Slashdot Mirror


Why Car Info Tech Is So Thoroughly At Risk

Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.

8 of 192 comments

  1. Security - One Industry at a Time by Dutch+Gun · Score: 5, Interesting

    A significant problem is that computer-related security lessons seem to have to be learned from the ground up, industry by industry. Contrary to this, the smartphone industry (especially Apple) has relatively sophisticated security in both hardware and software, and I think it was because they could learn a lot of valuable lessons from their experience with the PC. As a result, iOS users enjoy a relatively malware-free system.

    The automobile industry, on the other hand, is probably somewhere in the early 2000s mindset, comparatively speaking. You see the same mistakes being made with many early Internet of Things manufacturers with brain-dead security mistakes, such as storing hard-coded encryption keys right on the devices themselves. Router manufacturers, as little as a few years ago, were still shipping with services open to the internet by default. They're STILL shipping devices with known, default passwords, mysterious backdoors, and all sorts of other vulnerabilities. You can probably point to any other industry and see the same lack of basic security knowledge and practices. It's not going to change until these issues are dragged, kicking and screaming, into the light of day... either by lawsuits, legislation, or simply too much bad press.

    --
    Irony: Agile development has too much inertia to be abandoned now.
    1. Re:Security - One Industry at a Time by Dutch+Gun · Score: 4, Interesting

      Oh, I'm sure that's part of it, but certainly not the entire story. You should skim over iOS's security whitepaper sometime if you don't believe there's a hell of a lot of security features built into the hardware and software at a *very* deep level. It's actually quite impressive. Keep in mind that the ability to root your phone doesn't necessarily invalidate all the other protections provided for the average user.

      To start with, consider the notion of selective application permissions with user consent, compared to the "give this application all access to all resources" model with the PC. Applications are isolated from each other, which gives less flexibility, but also helps to prevent a rogue app from spreading itself everywhere on the system. The system is hardware-encrypted by default until you turn the device on (using a secure boot chain) and unlock it, meaning you can't simply pry the device apart and read the flash memory. And that's just what I can think of off the top of my head.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. The ITIL approach sucks for security by Neo-Rio-101 · Score: 4, Interesting

    The problem with vulnerabilities is when you are in an organization where simple patching is overmanaged to death so that the patches are never applied in a timely manner.

    As I have discovered, it is a lot better in a legal sense to leave things unpatched. The patching requires downtime, it adds nothing to business, it introduces risks to the system of a failed change. If the patching screws up, then YOU take the blame.

    It is just MUCH easier to leave the vulnerability unpatched and tolerate getting hacked. Reason? Because then somebody else takes the blame. It wasn't you, Mr. System Admin, who broke the system, but someone else. Therefore, it's not your fault. You can walk away with your paycheck as the system explodes in the background. If you noticed the vulnerability and made plans to patch it, and it doesn't get patched due to some bureaucratic ITIL wrangling, you can just walk away from the car crash.

    Patching vulnerabilities just isn't a priority for many IT environments.

    --
    READY.
    PRINT ""+-0
    1. Re: The ITIL approach sucks for security by FranTaylor · Score: 4, Interesting

      They had to be dragged kicking and screaming

      by people who had money on the line and had the ability to drag and kick. this is how the system works

  3. Re:same as it ever was by circletimessquare · Score: 2, Interesting

    we're talking about security exploits and the well-documented tendency for the guys in the corner office to hush things up rather than fix it, and you complain about "union campaign money" linked to deferred convictions. of whom? union bosses? don't you mean the corporate suits the union bosses hate, who are the decision makers on this topic?

    do you even try to make sense when you spew your propaganda?

    you're a moron. not a baseless insult. objectively true: your partisan obsession has so eclipsed whatever dim wattage your brain possesses that you can no longer think rationally on a topic

    this is no defense of unions. there's plenty wrong with unions. but linking this topic to unions is a blind obsession. laughably moronic, objectively so

    you are what is wrong with this country

    partisanship so blind, no sense of reason can prevail in your empty skull

    exactly what is wrong with this country

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Re:Also, who does not separate drive control? by FranTaylor · Score: 1, Interesting

    Yeah, and? They could stick a bomb on the car, so why worry about what firmware they might flash?

    they don't need to leave physical evidence. they can leave an invisible logic bomb that will erase itself and leave no trace. why leave behind a physical bomb? why? it makes no sense.

    "security theater" is worse than useless because you think you are secure and you let down your guard. you put in separate networks and you think you've solved the problem. wrong! you just prod the hackers to find new vectors.

  5. Re:Why car info tech is so thoroughly at risk .. by MacTO · Score: 5, Interesting

    Because the tech is invariably based on open source and written by some unpaid intern.

    Though it's probably not in the way that you intended, you do have a valid point. Far too many companies seem to piece together open source software then slap on some proprietary code, without adequately testing it. Since they are doing so to save development and licensing costs, it frequently ends up as a disaster.

    That being said, many companies do spend some time in integrating open source software and do thorough testing. So the success or failure of open source software in such circumstances is more a product of the company's motivation and culture than an indicator of the quality of open source software.

  6. Re:Why car info tech is so thoroughly at risk .. by vtcodger · Score: 5, Interesting

    It's all kind of baffling. We have decades of experience that tells us that writing secure software is very difficult and that patching insecure software is expensive, inefficient, and largely ineffective. So the response -- and not just in the auto industry -- is to constantly add more questionably necessary complex hardware and software (Why do I need digital tire pressure indicators that do not work properly to replace $2 mechanical pressure-indicating Schrader valve caps?) and then express surprise that the result is vulnerable to digital attack.

    Folks. I don't know how to break this to you. The "solutions" that don't work on the internet, with financial stuff, with dating sites, etc. probably aren't going to work in cars either.

    What will work? Nothing, most likely. But minimizing attack surfaces by air-gapping systems that don't need to talk to one another, making ROMs read-only with a physical programming switch, banishing anything that looks or works like JavaScript, and abandoning the odd notion that over-the-air updates can't -- by accident or hijacking -- simultaneously brick millions of vehicles might help. The result would be clunky and sort of mid-20th-century-ish. But it might be moderately secure. And implementing it might free up resources to deal with the inevitable similar problems in the rest of the digital world.

    --
    You can't see ANYTHING from a car. You've got to get out of the goddamned contraption and walk... -- Edward Abbey