Ask Slashdot: Buying a Car That's Safe From Hackers?
An anonymous reader writes: I'm in the market for a new car, and I've been going through the typical safety checklist: airbag coverage, crash test results, collision mitigation systems, etc. Unfortunately, it seems 2015 is the year we really have to add a new one to the list: hackability. Over the past several weeks we've seen security researchers remotely cut a Corvette's brakes, shut down a Tesla's computer, unlock a bunch of cars, intercept OnStar, and take over a Jeep from 10 miles away.
So, how do we go about buying a car with secure systems? An obvious answer would be to buy a car with limited or archaic computer control — but doing so probably comes with the trade-off of losing other modern safety technology. Is there a way to properly evaluate whether one car's systems are more secure than another's? Most safety standards are the result of strict regulation — is it time for the government to roll out legislation that will enforce safety standards for car computers as well?
Safe from EMP as well.
Buy a horse.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
After graduating college and transitioning to my career at Taco Bell as a cream engineer (sour), I've taken the liberty in my extensive sabbatical time to research and in fact provide the Slashdot community with a hardened, hackerproof vehicle that is both affordable as well as reliable. I give you, the 2001 Ford Crown Victoria Police Interceptor.
The discerning customer will have acquired it through government auction between $600 and $800, where it will present not one, not two, but three indicator lights. One light, the engine light, serves to confirm an engine is present. The other two lights, ABS and the squiggly red noodle, are savvy decoys to confuse the hacker into presuming there is a functional braking mechanism to exploit. Entering the vehicle the driver is greeted with the stench of so many dollar-menu breakfast sandwiches and carbon paper from a decade of parking citations. These aromas confound the hacker mind. Should the hackers persist, the vehicle contains plausible deniability technology for the engine itself. Instead of recirculating oil in the crankshaft, the security of this vehicle clandestinely burns the oil. Some people have heard of the chain of trust, and in this vehicle a sophisticated system called the chain of rust prevents tampering with idler and pitman suspension components as they are permanently affixed using oxidation technology. Finally, to seal their doom, hackers attempting to gain access to the glove box will become inextricably trapped in a foul blue, brown goo which is in fact the remnants of an exploded ballpoint pen and an old Snickers bar, aged to perfection. Should the driver successfully decrypt the transmission and make it into first gear, the vehicle offers many moments of useful intermittent service.
Good people go to bed earlier.
What if someone else tampers with your software by exploiting security holes? Does THAT void your warranty as well?
I am a nobody and have had my car (Toyota/Lexus) broken into because of the key fob amplifier exploit. This affects ordinary people too.
love is just extroverted narcissism
I'm a nobody as well. I've had my car broken into because of the brick through side window exploit. I'm searching for a car that doesn't have electronics or windows. Right now I'm left with a Razor scooter and an Amish buggy.
You might not be important, but you don't have to be if the goal is to cause accidents on major highways. In those situations the logical target would be the popular cars of the unimportant people. I'd just rather not have the connectivity in the first place. I am tired of manufacturers making excuses about their shitty software and over-automated cars. Needless complexity lowers safety and adds expense.
Even Toyota's not immune, btw.
Well, that's one way of looking at it.
The other way is if this stuff becomes easy enough to become a cheap device or an app for your smart phone ... then the bad guy presses a button which says "all cars which are ready to be hacked please honk your horn".
Just like script kiddies and other scams, if it's lucrative enough, and easy enough, it'll happen. You don't have to be a high value target. If someone knows they can pop the locks on every Escalade in the parking lot, they're going to do it. And someone might just say "oh, fuck it, let's make all the Corvettes disable their brakes because it will be funny".
If the last decade or so has taught us anything, it's that if it can be hacked, it will be ... and if it's worth doing, it will be done.
Pretending like the security risks aren't real because you're a low value target ignores the fact that if there's money to be made, the more automated it can be made, the more it will happen.
As to the OP's question -- there is no standards body, everything is closed/proprietary, and the corporations aren't going to say up front "yeah, the following cars are totally hackable". They're going to hide this as much as possible.
I'm just not sure short of following every news story for every company and hoping and guessing you've got a hope in hell of finding this in a way that will be useful.
Right now, cars are pretty much like every other consumer device .. the companies want to make them all shiny and digital, but they don't know (or don't care) how to make them secure. Which means they don't have a culture of security, accumulated best practices, or anybody telling them the minimum they're allowed to do.
If you're that worried about getting hacked, buy a car which is a few years old and doesn't have as much electronics in it.
Beyond that ... I'm not sure how you are going to know what's hackable.
Pretty much any car with a system like OnStar is going to be remotely accessible even if you don't use it, and the car companies have admitted this.
Lost at C:>. Found at C.
"- is it time for the government to roll out legislation that will enforce safety standards for car computers as well?"
Which would be covered under *any* sort of "product liability for software" legislation.
Seriously: You can't buy food without the producer going through FDA checks, you can't buy a car without all the right safety and functionality checked by a gummint agency, you can't trade stocks without oversight by the SEC, so why can software vendors continue to peddle insecure crap with no liability?
Sometimes the "writing on the wall" is blood spatter...
Just remove the "Nissan" logo and replace it with one that says "Datsun".
Do you have datalogging going on the CAN bus, or are you just guessing? Just because you return to your car minus sunglasses but without shattered glass does not mean OMG HACKERZ.
Most of those required physical access to the car. If I have physical access to any car I can hack it. Can we stop with the alarmist bullshit please?
LOL.
Tesla is the ONLY car that was considered difficult to crack and very safe. In addition, they are the only ones that were willing to work with the crackers at fixing things.
And BTW, the other cars were cracked remotely. Tesla required not only physical access to the car, but the door had to be opened, and then you accessed the Ethernet via the side of the dashboard. And then and only then, were they able to shut down the computer, not control things.
So, if Tesla is the one that concerns you, well, no doubt you are still running XP and lower.
I prefer the "u" in honour as it seems to be missing these days.
My 2014 Subaru has them. I think your seat belts are broke.