Slashdot Mirror
Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers
Lucas123 writes: A Dallas-based law firm has filed a class-action lawsuit in the U.S. District Court for the Northern District of California claiming Ford, GM and Toyota all ignored basic electronic security measures that leave vehicles open to hackers who can take control of critical functions and endanger the safety of the driver and passengers. The suit, filed on behalf of three vehicle owners and "all others similarly situated" is seeking unspecified damages and an injunction that would force automakers to install proper firewalls or encryption in vehicle computer bus systems, which connect dozens of electronic control units. "Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," attorney Marc Stanley said. The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes." A study released last month by Sen. Edward Markey (D-Mass.) also claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.
when the robots vote.
(Little girl jacks into your car's ecm) .... (Hack)....
This is a Unix system.... I know this....
(Next Driver)
Hang on to your butts!!!!
Clever girl....
Yay, more class action lawsuits. Car owners prepare to get your 30 cent rebate forms ready! Lawyers, buy a new vacation home!
They're suing because, theoretically, some third party could make them the victim of a crime? Good luck with that.
In a 2013 study that was funded by the Defense Advanced Research Projects Agency (DARPA), two researchers demonstrated their ability to connect a laptop to two different vehiclesâ(TM) computer systems using a cable, send commands to different ECUs through the CAN, and thereby control the engine, brakes, steering and other critical vehicle components
So you're telling me that if you have direct physical access to a car's ECU, you can issue commands to it? No shit sherlock. That is THE WHOLE POINT of the CAN bus. The only alternative would be to close down the bus and only allow "authorized" accessories to be connected to it - hello sky-high diagnostic fees and goodbye to useful bluetooth OBD connectors.
Call me when this can be done wirelessly. Oh and yes I did read the "What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicleâ(TM)s CAN bus through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo" blurb - which still failed to materialize an actual working example of exploiting a CAN wirelessly.
Is there some reason that they can't completely isolate critical electronics for the brakes, steering, accelerator and associated vehicle features (collision detection, cruise control, etc.) from the rest of the vehicles electronics?
Wireless connectivity is used for what in most vehicles? Updating GPS/Navigation, and bluetooth for mobile the operators mobile phone (hands free, music, etc). They're nice features (mandatory for most) but they're not critical to the vehicles operation. Isolate the non-critical stuff and then try to secure it.
Now, on tv we'll have those.... If you or a loved one have had your car hacked, you may be entitled to compensation. Call the law firm of bla bla & bla bla.
Hackers have hacked into pacemakers and why the pacemaker patients don't sue?
Yet you don't see people demanding bomb sniffing technology to be added to all cars. If someone can get enough access to your vehicle to hook a cable into it, it's pretty much game over.
and I'll show you another wireless exploit.
Don't worry, NSA/CIA have already perfected the wireless exploit to require no physical contact.
these "lawyers" sure are incompetent selfish niggers.
People would still want to know how it all works so they aren't stuck going to the dealer for service. So how do you reconcile the two?
If automakers built cars that were as easily hijacked as Windows, everyone would be driving with body guards.
*** Don't be dull.***
Seriously, wasn't an article like out like a month ago?
The core problem is Hubris and not giving a shit about consequences of your actions. If it takes a lawsuit to get corporations to give a shit then so be it.
Sprawl of technology for technologies sake - endless tracking and spying on customers and bids to make cash from value-added subscription services is getting out of control.
Vehicles being hacked thru connected cellular radios, fobs and entertainment systems are valid concerns.. forcing the issue NOW thru lawsuit is better than dealing with an incident of viral propagation of havoc later.
If you specifically connect a Bluetooth interface to your ODBII or want to hack around yourself by plugging in a cable that's great everyone should absolutely be able to do these things if they want and should be willing to live with any consequences of the same. Obviously physical access = all bets off.
But when some clueless Shmoe goes and buys a car without even subscribing to shitstar... is it fair shitstar to record everywhere you go and sell the data? Is it fair that someone could hacks GSM radio or something fucked up goes down at shitstar that puts clueless Shmoe at risk for something he will never use or benefit from?
1. Segregate the parts of the computer with networked access from the portions of the car that actually involve driving. Brakes, acceleration, engine timing firmware, etc. All of that should be airgapped from the GPS OnStar stuff.
2. Make the storage media that those systems use both physically accessible from the inside of the car AND compatible with conventional computer technology. The internal storage of these systems should be on an SD card or a USB 3.0 Flash drive or a little SSD hard drive. The point is that if something goes wrong with my on board computer, I want to be able to pull its drive and re flash it with factory defaults. There is no reason for on chip storage the same way cell phones do it in a car. The reason you do that in a cell phone is to save space. In a car, you're not that hard up for space so you can make the storage media a little more bulky,
3. Install a firewall. Nothing fancy and let people configure it.
4. "What about people that want to start their car engine with a smart phone app?" Well, first I think this is a stupid feature. But assuming you want to keep it, you can have one way conditional communication across the airgap so long as that communication cannot pass executable code OR endanger the safety of the driver. So certain commands under specific circumstances should be fine. For example, if the engine is off, and the onstar system sends a "start engine command" that doesn't endanger the driver. If the engine is already on then the command will be ignored and so far as I know there are no other commands people want to issue to cars through their smartphones. If you want to mess with the headlights etc... perhaps have the condition that the transmission be in "park" or that the emergency brake is activated. If you put these conditions on very specific commands and only permit those commands to be passed. Then a hacker with total control of your onstar system won't be able to endanger you while you drive.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
So the car makers have taken the stand that sales takes priority over everything else. Imagine that. Its almost like they could have accepted the FCC's recommendations to include a bluetooth signal in the car that disables cell phone text and calling while the vehicle is in drive (thus saving millions of lives per year due to distracted driving), and yet none did. Its like "gee whiz" beats out "yo ride now belongz to usz Beotch". Remember the world famous Cherman enganeerink in ze Audi Five Sousand? They claimed that the "Shtoopit Amerigan driverss doont know how to drive za kar!" And they then added an interlock so you couldn't put the vehicle into any gear from park unless your foot was firmly on the brake. And one man said his foot was so firmly on the brake that he badly bruised the bottom of his foot. And they dismissed lawsuit after lawsuit until a 60 Minutes article with an electrical engineer, and a signal generator that produces signals similar to cell phones. And they took "za shuuperkar to za flat tesht fazility". And they started off normally, then the engineer turned on the signal generator, and the car started accelerating so hard that they couldn't stop it no matter how hard they braked, and couldn't even take it out of gear. They turned off the signal generator after the car was going over 140 miles per hour (they were both startled that it had managed to get going so fast in such a short amount of time, just a few seconds). Audi paid out in the low tens of millions in damages. And now we have an even more integrated control system that can be remotely controlled, and no security. Imagine that.
If companies can be sued for selling an insecure product, I need to dump my Microsoft stock ASAP.
If only we had encryption and firewalls on the internet, it would have been a safe place.
Just like many other industrial protocols(modbus DeviceNet RS485 CANopen etc) the various automotive CAN protocols trusts clients are who they say they are with no authentication.
If you build some sort of authentication scheme on top of the protocol, there's nothing stopping you from using some sort of salted hash as a checksum or whatever but that is exceptional behavior and does not conform to the standards as they are in place today.
If the lawyers want to beat the automotive manufacturers for using CAN they might as well go after ISPs for SMTP spoofing.
OBD-2 is both useful and required.
Hopefully this lawsuit will not limit OBD's ability to look at the vehicle state.
Touching the vehicle state is another matter.
Especially with wireless access.
An injunction preventing selling vehicles with wireless access paths would be interesting.
It would certainly get manufacturer's attention.
It would have to permit indended paths that the customer opts into, like wireless entry.
This mostly seems like a lawyer's wealth transfer operation.
Clearly some lawyer has some teenaged kids he's looking to put through school. But food for thought here. Having just gotten into analysing the ECMs in my car and figuring out how to analyse the performance characteristics of my car, I appreciate the ability to figure out what's going on with the vehicle without paying $1000's to the mechanic. That being said, I have serious doubts that a public/private key cryptographic authentication mechanism on the vehicle ECM would be shared with the consumer that purchased said vehicle and would ultimately eliminate the ability of people to work on their vehicles.
Select from tblFriends where interesting >= 4;
Seriously, I would rather see them sue the stores that continue to be cracked because they are running windows and outsourcing. Target; Home Depot; etc.
If class actions were taken against these companies, then quickly, companies would spend the money and secure themselves. So would companies like these car makers.
I prefer the "u" in honour as it seems to be missing these days.
Sorry that replacement oxygen sensor you bought has an encryption key that does not correspond to the one stored within the ECU. Please purchase a new oxygen sensor from your dealer for $1,000 dollars and a $250 dollar ECU rekeying fee.
I always suspected that automakers were amateurs. Real engineers use CMake.
If anyone is curious, the car DARPA demonstrated "hacking" to disable the brakes, was a Chevy Impala.