Remote Control of a Car, With No Phone Or Network Connection Required
Albanach writes: Following on from this week's Wired report showing the remote control of a Jeep using a cell phone, security researchers claim to have achieved a similar result using just the car radio. Using off-the-shelf components to create a fake radio station, the researchers sent signals using the DAB digital radio standard used in Europe and the Asia Pacific region. After taking control of the car's entertainment system it was possible to gain control of vital car systems such as the brakes. In the wild, such an exploit could allow widespread simultaneous deployment of a hack affecting huge numbers of vehicles.
"Car infotainment systems can allow drivers to see vehicle status updates, play music and videos, view maps and in some cases run third-party apps" - and they also allow drivers to NOT SEE OTHER CARS, while they're trying to use a stupid touchscreen in a bloody CAR...
Why exactly is the entertainment system of a vehicle, developed by design to display "unknown" content, tied into critical systems? First airplanes and now cars. What the actual fuck are these people thinking?
Same reason why they leave backdoors in encryption mechanisms.
We used to think the reason was incompetence, post Snowden we know these vulnerabilities are by design.
WTF are the ass clowns who produce this shit thinking? Have they been in a cave for the last 30 years?
All these so called "smart devices" seem to have been programmed by 5 year old children who have never considered that malicious people might try to crack/exploit their systems.
10 minutes after the "Internet Of Things" is in place the world is going to descend into chaos as every script kiddie on the planet starts fucking around with stuff and exploiting every single one of the devices. Probably just by using the default admin password which will be printed on the box.
Honestly I can't believe how truly abysmal the state of most modern programming is. Piss poor code running on umpteen frameworks (mostly just adding bloat) and every bit of it seemingly written without the FIRST THOUGHT to security. Fucking fifth rate crap the lot of it.
You can take all your smart TVs, smart cars, smart fridges etc. and stick them right up your arse. None of this shit is coming into my house ever. Morons....
... spoken like a true conspiracy theorist. A concept baked-in to Hanlon's Razor is the assumption that people generally try to do the best job that they can, within their abilities and constraints. This implies that most problems result from unintentional errors rather than malicious intent. Some people simply cannot accept the true level of complexity of the systems that humanity has created and their inherent fallibility. For those people, it is far more comforting to assume that it is all guided by an unseen hand with a larger (and in this case, malicious) purpose. It's the ideology of the conspiracy theorist, and it is shown by history to be nonsense.
Incompetence is ignorance when you can hire someone competent and aware.
That is an argument from hindsight. It's easy to see the problem in the rear view mirror. How do you propose they go about hiring someone "competent and aware" when they don't know about the existence of the problem in the first place? It's REALLY easy to armchair quarterback this and it's pretty unfair. The real question is what they will do going forward because the leadership damn well ought to be aware of it now. If they continue with business as usual THEN it is fair to say they are incompetent.
They hired incompetent, ignorant idiots.
Untrue and unfair. The problem is that they hired good people to do the wrong task because they didn't know any better. I assure you that the people they hired were by and large competent at what they were hired for. I work with many of these engineers. They aren't stupid. They aren't incompetent. They ARE naive about computer security and how to design systems with that in mind.
It's a problem they will likely deal with effectively in due time but there are going to be some painful lessons learned along the way. Companies that have made their money cutting metal don't become advanced IT operations overnight.
If a carmaker builds a car that explodes in a normal accident, then they are negligent. But if they build a car that explodes when someone fires an RPG at it, I don't blame the automaker.
The kind of hack that takes control of a car and disables the brakes is not an accident. It is like someone cutting the brake lines. And we don't require car manufacturers to make brake lines out of triply reinforced kevlar and steel so that people can't maliciously cut through them, nor require automakers to wrap the car in fireproof material in case somebody douses it in gasoline and sets fire to it. They just need to be enough to make it through standard operating conditions, not outright attacks.
There will always be security holes as long as there is enough reason for someone to want to take control of a car. So although I think it is a good idea for carmakers to build better systems ("Mercedes Benz - the only luxury car that isn't affected by the ZeusMobile trojan!"), I think assigning liability in hindsight is a bit harsh. But some additional regulations that require some of the obvious best practices (air-gapped systems, etc) would also make sense.
They just need to be enough to make it through standard operating conditions, not outright attacks.
As soon as you connect something to the Internet, "standard operating conditions" include outright attacks.