Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers

Lucas123 writes: A Dallas-based law firm has filed a class-action lawsuit in the U.S. District Court for the Northern District of California claiming Ford, GM and Toyota all ignored basic electronic security measures that leave vehicles open to hackers who can take control of critical functions and endanger the safety of the driver and passengers. The suit, filed on behalf of three vehicle owners and "all others similarly situated" is seeking unspecified damages and an injunction that would force automakers to install proper firewalls or encryption in vehicle computer bus systems, which connect dozens of electronic control units. "Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," attorney Marc Stanley said. The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes." A study released last month by Sen. Edward Markey (D-Mass.) also claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.

this will get fixed

[turkeydance]

when the robots vote.

Jurassic Park.....

(Little girl jacks into your car's ecm)
This is a Unix system.... I know this.... .... (Hack)....
(Next Driver)
Hang on to your butts!!!!
Clever girl....

Classless action.

Yay, more class action lawsuits. Car owners prepare to get your 30 cent rebate forms ready! Lawyers, buy a new vacation home!

Re:Classless action.

[TWX]

If I owned a car that was susceptible to this sort of problem I would much rather the lawsuit compel the automaker to fix the problem rather than give me money. Pay the lawyers, but just fix the damn problem as a recall.

Re:Classless action.

[ganjadude]

good luck showing damages. this isnt gonna go anywhere

Re:Classless action.

[Bruce66423]

True, but this suit offers a libertarian alternative to government regulation, and hopefully will achieve the same outcome.

Re:Classless action.

There will be no recall fix if they attempt to encrypt the CAN bus. Most of the processors on the bus are not powerful enough for software encryption. They have hardware CAN modules.
A typical Dodge has from 17 to 22 CAN nodes on three CAN buses. Each node is, of course, a processor. Just how powerful does the sunroof controller have to be, anyway? Many of the processors on the bus have 128-256K flash program memory and 34 to 96k ram.
Never gonna happen.

Re:Classless action.

[BLKMGK]

Sorry, but this is a complete bullshit lawsuit. Most of the hacks have required physical access to the CAN bus or have required modifications to the entertainment system to remove the firewalls in place - yes they have them on some I'm familiar with. A few jackasses have put out scary "hacks" and now this is the crap that we get to deal with? The CAN bus shouldn't be encrypted as not only will this drive cost up but it will also prevent some of the good stuff going on like replacement ECU in the performance industry and diagnostic tools for the home user.

Sorry, but this is complete and utter garbage and I hope it's tossed out damned fast.

Re:Classless action.

[Jane+Q.+Public]

If I owned a car that was susceptible to this sort of problem I would much rather the lawsuit compel the automaker to fix the problem rather than give me money. Pay the lawyers, but just fix the damn problem as a recall.

I warned several times over the last couple of years that this would happen. Nobody in their right minds (today, that is) runs the critical systems and navigation system on the same CPU. Much less the entertainment system or communications!

The data collection without permission issue has been around for a while, too.

I'm glad to see people getting after this finally.

Re:Classless action.

[Jane+Q.+Public]

By the way, I meant to make this point in my last comment:

In at least some cases, it will take more than your usual simple recall to handle this problem. There are some very very serious design problems in the electronics of many of today's cars.

Re:Classless action.

[aaarrrgggh]

There are likely easy paths and harder paths in. If you can't put a malicious CD or USB stick in and take control, you hit one level. If you can't plug a device into a port under the hood that can take over control, that is another hurdle. Ultimately though, you need to keep the system secure from the OnStar and its ilk being an attack vector. From fairly credible reports, this is not the case.

Re:Classless action.

[gnasher719]

If I owned a car that was susceptible to this sort of problem I would much rather the lawsuit compel the automaker to fix the problem rather than give me money. Pay the lawyers, but just fix the damn problem as a recall.

I'd prefer if any hacker attacking a car that way should go to jail according to the damage done or attempted. Like anyone trying to manipulate how the brakes on my car work should go to jail for attempted murder. (I'd prefer if that person doesn't go to jail for actual murder). But then, a person can do all kinds of damage, both expensive and dangerous, to a car without any hacking.

Re:Classless action.

[Impy+the+Impiuos+Imp]

Well, you can't wait for people to actually be harmed because at that point it's a rat race to sign them up, and your law firm probably won't win.

No, by preemptively suing for damages because you are so scared you might be hacked, they are playas!

Re:Classless action.

[Capt.Albatross]

True, but this suit offers a libertarian alternative to government regulation, and hopefully will achieve the same outcome.

Who or what runs the legal system? And why would the manufacturers respond with anything other than 'fuck off - we will do what we like' to a judgment against them?

This is not the libertarian alternative. That would be that you can choose not to buy a car until some manufacturer deigns to build one that is secure - or you can build one yourself.
 

Re:Classless action.

[BLKMGK]

OnStar has apparently got the ability to disable some cars, for it to have this "safety feature" it's going to have to have capability. I'm not a fan of OnStar for many many reasons but this is a feature so I can't bitch about it too much - you can however find the silly cell modem and remove it. The car will probably squeal like a stuck pig for your having done so...

Standing?

[bws111]

They're suing because, theoretically, some third party could make them the victim of a crime? Good luck with that.

Re:Standing?

[sumdumass]

This is kind of more of a consumer protection thing. In california you used to have telephone book lawsuites because someone used a product in ways it wasn't intended and got hurt somehow because there was no warning or instructions not to use it that way. Its the reason we have warnings to remove children from baby strollers before colapsing for storage and those instruction pictures showing how to suffocate someone on plastic bags. In theory, if a manufacturer can make reasonable changes to products or warn users of the dangers they have to- or face liability for selling defective or unsafe products.

Its probably still a long shot but even if they fail, it stands a good chance of showing the defectiveness of current practices which makes liability in the future much more likely. It may cause a shift anyways.

Re:Standing?

[bws111]

The key difference is that in those other cases someone (the person suing) was actually hurt. In this case, nobody has been hurt, but somebody thinks that theoretically somebody could maybe possibly be hurt somehow under some condition.

The examples you give are not 'consumer protection' things, they are manufacturer liability prevention. Yes, you should be smart enough to know this on your own, but even if you don't we warned you. An actual consumer protection example would be where a stroller was recalled because, in normal use, a child could get his finger caught in something.

In addition, the only proposed way that this supposed 'defect' would cause injury is if a CRIME has been committed. Ever hear of a glass manufacturer being sued (successfully) because it is possible a burglar could break one to rob a house? Or, to use your stroller example, let's sue Graco because, theoretically, someone could use one to kidnap a child, so clearly they are ingnoring this serious security problem with their product.

Re:Standing?

[gnasher719]

The key difference is that in those other cases someone (the person suing) was actually hurt. In this case, nobody has been hurt, but somebody thinks that theoretically somebody could maybe possibly be hurt somehow under some condition.

Not just "could possibly be hurt somehow", but "could possibly be hurt by a criminal causing intentional damage". It's one thing to complain if your pet dies inside the microwave because there was no written warning, it's something else if someone dies because a criminal put a pound of TNT in the microwave and turned it on. Or if someone dies because a clever criminal damages the microwave so that it will explode the next time it is used.

Re:Standing?

[bws111]

Exactly

Overblown Hyperbole

[brunes69]

In a 2013 study that was funded by the Defense Advanced Research Projects Agency (DARPA), two researchers demonstrated their ability to connect a laptop to two different vehiclesâ(TM) computer systems using a cable, send commands to different ECUs through the CAN, and thereby control the engine, brakes, steering and other critical vehicle components

So you're telling me that if you have direct physical access to a car's ECU, you can issue commands to it? No shit sherlock. That is THE WHOLE POINT of the CAN bus. The only alternative would be to close down the bus and only allow "authorized" accessories to be connected to it - hello sky-high diagnostic fees and goodbye to useful bluetooth OBD connectors.

Call me when this can be done wirelessly. Oh and yes I did read the "What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicleâ(TM)s CAN bus through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo" blurb - which still failed to materialize an actual working example of exploiting a CAN wirelessly.

Re:Overblown Hyperbole

[penix1]

So in other words you are saying someone should die because of an exploit before something should be done? Sounds reckless to me. The car companies have been warned by many of these studies and still haven't done anything about it. Maybe this suit will get them off their asses. I won't hold my breath though...

Re:Overblown Hyperbole

[bws111]

No, he is saying that there should be an actual danger before you yell the sky is falling.

What are the actual odds of an accident being caused by a hacker? What are the actual odds of an accident being caused by a software bug in security code?

Re:Overblown Hyperbole

all those so called "exploits" require physical access to the car and wiring, at that point nothing is safe

Re:Overblown Hyperbole

[dpidcoe]

Give me a Bluetooth OBDII adapter and I'll show you wireless exploitation. I bet one could be made slim enough that no one would ever notice it plugged in. 5 seconds alone with someones car when they leave the door unlocked (or hell, if an attacker has the knowledge required to send malicious commands to the ECU I bet they have the knowledge to defeat a locked car door. It's not like they need to start the car and drive away).

Re:Overblown Hyperbole

[ganjadude]

and all of those situations happen exactly how often that we need to make a federal case over it???

Re:Overblown Hyperbole

[bws111]

OBDII is mandated by the government.

Re:Overblown Hyperbole

[BenFranske]

This is exactly my own viewpoint. All of this is a bunch of stirred up nonsense. Yes, systems like OnStar which bridge between the CAN bus and the phone network need protection. What I absolutely do NOT want is to see encrypted communications that I as the owner cannot see in plaintext on a wired bus. This will put non-dealer mechanics out of business pretty quickly and/or drive up repair costs tremendously including effectively preventing me from working on my own car. I think it's a dream come true for dealers and manufacturers.

Yes, we need to prevent remote exploitation but I absolutely want to be able to hack and modify my own vehicle to my heart's content.

The requirement for physical access makes these so-called hacks against cars a non-starter for me. People have been cutting brake lines, loosening bolts, etc. on cars to harm people for a long time but we don't require hardened physical access to the car. This whole thing is way overblown by people trying to make headlines.

Re:Overblown Hyperbole

[BenFranske]

And if I want to cause you to have an accident in your pre-ECU car I can cause substantial damage with some wrenches and a minute. What's your real point? I want to maintain the ability to hack/modify my own vehicles. Encrypting bus communication would pretty much kill that unless their was a mandate to release the encryption keys to the vehicle owner (and then what about leased cars, financed cars, etc.) which is unlikely to happen. As long as it's not fully remotely exploitable (meaning you never have to have physical contact with my car) I'm not concerned.

Re:Overblown Hyperbole

[dpidcoe]

And if I want to cause you to have an accident in your pre-ECU car I can cause substantial damage with some wrenches and a minute.

But what you can't do is cause the tie rod you cut to fail at exactly the point where I'm a hairpin turn along a cliffside road. Or the brakes to fail, steering to quit working, and airbags prematurely detonate as I try to come to a stop from 70mph with a semi truck in front of me. I guess you could put some remote detonated explosive or something on a brake line, airbag sensor, and steering linkages, but how long will it stay there while exposed to road and weather conditions? A disguised bluetooth adapter would have a good chance of sitting there for the life of the car.

I want to maintain the ability to hack/modify my own vehicles.

I do too. I don't think that encryption is necessarily the way to go, but at least some basic stuff like isolating the control systems from the entertainment systems, and hardening the OBDII port against casual exploitation (limit the message rate, inspect for certain kinds of malicious packets, etc.) shouldn't be too hard to do.

Re:Overblown Hyperbole

[bws111]

You watch too many movies. If someone actually wants you dead there are far easier ways to accomplish that than hacking your car. For instance, they could shoot you as you drive past. That actually happens in the real world. Should we sue automakers so they only use bulletproof glass and armor plating? Or they could drop a rock on you as you go under an overpass, also happens in real life. Or a bomb.

Re:Overblown Hyperbole

[jd2112]

In a 2013 study that was funded by the Defense Advanced Research Projects Agency (DARPA), two researchers demonstrated their ability to connect a laptop to two different vehiclesâ(TM) computer systems using a cable, send commands to different ECUs through the CAN, and thereby control the engine, brakes, steering and other critical vehicle components

So you're telling me that if you have direct physical access to a car's ECU, you can issue commands to it? No shit sherlock. That is THE WHOLE POINT of the CAN bus. The only alternative would be to close down the bus and only allow "authorized" accessories to be connected to it - hello sky-high diagnostic fees and goodbye to useful bluetooth OBD connectors.

Call me when this can be done wirelessly. Oh and yes I did read the "What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicleâ(TM)s CAN bus through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo" blurb - which still failed to materialize an actual working example of exploiting a CAN wirelessly.

Obviously you aren't a lawyer. You never let facts get in the way of a good lawsuit. I'm surprised I haven't seen an add on TV for a class action suit against a company for having dangerous Dihydrogen Monoxide in their products.

Re:Overblown Hyperbole

[adolf]

Call me when this can be done wirelessly.

OK. What's your number?

Scenario: Physical access via an unlocked vehicle (quick trip into the carry-out, forgetfulness, or whatever), and an active attacker (with whatever motives an attacker has).

Attacker simply plugs in a COTS ODB-II Bluetooth dongle -- perhaps modified to be extra small (remove housing, clip LEDs, add black conformal coating), perhaps modified to talk to different buses than the standard interface, perhaps modified to have a stronger radio and/or antenna.

Add a directional 2.4GHz antenna at the attacker's end (which needn't be a particularly large or obvious thing), and the car can be controlled wirelessly, insofar as that physical interface allows.

Or, forget all that: It's not much of a hack to use an RS-232 ODB-II module and an RS-232 GSM modem, either, and gain wide-area control. I'll eat my hat if the amount of active digital logic needed to glue to tie the two COTS modules together in usable form is other than zero.

Do you always lock your car when you're not inside of it? Do you check regularly your ODB-II port for nefarious devices? I don't.

Re:Overblown Hyperbole

[ganjadude]

and lets look at use case scenarios

Is a random person going to do this?? why??? Is a terrorist going to do this??? again why???

No, the ONLY reason someone would do this is personal. and if they were going to go through all the trouble to do this, they could do something else much easier

Re:Overblown Hyperbole

[Minupla]

Depends - maybe not if they use progressive for insurance:

http://www.forbes.com/sites/th...

Min

Re:Overblown Hyperbole

[BLKMGK]

The control systems ARE isolated with firewalls, the hacks that have been demonstrated - to my knowledge - have removed those. What exactly does "hardening the OBDII port" mean? You realize that locking that down will prevent diagnostic and home use tools form working right? Rate limiting? The signals that have been demonstrated to disable brakes were standard brake diagnostic signals recorded from using a standard tool, it wasn't abnormal. Filtering is already done by the entertainment systems on stuff I'm aware of - it's being removed to demonstrate "hacks". How much processing do you want your ABS, steering, and door locks to do exactly? IMO they have more important functions to attend to than acting like Fort Knox from imagined threats. 5mins with a hacksaw blade and I can make sure you lose your brakes or steering, maybe catch the car on fire. Why aren't we armor guarding any of those hoses exactly? Why does "cyber" automatically mean it's a higher threat?

Re:Overblown Hyperbole

[adolf]

To extend your argument to its logical conclusion:

All attacks worth worrying about are personal, political, or business in nature. Risk mitigation must take this into account.

I know that Dropbox is insecure, but I use it anyway, because nobody I personally know can fuck with me using that vector and I have a personal policy against growing vendettas.

The random attacker won't give a whit of my cell phone landscape photos, or of my shorthand business notes. And I'm not into politics.

So, being a boring person and not having much to lose and even fewer enemies, I don't worry much about my personal security.

If I ever become less boring (doubtful), I'll take more steps.

Those amongst us with a reason to care about political, business, and personal attacks should perhaps look at my original comment with a keen eye, however.

Re:Overblown Hyperbole

[BLKMGK]

Scenario - you lock your car up for the night, I roll up with a hacksaw blade, roll under your car, and nick the fuel line next to the exhaust manifold slightly. Rolling down the freeway the next day whoosh, you go up like the Challenger.

Scenario - you lock your car up for the night, I roll up with a hacksaw blade, roll under your car, nick a brake line. Rolling down the freeway the next day and whooops - you have no brakes.

Scenario - you lock your car for the night, I roll up with a small BT device connected to a piece of constructed thermite and a small battery pack. I attach this to your fuel line with a zip tie. Rolling down the freeway I trigger it. Whoosh - you look like a Roman Candle.

Scenario - you lock up your car for the night. I roll up with a small BT device connected to a piece of constructed thermite and a small battery pack. I attach this to your power steering line with a zip tie. Rolling down the road at speed the next day I trigger it as you go into a turn. Whoops - you haz no steering!

Maybe the thermite works better on the gas tank? I can use some JBWeld to stick it on or magnets if you have a metal shield on your plastic tank, maybe I strap it to the filler neck?

I can do this all day long with scenario after scenario. This boogyman remote hack stuff is utter shit and this lawsuit will do NOTHING but make life harder for those of us who actually know how to turn a wrench and go exactly zippy for the dumbasses who're screaming like chicken little!

Re:Overblown Hyperbole

[adolf]

IIRC, the "brake disabling" hack involved many layers in a car with a dashboard that resembled a breadboard moreso than a car, and relied on being able to emulate/override the wheel-speed sensors so that the ABS computer -thought- it should be carefully modulating the brakes as if driving on ice or marbles or whatever.

Anyone who has experienced it can easily attest that on dry pavement, even without third-party fuckery, a faulty ABS sensor can be a scary thing: One recognizes that the coefficient of friction is such that the car ought to be able to stop rather rapidly, but it just...doesn't. Instead, one get a dim clatter from the ABS relay(s) and maybe some unusual feedback through the pedal, combined with what is apparently a rather complete lack of stopping ability*.

*: Though it wasn't completely disabled in TFV from years ago, either. There is no electronic "off" switch for any braking system in any road-going car, but there are very carefully-designed ways to provide far less braking than the operator's pedal input might suggest should be happening, and never a dashboard control to input whether or not this behavior (ABS) is or is not desirous.

Re: Overblown Hyperbole

Except that all of your "using a saw blade at night" "scenarios" of attacking cars:

1) leave physical traces (chemicals, tool marks, etc.) in the wreck, alerting investigators that foul play occured,

2) need close physical proximity between attacker and car to carry out, raising the risk of detection considerably,

3) are "dumb" in terms of efficiently and are more likely to leave the car damaged but the victim safe, alerting him to foul play,

4) are physical, peer to peer in nature: one attacker, one car. You won't be able to attack 100,000 cars in a night, or do it from China, Russia or Colombia.

While networked attacks against the CAN bus via Internet based wireless car maintenance infrastructure like OnStar:

1) are essentially undetectable to even skilled mechanics and don't leave any physical traces before or after the attack: attack software can wipe itself after/during the attack, shortly before the car is wrecked.

2) attacks against the CAN bus over the Internet don't need any physical proximity to carry out: can be carried out over the Tor network, or any other covert way the attacker wishes to use,

3) networked attacks over the Internet can be highly automated against a large number of victims, simultaneously,

4) can be arbitrarily "smart": can be carried out either indiscriminately; or highly tailored to a person, at the attacker's choice: combining acceleration, GPS, mobile cell tower data to carry out highly efficient, plausibly deniable kills, without alerting the victim before the high probability kill is carried out.

So yes, Internet based attacks against wide open CAN bus and OnStar vulnerabilities, which facilities are invisible and inaccessible to owners, which vulnerabilities were hidden and stonewalled by car manufacturers for years, which manufacturers are often using vulnerable DOS or Windows versions for car entertainment systems to pinch a penny, are exactly the same thing as someone sneaking up under your car with a sawblade at night ...

Re:Overblown Hyperbole

[AaronW]

The funny thing is that they only require the connector, no actual data. My car (Tesla model S) has an ODB II connector but it doesn't provide anything other than power and ground. The manufacturer can access the car via wifi, 3G or a special Ethernet port but not through ODB II. Before screaming about the insecurity of Wifi and 3G, all communication is sent over an encrypted OpenVPN connection and the devices connected to the internal Ethernet network are fairly secure. There's a web server that serves up the album art cover and the ability to display something remotely via X11 onto the center console and that's about it. As far as remote access to do things like unlock the car, etc? That's disabled by default and must be physically enabled via the center console.

Re:Overblown Hyperbole

[sumdumass]

Actual odds may be as large as odds of a spouse's brake lines being cut or a Toyota accelerating out of control with no obvious excuse.

Actually, i do not know the odds but i do not think the will to increase them is zero.

Re:Overblown Hyperbole

[joemck]

Bluetooth (depending how they implement pairing), CD and synced Android device sound like viable attack vectors. None of them are instant remote control with no action by the owner, but they're all quite usable.

Bluetooth: If it makes you enter a code displayed on the other device to pair, that's more secure. But if the car just displays something like "$DEVICENAME Do you want to pair with this device? [Yes] [No]", it's not really. Either someone will habitually click yes, or can be enticed to through careful choice of the device name.

CD: Pretty straightforward. Hand your enemy a CD when he's about to get into his car. Tell him it's a song, lecture or whatever you wanted him to listen to. CD goes in, malicious file does its thing, car crashes. Sure you could sabotage the car itself, but what car crash investigator is going to think to check the CD that was playing for custom-made viruses?

Paired Android device: Similar deal, but even better. Trick them into installing an app modified to contain malware. They'll have their app and be none the wiser. The malware lets you see when and where he's driving (GPS+accelerometer), and you can then interactively take control of the car when you please. Better still, the malware could erase itself from the phone just after the crash, so even if they think to check for that sort of thing, there will be nothing to find.

Re:Overblown Hyperbole

[houghi]

Not only usefull OBC connectors, but not being able to comply with the laws of several countries.

Re:Overblown Hyperbole

[bws111]

I have had a faulty ABS sensor, and the experience was not like you say. Here is what actually happened: the yellow 'ABS' light on the dash came on, informing me that the ABS was disabled. Scary.

Re: Overblown Hyperbole

[bws111]

So you say 'not true', then give an example where it is true. Or did this guy magically rifle the car without actually physically being there?

Re:Overblown Hyperbole

[bws111]

Uh, no. They require actual data relating to the emissions control system. Obviously, your car does not have an emissions control system. Such is not the case for the vast majority of cars on the road.

Re:Overblown Hyperbole

[jrumney]

I think what he is actually saying is that we should have some more evidence that this is actually possible outside of the minds of some attention whoring "security researchers" before engaging our knee jerk reaction. Right now all we have boils down to "omg, diagnostic bus works as designed!!!!!!11!!1" and "wireless access of any description = oh noes, 3v1L h@xx0rzz".

Re:Overblown Hyperbole

[mlts]

If someone has physical access, they can also slice a break line, cut a belt, drain the oil pan, put engine-kill into the crankcase, or many, many other things.

The fallout of this lawsuit is going to be bad for all consumers, and it actually puts car makers in a better spot:

Need an air filter? For security reasons, only Powell Motors filters will work, which have to be installed and activated by equipment only the dealer will have. Need a new battery? It has to be a genuine Powell part [1] because the battery has special authentication circuitry. New tires? Better be Powell authorized with built in TPMs, and they can only be installed at a Powell dealer because only they have the proper equipment.

We have seen enough of this hogwash already, and this lawsuit is only going to make it far, far worse when it comes time to do basic vehicle maintenance.

[1]: One foreign make of cars actually will have vehicles not start if the battery is replaced until it is "registered" at the dealer because they state an "unregistered" battery might fry their precise engine components.

Re:Overblown Hyperbole

[gnasher719]

So in other words you are saying someone should die because of an exploit before something should be done? Sounds reckless to me. The car companies have been warned by many of these studies and still haven't done anything about it. Maybe this suit will get them off their asses. I won't hold my breath though...

In my country, there are millions and millions and millions of people who could kill me with a knife. And about the same number of people could kill me with a brick. Since guns are rare, the number of people who could kill me with a gun is lower, but still many thousands.

How many people are there who could kill me by manipulating the electronics in my car? It's not many. It's not something I worry about. It's possible, but anyone wanting to kill someone that way would have much, much easier methods available.

Re:Overblown Hyperbole

[dpidcoe]

The control systems ARE isolated with firewalls, the hacks that have been demonstrated - to my knowledge - have removed those.

That's news to me then. My impression from watching a video a while back of how these worked was that they were simply using the OBDII port to send false signals and/or flooding the bus with so much traffic that the signals couldn't get through. I could have sworn they specifically said that the dash was only apart because they'd been monitoring signals while developing the hacks and couldn't be bothered to put it back together again.

What exactly does "hardening the OBDII port" mean?

Throw an interface in between it and the rest of the car that will do the following:
- Disallow any communication that wouldn't be expected to come from that port. e.g. I would not expect the ABS sensors to talk to the brakes via the OBDII port
- Limit the number of messages sent into the port if it exceeds some threshold (assuming that the attacks relied on spamming messages. But even if not, is there some reason you'd have to flood the bus with messages?)
- Possibly put it somewhere where casual physical access isn't as easy, e.g. inside the glovebox that locks when the doors are also locked.
- Add an indicator to the dash lights to say when something is plugged in and/or diagnostics are being run.

Note that this doesn't do any of the following:
- Hinder your ability to use diagnostic tools to read the values reported by the ECU
- Hinder your ability to access the port
- Cause additional processing on the part of systems other than the firewall between the port and the rest of the network

5mins with a hacksaw blade and I can make sure you lose your brakes or steering, maybe catch the car on fire. Why aren't we armor guarding any of those hoses exactly? Why does "cyber" automatically mean it's a higher threat?

Because as I said before, if you use a hacksaw you have no control over when or where the accident happens. It becomes a higher threat electronically because of controllability, variety, and ease of use.

Hell, you keep mentioning hacking and modifying your own car... do you drive with a bluetooth OBDII interface plugged in so you can log data on your phone? (I did for a while when trying to troubleshoot an airflow issue) Would you still do so knowing that someone could leave a transmitter somewhere near the road just waiting for someone like you to drive by so it could send your car off into a tree for the lulz?

Re:Overblown Hyperbole

[BLKMGK]

Umm no, I sat in the talk where this was presented and while they did tear that Prius a new ass diving into the dashboard they never claimed to be faking out the ABS sensors and they mentioned the ABS pump making hellacious noises - which is what occurs when you bleed the silly thing. Overwhelm the CAN bus with data signals telling the pump to bleed and it will try...

BTW - I have a faulty ABS sensor on one of my cars right now thanks to the Winter slush slopping all over it and screwing with the tone ring. Light came on the dash, ABS no workie. Having repaired this system before I can tell you that a toasted ABS sensor is no big deal. having incorrect data from one however will trigger traction control, stability management, or anti-lock. It ain't hard to flood the CAN bus with signals like that either - so what? All of this stuff requires physical access to the bus or reprogramming something to allow signals from the entertainment center to be bled over on those cars that have both on the bus.

Re:Overblown Hyperbole

[BLKMGK]

Some of the hacks that claim to be done wirelessly have relied on reprogramming entertainment firmware, others simply flooding the bus as you've surmised. The OBDII port is but one way into the bus, any device on the bus offers access to this bus to include some surprisingly easy to access places. It's a shared network, nothing knows that these signals from from the OBDII port. Rate limiting WILL call for more processing, something has to count packets and have smarts - you've added another computer to the bus it seems.

I don't think you're going to get a light on the dash for diag mode, how would that work? For one thing you're going to complicate diagnostics and end up having to build in new interfaces or replace existing diagnostics - yuck. If they can get in past a locked door, they can get into the glovebox. I'm not such a special snowflake that anyone is trying either of these.

An interface between the OBDII and the bus might slow some of this but it may also screw with diagnostics, it's an interesting idea but it will also increase cost in an industry that tries to shave pennies off of a production run :(

As for controllability - I can make thermite at home if I want and I can use the same BT interface you're slapping into an OBDII port for a controller to light the stuff. You're not buying any real safety but you DO make things more complicated. Oh and yes I do drive with an interface plugged in, sometimes BT, more often wired. I'm not concerned that someone will interface with it - seriously. I would remove it if I were, the OEMs aren't offering that sort of access to the system from the factory.

Bottom line - why are we so much more worried about this when the capability to do all sorts of wicked things exists already right now at the local hardware store? Why does cyber make it more scary?

Re:Overblown Hyperbole

[adolf]

So what you're saying is that by overwhelming things, an attacker can make brakes misbehave at a whim?

And you're also saying that flooding a CAN bus can save an expensive dealer trip when it comes to bleeding brakes on a Prius?

Awesome! That's even worse / better than what I was suggesting.

Thanks!

Re:Overblown Hyperbole

[dpidcoe]

If they can get in past a locked door, they can get into the glovebox. I'm not such a special snowflake that anyone is trying either of these.

Yes but it's one more layer to defeat. It might also keep the casual maliciousness out (say the neighbors kid just read about this cool thing you could do the hack a car). Either way, it's a really simple step with no downsides.

An interface between the OBDII and the bus might slow some of this but it may also screw with diagnostics, it's an interesting idea but it will also increase cost in an industry that tries to shave pennies off of a production run :(

It would be an extra device, just like a hardware firewall. My $30 desktop switch has enough brains to let me configure it to block some basic stuff (like MAC flooding) plus act as a switch. I'm sure it cost a 10th of that before all the retail markups. The cost argument is why I'm fine with the lawsuit. That will give the people who want to design with an eye for security a cost savings argument ($300 worth of chips is potentially cheaper than a massive lawsuit).

As for controllability - I can make thermite at home if I want and I can use the same BT interface you're slapping into an OBDII port for a controller to light the stuff.

Flammables are easy to make. Detonators that are consistent and reliable are hard. I'd be surprised if you could come up with a design that's less work than ordering a $20 device (one that no one would even think twice about you buying, unlike say, thinly shaved magnesium strips) and downloading a program.

Bottom line - why are we so much more worried about this when the capability to do all sorts of wicked things exists already right now at the local hardware store? Why does cyber make it more scary?

Again, because of the controllability and the way it lends itself to casual use. Also, this is exactly the kind of argument people made against securing computers in the 90s, and we're just now getting away from those consequences today. Why not spend a tiny bit of extra effort designing this stuff with a least rudimentary security in mind?

Re:So...

[bws111]

Hard to have a remote starter if you can't wireless control the engine. Hard to have traction control if you can't control the engine and brakes from the same point. Hard to have stability control if you can't control the steering, brakes, and engine.

Can those things be done some other way? Probably. But the other ways are more likely more complex, and you would have to show that the more complex ways actually increase safety, which may not be the case.

I know of an exploit involving C4

[publiclurker]

Yet you don't see people demanding bomb sniffing technology to be added to all cars. If someone can get enough access to your vehicle to hook a cable into it, it's pretty much game over.

Re:I know of an exploit involving C4

[ganjadude]

shhh, dont be giving people ideas

give me a hacksaw

[publiclurker]

and I'll show you another wireless exploit.

But people want to know how it works

[RogueWarrior65]

People would still want to know how it all works so they aren't stuck going to the dealer for service. So how do you reconcile the two?

Re:But people want to know how it works

[JeffOwl]

DMCA. That's how the auto makers reconcile it. If you are not an "authorized" service center then any attempts to read or modify data on the bus, or add unauthorized equipment, will constitute "circumvention." I'm sure authorization can be had for small fee.

What about...

[XB-70]

Where is the class action lawsuit against Microsoft for the shoddy design that has allowed innumerable hacks, data breaches and identity theft - not to mention billions of dollars and man-hours in lost productivity?

If automakers built cars that were as easily hijacked as Windows, everyone would be driving with body guards.

Re:So...

[mirix]

That's how it generally works already. Important stuff is on one CAN bus (ECU, ABS pump, auto trans controller if it has auto trans, airbags, etc). All the secondary stuff like door modules (controls locks, windows, etc), cabin illumination, the radio/navi and whatnot are on a secondary CAN bus (or LIN, or..).

This way if your rear door module dies and manages to take down the (secondary) bus, the car still runs.

I don't see much point in securing it, as you need physical access anyway. I'd rather see it go the other direction, standard, open interface, instead of each manufacturer using a proprietary communication scheme. (CAN only defines lower layers).

This is like suing computer makers for people being able to hack a computer they have physical access to. It's not possible to prevent.

Here is all you need to do

[Karmashock]

1. Segregate the parts of the computer with networked access from the portions of the car that actually involve driving. Brakes, acceleration, engine timing firmware, etc. All of that should be airgapped from the GPS OnStar stuff.

2. Make the storage media that those systems use both physically accessible from the inside of the car AND compatible with conventional computer technology. The internal storage of these systems should be on an SD card or a USB 3.0 Flash drive or a little SSD hard drive. The point is that if something goes wrong with my on board computer, I want to be able to pull its drive and re flash it with factory defaults. There is no reason for on chip storage the same way cell phones do it in a car. The reason you do that in a cell phone is to save space. In a car, you're not that hard up for space so you can make the storage media a little more bulky,

3. Install a firewall. Nothing fancy and let people configure it.

4. "What about people that want to start their car engine with a smart phone app?" Well, first I think this is a stupid feature. But assuming you want to keep it, you can have one way conditional communication across the airgap so long as that communication cannot pass executable code OR endanger the safety of the driver. So certain commands under specific circumstances should be fine. For example, if the engine is off, and the onstar system sends a "start engine command" that doesn't endanger the driver. If the engine is already on then the command will be ignored and so far as I know there are no other commands people want to issue to cars through their smartphones. If you want to mess with the headlights etc... perhaps have the condition that the transmission be in "park" or that the emergency brake is activated. If you put these conditions on very specific commands and only permit those commands to be passed. Then a hacker with total control of your onstar system won't be able to endanger you while you drive.

I'll be watching this one

[HiThereImBob]

If companies can be sued for selling an insecure product, I need to dump my Microsoft stock ASAP.

Re:So...

[sumdumass]

It would probably be rather easy to disablr input from unapproved ports or devices once the vehicle reaches a certain speed or is in gear for a specific length of time. This would allow for diagnostics, remote starters and so on. They could even employ a diagnostic override that requires pluging a resistor chiped dongle in under the hood or somewhere allowing user modifications and whatever at the owner's direction.

The fear doesn't seem to be you and your car. Its some hacker issuing commands at 5:30 causing toyotas to accelerate out of control, fords to brake rapidly, and gm vehicled to lose sterring controls because of an infected app on a synced phone or a device placed along side a stretch of road somewhere.

Re:Pacemakers have been hacked as well !

[houghi]

They ded.

Of all the stupidity

[mitcheli]

Clearly some lawyer has some teenaged kids he's looking to put through school. But food for thought here. Having just gotten into analysing the ECMs in my car and figuring out how to analyse the performance characteristics of my car, I appreciate the ability to figure out what's going on with the vehicle without paying $1000's to the mechanic. That being said, I have serious doubts that a public/private key cryptographic authentication mechanism on the vehicle ECM would be shared with the consumer that purchased said vehicle and would ultimately eliminate the ability of people to work on their vehicles.

Re:Of all the stupidity

[Smerta]

I'd just be happy to know that firmware images for every processor on my vehicle (at least important ones, like the Engine Control Unit (ECU)) have to be digitally signed. Unfortunately, I have little confidence in that. :-(

I would rather have them sue target

[WindBourne]

Seriously, I would rather see them sue the stores that continue to be cracked because they are running windows and outsourcing. Target; Home Depot; etc.
If class actions were taken against these companies, then quickly, companies would spend the money and secure themselves. So would companies like these car makers.

Automakers suck!

[SpeedBump0619]

I always suspected that automakers were amateurs. Real engineers use CMake.