. Turned out there were ~20 unique keys for his particular model. He got "lucky" with finding an exact same car that used his particular key.

    2. Re:Be Concerned About More than Computer Hack by Applehu+Akbar · · Score: 1

      So what was your friend's next move: check the glove box for the name of the person who was at that moment driving his car?

    3. Re:Be Concerned About More than Computer Hack by meerling · · Score: 1

      I remember the car alarms in San Antonio going off all the time. (Virtually everyone had car alarms in San Antonio.) They'd go off if someone honked their horn, walked by the car, or in one case, used the neighbor's doorbell.
      On a pet peeve note, the cars with alarms that would tell me to "step away from the car" when I walked past on the sidewalk always went off, but that was because I would reply by jumping on the bumper to set it off. You may own your car douchebag, but you don't own the space around it. (Excluding the property you own, but that's not where your car was parked idiot.)

    4. Re:Be Concerned About More than Computer Hack by __aaclcg7560 · · Score: 1

      He locked the car up and found his own. If I wasn't there with him, he might have gotten other ideas.

    5. Re:Be Concerned About More than Computer Hack by Anonymous Coward · · Score: 0

      I remember the car alarms in San Antonio going off all the time. (Virtually everyone had car alarms in San Antonio.) They'd go off if someone honked their horn, walked by the car, or in one case, used the neighbor's doorbell.
      On a pet peeve note, the cars with alarms that would tell me to "step away from the car" when I walked past on the sidewalk always went off, but that was because I would reply by jumping on the bumper to set it off. You may own your car douchebag, but you don't own the space around it. (Excluding the property you own, but that's not where your car was parked idiot.)

      Nice, you pissed off everyone working and living near the car while the owner just comes back later and sees a blinking red light on his dash.

    6. Re:Be Concerned About More than Computer Hack by antdude · · Score: 1

      "And then?"

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:Be Concerned About More than Computer Hack by JimSadler · · Score: 2

      I had family members who drove a 1947 Chevy home from the movies. It was identical to their own. The other people made the same error and took our Chevy home. My aunt discovered the problem two days later when she opened the glove compartment. She called the police and they tracked down the car and arranged the swap.

    8. Re: Be Concerned About More than Computer Hack by tbuskey · · Score: 1

      Most of us learned to ignore car alarms.

      In college, our dorm was next to the parking lot. One night, some car alarm malfunctioned & went off with the car horn on continuously. It woke us up at 2am. After 20 minutes we went out to try to shut it off. We were not willing to break things & couldn't pop the hood to disconnect the batt. So we tried to go to sleep. 2 hours later, the horn's 2nd tone stopped. In 20 minutes it was quiet as the battery died & we cheered.

      Now the owner had a dead battery & a dorm of students pissed at them. We could have done anything to that car w/o the owner knowing until morning.

      Nobody does car alarms like that anymore.

    9. Re:Be Concerned About More than Computer Hack by Anonymous Coward · · Score: 0

      Swapped sandals in Jamaica similarly.

    10. Re:Be Concerned About More than Computer Hack by Anonymous Coward · · Score: 0

      Had a car in the 90s which the remote, outside a fast food restaurant, unlocked my car and the one two cars over. I locked, they both locked. Apparently we had the same remote code. (Didn't check the glove box.)

  4. What a future you have here... by __aaclcg7560 · · Score: 1

    The second episode of Ghost in The Shell: Arise featured a former military general seizing control of the Traffic Control AI to trap 20 million people in their vehicles and holding them for ransom.

  5. Against, I hope by Anonymous Coward · · Score: 0

    ...how these attacks could be detected and protected.

    There's your problem. Rather than worrying about how to protect the attacks, they you should be focusing on protecting against them...

  6. imagined threats by iggymanz · · Score: 1

    meanwhile the tried and true methods of bombs planted on vehicles, tampering with brakes, shooting drivers, etc. continue to get body count

    "I don't need no high tech shit to whack somebody" -- Vinny "Dago Football" Bartoli

    1. Re:imagined threats by Anonymous Coward · · Score: 0

      yeah, right. This is going to be the choice method of assassination in the future -- simply upload some hack onto target's car. If the hack can delete itself after the job's done, it will look like an accident.

    2. Re:imagined threats by iggymanz · · Score: 1

      you watch too many movies, the majority of assassins don't mind the world knowing their target was assassinated; the acknowledgement and recognition that an assassination has occurred is normally part of the agenda of the party with motive.

  7. Just like the Viper Mark VII by smooth+wombat · · Score: 1

    The Cylons were able to defeat the new, shiny, electronically controlled Vipers while the older Mark II Vipers were impervious to cyber attacks.

    Once again, analog is better than digital.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Just like the Viper Mark VII by __aaclcg7560 · · Score: 2

      Once again, analog is better than digital.

      Not quite. Being networked together was a major vulnerability for the colonial fleet. A patch sent out from the defense mainframe prior to the attack created an opening for the Cylons to exploit by shutting the navigation systems for the battlestars and vipers in battle. Battlestar Galactica survived because its computers weren't networked together and the patch wasn't installed.

    2. Re:Just like the Viper Mark VII by smooth+wombat · · Score: 1

      Actually, it is the same since (some) cars, such as Tesla, can be remotely updated. They don't have to go to a shop to get their software changed.

      While in BSG they installed a patch to the mainframe first, there is nothing to say a similar process couldn't be done or found to compromise vehicles which allow this operation.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    3. Re:Just like the Viper Mark VII by smooth+wombat · · Score: 1

      As a follow up, see this article which mentions cars talking to one another. That's another term for networking.

      Imagine someone able to hack this type of system and the chaos they could cause.

      Again, analog is better than digital.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    4. Re:Just like the Viper Mark VII by Fire_Wraith · · Score: 1

      Correct - once they fixed the backdoor, the Mk VII Vipers, and all the other newer/digital systems, were all safe to use once again.

      Galactica was being retired, and thus wasn't slated to receive the upgrades (and Adama was opposed to network systems anyway). The Battlestar Pegasus had the Command Navigation Program, but it was offline for maintenance since Pegasus was in dock at the time of the attack, and thus Pegasus was unaffected.

      The lesson is that patch management and updates are seriously important to keep secure. If you can pwn the patch management system, you can infect pretty much everyone that updates.

  8. Works for UAVs too. So what... by Anonymous Coward · · Score: 0

    Apologies for the old meme, but:
    1. Buy insurance against a target or short-sell some stock.
    2. Find computer that controls something kinetic or energetic.
    3. Gain control and give new instructions to computer without owner knowing until last mile/minute.
    4. Direct computer to guide UAV/UGV into target.
    5. Profit!

  9. But... by Anonymous Coward · · Score: 0

    Cars need webservers and telnet interfaces too

    1. Re:But... by __aaclcg7560 · · Score: 1

      Need to make it easier for the dealership to repossess the car. No more "hide the car in the garage" nonsense.

  10. Does it have a computer and field range interface? by WillAffleckUW · · Score: 1

    Then it can be hacked.

    This is why you don't trust computers.

    Says the guy who has worked in computers since the 80s and rolled his own in the 70s.

    --
    -- Tigger warning: This post may contain tiggers! --
  11. Re:Works for UAVs too. So what... by __aaclcg7560 · · Score: 1

    If you have to apologize for an old meme, you're not doing it right. Doesn't help that you're missing "???" before the "Profit!" statement.

  12. I like to cyber by Anonymous Coward · · Score: 0

    can we cyber?

  13. Re: Does it have a computer and field range interf by Anonymous Coward · · Score: 0

    i am inclined to sympathize with your theory. full proof will entail the bricking of the entire a380 and b787 fleets. theoretically speaking we could stop being computer whores and actually proof hw and sw correct. we only need money and leadership backing.
    my money is on the long range recon brigade to enable said things. wars, fathers, things etc.

  14. Re: Does it have a computer and field range interf by WillAffleckUW · · Score: 1

    Wish it wasn't a theory.

    There are three methods of dealing with it.

    1. ability to disconnect and reset systems in case of hacks.
    2. surprise (difficult in a rich EM environment)
    3. more highly independent systems, so you can isolate one and still function.

    --
    -- Tigger warning: This post may contain tiggers! --
  15. car spam. by xmousex · · Score: 2

    you will find your car pulling into the nearest walmart, telling you there is a sale on things you like to buy, that your friends are already there shopping, and you must sit in this parking lot for at least 10 minutes before going home or pay the unlock fee on various 3rd party apps your car installed for you at 2am this morning.

  16. Google self-driving car by Anonymous Coward · · Score: 0

    (Holds up 60mph speed limit sign in a 20mph zone)

  17. Fake news by Anonymous Coward · · Score: 0

    The linked article is 100% propaganda and 0% description of actual cyber attacks. No cyber attacks whatsoever. So, fake news. -Ignacio Agulló