Slashdot Mirror


Report: Automakers Fail To Fully Protect Against Hacking

An anonymous reader writes with news about a report by Senator Edward Markey on the security of new vehicles. "Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data, a member of the U.S. Senate is asserting. Basing his argument on information provided by manufacturers, Sen. Edward Markey has concluded that "many in the automotive industry really don't understand what the implications are of moving to this new computer-based era" of the automobile. The Massachusetts Democrat has asked automakers a series of questions about the technologies — and any safeguards against hackers — that may or may not have been built into the latest models of their vehicles. He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."

100 comments

  1. Automaker just as incompetent as anybody else... by gweihir · · Score: 4, Informative

    ...with regard to IT security. What a shocker. This really is no surprise at all. Hopefully their customers will react a bit less forgivingly than the mindless masses that cheer for insecure OSes and applications. But I somehow doubt it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Love my old car by Anonymous Coward · · Score: 1

    I love my old car. No 3G connection, no wifi. Runs fine.

    1. Re:Love my old car by magsol · · Score: 1

      My abacus works just fine, too. Doesn't mean it's reached the ultimate apex of utility.

      --
      "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
    2. Re:Love my old car by neoritter · · Score: 1

      Do you need your calculator hooked up to the network of networks to function properly though?

    3. Re:Love my old car by Drethon · · Score: 1

      Well Apple told me the latest update to my calculator app will make it run 0.00000001% faster on all calculations!

  3. How do you fully prevent hacking? by jellomizer · · Score: 1

    We have armies of security specialists working on securing systems across the globe, and still we get issues where data is broken into.

    If there is a lock, that can be unlocked, someone will find a way to unlock it without their permission.

    The automotive advantage in security is the fact that the access point is always moving, so it would be difficult to maintain a consistent connection. However, its disadvantage is that there is such a large lag in automotive design that the computers are already out of date by the time the car is released, and updates are not current.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:How do you fully prevent hacking? by Anonymous Coward · · Score: 0

      Yeah, fully is the word descriptive word.

      Actually. Bother to. Consider. Attempt.

      Any of those would be easy to substitute and express it much better.

    2. Re:How do you fully prevent hacking? by Anonymous Coward · · Score: 0

      They're working to fix the lack of updating issue with OTA updates. This could be used to push critical security fixes even for customers who to buy into the "your car needs a cell phone plan too" philosophy, but I'm not sure if it's being done or not.

    3. Re:How do you fully prevent hacking? by neoritter · · Score: 2

      The most I expect from car makers, or really any engineers for this stuff, is to recognize they're going to lose. So, with that in mind, design their cars to lose gracefully, or more importantly, safely. When I hear that cars can be turned off remotely, etc. (think OnStar), I'd say they're failing that. I don't need some intelligent hackers turning off my car while I'm running from them and jacking me while I try to figure out why my car isn't working anymore.

    4. Re:How do you fully prevent hacking? by Whatanut · · Score: 1

      Solving one problem by creating another, in my opinion. Maybe not. But a car that's always attached to a network seems a whole lot more hackable than one that is not.

      --

      yvan eht nioj
    5. Re:How do you fully prevent hacking? by the_B0fh · · Score: 1

      No we don't. We have armies of wannabes saying they are working on this. But I guarantee you most of them have no clue. I get stupid questions like "why is not having a password insecure?" to "must I patch?" to "but it's not on the internet" to all kinds of nonsense.

      I guarantee you there wasn't anyone security related, whose sole function was security, working on these things, because they are unencrypted and have been for years.

  4. Again, duh ... by gstoddart · · Score: 3, Insightful

    And until there are legal penalties for companies who fail to implement proper security, or to keep personal information safe ... this will continue to happen.

    When a company can sell your private data (because they embedded something in an EULA), or has no consequences for being incompetent, they'll just say "oops, bummer" and keep doing it.

    So until there are real data protection laws, with real consequences ... just assume these companies are incompetent, indifferent, and not accountable.

    Because, let's face it, they are.

    But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

    All products which have marketing driving features probably have ZERO security. Because marketing all need a kick to the head and don't understand security, and explicitly don't WANT security or constraints, because that limits how they can make money and would mean they need to do a better job of engineering.

    Most modern tech is rushed out the door, with zero thought of security and privacy. And since it doesn't matter if they suck at both, they'll continue to do it.

    --
    Lost at C:>. Found at C.
    1. Re:Again, duh ... by bill_mcgonigle · · Score: 4, Insightful

      But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

      That's the whole purpose of corporations - to remove accountability. In fact, it meshes perfectly with the very purposes of government - to socialize losses and privatize gains, and if, in exchange, corporations can funnel nearly unlimited money to political campaigns to satisfy politicians' thirst for power, you have a nearly perfect arrangement as far as most of the concentrated-interest players are concerned. No-plead deals have become all the rage with prosecutors over the past two decades, super-charging corporate malfeasance.

      Just look at Wall Street before and after the partnerships reorganized as corporations for a case study of how it works. Or even better, the public benefit corporations prior to Reconstruction (when JD Rockefeller bribed Congress to let him make Standard Oil into a permanent corporation) fulfilling the very mercantilist nightmare the former Colonists tried hard to avoid recreating.

      "Corporations are People, my friend" - special people who never die, can handle unlimited resources, face no penalties for their behavior, and encourage corruption without remorse. Stan Lee would call those kinds of people "supervillains".

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Again, duh ... by dpidcoe · · Score: 1

      But for some reason people seem to think it's unnatural to make companies accountable.

      Not that I necessarily disagree with your overall point, but there's a fuzzy line between holding a company accountable and making them unreasonably liable for things. e.g. obviously my bank should be expected to keep my information safe, but what if I use a weak password? Or if an attacker wins the lottery and randomly guesses my password on the first try (because I'm old and can't comprehend how to use 2-factor authentication)? Or what if someone claiming to be me provides the appropriate credentials and goes through a password reset?

      There are definitely things that companies should be held accountable for, but I think a lot of the resistance to it that you see is because that line is often perpetuated by people who want to stick it to the corporations no matter what the cost is to innocent bystanders (e.g. a smalltime bank that can't afford an army of lawyers to make sure they aren't liable when joe moron gives his account information to a Nigerian prince). There obviously needs to be a reasonable and well defined line as to what a corporation is and isn't accountable for in terms of security.

    3. Re:Again, duh ... by pr0fessor · · Score: 1

      I don't know, auto manufacturers recall and replace parts when it's a concern of safety. I've had working parts replaced for free because of design flaws that might cause the brakes or seat belts to fail; the dealership even contacted me and scheduled it.

  5. Re:Automaker just as incompetent as anybody else.. by Lab+Rat+Jason · · Score: 2

    Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.

    --
    Which has more power: the hammer, or the anvil?
  6. Politician trolling by Anonymous Coward · · Score: 0

    - Senator from the party that controlled the Senate for 8 years announces he's concerned about [issue] now that his party is out of control.
    - President whose party had 100% control of congress announces a huge new tax plan with "help" for the middle class as soon as his party loses control and can't be blamed when it never passes.

    1. Re:Politician trolling by Anonymous Coward · · Score: 0

      Nothing at all like a certain party gambling the credit rating (and therefore the economy) of the US government over basic funding repeatedly after losing control of congress and losing the presidency.
      Or how a certain president presiding over a huge economic bubble for 8 years still managed to double the national debt to 9 trillion, but then blames the incoming president for "spiraling national debt" when he inherited a budget that had run $500B+ deficits for years already. (Last one was $1T deficit)
      Or how a certain party blocked almost all legislation for years, while at the same time blaming the other party for "not doing anything".

      It's the same shit, just replace the names.

    2. Re:Politician trolling by Anonymous Coward · · Score: 0

      It's the same shit, just replace the names.
       
      And that's the problem. As long as bozos like you keep track of the score by the mantra of "They did it too!" nothing is going to change. Just another tactic of the two-party scam goosesteppers.

    3. Re: Politician trolling by Anonymous Coward · · Score: 0

      lol @ goosesteppers. amazing word.

  7. Sen Markey by Virtucon · · Score: 4, Insightful

    We've had computers in cars for quite a while. You are correct that these newer systems are more vulnerable to hacking and identity theft. The biggest question you should ask is why do we allow our information systems, whether they be in cars, financial institutions or healthcare systems, to be this vulnerable. The federal government is also slipshod when it comes to protecting information and it's time that we stop pointing fingers and produce legislation and a constitutional amendment that protects privacy. The only way we'll change the behavior is to include penalties for not thinking about security and putting our PII and lives at risk.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Sen Markey by gstoddart · · Score: 4, Insightful

      The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism.

      There are a lot of people who seem to think corporations should be free to do anything they want, and that if consumers want privacy they can choose to buy from companies who give it.

      Of course, those people are morons who think the magical free market solves such problems.

      As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.

      And no idiotic "free market" will change that.

      --
      Lost at C:>. Found at C.
    2. Re:Sen Markey by Virtucon · · Score: 1

      I believe I implied that. Regulation to some degree is necessary, but with the assaults on our privacy and being hacked in ridiculously simple ways, that needs to have some associated degree of pain. If a company loses your PII the FTC comes in and says "bad company", slaps them on the wrist with a fine and they go and promise not to do it again. In the meantime the victims are left scrambling around to recoup their credit ratings and lost assets without any assistance. That's one dimension to this problem. The other has to do with the assault on our privacy from all angles even if it isn't being hacked. You should have a constitutional right to privacy regardless of the media used, where it's stored or to whom it's conveyed. That means the Feds shouldn't be allowed to create back doors into systems, weaken encryption or deny its use to anyone, for any purpose.

      I'm for a free market but yes, sometimes you have to put some reins on to at least set some boundaries on how or what is put out there. A lot of this is fundamental consumer protection and I'm not talking overarching laws that turn us into a nanny state, but shit, if your $40K car can be stolen with a couple of pulls on a parking brake then that's a pretty big CPS issue.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    3. Re:Sen Markey by Anonymous Coward · · Score: 0

      Can you cite me the law that states that you, as a private person, are liable to criminal charges if I trust you with my data but it is shared due to lack of security on your part? If not then shut up.

    4. Re:Sen Markey by dpidcoe · · Score: 1

      As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.

      And no idiotic "free market" will change that.

      So impose a financial penalty for screwing up and let the free market do the rest?

    5. Re:Sen Markey by Anonymous Coward · · Score: 0

      > The biggest question you should ask is why do we allow our information systems whether they be in cars, financial institutions or healthcare systems to be this vulnerable.

      They're designed to fail, else how is the government going to protect you from the terrorists. Or more likely, how is the government going to protect itself from you.

    6. Re:Sen Markey by bouldin · · Score: 1

      What we're talking about here sounds more like civil law (e.g. lawsuits for product liability), not criminal law.

      But, there is such a thing as criminal negligence: http://en.m.wikipedia.org/wiki...

  8. good luck with that by turkeydance · · Score: 1

    Seriously. I hope security is increased or connectivity decreased.

  9. What about medical devices? by forevermore · · Score: 1

    Maybe this is a sign of politicians waking up to tech. Hopefully someone will start to ask these questions about medical devices, too. https://www.youtube.com/watch?...

    --
    Do you really need reason for beer? Wingman Brewers
    1. Re:What about medical devices? by gstoddart · · Score: 3, Insightful

      Or, how about data privacy and protection laws in general? You know, actually hold companies accountable for treating security and privacy as optional?

      Start fining them 10's or 100's of millions of dollars for being clueless idiots, and they'll get the message.

      Keep letting companies do nothing and bear no consequences ... nothing at all will change. If you're not hitting them where it counts, corporations won't start acting differently.

      --
      Lost at C:>. Found at C.
    2. Re:What about medical devices? by g0bshiTe · · Score: 1

      I'm for this, now who gets the bill when the ACA gets hacked? We all know it's a matter of when not if.

      --
      I am Bennett Haselton! I am Bennett Haselton!
  10. Government! Start with thyselves! by mi · · Score: 1

    The good Senator can begin by introducing legislation that bans from public roads any and all electronic payment systems that do not offer the anonymous option.

    One can buy a prepaid cell-phone anonymously, but not a prepaid "EZ-Pass", for some reason. One can add money to a payment card (such as a phone or transit one), but can not simply add value (cash) to an "EZ-Pass" account. Heck, you can't even take your EZ-Pass with you from one car to another — it is registered to a particular license plate (the concept that itself is a gross violation of privacy, but that's another story).

    And, unlike car-makers, EZ-Pass and similar systems have a government-backed monopoly — because our overlords haven't thought about allowing multiple companies to compete in toll-collection.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Government! Start with thyselves! by Enry · · Score: 1

      You're not required to take a toll road.

    2. Re:Government! Start with thyselves! by mi · · Score: 1

      You're not required to take a toll road.

      You are not required to buy a (new) car either.

      --
      In Soviet Washington the swamp drains you.
    3. Re:Government! Start with thyselves! by Aereus · · Score: 1

      I don't think they really enforce the Pass matching the plates though. I've used mine with rental cars, or along with my parents on a trip, etc. and never seen an issue with them claiming any sort of violations. I think it only comes into play if you report the Pass stolen.

    4. Re:Government! Start with thyselves! by Enry · · Score: 1

      I'm not sure what you're getting at.

    5. Re:Government! Start with thyselves! by mi · · Score: 1

      I don't think they really enforce the Pass matching the plates though.

      You are violating your contract if you use it with another vehicle. They may come down on you if they choose to — and, them being a monopoly, you'll have no option but to pay up whatever they decide to demand (a $50 "administrative fee" for a $0.50 payment is normal). And, being a government-backed monopoly, they will hold your driver-license or car-registration hostage until you pay up.

      I think it only comes into play if you report the Pass stolen.

      Not really relevant to my point about anonymity, is it?

      --
      In Soviet Washington the swamp drains you.
    6. Re:Government! Start with thyselves! by mi · · Score: 1

      I'm not sure what you're getting at.

      TFA is about people buying new cars, which are, supposedly, loaded with remotely exploitable electronics.

      I — a crazy Libertarian — pointed out, that, as usual, the main threat to our privacy (as well as money) comes not from competing manufacturers, but from government and government-backed monopolies.

      You objected to that by saying that taking a toll road is never a requirement. I countered that statement (not entirely accurate one, BTW) by reminding you that buying a car at all is not a requirement either, and even if one feels compelled to buy one, one can choose a used one — without the dangerously fancy electronics.

      Meaning that, if we are discussing flaws of new cars on the market, we've already allowed the "commonly used" and "required" to be interchangeable terms in our discussion.

      --
      In Soviet Washington the swamp drains you.
    7. Re:Government! Start with thyselves! by Enry · · Score: 1

      I countered that statement (not entirely accurate one, BTW),

      Oh this should be good. Why is it not accurate?

    8. Re:Government! Start with thyselves! by mi · · Score: 1

      Oh this should be good. Why is it not accurate?

      Thank you for accepting all of my other points.

      I'll surrender this one.

      --
      In Soviet Washington the swamp drains you.
    9. Re:Government! Start with thyselves! by Enry · · Score: 1

      I'm not accepting anything since you haven't really made any point. So thanks for at least admitting you were wrong.

    10. Re: Government! Start with thyselves! by Anonymous Coward · · Score: 0

      because it doesn't fucking matter whether we are required to take the toll road or not. our privacy is being invaded because they are tracking you through easy pass which is a monopoly backed by govt and states. want easy pass but no tracking... too bad, no other company provides this service.

      these privacy invasions have been long going on as OP said with EZ Pass. Privacy invasion is privacy invasion. you can't move the goalpost to fit your argument.

    11. Re:Government! Start with thyselves! by mi · · Score: 1

      I'm not accepting anything since you haven't really made any point.

      Let me enumerate my points for the slower among the audience:

      • The main threat to our money and privacy is not competing corporations like car-makers, but our government and, even worse:
      • Corporations, which — like EZ-Pass — are given monopoly by the government.
      • The government's threats against us evolve and aren't limited to the old known evil of unwarranted eavesdropping.
      • The Senator in TFA is scoring cheap points by harking at car-manufacturers over imaginary threats from hypothetical hackers, rather than going after the clear and present dangers enumerated.

      The only objectionable thing you found, was that it is possible to avoid toll roads. Wow...

      --
      In Soviet Washington the swamp drains you.
    12. Re:Government! Start with thyselves! by Enry · · Score: 1

      Corporations, which — like EZ-Pass — are given monopoly by the government.

      The government gives monopolies to all sorts of companies. This is nothing new. Though in this case it's the state governments doing the granting rather than the feds. I thought your type was all states rights nonsense.

      The government's threats against us evolve and aren't limited to the old known evil of unwarranted eavesdropping.

      What that has to do with cars is beyond me.

      The Senator in TFA is scoring cheap points by harking at car-manufacturers over imaginary threats from hypothetical hackers, rather than going after the clear and present dangers enumerated.

      You mean the threat of your car being tracked by EZ-Pass? The threat you can avoid BY NOT TAKING TOLL ROADS.

      Somewhere in Chicago a community is missing its organizer.

      And you seem to be missing any sort of common sense. I'm done with you.

    13. Re:Government! Start with thyselves! by Anonymous Coward · · Score: 0

      Oh this should be good. Why is it not accurate?

      Thank you for accepting all of my other points.

      I'll surrender this one.

      As someone claiming to know something about Chicago (in every single fucking post, no less) you really should know more about how pervasive the toll road system is in certain parts of the US.

    14. Re:Government! Start with thyselves! by mi · · Score: 1

      I thought your type was all states rights nonsense.

      In the context of this discussion, there is no difference between Federal and States' governments. Try to keep up.

      What that has to do with cars is beyond me.

      As you came to understand upon typing the next sentence below, I'm talking about tracking vehicle movement through de-facto mandatory EZ-Pass. That is, what it "has to do with cars".

      You mean the threat of your car being tracked by EZ-Pass? The threat you can avoid BY NOT TAKING TOLL ROADS.

      Yes, and the threat posed by hacking-prone car electronics, which are the subject of TFA, can be avoided by not buying such cars. If we can talk about that avoidable threat, we can also talk about other threats our cars pose — even if, strictly speaking, they can be avoided too.

      Because the threat is bigger and avoiding it is harder.

      --
      In Soviet Washington the swamp drains you.
    15. Re:Government! Start with thyselves! by sjames · · Score: 1

      You're not required to have a car (or feet) or a home, or eat. Yes, you are perfectly free to starve in the gutter if you like.

      That poor dead horse has been whipped into a chunky sauce by now. Next lame excuse please!

    16. Re:Government! Start with thyselves! by Enry · · Score: 1

      Oh please. You're comparing taking a toll road to having a house? Get real.

    17. Re:Government! Start with thyselves! by sjames · · Score: 1

      Considering that the toll road almost inevitably relied on an exercise of eminent domain "for the public good", I would say that attaching loss of privacy to its use is quite impermissible.

      My argument was reducto ad absurdem.

      My point stands, the ability to avoid a public resource with varying degrees of discomfort, inconvenience, or harm does not and can not excuse violation of privacy or other rights. The horse is still dead.

    18. Re:Government! Start with thyselves! by Enry · · Score: 1

      My argument was reducto ad absurdem.[sic]

      Hey, you said it.

  11. Those bugs are all fixed in the next release... by Anonymous Coward · · Score: 0

    ... Roboticar 5.0 "Suckerpop" has all those security fixes, they're not backporting them to older releases.
    Oh, what's that, you have a *2013* model car? Sorry, we're not coming out with an update for that, you're stuck on Roboticar 4.2 "Coffee Bean", unless some 3rd party group of hackers comes out with an update for your older model car.

  12. Incant the demon that is APK by Anonymous Coward · · Score: 2, Funny

    CLEARLY, the fix for all these problems is a good HOSTS FILE MANAGER

    1. Re:Incant the demon that is APK by Anonymous Coward · · Score: 1

      No, no, CLEARLY the fix for all of these problems is to integrate all your car's features into systemd, and ensure that all car vendors adopt systemd.

  13. Self-driving by Anonymous Coward · · Score: 0

    Think this is scary now? Just wait 'til we have self-driving cars, which will also be built by purely profit-driven organizations who won't do any more than pay lip service to security until they get sued for it.

  14. Re:Automaker just as incompetent as anybody else.. by Anonymous Coward · · Score: 0

    Not true, they're not as incompetent as the slashdot editors -- this is the third article about this topic in less than seven days.

  15. Easy fix... by mlts · · Score: 5, Insightful

    This is fixed pretty easily:

    Don't put the fscking radio, XM satellite stuff, Bluetooth toys and other garbage on the same CAN as the ECM/TCM.

    One CAN for the basic stuff that is vital to life safety. As for wanting to turn the climate control system on and off via an app? How about no. Automobiles are dangerous, and there is a point where you just can't let the entire Internet have access to a vehicle, in the name of security.

    Even things like OnStar are disasters waiting to happen. If/when it gets breached an attacker can turn an evacuation into an epic disaster by disabling all GM cars trying to get out of an area that is about to get nailed by a hurricane. A microcosm of this happened in Austin when a car dealer's immobilization system (the buyers of cars had to type in a code each week or else their vehicle was disabled) got "hacked" (by an ex-employee who knew the manager's user info), and all cars that were in that dealer's system shut off and were made to honk until their batteries died.

    I hope car makers have sense, and don't take the IoT bait. It will mean certain loss of life in the future, when some intruder disables the power brakes on vehicles at random (for example.) Or for cars that are totally drive by wire, just disable the steering wheel, or have it turn randomly. Nobody could prove that it was anyone's fault but the driver's in that condition.

    1. Re: Easy fix... by Anonymous Coward · · Score: 0

      You are on the wrong subject here - the device you are speaking of in the "Austin incident" is an after-market device that is installed by the dealer, not something that was installed at the factory or even remotely related to the auto maker. "Buy here pay here" lots (they don't even sell new cars) use these devices to ensure people make their payments - when a scheduled payment is made the customer gets a code to enter into this device that keeps the vehicle from being disabled until the next payment is due. If the next payment isn't made, the customer gets no code, the vehicle is disabled and located by the installed device, and promptly repo'd. Has absolutely nothing to do with GM or any other manufacturer. The device is available from many different electronics manufacturers and can be installed on almost any vehicle.

    2. Re:Easy fix... by Anonymous Coward · · Score: 0

      But then you'd need a CAN firewall... the reason they all go on the bus is because they use that information to do things; e.g.:
      - Automatically adjust the radio volume depending on your driving speed -- and this ties into other systems like your phone --
      - Adjust the A/C load based on speed
      - Adjust the fan speed based on coolant temperature and knob

      Then again, if you made the bridge components more intelligent (err... the radio should not allow a phone to send a can message)...

      Then again, again... I have a Bluetooth OBD2 in my truck...

    3. Re:Easy fix... by frank_adrian314159 · · Score: 2

      Don't put the fscking radio, XM satellite stuff, Bluetooth toys and other garbage on the same CAN as the ECM/TCM.

      But then how would I get my downloadable security software upgrades into the components on different CANs without duplicating my download mechanism across both CANs? That might cost me as much as a couple dollars per car - the horror! (I'm not being that sarcastic here about the cost - in the volumes these guys deal in, a nickel cost savings can translate to millions of dollars on the company's bottom line). Whether it would be worth the cost to the company to replicate software upgrade paths in the face of the inevitable security risks will eventually be left to the free market unless short-circuited by legislation like that proposed. I would put in a snarky comment about free market, blah, blah, blah, but I figure most folks can infer it already, as well as most conservative rejoinders. So, unless it's some new or important valuation function change to consider or particularly non-obvious philosophical rejoinder, please spare us all - we've heard them before and your writing style isn't that special.

      --
      That is all.
    4. Re:Easy fix... by mlts · · Score: 2

      What is needed is a data diode with a CAN firewall. This way, there can be two CANs, one for the data that can crash the vehicle, and one for the gewgaws. This way, the radio can know how fast one is going and so on, but can't decide to interrupt spark plug timing.

      Easy in theory, but can this be done by companies, even auto makers? Hopefully, but not many companies have a good reputation for security when heavily attacked.

    5. Re:Easy fix... by sjames · · Score: 1

      Right, so you need a device sitting on the essential bus that copies that traffic onto the auxiliary bus but never the other direction. Ideally it does it with 2 back to back controllers linked only by an opto-isolator that connects tx on the secure bus controller to rx on the auxiliary bus controller.

    6. Re: Easy fix... by gnunick · · Score: 2

      Interesting and perhaps even informative, but nothing in the post you're replying to was on the "wrong subject"--unless you conflate the ideas of "car dealer" and "car manufacturer". There's no reason the same disastrous sort of scenario couldn't apply to a factory-installed system.

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    7. Re:Easy fix... by Anonymous Coward · · Score: 0

      Disclaimer: I am a Volkswagen engineer.

      Our cars already have exactly what you are describing and have had it for a long time (like dating back over 10 years). It is called a CAN gateway.

      There are several different CAN busses (up to 5 or 6 or so) inside our vehicles, e.g. one for infotainment, one for steering, one for most body control functions like wipers and lights etc. The data which can pass from one bus to the other, and in which direction, is controlled by the central CAN gateway ECU which connects them. So just as you explained, for example the current speed information from an ECU on the steering CAN is routed to the infotainment CAN for display, but you could not send the same message from the infotainment CAN to any other CAN. This severely limits the impact a hacked online unit could have on your car.

      Most German cars have this kind of architecture in one way or another. I always have a good laugh when self-proclaimed hackers "hack" a car by attaching some kind of device onto the OBD port. This does not work for our cars because all you get is access to the diagnosis CAN. Good luck doing anything useful on it except for diagnosis commands. You won't be able to disable the brakes or change the speed or whatever cheap tricks have been shown recently.

      Asian and American cars however usually only have one single bus connecting everything and these are always the premier display cars for the newest "hacks". Their OBD port gives access to everything.

      By the way, the original reasons for introducing the CAN gateway were data load and safety. Routing all messages would clog up the different busses, so routing is very carefully limited. Malfunctioning ECUs could bring down the whole system, so logically separating them by domain was the obvious move to make safety assessments easier. The resulting security aspect was more or less accidental.
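
      The one-way gateway routing described in the post above (and the "copy one direction only" device sjames describes) can be modelled as an allow-list keyed on source bus and CAN ID. The following is an added example, not code from the original posts or from any manufacturer; the bus names, CAN IDs and routing table are constructed for illustration, and it includes a static audit of the table so a reviewer can confirm nothing routes from an exposed domain into a safety domain.

```python
"""Simulated CAN gateway enforcing one-way, allow-list routing between domains.

Added example for this thread; not code from the original posts or from any
manufacturer. Bus names, CAN IDs and the routing table are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    can_id: int    # 11-bit standard identifier
    data: bytes    # up to 8 payload bytes
    src_bus: str   # bus the gateway received the frame on


# Allow-list: (source bus, CAN ID) -> destination buses. Anything not listed is dropped.
ROUTES: Dict[Tuple[str, int], List[str]] = {
    ("powertrain", 0x1A0): ["body", "infotainment"],  # vehicle speed, for display
    ("powertrain", 0x2C0): ["body"],                  # coolant temperature, for fans
    ("body", 0x3F0): ["infotainment"],                # light/wiper status, for the dash
    # no ("infotainment", ...) entries: that domain can listen but never inject
}

# Domains whose ECUs can affect vehicle motion; nothing may route *into* them
# from a domain that is exposed to the outside world (radio, OBD port).
SAFETY_BUSES = {"powertrain", "body"}
EXPOSED_BUSES = {"infotainment", "diagnostics"}


def check_policy(routes: Dict[Tuple[str, int], List[str]]) -> List[str]:
    """Static audit of a routing table: returns a list of violations (empty if clean)."""
    problems = []
    for (src, can_id), dests in routes.items():
        if src in EXPOSED_BUSES and any(d in SAFETY_BUSES for d in dests):
            problems.append(f"0x{can_id:03X}: {src} -> {dests} crosses into a safety bus")
    return problems


@dataclass
class Gateway:
    routes: Dict[Tuple[str, int], List[str]]
    outputs: Dict[str, List[CanFrame]] = field(default_factory=dict)
    dropped: List[CanFrame] = field(default_factory=list)

    def route(self, frame: CanFrame) -> List[str]:
        """Forward one frame; returns the buses it was copied onto."""
        # Malformed frames are dropped before any routing decision is made.
        if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
            self.dropped.append(frame)
            return []
        # Look up (source, ID); never echo a frame back onto the bus it arrived from.
        dests = [d for d in self.routes.get((frame.src_bus, frame.can_id), [])
                 if d != frame.src_bus]
        if not dests:
            self.dropped.append(frame)   # kept for logging/diagnostics
            return []
        for d in dests:
            self.outputs.setdefault(d, []).append(frame)
        return dests


def simulate() -> Dict[str, int]:
    """Run constructed traffic through the gateway and summarise what got where."""
    gw = Gateway(ROUTES)
    traffic = [
        CanFrame(0x1A0, b"\x00\x64", "powertrain"),    # legitimate speed frame
        CanFrame(0x2C0, b"\x5a", "powertrain"),        # legitimate coolant temperature
        CanFrame(0x1A0, b"\x00\x00", "infotainment"),  # same ID, wrong source: dropped
        CanFrame(0x2C0, b"\xff", "diagnostics"),       # injected on the OBD side: dropped
        CanFrame(0x1A0, b"\x00" * 9, "powertrain"),    # oversized payload: dropped
    ]
    for f in traffic:
        gw.route(f)
    return {
        "delivered_infotainment": len(gw.outputs.get("infotainment", [])),
        "delivered_body": len(gw.outputs.get("body", [])),
        "dropped": len(gw.dropped),
        "policy_violations": len(check_policy(ROUTES)),
    }


if __name__ == "__main__":
    print(simulate())
```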

    8. Re:Easy fix... by gweihir · · Score: 1

      And there you describe a simple zone concept, like the ones usually presented in one of the first lectures of a course on secure system architecture. Apparently they either did not have that basic knowledge, or management overrode the experts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Easy fix... by gweihir · · Score: 1

      There are no working "data diodes" on network level. That is a marketing-construct. If you need working data diodes, what you do is burn to write-once media on one side, carry it over, then destroy the medium.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Easy fix... by gweihir · · Score: 1

      Indeed. An application-level firewall (in Internet-terminology, CAN is likely a bit different) is what you need here and it needs to be hardened. Not magic at all, but you need to know what you are doing and it does cost some money.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Easy fix... by mlts · · Score: 1

      I've made them before, although not truly network level. Two PCs, each on separate subnets connected to each other with a serial cable that had the Rx line cut. Data on the secure network would hit the first PC and go out the serial port to the second PC that would spool the data to disk. Nothing is 100%, but barring physical access, it would be extremely hard for an intruder to try to affect the PC on the secure network in any way, even if the machine on the receiving network was completely rooted.

    12. Re:Easy fix... by mlts · · Score: 1

      The problem is that separation of function and defense in depth tends to be set aside because it costs money to implement, and in my experience, "security has no ROI" is quite a mantra for some PHBs... just because there are little to no consequences that will happen to a company if there is a breach.

      The VW engineer is enlightening. It is actually surprising to me to find a company engineering security, as opposed to strapping it on after everything else is done as a token gesture. Now, if VW could start making Crafters here in the US, it would be quite a nice thing.

  16. Ugh by Anonymous Coward · · Score: 1

    Here I found out 2 days ago my car is dying and have been looking online at other vehicles. Granted I love computers and all, when it comes to cars I'm more of a minimalist - less shit that can break and go wrong. The last thing I want is for my CAR to get hacked!

  17. Funny timing on this article, though... by happyslayer · · Score: 1

    ...that it came out right after the one on farmers being blocked out of their "own" equipment by hard system protections.

    Conspiracy theorists, discuss amongst yourselves...

    </ tinfoil>

    --
    Never confuse movement with action. --Hemingway
  18. Incant the demon that is APK by Anonymous Coward · · Score: 0

    What have you done?!

  19. Protections you say? by GameboyRMH · · Score: 1

    He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."

    Same as in the tech industry - somewhere between "absolutely none" and "we intentionally use it in a harmful or invasive manner, that's our business model...and the NSA demands access too."

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  20. and you trip to Canada or just near the border can by Anonymous Coward · · Score: 0

    and your trip to Canada or just near the border can cost you $15-$20 a meg; just hope that there is no update at the time, since a 500 MB update is 7.5K to 10K in data fees.

  21. Demo of such on 60 Minutes 2/8/15 by peter303 · · Score: 3, Interesting

    DARPA has a car-hacking app. The 60 Minutes correspondent was driving a new car in an empty parking lot. The DARPA rep turned the brakes off, the accelerator off, the wipers on at various times from a Wifi enabled laptop. The driver was flustered.

  22. dem haxxorz by Anonymous Coward · · Score: 0

    As long as we keep on refusing to name the problem, preferring to use words meticulously stripped of any meaning save sensationalist claptrap, we certainly won't be able to talk meaningfully about improving the situation. But the hat-wearing bunch will be happy to "consult", prolonging the problem. So, keep talking, suckers.

  23. Self-Driving Cars, yay! by davydagger · · Score: 1
    Like many other ideas, self-driving cars seem cool, until you realize how shit like this applies to them.

    Welcome to the next generation of theft, rape, murder, and kidnapping done by cyber assailants hijacking self-driving cars.

    1. Re:Self-Driving Cars, yay! by Crypto+Cavedweller · · Score: 1

      Welcome to '69 Mustangs being cooler than ever.

    2. Re:Self-Driving Cars, yay! by Anonymous Coward · · Score: 0

      Like many other ideas, self-driving cars seem cool, until you realize how shit like this applies to them.

      Welcome to the next generation of theft, rape, murder, and kidnapping done by cyber assailants hijacking self-driving cars.

      Given that they don't exist yet (in any consumer ready form) it's impossible to say how a driverless car would fare under attack from hackers, but given the focus on software vs hardware (the opposite of what big automakers currently take) it might turn out that new driverless cars are more security-aware and resistant to simple hacks like CANbus takeover, compared to current cars.

    3. Re:Self-Driving Cars, yay! by davydagger · · Score: 1
      No, but we can guess, because we can take a pretty well educated guess at the computers and computer networks they will be running, because primitive forms exist today.

      No computer part is simply made in a vacuum, from operating systems, to CPUs, to HDs. all components have slowly evolved over time.

      It is very much unlikely that any radical leap in technology is going to power the first self driving cars. It's simply putting together what we have today. It's very likely self-driving cars will be mostly technology we are already familiar with, such as back up cameras, bumper sensors, and of course very familiar either ARM or x86 Intel chips with your pick of QNX, GNU or Android Linux, or MS Windows. Those are the only four operating systems up to the task, and perhaps FreeBSD out of the blue if someone wants to put a lot of time getting it into shape. The "Self Driving" will all be in software. It will most likely be the same computer that for a dollar more contains wifi and bluetooth, and a penny USB controller for syncing your infotainment on your smart phone.

      Of course they could segregate it, but that would cost money, another computer, as opposed to bolting on $10 of hardware. It will be web 2.0 ready to post on your facebook to make your friends jealous, and it will have a name to make you identify with it. Something again, a week of programming by the non-rate in the office while the real hackers did the self-driving part. It's also the part that gets the virus.

      Then we have the culture of ethics which ships insecure software. This culture has been noted for over 20 years in history, and what would need to be a complete reversal of culture is not in the works. Very unlikely.

  24. Give me market choices ... by Crypto+Cavedweller · · Score: 2

    ... because I'll never choose a vehicle that sends a single byte of data about itself or me to the Cloud.

    1. Re:Give me market choices ... by Anonymous Coward · · Score: 0

      And you'll never get insurance unless they know everything about how you drive.

  25. Re:Automaker just as incompetent as anybody else.. by Jawnn · · Score: 1

    Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.

    Yeah, but...
    Though TFA is pretty short on details, it's a safe bet that the auto makers have made only a half-assed attempt at security, at best. Time will tell, of course, but I've got money to wager that within the next few years, we're going to see just how little those companies knew and/or cared about security.

  26. Re:Automaker just as incompetent as anybody else.. by cayenne8 · · Score: 3, Informative
    Well they could go a LONG way in letting users secure their own cars, by allowing a SIMPLE method for de-activating all this un-needed wireless connectivity. I have a phone/gps I don't need my fscking car wired to the fscking internet.

    Lord, I'm really about to start upping my efforts to buy a restored 70's muscle car. No excess computers, nothing connecting to anything, basically a nice beefy engine, a drivetrain, possibly no catalytic converter (depends on the year)...simple and fun to drive.

    Ok, I will update the suspension, and swap out the 8-track for a bit more modern stereo, but seriously, I would rather have a simpler car that just MOVES and is fun. I don't need it to be a connected device that likely transmits far too much information about me and my driving habits for my comfort, and is a target for hackers.

    What customers are actually ASKING for all this shit in cars today? Seriously?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  27. So obviously DRM is the answer by caseih · · Score: 1

    The sad thing is, the obvious answer the car industry is going to come up with is to encrypt the CAN bus and use DRM to control access to the bus. This will provide a (false) sense of security, while locking out those pesky people that want to mod their vehicles and add all those cheaper after market parts like remote starts. And in the end this is a bad thing for all of us.

  28. Why? by MagickalMyst · · Score: 1

    Why do we need wireless services in our cars? GPS I can understand (although I don't use it myself). Wireless? Internet? Why?

    Self driving, Internet-ready cars are a really bad idea, imho.

    I can just see some 13-year old script kiddie 'hacking' into your car and controlling it with his racing wheel. Better yet, testing his script on your car in an effort to work out the real-world bugs...

    No thanks.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  29. Who the hell keeps asking for these features? by Anonymous Coward · · Score: 0

    My car doesn't need wifi or bluetooth.

    I don't remember ever thinking "gee I wish my car had wifi & bluetooth, that'd be great!"

  30. Suits me by Anonymous Coward · · Score: 0

    insurance is a fucking ripoff anyway.

  31. Demo of such on 60 Minutes 2/8/15 by Anonymous Coward · · Score: 0

    How many of those vulnerabilities were deliberately left in by the NSA?

  32. Interesting juxtaposition... by WoodstockJeff · · Score: 1

    Between this story about the need to secure on board systems against hacking, and Friday's story about the NEED to hack farm equipment....

    http://tech.slashdot.org/story...

  33. In other breaking news... by jmcvetta · · Score: 1

    Fish found to be good at swimming! News at 11!

  34. Socialist computing vulnerabilities? by lippydude · · Score: 1

    @gstoddart: "The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism."

    It isn't down to the corporations that our computing infrastructure is so insecure, but our own Governments. As in order to protect us they need to keep us under constant surveillance. Some of us might still be able to recall when the NSA helped Microsoft secure Skype. See also where your Bitlocker keys are stored safely in the Cloud. The socialist East German Stasi could only dream of such technology :)

    1. Re:Socialist computing vulnerabilities? by Anonymous Coward · · Score: 0

      The problem is not the governments either. The issue is once information gets passed to another entity, by the very nature of the information's existence, that entity is free to do with it whatever they please, regardless of whether that entity is an individual, group, some legal construct, etc. It does not matter.

      Therefore the real problem is the people who the information pertains to, and their willingness to not ACTIVELY defend it:
      Put your passwords in a credential storage application?
      Better hope no-one finds out your master password, or finds an exploit.

      Upload all of your documents to the cloud?
      Better hope the people running the server hardware have better targets in mind than you.

      Constantly use the various store-loyalty cards?
      Better hope you're OK with EVERY SINGLE PURCHASE you make (right down to individual item, amount, price, time and location of purchase) being logged for future reference and sold to the highest bidder for eternity.

      Carry a cellphone of any type everywhere you go?
      Better hope that your logged travels don't make you an enemy of the state by association at any point in the future.

      Use social media like a twitter-sh****?
      Better hope you don't say something that will get you fired from your job even if it's out of context.

      Constantly post information about your kids to the net or let them do it themselves without supervision?
      Better hope when they are in their 20s they will be able to find a job. Or have any form of privacy at all.

      Hook up your home automation system to the net?
      Better hope those appliances get their needed updates or you could have your oven catch your house on fire, after the doors were opened and alarms disabled remotely to allow the thieves in to steal all of your valuables, after using the security cameras to make sure you were not home after your furnace "malfunctioned" in the dead of winter. (Seriously WOW... WTF makes people think a single point of TOTAL CONTROL over a house connected to the internet is a good idea???)

      Have all of your medical information stored online in the health insurance company's database?
      Better hope they don't get hacked http://yro.slashdot.org/story/..., and your info used to create fake lines of credit in your name. Or that information used to get free health care on your expense. (More dangerous than it sounds, false medical data created by a scam artist can be the cause of a misdiagnosis because the doctor did not know that information was bad. Now imagine if you are unconscious and near death in the hospital, and the doctor cannot locate any next-of-kin to help filter bad information out. If that doctor does the wrong thing it could kill you. Or prevent him from using some procedure / treatment / medicine that had a higher chance of success.)

      Basically at the end of the day, until people are willing to ACTIVELY defend their information, not permit these abuses (by force if needed), even if it means their lives are not 100% convenient, then these issues will never be resolved.

      It is the nature of PURE INFORMATION that it can be copied indefinitely, without degrading the original copy. DRM providers, book burners, government agents, criminal organizations, individuals, etc. have all tried and FAILED for centuries to prevent the nature of pure information from working against them and their interests. The best they or anyone can do is destroy any and all hard copies that they can find, and kill anyone who they do not consider trustworthy of having knowledge of that information. The underlying issue, cannot be fixed. So if you as an individual or as a society want your information to be protected and secure, you must defend it yourselves. For as long as there is someone willing to abuse your information and has access to it, you will be abused, you will be victimized, and you will be taken advantage of EVERY SINGLE TIME. As all that prevents the damage from being done, is the willingness of the perpetrator to commit the crime.

  35. false concern by samantha · · Score: 1

    The government is hacking every router, server, and computerized device in the country. Yet they will lean "for our protection" on car manufacturers and vehicle computerization. I don't believe this is nearly as much concern. You want better security? Open the sources and especially open what the government is doing to subvert and work around security measures and end them. Otherwise? STFU.

  36. Michael Hastings by WolfWithoutAClause · · Score: 1

    It has been claimed that Michael Hastings might have been assassinated by hacking his car:

    https://en.wikipedia.org/wiki/...

    I'm not sure whether he actually died that way, but it's theoretically possible, if you've pissed sufficiently rich and powerful people off enough, and he may have done.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  37. Re:Automaker just as incompetent as anybody else.. by mjwx · · Score: 1

    What customers are actually ASKING for all this shit in cars today? Seriously?

    Most of them.

    Nowadays people expect connectivity from a base model Korean hatchback. It's more important to buyers than airbags and seatbelts. All you have to do is look at the ads for a Ford Fiesta to realise they're marketed as fashion accessories for a chic lifestyle with their iwhotsits connectivity, bluetooth, satellite navigation. Having their phone play music through the speakers is more important than a car that actually works. It started with BMWs and Mercs in the early 00's, now it's expected in a Kia.

    People who shop for a car with decent performance or handling as priorities are in the extreme minority these days. Most people buy a BMW M3 or a WRX STI because of the reputation, not because they're exceptional cars.

    I don't mind some computers in the car. Engine management systems, traction control, adjustable suspension and AWD systems are quite nice, especially when you can fettle with them yourself. However I expect that these systems will be disconnected from the "infotainment" unit. However a lot of manufacturers are integrating it into the infotainment system. In this case, I'd rather not have things like adjustable suspension because it means someone from outside my car could fiddle with it.

    Eventually it's going to backfire and manufacturers are going to have to backpedal connectivity as the cost of people making warranty claims and lawsuits for hacked cars increases.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  38. Re:Automaker just as incompetent as anybody else.. by Anonymous Coward · · Score: 0

    Well they could go a LONG way in letting users secure their own cars, by allowing a SIMPLE method for de-activating all this un-needed wireless connectivity. I have a phone/gps I don't need my fscking car wired to the fscking internet.

    Lord, I'm really about to start upping my efforts to buy a restored 70's muscle car. No excess computers, nothing connecting to anything, basically a nice beefy engine, a drivetrain, possibly no catalytic converter (depends on the year)...simple and fun to drive.

    Ok, I will update the suspension, and swap out the 8-track for a bit more modern stereo, but seriously, I would rather have a simpler car that just MOVES and is fun. I don't need it to be a connected device that likely transmits far too much information about me and my driving habits for my comfort, and is a target for hackers.

    What customers are actually ASKING for all this shit in cars today? Seriously?

    Well, if you can afford it, maybe convert that gas tank to a lead acid battery. If for no other reason, you don't want to get a fine for outputting too much smog.

  39. Silly subject... by Anonymous Coward · · Score: 0

    Report: Everyone fails to fully protect against hacking
    Report: Matter fails to cease attracting other matter
    Report: Slashdot...sucks?

  40. Re:Automaker just as incompetent as anybody else.. by gweihir · · Score: 1

    That is exactly not what I am saying. What I am saying is that they went cheap and did not have independent outside evaluation. Of course that will almost always fail. You can make these things secure enough that nobody will hack them (because it is too much effort), but that costs money.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  41. Re:Automaker just as incompetent as anybody else.. by gweihir · · Score: 1

    Half-assed, incompetent and on the cheap is probably the best way to describe it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  42. Re:Automaker just as incompetent as anybody else.. by cayenne8 · · Score: 1

    Well, if you can afford it, maybe convert that gas tank to a lead acid battery. If for no other reason, you don't want to get a fine for outputting too much smog.

    Not a problem.

    Old cars are grandfathered in for pollution levels.

    That and I live in a state where they don't do any "sniff" tests on inspections. Hell, not all states even require inspections at all.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........