Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Control of a Car, With No Phone Or Network Connection Required

Posted by samzenpus on from the all-your-car-are-belong-to-us dept.

Albanach writes: Following on from this week's Wired report showing the remote control of a Jeep using a cell phone, security researchers claim to have achieved a similar result using just the car radio. Using off the shelf components to create a fake radio station, the researchers sent signals using the DAB digital radio standard used in Europe and the Asia Pacific region. After taking control of the car's entertainment system it was possible to gain control of vital car systems such as the brakes. In the wild, such an exploit could allow widespread simultaneous deployment of a hack affecting huge numbers of vehicles.

7 of 160 comments (clear)

  1. LOL at the touchscreen in the article... by Anonymous Coward · · Score: 5, Insightful

    "Car infotainment systems can allow drivers to see vehicle status updates, play music and videos, view maps and in some cases run third-party apps" - and they also allow drivers to NOT SEE OTHER CARS, while they're trying to use a stupid touchscreen in a bloody CAR...

  2. Why?? by Munchr · · Score: 5, Insightful

    Why exactly is the entertainment system of a vehicle, devoloped by design to display "unknown" content, tied into critical systems? First airplanes and now cars. What the actual fuck are these people thinking?

    1. Re:Why?? by Anonymous Coward · · Score: 5, Insightful

      Flash has millions (maybe billions) of users and after 15 years, they still find 0-day security holes. There's no "just" about it.

    2. Re:Why?? by 91degrees · · Score: 5, Interesting

      I think there's a lot of speculation in the article being represented as fact. Reading the article, it doesn't look like the researcher actually did manage to control the car through the radio. Just suggested that it might be possible to do so.

      Still, using the suggestion in the article, it might be possible to instruct the car to parallel park if this is operated using a touch screen through the "infotainment" system. Seems unlikely that such a system would operate any fundamental car functionality though.

  3. Car electronics are safe like work IT systems by Antique+Geekmeister · · Score: 5, Interesting

    Car electronics are safe like work IT systems are safe. No one competent would design the systems with a shared set of credentials, with an easily cracked master control system, with low security systems granted bus access and with privileged commands going over the common bus without protection, because we "trust the people we work with".

    Unfortunately, this is rarely completely true in a large IT environment. There's often a set of vulnerabilities, which can be closed but require time and resources not allocated in the current quarter or even ever enabled. They're checked off on the security checklist, but the checklist is crafted to avoid the real problems, or personnel simply lie outright: this is at the core of many companies compliance with the FIPS guidelines. Those kinds of gaps help pay my salary: I often help close them and reduce the danger of them while they're being fixed.

    For car systems, there are various "buses" in use now. A casual search shows more than 10 distinct "vehicle bus" standards in use, and trying to secure and reliably use all of them consistently and safely _in terms of security_ is barely feasible, much less likely in the high urgency car market. The components also have to be extremely robust, low quiescent power, and not too expensive per unit, which adds other limitations and slows closing known security or newly discovered security holes.

    So I'm afraid that real security risks of the systems are to be expected. And they're quite unlikely to be fixed quickly when discovered, because it could involve replacing core components of the system and causing a _much_ higher rate of upgrade induced failures.

  4. Consider the background of auto makers by sjbe · · Score: 5, Interesting

    Why exactly is the entertainment system of a vehicle, devoloped by design to display "unknown" content, tied into critical systems? First airplanes and now cars. What the actual fuck are these people thinking?

    I work in the auto industry running a company that manufactures electronic wiring products. I can tell you exactly what they were thinking.

    Nothing. They weren't thinking about it at all.

    Auto makers have never had to deal with security much beyond ignition and door locks and car alarms. The concept of hardening the internal system of a car against malicious hackers is really something they've never really had to deal. The fact that there are asshats out there who will do malicious things simply hasn't been an issue for them until now. It's more ignorance than incompetence. Their electronics experience is more embedded systems than consumer electronics and they've built their companies accordingly.

    I do think it is dawning on them but its going to take some years before they get their house in order. It will require some significant organizational restructuring and changes in development and engineering. I think you'll likely see some hacking incidents and some sizable lawsuits along the way. They will almost certainly have to get handed some very expensive lessons before they get religion about doing security properly.

  5. Wasn't the beancounters by sjbe · · Score: 5, Interesting

    Beancounters.

    Nope. I'm both an engineer and an accountant and I'm in the industry. I can assure you that the beancounters had close to zero input on these design decisions and that is pretty much routine. Most of the beancounters aren't engineers and aren't really in a position to challenge the engineers on design decisions. These systems were designed by engineers and I can tell you with near 100% certainty that the design engineers had no background in security because I deal with engineers like this routinely in my day job. Basically the beancounters don't get involved much beyond helping to set the budget and keeping people to it but they rarely get involved in the mundane design decisions of exactly how the product will be built.

    Let me give you an example from my own company about how little input the beancounters have. My company makes wire harnesses and one of our products goes into a series of SUVs from GM and is used across several brands. We make two versions that are identical except for one part. The reason we use two parts instead of one is because the engineers at Chevy couldn't be bothered to talk to the engineers at Buick to make a common hole size. This raised cost and added a part number for no reason at all. The beancounters didn't get involved and never said a word.

    But it gets worse. The same product uses connectors on each end. The engineers could have used common, off-the-shelf, already-in-production connectors but instead they decided to custom design the connectors on both ends. As a result they more than doubled the unit cost of each connector and instead of having a part that could be purchased with zero lead time from any distributor, we have a 16 week lead time, continual part shortages and have to buy over 50,000 units at a time (we use about 1,000/day) to get the pricing we get. So we end up selling them the product for probably 30% more than was necessary because of stupid design decisions. The beancounters never said a word about any of this foolishness either.