Slashdot Mirror


Ask Slashdot: Buying a Car That's Safe From Hackers?

An anonymous reader writes: I'm in the market for a new car, and I've been going through the typical safety checklist: airbag coverage, crash test results, collision mitigation systems, etc. Unfortunately, it seems 2015 is the year we really have to add a new one to the list: hackability. Over the past several weeks we've seen security researchers remotely cut a Corvette's brakes, shut down a Tesla's computer, unlock a bunch of cars, intercept OnStar, and take over a Jeep from 10 miles away.

So, how do we go about buying a car with secure systems? An obvious answer would be to buy a car with limited or archaic computer control — but doing so probably comes with the trade-off of losing other modern safety technology. Is there a way to properly evaluate whether one car's systems are more secure than another's? Most safety standards are the result of strict regulation — is it time for the government to roll out legislation that will enforce safety standards for car computers as well?

14 of 373 comments

  1. 65 VW Bug by Anonymous Coward · · Score: 5, Insightful

    Safe from EMP as well.

    1. Re:65 VW Bug by theNetImp · · Score: 4, Insightful

      My thought as well: go back to a carburetor-based, non-computer-timed car from the 60s/70s/80s.

    2. Re:65 VW Bug by Andy+Dodd · · Score: 4, Insightful

      Yeah. Automotive electronics are designed to be pretty EMP-resistant from the beginning because the ignition coils produce what amounts to small EMPs - and they're connected to the power rails!

      Automotive engine compartments are one of the most electrically noisy environments out there.

      As far as a "hacker-safe" car - buy a car WITHOUT those snazzy remote management features like uConnect/OnStar/etc. All of the remote compromises out there have used those "it's not a bug, it's a feature!" attack routes.

      --
      retrorocket.o not found, launch anyway?

    3. Re:65 VW Bug by Technician · · Score: 5, Interesting

      I'd be more interested in an added toggle switch that would power down all RF modems including Bluetooth, hands-free entry, etc. When in a target-rich environment such as attending Defcon, the car could enter radio silence. A physical key should still work.

      --
      The truth shall set you free!

    4. Re:65 VW Bug by jason.sweet · · Score: 4, Funny

      They would steal the club and leave the VW.

  2. The fix by Ol+Olsoc · · Score: 4, Insightful

    Buy a horse.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    1. Re:The fix by Ol+Olsoc · · Score: 4, Funny

      I hacked your horse, all it took was an apple.

      Damn Apple hipsters anyhow!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  3. mine is super secure, ultra affordable. by nimbius · · Score: 5, Funny

    After graduating college and transitioning to my career at Taco Bell as a cream engineer (sour) I've taken the liberty in my extensive sabbatical time to research and in fact provide the Slashdot community with a hardened, hackerproof vehicle that is both affordable as well as reliable. I give you, the 2001 Ford Crown Victoria Police Interceptor.

    The discerning customer will have acquired it through government auction between $600 and $800, where it will present not one, not two, but three indicator lights. One light, the engine light, serves to confirm an engine is present. The other two lights, ABS and the squiggly red noodle, are savvy decoys to confuse the hacker into presuming there is a functional braking mechanism to exploit. Entering the vehicle the driver is greeted with the stench of so many dollar-menu breakfast sandwiches and carbon paper from a decade of parking citations. These aromas confound the hacker mind. Should the hackers persist, the vehicle contains plausible deniability technology for the engine itself. Instead of recirculating oil in the crankshaft, the security of this vehicle clandestinely burns the oil. Some people have heard of the chain of trust, and in this vehicle a sophisticated system called the chain of rust prevents tampering with idler and pitman suspension components as they are permanently affixed using oxidation technology. Finally, to seal their doom, hackers attempting to gain access to the glove box will become inextricably trapped in a foul blue, brown goo which is in fact the remnants of an exploded ballpoint pen and an old Snickers bar, aged to perfection. Should the driver successfully decrypt the transmission and make it into first gear, the vehicle offers many moments of useful intermittent service.

    --
    Good people go to bed earlier.

  4. Re:you void your warranty by quintus_horatius · · Score: 5, Insightful

    What if someone else tampers with your software by exploiting security holes? Does THAT void your warranty as well?

  5. Re:Classic FUD by avandesande · · Score: 4, Interesting

    I am a nobody and have had my car (Toyota/Lexus) broken into because of the key fob amplifier exploit. This affects ordinary people too.

    --
    love is just extroverted narcissism

  6. Re:Classic FUD by cdrudge · · Score: 5, Insightful

    I'm a nobody as well. I've had my car broken into because of the brick through side window exploit. I'm searching for a car that doesn't have electronics or windows. Right now I'm left with a Razr scooter and an Amish buggy.

  7. Re:Classic FUD by epyT-R · · Score: 5, Insightful

    You might not be important, but you don't have to be if the goal is to cause accidents on major highways. In those situations the logical target would be the popular cars of the unimportant people. I'd just rather not have the connectivity in the first place. I am tired of manufacturers making excuses about their shitty software and over-automated cars. Needless complexity lowers safety and adds expense.

    Even Toyota's not immune, btw.

  8. Re:Classic FUD by gstoddart · · Score: 5, Informative

    Well, that's one way of looking at it.

    The other way is if this stuff becomes easy enough to become a cheap device or an app for your smart phone ... then the bad guy presses a button which says "all cars which are ready to be hacked please honk your horn".

    Just like script kiddies and other scams, if it's lucrative enough, and easy enough, it'll happen. You don't have to be a high value target. If someone knows they can pop the locks on every Escalade in the parking lot, they're going to do it. And someone might just say "oh, fuck it, let's make all the Corvettes disable their brakes because it will be funny".

    If the last decade or so has taught us anything, it's that if it can be hacked, it will be ... and if it's worth doing, it will be done.

    Pretending like the security risks aren't real because you're a low-value target ignores the fact that if there's money to be made, the more automated it can be made, the more it will happen.

    As to the OP's question -- there is no standards body, everything is closed/proprietary, and the corporations aren't going to say up front "yeah, the following cars are totally hackable". They're going to hide this as much as possible.

    I'm just not sure short of following every news story for every company and hoping and guessing you've got a hope in hell of finding this in a way that will be useful.

    Right now, cars are pretty much like every other consumer device ... the companies want to make them all shiny and digital, but they don't know (or don't care) how to make them secure. Which means they don't have a culture of security, accumulated best practices, or anybody telling them the minimum they're allowed to do.

    If you're that worried about getting hacked, buy a car which is a few years old and doesn't have as much electronics in it.

    Beyond that ... I'm not sure how you are going to know what's hackable.

    Pretty much any car with a system like OnStar is going to be remotely accessible even if you don't use it, and the car companies have admitted this.

    --
    Lost at C:>. Found at C.

  9. Re:Classic FUD by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Just remove the "Nissan" logo and replace it with one that says "Datsun".