Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers

Posted by Soulskill on from the maybe-they'll-listen-when-lawyers-say-it dept.

Lucas123 writes: A Dallas-based law firm has filed a class-action lawsuit in the U.S. District Court for the Northern District of California claiming Ford, GM and Toyota all ignored basic electronic security measures that leave vehicles open to hackers who can take control of critical functions and endanger the safety of the driver and passengers. The suit, filed on behalf of three vehicle owners and "all others similarly situated" is seeking unspecified damages and an injunction that would force automakers to install proper firewalls or encryption in vehicle computer bus systems, which connect dozens of electronic control units. "Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," attorney Marc Stanley said. The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes." A study released last month by Sen. Edward Markey (D-Mass.) also claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.

17 of 107 comments (clear)

  1. Classless action. by Anonymous Coward · · Score: 5, Funny

    Yay, more class action lawsuits. Car owners prepare to get your 30 cent rebate forms ready! Lawyers, buy a new vacation home!

    1. Re:Classless action. by Bruce66423 · · Score: 2

      True, but this suit offers a libertarian alternative to government regulation, and hopefully will achieve the same outcome.

    2. Re:Classless action. by Anonymous Coward · · Score: 3, Insightful

      There will be no recall fix if they attempt to encrypt the CAN bus. Most of the processors on the bus are not powerful enough for software encryption. They have hardware CAN modules.
      A typical Dodge has from 17 to 22 CAN nodes on three CAN buses. Each node is, of course, a processor. Just how powerful does the sunroof controller have to be, anyway? Many of the processors on the bus have 128-256K flash program memory and 34 to 96k ram.
      Never gonna happen.

    3. Re:Classless action. by BLKMGK · · Score: 4, Insightful

      Sorry, but this is a complete bullshit lawsuit. Most of the hacks have required physical access to the CAN bus or have required modifications to the entertainment system to remove the firewalls in place - yes they have them on some I'm familiar with. A few jackasses have put out scary "hacks" and now this is the crap that we get to deal with? The CAN bus shouldn't be encrypted as not only will this drive cost up but it will also prevent some of the good stuff going on like replacement ECU in the performance industry and diagnostic tools for the home user.

      Sorry, but this is complete and utter garbage and I hope it's tossed out damned fast.

      --
      Build it, Drive it, Improve it! Hybridz.org
    4. Re:Classless action. by Jane+Q.+Public · · Score: 2

      By the way, I meant to make this point in my last comment:

      In at least some cases, it will take more than your usual simple recall to handle this problem. There are some very very serious design problems in the electronics of many of today's cars.

  2. Standing? by bws111 · · Score: 4, Informative

    They're suing because, theoretically, some third party could make them the victim of a crime? Good luck with that.

  3. Overblown Hyperbole by brunes69 · · Score: 5, Insightful

    In a 2013 study that was funded by the Defense Advanced Research Projects Agency (DARPA), two researchers demonstrated their ability to connect a laptop to two different vehiclesâ(TM) computer systems using a cable, send commands to different ECUs through the CAN, and thereby control the engine, brakes, steering and other critical vehicle components

    So you're telling me that if you have direct physical access to a car's ECU, you can issue commands to it? No shit sherlock. That is THE WHOLE POINT of the CAN bus. The only alternative would be to close down the bus and only allow "authorized" accessories to be connected to it - hello sky-high diagnostic fees and goodbye to useful bluetooth OBD connectors.

    Call me when this can be done wirelessly. Oh and yes I did read the "What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicleâ(TM)s CAN bus through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo" blurb - which still failed to materialize an actual working example of exploiting a CAN wirelessly.

    1. Re:Overblown Hyperbole by bws111 · · Score: 3, Insightful

      No, he is saying that there should be an actual danger before you yell the sky is falling.

      What are the actual odds of an accident being caused by a hacker? What are the actual odds of an accident being caused by a software bug in security code?

    2. Re:Overblown Hyperbole by BenFranske · · Score: 2

      This is exactly my own viewpoint. All of this is a bunch of stirred up nonsense. Yes, systems like OnStar which bridge between the CAN bus and the phone network need protection. What I absolutely do NOT want is to see encrypted communications that I as the owner cannot see in plaintext on a wired bus. This will put non-dealer mechanics out of business pretty quickly and/or drive up repair costs tremendously including effectively preventing me from working on my own car. I think it's a dream come true for dealers and manufacturers.

      Yes, we need to prevent remote exploitation but I absolutely want to be able to hack and modify my own vehicle to my heart's content.

      The requirement for physical access makes these so-called hacks against cars a non-starter for me. People have been cutting brake lines, loosening bolts, etc. on cars to harm people for a long time but we don't require hardened physical access to the car. This whole thing is way overblown by people trying to make headlines.

    3. Re:Overblown Hyperbole by BenFranske · · Score: 2

      And if I want to cause you to have an accident in your pre-ECU car I can cause substantial damage with some wrenches and a minute. What's your real point? I want to maintain the ability to hack/modify my own vehicles. Encrypting bus communication would pretty much kill that unless their was a mandate to release the encryption keys to the vehicle owner (and then what about leased cars, financed cars, etc.) which is unlikely to happen. As long as it's not fully remotely exploitable (meaning you never have to have physical contact with my car) I'm not concerned.

    4. Re:Overblown Hyperbole by Minupla · · Score: 2

      Depends - maybe not if they use progressive for insurance:

      http://www.forbes.com/sites/th...

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    5. Re:Overblown Hyperbole by BLKMGK · · Score: 2

      The control systems ARE isolated with firewalls, the hacks that have been demonstrated - to my knowledge - have removed those. What exactly does "hardening the OBDII port" mean? You realize that locking that down will prevent diagnostic and home use tools form working right? Rate limiting? The signals that have been demonstrated to disable brakes were standard brake diagnostic signals recorded from using a standard tool, it wasn't abnormal. Filtering is already done by the entertainment systems on stuff I'm aware of - it's being removed to demonstrate "hacks". How much processing do you want your ABS, steering, and door locks to do exactly? IMO they have more important functions to attend to than acting like Fort Knox from imagined threats. 5mins with a hacksaw blade and I can make sure you lose your brakes or steering, maybe catch the car on fire. Why aren't we armor guarding any of those hoses exactly? Why does "cyber" automatically mean it's a higher threat?

      --
      Build it, Drive it, Improve it! Hybridz.org
    6. Re:Overblown Hyperbole by adolf · · Score: 2

      IIRC, the "brake disabling" hack involved many layers in a car with a dashboard that resembled a breadboard moreso than a car, and relied on being able to emulate/override the wheel-speed sensors so that the ABS computer -thought- it should be carefully modulating the brakes as if driving on ice or marbles or whatever.

      Anyone who has experienced it can easily attest that on dry pavement, even without third-party fuckery, a faulty ABS sensor can be a scary thing: One recognizes that the coefficient of friction is such that the car ought to be able to stop rather rapidly, but it just...doesn't. Instead, one get a dim clatter from the ABS relay(s) and maybe some unusual feedback through the pedal, combined with what is apparently a rather complete lack of stopping ability*.

      *: Though it wasn't completely disabled in TFV from years ago, either. There is no electronic "off" switch for any braking system in any road-going car, but there are very carefully-designed ways to provide far less braking than the operator's pedal input might suggest should be happening, and never a dashboard control to input whether or not this behavior (ABS) is or is not desirous.

      --
      Kid-proof tablet..
  4. I know of an exploit involving C4 by publiclurker · · Score: 2

    Yet you don't see people demanding bomb sniffing technology to be added to all cars. If someone can get enough access to your vehicle to hook a cable into it, it's pretty much game over.

  5. But people want to know how it works by RogueWarrior65 · · Score: 2

    People would still want to know how it all works so they aren't stuck going to the dealer for service. So how do you reconcile the two?

  6. Re:So... by mirix · · Score: 2

    That's how it generally works already. Important stuff is on one CAN bus (ECU, ABS pump, auto trans controller if it has auto trans, airbags, etc). All the secondary stuff like door modules (controls locks, windows, etc), cabin illumination, the radio/navi and whatnot are on a secondary CAN bus (or LIN, or..).

    This way if your rear door module dies and manages to take down the (secondary) bus, the car still runs.

    I don't see much point in securing it, as you need physical access anyway. I'd rather see it go the other direction, standard, open interface, instead of each manufacturer using a proprietary communication scheme. (CAN only defines lower layers).

    This is like suing computer makers for people being able to hack a computer they have physical access to. It's not possible to prevent.

    --
    Sent from my PDP-11
  7. Of all the stupidity by mitcheli · · Score: 2

    Clearly some lawyer has some teenaged kids he's looking to put through school. But food for thought here. Having just gotten into analysing the ECMs in my car and figuring out how to analyse the performance characteristics of my car, I appreciate the ability to figure out what's going on with the vehicle without paying $1000's to the mechanic. That being said, I have serious doubts that a public/private key cryptographic authentication mechanism on the vehicle ECM would be shared with the consumer that purchased said vehicle and would ultimately eliminate the ability of people to work on their vehicles.

    --
    Select from tblFriends where interesting >= 4;