Slashdot Mirror
Car Hacking is 'Distressingly Easy'
Bruce66423 points out a piece from the Economist trying to rally support for pressuring legislators and auto manufacturers to step up security efforts on modern, computer-controlled cars. They say,
Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tyre pressure, throttle setting, transmission and anti-collision systems. Today's vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. ... The problem confronting carmakers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the "attack surface" of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system. ... There is no such thing as absolute security. [E]ven firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different.
Rust, Swift, Sappeur, Vala - they must also be used in the car industry. Instead of C. Look at the CVE database - 50% of exploits are solely due to the cowboy style of C (lack of memory safety).
Or just roll over and concede that electronics are too dangerous.
The real question to me is. Do these cars really need all this shit? How about a car that just takes me where I am going, don't really need it to babysit , entertain of second guess me.
Why should a hack of the navigation or audio system allow access to the braking system? Why hasn't the DOT mandated an air gap between critical vehicle operation systems(braking, acceleration, ignition, steering, transmission, etc) and all others.
The real question to me is. Do these cars really need all this shit?
So long as there is consumer demand the answer is yes.
How about a car that just takes me where I am going, don't really need it to babysit , entertain of second guess me.
Those are available if you want them. Not hard to find relatively bare bones vehicles if you bother to look. For people who want something a little more sophisticated there are extra options available. Personally I LIKE having a screen in my car with GPS. I like having satellite radio, remote entry, heated seats, AC and USB power, backup camera, etc and I'm willing to pay a bit extra for them. Personal preference and your mileage may (literally) vary.
since the next time the fob sends a signal it won't be the right one needed to trigger whatever it was supposed to do
No different than if the fob sends a signal while out of range of the device.
They would have to jam the fob across numerous communication attempts, before they would truly come out of sync so badly that the fob could no longer operate after the jamming was turned off.
Personally, I want a hackable car. What I do not want is a /remotely/ hackable car.
I want a vehicle where I, as the owner, can access all its bits-n-bobs - even the digital ones - to tune it as I desire. I do not want a car whose computers are so saddled down with "security" that the only ones who can access its electronic brains are "authorized" technicians who have paid tens of thousands of dollars for the appropriate software and hardware. Too often I see "security" being used by automobile manufacturers as an excuse to lock out the owners (or even ordinary mechanics) from modifying - or even diagnosing - the vehicle without first tithing to the manufacturer for the privilege.
Of course, only I as owner (or any I authorize) should be allowed to adjust my car in this way; obviously, I do not want any nefarious parties to alter my car's settings - especially not while I am driving! But while this is something the designers and manufacturers need to keep in mind, so far I am unaware of /any/ successful attempt to "hack" a moving car. Of course, if a nefarious individual gets access to the OBDII port on my car, there's no end to the damage he could do, but no computer (or car! think "cutting the brake lines") is safe if somebody has physical access to it.
So forgive me if I interpret these worried cries about how my car might be "hacked" less as an earnest warning about my vehicle's vulnerability to malicious actors and more as another attempt by the manufacturer to gouge the owner out of even more money just so he can continue to tinker with his own property.
There have been public demonstrations, some televised, of certain models of modern car that allow you to change things like timings and injection sequences, via OBD, over Blueooth, using default passcodes.
I'm sure they're all patched now. Of course. No more will that ever happen again.
There's also been demos of being able to DoS certain buses in the car remotely and wirelessly, preventing everything from in-car entertainment to immobilisers from working, etc. using similar techniques.
These things are all out there. Go look. And that's just OBD. God knows what happens when you start tying in Wifi into the car speakers, joining that to the satnav for Internet updates, joining those to the car etc.
You can see cars on the market today, not even particularly unusual or modern ones, that pull in OBD information into the electronic dashboard which also doubles as a music interface and a satnav and a fuel gauge and a Bluetooth phone interface and everything else. It's not at all hard to imagine that such things haven't covered every single possible hole where information from one can leak to another.
And anything OBD-writing is potentially dangerous. As in "blow up your engine" dangerous. Most older OBD systems are nothing more than read-only technical data. Newer ones do more to allow flashing, firmware updates, and even modification of settings that control emission levels (e.g. fuel injectors, exhaust re-introduction pumps, etc.). Add that together and you have one big mess waiting to happen.
There's a reason that you don't buy mod-chips for your engine nowadays that you can swap out to pass emissions test and then swap back to get the "sports performance" of your car. Because they don't need to swap the chips physically any more.
And for when you say "Links or it never happened":
http://www.forbes.com/sites/an...
Or just Google OBD hacks.
Yes, these have been on Slashdot before. And as said before, the big scaremongering jump is that while there are several well publicized examples of people hacking or DoSing buses by connecting a cable to the interface, demonstrations of remotely doing so wirelessly is much more scarce.
In fact, we don't need cars at all.
Achille Talon
Hop!
That's what I do, I have a 1998 car which I intend to keep for the rest of my life. It still has some electronics (ECU, ABS)...
And those electronics are probably going to be one of the biggest issues with keeping that car going. Most mechanical parts can be repaired, be made, or sourced from junk yards.A lot of classic cars also have other companies making replacement parts. For example, you can build a brand new replica of a 1963 Corvette if you would want to as every part for them is in reproduction by one company or a company.
There has been a bit of concern regarding the electronics in cars that have been made in the last 20-30 years though. They will wear out as a car is a very harsh environment for such things. Since the auto manufacturers are not that big on creating competition for their parts, they don't make it easy for other companies to reproduce these components and they also only make them for a set number of years. Besides, they don't want you to keep that car for decades. If you do that, you won't be buying a new one. Eventually electronic replacement parts for a car built in 1998 are going to run out and there won't be any replacements. Without a functional ECU, you won't be able to start the engine.
If you are lucky enough for your car to be popular with racers or some other group that likes to modify its engine, then there may be aftermarket ECU systems available. But that's going to cost a lot in most cases.
Yes, you can do a lot through the OBD. So what? If you have access to the OBD, you also have access to roll under the car and cut the brake line or pop open the hood and tamper with the engine that way.
There will come a day when some clown, nut, terrorist, whatever will stand on a bridge over a highway and push a button on his remote. And all cars will speed up and turn left. When there is no left turn. Computerizing creature comforts in a car makes sense. Computerizing, engine, brakes and things that can kill you... well, what are they thinking?
Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
> There have been public demonstrations, some televised, of certain models of modern car that allow you to change things like timings and injection sequences, via OBD, over Blueooth, using default passcodes.
What car has Blutooth OBD without having to have physical access to the car to attach a bluetooth dongle to the OBD port?
Your hair look like poop, Bob! - Wanker.
We don't need wi-fi, remote unlocking or push-button start or any of that other unnecessary nonsense.
There's nothing wrong with these features. The problem is when you can reach the brake system from the bluetooth in the radio. There is no reason why these systems could not be separated, even air gapped.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Software, compared to mechanical parts, does not rust or wear out. Write it properly once and it will work properly forever.
Pass a law that requires all car software to be in a mask ROM and you will see the decline in bugs as the cost of updates increase. The software will be written more carefully and there will be less of it.
Just like my old tape deck or CD player or TV does not need updates (because that would be done by replacing a chip) but a new TV or Bluray player does.
The wireless access being put in without much care for the sake of ease of use the main issue, not that cars ECU's can be modified.
The performance tuning community depends on being able to do ECU modifications to bump up performance.
The debate about ECU security is actually about encrypting or otherwise hindering the ability of car owners to modify their tune. Locking down the ECU is relatively easy; the farm tractor manufacturers already use encryption and keys and will void a warranty if their ECU's are modified. This created an increase in demand for older farm equipment that could be modified.
This issue boils down to freedom to own and do what you will with what you own verses licence-ship and having to accept something with use limitation.