Ask Slashdot: Buying a Car That's Safe From Hackers?
An anonymous reader writes: I'm in the market for a new car, and I've been going through the typical safety checklist: airbag coverage, crash test results, collision mitigation systems, etc. Unfortunately, it seems 2015 is the year we really have to add a new one to the list: hackability. Over the past several weeks we've seen security researchers remotely cut a Corvette's brakes, shut down a Tesla's computer, unlock a bunch of cars, intercept Onstar, and take over a Jeep from 10 miles away.
So, how do we go about buying a car with secure systems? An obvious answer would be to buy a car with limited or archaic computer control — but doing so probably comes with the trade-off of losing other modern safety technology. Is there a way to properly evaluate whether one car's systems are more secure than another's? Most safety standards are the result of strict regulation — is it time for the government to roll out legislation that will enforce safety standards for car computers as well?
Safe from EMP as well.
But the manufacturers would prefer that you can't do anything like that. More drm.
You don't own it you just have a lifetime lease.
That they charge to repair.
Minimum threshold fixed. Thanks!
Unless you are someone important, people won't spend the significant effort required to hack your car. I would say you can probably avoid the seemingly quite inept "classic" US manufacturers, especially if you don't plan to do the USB upgrades etc. that they might require if a remote exploit is found, but still it should be a minor concern. Ok, if you are paranoid get a Tesla: researchers spent TWO YEARS and they ended up with an exploit that required physical access to a port inside the car, could at most turn off your engine (very gracefully in neutral and with you in full control) and could be instantly patched over the air...
Again, if you are some sort of a dictator etc I could see an intelligence organization with great resources finding a way to hack your Tesla if they have physical access to it, but it will still be cheaper and more efficient to just plant a bomb...
Buy a horse.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
After graduating college and transitioning to my career at Taco Bell as a cream engineer (sour) I've taken the liberty in my extensive sabbatical time to research and in fact provide the slashdot community with a hardened, hackerproof vehicle that is both affordable as well as reliable. I give you, the 2001 Ford Crown Victoria Police Interceptor.
The discerning customer will have acquired it through government auction between $600 and $800, where it will present not one, not two, but three indicator lights. One light, the engine light, serves to confirm an engine is present. The other two lights, ABS and the squiggly red noodle, are savvy decoys to confuse the hacker into presuming there is a functional braking mechanism to exploit. Entering the vehicle the driver is greeted with the stench of so many dollar-menu breakfast sandwiches and carbon paper from a decade of parking citations. These aromas confound the hacker mind. Should the hackers persist, the vehicle contains plausible deniability technology for the engine itself. Instead of recirculating oil in the crankshaft, the security of this vehicle clandestinely burns the oil. Some people have heard of the chain of trust, and in this vehicle a sophisticated system called the chain of rust prevents tampering with idler and pitman suspension components as they are permanently affixed using oxidation technology. Finally, to seal their doom, hackers attempting to gain access to the glove box will become inextricably trapped in a foul blue, brown goo which is in fact the remnants of an exploded ballpoint pen and an old Snickers bar, aged to perfection. Should the driver successfully decrypt the transmission and make it into first gear, the vehicle offers many moments of useful intermittent service.
What if someone else tampers with your software by exploiting security holes? Does THAT void your warranty as well?
I am hoping by then I can get a car that is in the cloud.
You do NOT need to let OnStar or similar capabilities. No need for it at all. Maybe if your car was self-driving and designed to network with other cars you would need such functionality, but the ability to call for help or use wifi or wireless diagnostics is NOT worth making it hackable
Once you do this, your car is as safe from hacking as it needs to be.
"- is it time for the government to roll out legislation that will enforce safety standards for car computers as well?"
Which would be covered under *any* sort of "product liability for software" legislation.
Seriously: You can't buy food without the producer going through FDA checks, you can't buy a car without all the right safety and functionality checked by a gummint agency, you can't trade stocks without oversight by the SEC, so why can software vendors continue to peddle insecure crap with no liability?
Sometimes the "writing on the wall" is blood spatter...
If you want a modern car, you're just going to have to accept that right now, they're all full of closed-source, black-box computer stuff. Short of going to work for the manufacturer and signing an NDA, you're never going to be able to get access to the inner workings of these things. The unfortunate truth is that these manufacturers are adding features without incorporating security from the very beginning, in an effort to have more bells and whistles than the other guys. They're getting better about security, but they still have a lot to learn.
The good news is that most of these hacks are at least somewhat mitigated. The Jeep one seems the worst, as it worked over a cellular connection from seemingly anywhere, to get into the infotainment system, and then jump to the car's actual controls from there. Chrysler was able to make some change to their network that (partially?) stopped the attack even if the individual cars were still technically vulnerable. The OnStar hack was a MITM between the mobile app and the OnStar website (due to not verifying the cert); it resulted in being able to do things to the car, but wasn't actually a vulnerability in the car itself. Most of the previous hacks require physically connecting to the OBD2 port in the car. As was stated in a related posting, just as with computers, if the bad guy can break into your car and install a dongle, you're pretty much screwed anyway. Just like installing only necessary packages on a server to minimize its attack surface, you can also skip unnecessary vehicle options to reduce the chance of a vuln (though you may have varying levels of success getting a car with exactly what you want and nothing you don't).
We need these hackers to keep pointing out these flaws until the manufacturers fix them (and hopefully completely avoid the same mistake in the future). For now, it's still fairly early in the cycle with lots of learning being done. We need more isolation between the vital control systems and the trivial entertainment junk to completely remove the possibility of something like a USB stick being able to take over your engine, but for the most part these vulns are still rather limited in their application, due to the inherent limitations of actually getting linked up to your car's systems. I'm afraid it might get worse before it gets better, but at least these things seem to be getting addressed by the manufacturers, rather than just covered up.
They started disabling seat belts when they integrated air bags. Seat belts don't have centrifugal or pendulum locks anymore, so don't lock up in a collision. They let you slam face-first into the airbag, which is itself dangerous (the statistics lie: airbags occasionally kill people, and we can see that plain enough; but every single non-fatal high impact in which an airbag has deployed is marked as "airbag saved this person's life", which simply assumes seatbelts never did save lives. They don't take a delta statistic of how many more lives were saved per such collision after airbags were introduced--not that it would be less than bullshit itself, since we can't measure if these collisions in these cars would have been fatal anyway).
I just want real, working seat belts. Is that too much to ask?
RestoMods are where you take an older car and upgrade it to more modern standards. Thus, you get the best of both worlds; superior handling and acceleration, some added safety features, and a car that looks vintage, styled to stand out from the crowd of oval-shaped vehicles.
There's even an upgraded pan for the VW Beetle that provides disc brakes, better handling and smoother ride; as well as a large assortment of engines that can provide anything from mild performance to tire squealing, drag-strip style that'll smoke most other cars.
And yes, almost all RestoMods eschew too much electronics, which make the cars as unhackable as they were when they were original 60's and 70's cars.
We're going to need the car equivalent of being able to turn off all wireless connections. With some hardware switch.
At least 'til manufacturers get it through their skull that it MIGHT be a good idea to separate consumer-area entertainment electronics from the electronics necessary for operation of the vehicle.
Do you have datalogging going on the CAN bus or are you just guessing? Just because you return to your car minus sunglasses but without shattered glass does not mean OMG HACKERZ.
Most of those required physical access to the car. If I have physical access to any car I can hack it. Can we stop with the alarmist bullshit please?
At least 'til manufacturers get it through their skull that it MIGHT be a good idea to separate consumer-area entertainment electronics from the electronics necessary for operation of the vehicle.
That's not that feasible: they use the consumer-area electronics a lot now to allow configuration of the more critical systems, and to read data from them. With a decent API which only allows certain operations, the ability to cause damage can be limited. From what I read, the recent hacks involved rewriting the firmware in some modules, so I guess on some models (like Jeep), the consumer-area system has the ability to apply firmware updates over CAN to other modules, so if you can figure out how to make a compatible firmware image and how to build one that does what you want, you can use this mechanism to hack in and take over the car.
I wonder if every manufacturer has designed their systems this way or not.
LOL.
Tesla is the ONLY car that was considered difficult to crack and very safe. In addition, they are the only ones that were willing to work with the crackers at fixing things.
And BTW, the other cars were cracked remotely. Tesla required not only physical access to the car, but the door had to be opened, and then you accessed the Ethernet via the side of the dashboard. And then and only then, were they able to shut down the computer, not control things.
So, if Tesla is the one that concerns you, well, no doubt you are still running XP and lower.
My 2014 Subaru has them. I think your seat belts are broke.
OTA updates are probably safer than every vehicle being stuck with whatever old version of software they have until the driver brings it in for service, the whole time being vulnerable to publicly known security flaws.
I'm sure Tesla digitally signs its updates, so it's not as if any idiot can just beam over whatever software they want onto your car. And if they can, that's something that needs to be patched immediately (i.e. with an OTA update), rather than waiting a few weeks.
In short: If you want a secure car, get something with a carburetor or buy a VW, Audi, Porsche, Seat, Skoda, Bentley, Bugatti or Lamborghini.
I reverse engineer automotive software for a living and I can say without question that Volkswagen Auto Group cars are as secure as you can possibly find.
Most of the cars you hear about being "hacked" are vulnerable because of something in the infotainment system. Once an outsider has access to that, in most cars, they have access to the canbus and can do "bad" things.
VAG cars are not this way. They have multiple CAN buses, one for each primary function. Body control, convenience and power-train are all on separate buses. Between these buses sits a device called the "can-gateway", which is essentially a CAN bus firewall. No packets can move between the buses except those that are necessary to allow. A "wheels are spinning, activate ABS" message cannot originate on the convenience or body control bus.
The software for just about everything important is secured with signatures (2048 bit now). Modifying the software for these cars is extremely difficult, getting access in the first place requires enormous amounts of very skilled labor. We spend many thousands of man hours each year just keeping ahead of the security features added to the ECU engine control code (we're a performance company).
It's hard enough to modify anything on these cars when you have every tool imaginable, a seasoned veteran staff, complete access to the cars and nearly unlimited financial resources.
Well, your article points out it's the EOL for support for the following Nexus devices: Nexus 4, Nexus 10, and Nexus 7 (2012). The 2012 version of the Nexus 7 was introduced on July 13, 2012. Nexus 4 and 10 were first introduced November 13, 2012. Lollipop 5.1.1 was released April 21, 2015 (or later if you're counting on when factory images and OTA updates might have been available). But in any case, that's 29-33 months of support, not 18.
Also from your article, it points out that they are providing 2 years of major updates, security updates 3 years after the OS is introduced or 18 months after you buy a device from them in the Play Store, whichever is longer. What isn't mentioned is that particular apps and components may receive additional updates that aren't part of the core OS.
I compare all that to Samsung's S4 that both my wife and I have. I've updated my phone to KitKat via a 3rd party rom, but my wife is still stuck on KitKat 4.4 after initially having 4.2. That's all the updates she's ever received.
Stay away from any cars that are popular,
The companies which make small-run cars aren't generally making their own PCM. Koenigsegg is a notable exception, but most of these companies will just buy a PCM from Hitachi or Bosch or, if they're American, potentially from Edelbrock or Holley etc etc — but more likely something imported. And the extremely small-run companies might use absolutely anything, except their own design. Meeting OBD-II compliance etc. is fairly complex and not something for newbies.
and all those that can be controlled by the manufacturer.
It won't be long before that's a standard feature...
If you want to be secure from hackery, get a car without diagnostic interfaces. I've got a straight 300SD that runs like a mad bastard that I'm about ready to let go of...
And BTW, the other cars were cracked remotely.
No, not the 'vette. They added hardware to it. If you added crap hardware like that to pretty much any car you would make it vulnerable. It might be common hardware but that still wasn't a remote hole in the car.
This is a great example:
When they see a news story about ISIS executing a journalist they should ignore it, because it isn't about them?
Versus doing what? What action should the average person take to be safe from being beheaded by ISIS? How much effort should the average person spend protecting himself from ISIS each day?
What did you do to protect yourself from ISIS today? All of us morons who just went about our lives like normal need you to tell us where we all went wrong.
That's not that feasible: they use the consumer-area electronics a lot now to allow configuration of the more critical systems, and to read data from them.
It's not feasible to lock my front door, because my house was built with a non-stop conveyor belt running from the mailbox to the kitchen.
The entire point of this ask-slashdot is to identify cars that DON'T integrate entertainment systems and wireless access with the safety critical electronics. Cars that DON'T do the dumb&dangerous stuff you just listed.
Data flow *from* the primary systems *to* entertainment&wireless systems is marginally acceptable, if it's a physically enforced one-way data flow using optocouplers or something.
I seriously want each car manufacturer to have one employee on staff, whose sole job is to say "YOU'RE FIRED" every time any idiot engineer wants to permit ANY data flow from entertainment-or-wireless systems into safety-critical systems. I don't care how limited the APIs are, I don't care how encrypted it is, I don't care how cryptographically-secure the certificates are. If there's data flow into critical safety systems, it's effectively certain that it's going to be vulnerable. You don't connect safety-critical systems to wireless input, period.
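Two of the comments above describe the same defensive idea from different angles: the VAG reverse engineer's "can-gateway" that only lets explicitly necessary messages cross between the body, convenience and powertrain buses, and the later demand that data flow only one way, from the safety-critical side out to the entertainment side. The following is an added example, written for this page and not taken from any commenter, a manufacturer, or a real gateway ECU. It models such a gateway as an allowlist keyed on (source bus, destination bus, arbitration ID). Bus names, the arbitration IDs, and the sample frames are all constructed for illustration; 0x7E0 is used here as the conventional OBD-II diagnostic request ID for the engine ECU, the kind of frame a firmware-update path would rely on.

```python
"""Model of a CAN gateway enforcing per-bus allowlists and one-way flow.

Added example for illustration only. Bus names, IDs and frames are constructed;
this is not the code of any real gateway controller.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CanFrame:
    bus: str        # bus the frame was received on (or is to be sent on)
    can_id: int     # 11-bit arbitration ID
    data: bytes     # classic CAN payload, 0..8 bytes


# Constructed arbitration IDs used by the policy and the samples below.
ID_WHEEL_SPEED = 0x1A0   # assumed: powertrain broadcast of wheel speed
ID_FUEL_LEVEL = 0x3D0    # assumed: powertrain broadcast of fuel level
ID_UDS_ENGINE = 0x7E0    # conventional OBD-II diagnostic request ID, engine ECU

# Allowlist: (source bus, destination bus) -> arbitration IDs permitted to cross.
# Anything not listed is dropped. Note there is deliberately NO entry whose
# destination is "powertrain": the safety-critical bus only ever sends outward.
ROUTING_POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("powertrain", "infotainment"): {ID_WHEEL_SPEED, ID_FUEL_LEVEL},  # dashboard telemetry
    ("powertrain", "body"): {ID_WHEEL_SPEED},                         # e.g. auto door lock
}


class CanGateway:
    """Forwards frames between buses strictly according to the policy."""

    def __init__(self, policy: Dict[Tuple[str, str], Set[int]]) -> None:
        self.policy = policy
        # Dropped frames are kept as a detection signal: a burst of
        # infotainment-origin frames aimed at the powertrain is worth alerting on.
        self.dropped: List[Tuple[CanFrame, str]] = []

    def route(self, frame: CanFrame) -> Dict[str, List[CanFrame]]:
        """Return the frames to transmit, grouped by destination bus."""
        if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
            self.dropped.append((frame, "malformed frame"))
            return {}
        out: Dict[str, List[CanFrame]] = {}
        for (src, dst), allowed_ids in self.policy.items():
            if src == frame.bus and frame.can_id in allowed_ids:
                out.setdefault(dst, []).append(CanFrame(dst, frame.can_id, frame.data))
        if not out:
            # Covers both "unknown ID" and "known ID but spoofed from the wrong bus".
            self.dropped.append((frame, "no policy entry for this source bus and ID"))
        return out

    def drops_by_source(self) -> Dict[str, int]:
        """Count dropped frames per originating bus (simple anomaly summary)."""
        counts: Dict[str, int] = {}
        for frame, _reason in self.dropped:
            counts[frame.bus] = counts.get(frame.bus, 0) + 1
        return counts


def run_sample() -> Tuple[CanGateway, Dict[str, int]]:
    """Push a few constructed frames through the gateway and summarise drops."""
    gw = CanGateway(ROUTING_POLICY)
    samples = [
        CanFrame("powertrain", ID_WHEEL_SPEED, bytes([0x00, 0x50])),   # legitimate telemetry
        CanFrame("powertrain", ID_FUEL_LEVEL, bytes([0x3C])),          # legitimate telemetry
        CanFrame("infotainment", ID_UDS_ENGINE, bytes([0x02, 0x10, 0x02])),  # diag request: dropped
        CanFrame("infotainment", ID_WHEEL_SPEED, bytes([0xFF, 0xFF])), # spoofed telemetry: dropped
        CanFrame("body", ID_FUEL_LEVEL, bytes([0x00])),                # wrong source bus: dropped
    ]
    for frame in samples:
        gw.route(frame)
    return gw, gw.drops_by_source()


if __name__ == "__main__":
    _gw, summary = run_sample()
    for frame, reason in _gw.dropped:
        print(f"DROP bus={frame.bus} id=0x{frame.can_id:03X} reason={reason}")
    print("drops by source bus:", summary)
```

The point the model makes concrete is that the policy is keyed on where a frame was received, not only on its ID: a wheel-speed frame with the right ID is forwarded when it arrives from the powertrain bus and dropped when the same ID shows up on the infotainment bus, and because no policy entry has the powertrain bus as a destination, diagnostic or update traffic from the infotainment side has nowhere to go. Logging the drops per source bus gives a cheap detection signal for exactly the infotainment-to-powertrain pivot the Jeep comments describe.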
It's ironic that this article appears just a few slots above the "the network is untrustable" article about AT&T's support of hacking. The process of keeping an Internet-facing machine safe is a more or less daily battle of 0day patches. This isn't, has never been, and likely never will be possible for consumer electronics because it imposes too much cost on the manufacturer. Automotive software doesn't get updated with the same frequency as desktop software for a bunch of reasons, and it also doesn't get updated indefinitely because there's a distinct end-of-lifecycle for it. TL;DR: The only safe-ish automotive electronics, both now and in the future, are electronics that have no connectivity. It's impossible to feel safe about connected electronics of any sort, and in a realtime control environment like a vehicle, it's frankly irresponsible to permit such connectivity.
Hacking isn't the only problem that can occur. There can be deadly software bugs that are discovered (e.g. like Toyota's stuck accelerator problem), that an OTA update would be able to fix relatively quickly. Even if you do a recall, it will be impossible to fix all the cars at once, it will take months to get all the cars fixed, and in the meantime people will be driving them. Even the people that fix them immediately will need to drive those cars to the dealership to get them updated.