Slashdot Mirror

← Back to Stories (view on slashdot.org)

Car Hacking is 'Distressingly Easy'

Posted by Soulskill on from the no-mr-bond-i-expect-you-to-die dept.

Bruce66423 points out a piece from the Economist trying to rally support for pressuring legislators and auto manufacturers to step up security efforts on modern, computer-controlled cars. They say, Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tyre pressure, throttle setting, transmission and anti-collision systems. Today's vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. ... The problem confronting carmakers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the "attack surface" of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system. ... There is no such thing as absolute security. [E]ven firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different.

3 of 165 comments (clear)

  1. Re:So where are the CVE/Vuln reports for this?Oh,w by ledow · · Score: 4, Informative

    There have been public demonstrations, some televised, of certain models of modern car that allow you to change things like timings and injection sequences, via OBD, over Blueooth, using default passcodes.

    I'm sure they're all patched now. Of course. No more will that ever happen again.

    There's also been demos of being able to DoS certain buses in the car remotely and wirelessly, preventing everything from in-car entertainment to immobilisers from working, etc. using similar techniques.

    These things are all out there. Go look. And that's just OBD. God knows what happens when you start tying in Wifi into the car speakers, joining that to the satnav for Internet updates, joining those to the car etc.

    You can see cars on the market today, not even particularly unusual or modern ones, that pull in OBD information into the electronic dashboard which also doubles as a music interface and a satnav and a fuel gauge and a Bluetooth phone interface and everything else. It's not at all hard to imagine that such things haven't covered every single possible hole where information from one can leak to another.

    And anything OBD-writing is potentially dangerous. As in "blow up your engine" dangerous. Most older OBD systems are nothing more than read-only technical data. Newer ones do more to allow flashing, firmware updates, and even modification of settings that control emission levels (e.g. fuel injectors, exhaust re-introduction pumps, etc.). Add that together and you have one big mess waiting to happen.

    There's a reason that you don't buy mod-chips for your engine nowadays that you can swap out to pass emissions test and then swap back to get the "sports performance" of your car. Because they don't need to swap the chips physically any more.

  2. Re:So where are the CVE/Vuln reports for this?Oh,w by ledow · · Score: 3, Informative

    And for when you say "Links or it never happened":

    http://www.forbes.com/sites/an...

    Or just Google OBD hacks.

  3. Re:So where are the CVE/Vuln reports for this?Oh,w by Anonymous Coward · · Score: 2, Informative

    Yes, these have been on Slashdot before. And as said before, the big scaremongering jump is that while there are several well publicized examples of people hacking or DoSing buses by connecting a cable to the interface, demonstrations of remotely doing so wirelessly is much more scarce.