Why Car Info Tech Is So Thoroughly At Risk
Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
and thousands of people die the same moment because some terrorist pressed a button. Of course, well informed as the big-data terrorist is, they will find out whether you are a Muslim whose wife wears a burqa with even her ankles covered all day; they will spare your car if you are one.
We only see risks where we've seen the risk actually causing harm. This is also a reason why it's so hard to find motivation to fight against climate change.
http://www.nydailynews.com/news/national/conspiracy-theories-abound-michael-hastings-death-article-1.1377392
Makes you wonder whether something like this might already be happening when steering wheels, GPS, independent brake control and throttle control can all be hacked these days by getting on the CAN bus and issuing valid sequences.
http://www.nytimes.com/2011/03/10/business/10hack.html
Really not too far-fetched to think that someone could be taken out by a little CAN-bus device that waited for a particular geo-location and then jammed the throttle to full and yanked the wheel and brakes into a building or tree.
Because the tech is invariably based on open source and written by some unpaid intern.
At least the open source part isn't even just a joke. Had a rented car once, and when clicking through the info-tainment system there was a "copyright" menu, which brought up all sorts of open-source licenses.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
-- Thou hast strayed far from the path of the Avatar.
Didn't realize QNX, Microsoft Sync, et al. were open source.
A significant problem is that computer-related security lessons seem to have to be learned from the ground up, industry by industry. Contrary to this, the smartphone industry (especially Apple) has relatively sophisticated security in both hardware and software, and I think it was because they could learn a lot of valuable lessons from their experience with the PC. As a result, iOS users enjoy a relatively malware-free system.
The automobile industry, on the other hand, is probably somewhere in the early 2000s mindset, comparatively speaking. You see the same mistakes being made with many early Internet of Things manufacturers with brain-dead security mistakes, such as storing hard-coded encryption keys right on the devices themselves. Router manufacturers, as little as a few years ago, were still shipping with services open to the internet by default. They're STILL shipping devices with known, default passwords, mysterious backdoors, and all sorts of other vulnerabilities. You can probably point to any other industry and see the same lack of basic security knowledge and practices. It's not going to change until these issues are dragged, kicking and screaming, into the light of day... either by lawsuits, legislation, or simply too much bad press.
Irony: Agile development has too much inertia to be abandoned now.
Why is Boing Boing getting credit for an Ars Technica article?
Disagree. Proprietary software is just as buggy and sometimes extremely buggy. There may even be NDA agreements that forbid revealing any bugs to third parties.
Narrator:
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Business woman on plane:
Are there a lot of these kinds of accidents?
Narrator:
You wouldn't believe.
Business woman on plane:
Which car company do you work for?
Narrator:
A major one.
"If any question why we died, Tell them because our fathers lied."
There are arguments that can be made that state the stakes are higher now (due to the interconnectedness of systems), and it is plain that the attack surface of just about anything is larger, but those still are symptoms, not causes.
On the flip side of that, those with power and money have amassed more, and that interconnectedness plays to their advantage, resulting in the pseudo-regulated oligarchy we see across most industries and governments today.
The invisible hand of the free market is a hand that will push all to wrack and ruin if allowed to be completely free.
Silence is a state of mime.
Yeah. So when a proprietary hole is exposed no one will ever find out (Hacking Team). Your argument is invalid.
The problem with vulnerabilities is when you are in an organization where simple patching is overmanaged to death so that the patches are never applied in a timely manner.
As I have discovered, it is a lot better in a legal sense to leave things unpatched. The patching requires downtime, it adds nothing to business, it introduces risks to the system of a failed change. If the patching screws up, then YOU take the blame.
It is just MUCH easier to leave the vulnerability unpatched and tolerate getting hacked. Reason? Because then somebody else takes the blame. It wasn't you, Mr. System Admin, who broke the system, but someone else. Therefore, it's not your fault. You can walk away with your paycheck as the system explodes in the background. If you noticed the vulnerability and made plans to patch it, and it doesn't get patched due to some bureaucratic ITIL wrangling, you can just walk away from the car crash.
Patching vulnerabilities just isn't a priority for many IT environments.
READY.
PRINT ""+-0
we're talking about security exploits and the well-documented tendency for the guys in the corner office to hush things up rather than fix it, and you complain about "union campaign money" linked to deferred convictions. of whom? union bosses? don't you mean the corporate suits the union bosses hate, who are the decision makers on this topic?
do you even try to make sense when you spew your propaganda?
you're a moron. not a baseless insult. objectively true: your partisan obsession has so eclipsed whatever dim wattage your brain possesses that you can no longer think rationally on a topic
this is no defense of unions. there's plenty wrong with unions. but linking this topic to unions is a blind obsession. laughably moronic, objectively so
you are what is wrong with this country
partisanship so blind, no sense of reason can prevail in your empty skull
exactly what is wrong with this country
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The question is really how to educate dev teams in the auto industry. If they can be brought up to even modest levels of best practice (use of verification tools, test methods, asset versioning, etc) then at least quality can be improved going into the future. Also system separation should be the industry standard approach where critical and non-critical functions are not mixed together at all.
Given that many car owners never even respond to recalls on things like vehicle software, such vulnerabilities could live on for as long as those cars are on the road.
That's because manufacturers and dealers never notify them. At least in some countries owners have to regularly check manufacturer and government web sites for recall notices. And it has been proven that dealer service centers don't check for recall notices on vehicles when they have them in for service (I've personally experienced this with Honda service centers).
I think I'll walk, always against traffic, so I can see what's going to hit me. If you see my severed hand clutching a phone, be sure to upload the video before calling the cops.
“He’s not deformed, he’s just drunk!”
Seriously, whenever you have mission-critical control systems and networks, you _isolate_ them. As in _physical_ isolation. Anything else is asking for trouble and can charitably be described as grossly negligent. But apparently, this utter stupidity does get some people better bonuses, when it should get them a few decades in prison instead for criminally negligent homicide.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Obvious troll is obvious.
Well, hey, at least the open stuff can be fixed.
Oh, this is going to be wonderful..... I'll be running late. When I put the key in the ignition and turn it, the display will boot up and tell me, "Please wait, GM is installing 33 critical updates." Then it will want me to reboot the car.
Unless the car is a Google car and will drive itself, I really don't need a networked car. This is just going to end badly and make everyone late.
Says the lefty wingnut, right? Your comment history suggests this. How are you different from the stereotype you're ranting about?
He was referring to situations where unions prevent bad employees from being fired. The US car industry suffered greatly from this and from too much insulation from outside competition.
While a bad employee might explain specific cases, the problem is much broader. It's 'hard' to write secure, complex software in any context. I think the best solution for security is to avoid overcomplexity. We don't 'need' networked computers in cars, it's just that the powers that be, public and private, want our mobility tethered to them. We don't 'need' electronic braking and throttles either. I guess it is political after all.
Hey right wing dumbass.... Union people don't design the cars, nor do they decide to ignore problems with them.
As to insulation from competition: you mean like making sure that we didn't have a race to the bottom like we do now? Because 30 plus years of right wing economics have worked so well for everyone. Just look at how wages and productivity have gone up! Oh, wait. Productivity has gone through the roof and wages have gone nowhere.
Even the front runner in your own party gets that 'free trade' is a disaster you know. That the rest of the party establishment hates his guts is rather telling too.
NHTSA publishes a list of civil settlements here:
http://www.nhtsa.gov/Laws+&+Re...
Fiat Chrysler was recently fined for inadequate protections on Jeep gas tanks, but I did not see that on the page linked above - so the list isn't entirely current.
NHTSA may not be the fastest regulatory group out there, but they have shown a willingness to go after car companies that do not issue timely fixes for dangerous problems. Automotive software bugs will eventually kill people. Unfortunately, NHTSA probably won't care until then.
When I put the key in the ignition and turn it
I think you are living in the wrong century
Because the tech is invariably based on open Source and written by some unpaid intern.
Though it's probably not in the way that you intended, you do have a valid point. Far too many companies seem to piece together open source software then slap on some proprietary code, without adequately testing it. Since they are doing so to save development and licensing costs, it frequently ends up as a disaster.
That being said, many companies do spend some time in integrating open source software and do thorough testing. So the success or failure of open source software in such circumstances is more a product of the company's motivation and culture than an indicator of the quality of open source software.
Well, hey, at least the open stuff can be fixed.
What a load of rubbish, millions of vulnerable Android devices are out there in-use precisely because this is *not* the case.
...[M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them...
If it costs nothing to ignore security bugs that can cause car crashes and human injury, then clearly the cost of ignoring such bugs is far too low.
The question becomes, how can security bugs be made expensive to ignore and cheap to fix?
I think you are living in the wrong century
Yes.
Oh look, I'm at work. I'm going to stop the car and get out.
Oops. "Your car is installing 33 updates. Do not stop the engine. The car will shut down when the updates are complete."
The problem is that though the code can be fixed, it can't be installed.
Honestly, however, most of the vulnerable Android devices aren't fixed even when it's possible, because their users don't understand what they're doing. And the system was designed under the premise that they shouldn't.
But the code can be fixed. And may be in next year's model.
I think we've pushed this "anyone can grow up to be president" thing too far.
I want my car to be a stupid machine that I control via key ignition, steering wheel, brake pedal, and gas pedal. An electric power outlet inside my car would be great.
Do the executives have such a strong union?
https://en.wikipedia.org/wiki/Inverted_totalitarianism
unions do not have jack shit to do with ignoring car security
to try to shoehorn that obsession into this topic means you are a moron. not right wing, not left wing. just fucking retarded
there's nothing else to be said. keep trying to derail the topic with your low brain wattage partisan mental diarrhea. you're too dumb to talk to
At least there's an easy fix (as untenable as it would be to cause our government to do it):
1) $100,000 fine per incident of any unauthorized access to a vehicle through a remote mechanism (any mechanism, any access, no exceptions).
2) Force manufacturers to carry insurance to cover at least $1,000,000 in liability per car sold.
Problem solved... no more remotely exploitable surface for vehicles at all (too expensive for the manufacturer, until it's security-solid enough to afford the insurance). Won't fix general software bugs (which could still kill people), but would be immensely great for getting the scourge of telematic systems under control.
NDAs in proprietary software are there for a reason: to protect the software vendor against revelations that they have done wrong, all the way from copyright infringement (like breaking an open source license condition in their solution), backdoors, security shortcuts etc. If it possibly can exist, it will exist in the closed code.
Being involved in the car industry, I can agree with the observation. Just look at the Autosar platform: it's a collection of bugs in tight formation that has been sold to the car industry as the greatest solution since the invention of the stone axe. But for everyone who has been working with internet solutions it's revealed to be a very clunky solution that doesn't really improve things, it just adds overhead.
Today the car industry starts to look at Ethernet as a replacement for CAN, but then there are complaints about it causing a higher power consumption and therefore there's a "need" to do quirky solutions like separating traffic on VLANs on the same physical bus, and that separation into VLANs is enough to offer sufficient security against intrusions and overload attacks (intentional through malware or unintentional through bugs).
In addition to this, it's worth realizing that when you buy a car you only buy the hardware; you aren't permitted to know anything about the software. So essentially the manufacturer could say that you can keep the car but we have to erase the software in it, leaving you with a 2-ton shell of steel and plastics.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
This is the interesting challenge for the auto industry. As cars become more tech and less mechanical, so too will their methodologies need to shift from manufacturing to software development. You'd have to wonder if the traditional auto companies can change quickly enough to survive, or if Tesla, Google, Apple etc. will simply swallow them up with their expertise in this space.
From what I can gather, Apple and Google most certainly have an expertise which is a few orders of magnitude higher than the auto industry. Short of firing all the automotive CEOs and replacing them with geeks, I don't know how anyone can operate a significant shift in focus in less than 50 years.
I've worked for insurance, finance and distribution (I assume car companies to be as bad) and the state of the art is that none of those people have the first clue as to what computer science is, can bring to them or can take from them. They see a few wins (by looking around and copying ideas) and they don't want to pay for it.
So yeah, they end up with a badly glued patch of libraries (some open source, some not) and the end result is a collection of crap that has more bugs than features.
Write boring code, not shiny code!
Some are geeks who like to talk about the bugs they find instead of "milking them" in secrecy.
Some are whistleblowers from the inside.
Some are bad guys who simply like to brag: "I can remote-kill any post-2010 Ford, and do so on dark stormy nights..."
So the secrets will eventually get out. Automotive magazines will jump on the sensational news. And in bad cases, such as being able to crash (not merely stop) cars at will, there may be a forced recall. That is expensive. Having a programmer team working on finding & fixing such stuff is not expensive, not for a manufacturer that employs millions. Cheap insurance against recalls...
It's all kind of baffling. We have decades of experience that tells us that writing secure software is very difficult and that patching insecure software is expensive, inefficient, and largely ineffective. So the response -- and not just in the auto industry -- is to constantly add more questionably necessary complex hardware and software (Why do I need digital tire pressure indicators that do not work properly to replace $2 mechanical pressure-indicating Schrader valve caps?) and then express surprise that the result is vulnerable to digital attack.
Folks. I don't know how to break this to you. The "solutions" that don't work on the internet, with financial stuff, with dating sites, etc. probably aren't going to work in cars either.
What will work? Nothing most likely. But minimizing attack surfaces by air-gapping systems that don't need to talk to one another, making ROMs read-only with a physical programming switch, banishing anything that looks or works like JavaScript, and abandoning the odd notion that over-the-air updates can't -- by accident or hijacking -- simultaneously brick millions of vehicles might help. The result would be clunky and sort of mid-20th-centuryish. But it might be moderately secure. And implementing it might free up resources to deal with the inevitable similar problems in the rest of the digital world.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Blame the company. They change and rewrite the code for their needs with full intent to label bugs as WONTFIX. You want bug fixes Pal? Buy the new model.
Anything can be hacked because everything is made to be easily accessible to the dumb consumer who can't do anything with tech unless they are practically spoon fed the setup. There are ways to better secure anything but it involves more detailed access measures which would complicate matters for basically inept average users. Besides that, I would not trust a car maker to do any technology right and they are probably using older cheaper technology to save money. The more tech put into cars the more we are exposing the lax and weak security in them.
NDAs in proprietary software are there for a reason: to protect the software vendor against revelations that they have done wrong, all the way from copyright infringement (like breaking an open source license condition in their solution), backdoors, security shortcuts etc. If it possibly can exist, it will exist in the closed code.
NDAs only protect you so far. Once you enter into criminal territory the NDA won't be binding. Sure, you can still try to sue the one who broke the NDA, but they face jail time if they don't, and you don't have much of a case if you didn't inform them of your criminal activity before they signed it.
If you signed an NDA and then find out that your company keeps the leftovers of people they murdered in refrigerators in the basement, then the recommended course of action is to go to the police and tell them everything you know, regardless of the NDA.
Open source is not a problem; the unpaid intern that had to incorporate it into something else may be, however.
The android update model is based around your telecom companies pushing the update to your phone, not Google. I run a Nexus device specifically for this reason: I get updates from Google not my phone company. Just got the 5.1.1 patch (I'm on a two year old Nexus 4).
You are wrong, completely. We have FAR too much regulation. That regulation is pushed on the middle class and fully enforced there. If you are rich, or an illegal, they ignore the regulation. Is Clinton in jail for not following classified document handling? No. Would you be if you did the same? Yes. If you speed on the interstate do you get pulled over and fined? Yes. If you illegally come into the country will you be taken to jail and then deported for breaking the law? No.
We in the middle class see what regulation is for. It's for keeping us "in our place" while everyone else gets to benefit from not having to worry about it. Until you fix that problem you will always be wrong with the points you made.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
That is unrealistic and defeatist. Many customers (including myself) very much want some of the capabilities that come with network access and there is no reason it cannot be done utilizing good security practices and appropriate separation of function. I want a built in GPS with weather and traffic data overlays. I want to be able to monitor my car's performance with something more sophisticated than a check engine light. I want my car to be able to fix problems or add features without visiting a dealer. Maybe you don't and that's fine but pretending that this will go away and that networks will not be used on cars is foolish.
HOWEVER, I work in the auto industry and have for much of my career. The biggest problem the auto makers are going to have is that they are almost completely new to this sort of security and they have little to no security culture built around software development. This is not surprising, but it is a problem. Unlike the PC industry, which has had 30+ years of people attacking networks to learn from and a culture built around dealing with them, most of the security issues in the auto industry have revolved around physical security of the ignition system and doors. Network security is an entirely different animal, and the auto makers are going to have to transform themselves to some degree into software companies.
Based on my experience I think they are going to get a lot of painful and very expensive lessons. They tend not to acknowledge problems until they become public and embarrassing and expensive. That will have to change. They very much should be looking carefully at what Tesla is doing because something like that is probably the model for the future. Not saying they need to copy Tesla but they should be taking notes and seeing what works and what doesn't. Unfortunately the auto makers are run by guys (and girls) who are relatively old and most of whom have NO concept of computer network security so I think they are going to move too slowly for a while.
I just want my car to work.
Fair enough but that's a pretty vague statement. HOW do you want it to work? I suspect you and I might have different definitions for how we want our cars to work.
Why an Internet connection is necessary is beyond me.
It's not strictly necessary but it can be very useful. Furthermore asking that question is a little bit like my grandmother asking why email is useful when we can just send letters.
If a small convenience can give so much trouble I'd rather update at home or the garage using a wire, thank you.
Anything can be troublesome if it is badly designed. A wired connection instead of wireless just means the attack surface is different but there still is one.
@MacTO: "Though it's probably not in the way that you intended, you do have a valid point"
Seriously, a lot of commercial projects borrow heavily from Open Source and do get some lowly paid interns to write it. There's at least one HFT platform that owes a lot to Open Source. I know of at least one coder at the LSE who designed a 'Candlestick chart' application - using Ellipse.
I disagree, to me it's pretty clear what is going on here. The folks who make budgeting and resource planning decisions haven't the vaguest clue what is involved in writing software, let alone best security practices. All they see is developers that cost money.
The lead/principal/architect (whoever the head geek is) requests enough time to develop software that he/she considers reasonably secure. The suits freak out. The head geek is asked to quantify the expense. The suits see all this time spent making the software more secure. They ask the head geek to quantify the risk in terms of what is likely to happen if that time is not spent.
So here's the problem: Spending the time to make more secure software is DEFINITELY going to increase costs right now. Quantifying costs due to security problems once the product is in the wild is difficult at best and impossible at worst. So it's a matter of what is DEFINITELY going to cost money now and what MIGHT cost money in the future. The suits tell the head geek that if there are problems after it ships they'll release a patch. The head geek reminds the suits that security problems are much cheaper to fix before release than after. The suits ignore him and get a bonus for keeping expenses low, by skimping on development time.
The fact that you can't predict security problems with any reasonable degree of accuracy is the issue. The suits don't like spending money on something that MIGHT happen. Remember, this is an industry that at one time determined it was cheaper to let people die than fix a problem.
Never underestimate the power of stupid people in large groups.
The ability to remotely reach into the car over the Internet and do anything is a really dumb idea guided by car makers looking for a misguided way to fit into the information economy. At the very least, it should be required that the car have a driver-accessible 'uplink' switch which disables the thing. The default position should be reset to no access at each engine restart. Maybe it can turn itself on automagically on an airbag deployment. This should include anything that can access the car from outside, including at close range. Maybe a graduated switch with cell, wifi, bluetooth, and tire sensors in that order. (We really have a problem here if we have that many access paths to think about. Sigh.)
That said, to complain that the on-board debug connector is attack surface is like complaining that a PC is vulnerable because it has a backplane connector with DMA access. Well, yes, but that's not a bug, it's a feature to be carefully managed. You have to have physical access to the car to use it. Once you have physical access, the game is pretty much over. One could make a 'cover our can' device to lock the connector, but that is likely to not even buy much time. This has been a problem since before electronics. Electronics just increase the possibilities of what can be done.
The basic premise of the article seems plausible: that car makers have the economic incentive to do the wrong thing. A mandated uplink switch seems a small thing to do to help correct this problem. It needs to be implemented in hardware, with no software in the path. (I'm thinking a power switch to turn off the communications devices.)
To advertise your old beater as air-gapped and secure.
No, like all new tech: security by obscurity...
Thing is, why is there "car" tech in the first place? What's wrong with running a steel cable to control the gas pedal? Computer controlled brakes? Sure. That way no one has to learn how to stop their car anymore. But, in time, some hacker will stand on a bridge, hit a button and all cars will "go fast, turn left". When there is no left.
Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
I don't think you understand how hard it is to write secure software. It's really, REALLY hard. If it were easy or even moderately difficult, surely Windows would be -- after a decade of regular security patches -- exploit proof.
OTOH, trying to write more secure software, probably won't do any harm and might do some good.
Which is why I used "more secure" instead of "secure" above; I realize that security is hard. However, security is almost certainly hurt when you cut development time because the suits don't give a fuck about security.
Wouldn't a simpler solution be to make it not so complex?
Uh...mechanical is tech. Sometimes high tech. Suspensions don't just magically pop out of the ground.
When building something physical, you have to look at it from a systems perspective like the aerospace industry does. The FAA doesn't certify software; they certify a system as a whole. When you do this, security (or safety in safety-critical systems) becomes much simpler. Don't want a bug in your SDR-based entertainment system crashing your ABS? Then don't have a physical path between them.
Engineering interns are not unpaid. In my experience, they were so well paid that people dropped out of college and continued on as engineering aides.
I don't know about MS Sync; I think Sync is the name of the application, which runs on top of Windows CE and MS Auto. My recollection could be wrong -- I've tried incredibly hard to forget everything I've ever known about WinCE, but I think WinCE and maybe MS Auto are "Shared Source", where you can obtain the source.
QNX is definitely open-source.
Yeah sure, but physical parts are 19th century tech, Agile Software Development is 21st century. One of those is much better placed to eat the other.
The classic example of "why does my radio need to talk to the engine?" is that feature in some cars where the volume automatically adjusts based on speed, so when you hit highway speeds you can still hear the music that was at a comfortable volume at a stoplight. So what? Don't talk to the engine; use a microphone to pick up the noise level and adjust accordingly.