Car Hacking is 'Distressingly Easy'
Bruce66423 points out a piece from the Economist trying to rally support for pressuring legislators and auto manufacturers to step up security efforts on modern, computer-controlled cars. They say,
Taking control remotely of modern cars, for instance, has become distressingly easy for hackers, given the proliferation of wireless-connected processors now used to run everything from keyless entry and engine ignition to brakes, steering, tyre pressure, throttle setting, transmission and anti-collision systems. Today's vehicles have anything from 20 to 100 electronic control units (ECUs) managing their various electro-mechanical systems. ... The problem confronting carmakers everywhere is that, as they add ever more ECUs to their vehicles, to provide more features and convenience for motorists, they unwittingly expand the "attack surface" of their on-board systems. In security terms, this attack surface—the exposure a system presents in terms of its reachable and exploitable vulnerabilities—determines the ease, or otherwise, with which hackers can take control of a system. ... There is no such thing as absolute security. [E]ven firms like Microsoft and Google have been unable to make a web browser that cannot go a few months without needing some critical security patch. Cars are no different.
...
Your solution to the problem is to try to kill the problem of bad developers by hiding it with the language.
Could you name one example of where that has actually worked, EVER?
When you write your 3 lines of Swift (let's limit it to languages real people outside of one company actually use), there are possibly a million lines of C code doing the actual work.
You do real work in C. You ride on someone else's C code in pretty much every other modern language. Switching them from C to any other language won't solve the problem; the problem is using people who don't think things through. That's not a language problem, it's a person problem.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Why should a hack of the navigation or audio system allow access to the braking system? Why hasn't the DOT mandated an air gap between critical vehicle operation systems (braking, acceleration, ignition, steering, transmission, etc.) and all others?
Five letters generally prevent most of the software *coding* issues found in critical automotive software: MISRA.
Failures that happen in automotive software are almost never coding issues, but rather design issues. For instance, even the "infamous" Toyota brake control issues were due to design, not faulty coding.
Switching languages is actually more likely to introduce more errors than reduce them, since you've now likely added coding errors on top of the design issues.
(And I second the other poster mentioning things like compile-time allocation of all objects. I have never seen a dynamically-allocated anything in any of the embedded programs on which I've worked in the main code stream; closest we came was in a data logger which wrote to a dedicated area of flash, on a separate chip even from the main micro.)
"There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
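The segmentation the earlier poster asks about (why an infotainment compromise should never reach the brakes) and the no-dynamic-allocation practice mentioned in the comment above can be sketched together. This is an added illustration, not code from any carmaker or from the Economist piece: a hypothetical CAN gateway that sits between the infotainment bus and the chassis bus, forwards read-only telemetry outward, and applies a default-deny allow-list (constructed IDs) to anything heading toward the chassis, with every table sized at compile time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical CAN gateway between the infotainment bus and the
 * chassis/powertrain bus. All storage is static; no malloc anywhere. */
typedef enum { BUS_INFOTAINMENT = 0, BUS_CHASSIS = 1 } bus_t;

typedef struct {
    uint32_t id;        /* 11-bit CAN arbitration ID */
    uint8_t  dlc;       /* data length code, 0..8 */
    uint8_t  data[8];
} can_frame_t;

typedef struct { uint32_t id; uint8_t dlc; } allow_rule_t;

/* Constructed allow-list: the only frames permitted to travel from the
 * infotainment side toward the chassis side. IDs are illustrative only. */
static const allow_rule_t k_info_to_chassis[] = {
    { 0x3C0u, 2u },   /* e.g. a trip-computer reset request */
};
#define N_RULES (sizeof(k_info_to_chassis) / sizeof(k_info_to_chassis[0]))

static uint32_t g_dropped = 0u;   /* static counter, read by a diagnostics task */

uint32_t gateway_dropped_count(void) { return g_dropped; }

/* Returns true if the frame may be forwarded from 'from' to 'to'. */
bool gateway_permit(bus_t from, bus_t to, const can_frame_t *frame)
{
    size_t i;
    if ((frame == NULL) || (frame->dlc > 8u) || (from == to)) {
        g_dropped++;
        return false;
    }
    /* Chassis -> infotainment: read-only telemetry for the dashboard is fine. */
    if ((from == BUS_CHASSIS) && (to == BUS_INFOTAINMENT)) {
        return true;
    }
    /* Infotainment -> chassis: default deny, exact match on ID and length. */
    for (i = 0u; i < N_RULES; i++) {
        if ((frame->id == k_info_to_chassis[i].id) &&
            (frame->dlc == k_info_to_chassis[i].dlc)) {
            return true;
        }
    }
    g_dropped++;   /* every rejected frame is counted, so a flood is visible */
    return false;
}
```

The drop counter is the detection hook: a sudden rise in rejected infotainment-to-chassis frames is worth logging by whatever monitors the gateway.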
There have been public demonstrations, some televised, of certain models of modern car that allow you to change things like timings and injection sequences, via OBD, over Bluetooth, using default passcodes.
I'm sure they're all patched now. Of course. No more will that ever happen again.
There have also been demos of being able to DoS certain buses in the car remotely and wirelessly, preventing everything from in-car entertainment to immobilisers from working, etc., using similar techniques.
These things are all out there. Go look. And that's just OBD. God knows what happens when you start tying in Wifi into the car speakers, joining that to the satnav for Internet updates, joining those to the car etc.
You can see cars on the market today, not even particularly unusual or modern ones, that pull in OBD information into the electronic dashboard which also doubles as a music interface and a satnav and a fuel gauge and a Bluetooth phone interface and everything else. It's not at all hard to imagine that such things haven't covered every single possible hole where information from one can leak to another.
And anything OBD-writing is potentially dangerous. As in "blow up your engine" dangerous. Most older OBD systems are nothing more than read-only technical data. Newer ones do more to allow flashing, firmware updates, and even modification of settings that control emission levels (e.g. fuel injectors, exhaust re-introduction pumps, etc.). Add that together and you have one big mess waiting to happen.
There's a reason that you don't buy mod-chips for your engine nowadays that you can swap out to pass emissions test and then swap back to get the "sports performance" of your car. Because they don't need to swap the chips physically any more.
Or possibly XYZZY or PLUGH. I forget which.