Slashdot Mirror

← Back to Stories (view on slashdot.org)

Report: Automakers Fail To Fully Protect Against Hacking

Posted by samzenpus on from the two-cyber-hands-on-the-wheel dept.

An anonymous reader writes with news about a report by Senator Edward Markey on the security of new vehicles. "Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data, a member of the U.S. Senate is asserting. Basing his argument on information provided by manufacturer, Sen. Edward Markey has concluded that "many in the automotive industry really don't understand what the implications are of moving to this new computer-based era" of the automobile. The Massachusetts Democrat has asked automakers a series of questions about the technologies — and any safeguards against hackers — that may or may not have been built into the latest models of their vehicles. He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."

6 of 100 comments (clear)

  1. Again, duh ... by gstoddart · · Score: 3, Insightful

    And until there are legal penalties for companies who fail to implement proper security, or to keep personal information safe ... this will continue to happen.

    When a company can sell your private data (because they embedded something in an EULA), or has no consequences for being incompetent, they'll just say "oops, bummer" and keep doing it.

    So until there are real data protection laws, with real consequences ... just assume these companies are incompetent, indifferent, and not accountable.

    Because, let's face it, they are.

    But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

    All products which have marketing driving features probably have ZERO security. Because marketing all need a kick to the head and don't understand security, and explicitly don't WANT security or constraints, because that limits how they can make money with and would mean they need to do a better job of engineering.

    Most modern tech is rushed out the door, with zero thought of security and privacy. And since it doesn't matter if they suck at both, they'll continue to do it.

    --
    Lost at C:>. Found at C.
    1. Re:Again, duh ... by bill_mcgonigle · · Score: 4, Insightful

      But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

      That's the whole purpose of corporations - to remove accountability. In fact, it meshes perfectly with the very purposes of government - to socialize losses and privatize gains, and if, in exchange, corporations can funnel nearly unlimited money to political campaigns to satisfy politicians' thirst for power, you have a nearly perfect arrangement as far as most of the concentrated-interest players are concerned. No-plead deals have become all the rage with prosecutors over the past two decades, super-charging corporate malfeasance.

      Just look at Wall Street before and after the partnerships reorganized as corporations for a case study of how it works. Or even better, the public benefit corporations prior to Reconstruction (when JD Rockefeller bribed Congress to let him make Standard Oil into a permanent corporation) fulfilling the very mercantalist nightmare the former Colonists tried hard to avoid recreating.

      "Corporations are People, my friend" - special people who never die, can handle unlimited resources, face no penalties for their behavior, and encourage corruption without remorse. Stan Lee would call those kinds of people "supervillains".

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Sen Markey by Virtucon · · Score: 4, Insightful

    We've had computers in cars for quite awhile. You are correct that these newer systems are more vulnerable to hacking and identity theft. The biggest question you should ask is why do we allow our information systems whether they be in cars, financial institutions or healthcare systems to be this vulnerable. The federal government is also slipshod when it comes to protecting information and it's time that was stop pointing fingers and produce legislation and a constitutional amendment that protects privacy.. The only way we'll change the behavior is to include penalties for not thinking about security and putting our PII and lives at risk.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Sen Markey by gstoddart · · Score: 4, Insightful

      The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism.

      There are a lot of people who seem to think corporations should be free to do anything they want, and that if consumers want privacy they can choose to buy from companies who give it.

      Of course, those people are morons who think the magical free market solves such problems.

      As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.

      And no idiotic "free market" will change that.

      --
      Lost at C:>. Found at C.
  3. Re:What about medical devices? by gstoddart · · Score: 3, Insightful

    Or, how about data privacy and protection laws in general? You know, actually hold companies accountable for treating security and privacy as optional?

    Start fining them 10's or 100's of millions of dollars for being clueless idiots, and they'll get the message.

    Keep letting companies do nothing and bear no consequences ... nothing at all will change. If you're not hitting them where it counts, corporations won't start acting differently.

    --
    Lost at C:>. Found at C.
  4. Easy fix... by mlts · · Score: 5, Insightful

    This is fixed pretty easily:

    Don't put the fscking radio, XM satellite stuff, BlueTooth toys and other garbage on the same CAN as the ECM/TCM.

    One CAN for the basic stuff that is vital to life safety. As for wanting to turn the climate control system on and off via an app? How about no. Automobiles are dangerous, and there is a point where you just can't let the entire Internet have access to a vehicle, in the name of security.

    Even things like OnStar are disasters waiting to happen. If/when it gets breached an attacker can turn an evacuation into an epic disaster by disabling all GM cars trying to get out of an area that is about to get nailed by a hurricane. A microcosm of this happened in Austin when a car dealer's immobilization system (the buyers of cars had to type in a code each week or else their vehicle was disabled) got "hacked" (by an ex-employee who knew the manager's user info), and all cars that were in that dealer's system shut off and made to honk until their batteries died.

    I hope car makers have sense, and don't take the IoT bait. It will mean certain loss of life in the future, when some intruder disables the power brakes on vehicles at random (for example.) Or for cars that are totally drive by wire, just disable the steering wheel, or have it turn randomly. Nobody could prove that it was anyone's fault but the driver's in that condition.