Why Car Info Tech Is So Thoroughly At Risk
Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars:
"[M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs."
Because the tech is invariably based on open source and written by some unpaid intern.
Pinto, Corvair, etc. ... can't convict them due to Union campaign money.
and thousands of people die the same moment because some terrorist pressed a button. Of course, well informed, as the big data terrorist is, they will find out whether you are a Muslim and your wife wears a burqa with even their ankle being covered all day; they will spare your car if you are one.
We only see risks where we've seen the risk actually causing harm. This is also a reason why it's so hard to find motivation to fight against climate change.
http://www.nydailynews.com/news/national/conspiracy-theories-abound-michael-hastings-death-article-1.1377392
Makes you wonder if something like this might already be happening when steering wheels, GPS, independent brake control, and throttle control can all be hacked these days by getting on the CAN bus and issuing valid sequences.
http://www.nytimes.com/2011/03/10/business/10hack.html
Really not too far fetched to think that someone could be taken out by a little CAN-bus device that waited for a particular geo-location and then jammed the throttle to full and yanked the wheel and brakes into a building or tree.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
A significant problem is that computer-related security lessons seem to have to be learned from the ground up, industry by industry. Contrary to this, the smartphone industry (especially Apple) has relatively sophisticated security in both hardware and software, and I think it was because they could learn a lot of valuable lessons from their experience with the PC. As a result, iOS users enjoy a relatively malware-free system.
The automobile industry, on the other hand, is probably somewhere in the early 2000s mindset, comparatively speaking. You see the same mistakes being made with many early Internet of Things manufacturers, with brain-dead security mistakes such as storing hard-coded encryption keys right on the devices themselves. Router manufacturers, as little as a few years ago, were still shipping with services open to the internet by default. They're STILL shipping devices with known, default passwords, mysterious backdoors, and all sorts of other vulnerabilities. You can probably point to any other industry and see the same lack of basic security knowledge and practices. It's not going to change until these issues are dragged, kicking and screaming, into the light of day... either by lawsuits, legislation, or simply too much bad press.
Irony: Agile development has too much inertia to be abandoned now.
Why is Boing Boing getting credit for an Ars Technica article?
Narrator:
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Business woman on plane:
Are there a lot of these kinds of accidents?
Narrator:
You wouldn't believe.
Business woman on plane:
Which car company do you work for?
Narrator:
A major one.
"If any question why we died, Tell them because our fathers lied."
There are arguments that can be made that state the stakes are higher now (due to the interconnectedness of systems), and it is plain that the attack surface of just about anything is larger, but those still are symptoms, not causes.
On the flip side of that, those with power and money have amassed more, and that interconnectedness plays to their advantage, resulting in the pseudo-regulated oligarchy we see across most industries and governments today.
The invisible hand of the free market is a hand that will push all to wrack and ruin if allowed to be completely free.
Silence is a state of mime.
The problem with vulnerabilities is when you are in an organization where simple patching is overmanaged to death so that the patches are never applied in a timely manner.
As I have discovered, it is a lot better in a legal sense to leave things unpatched. The patching requires downtime, it adds nothing to business, it introduces risks to the system of a failed change. If the patching screws up, then YOU take the blame.
It is just MUCH easier to leave the vulnerability unpatched and tolerate getting hacked. Reason? Because then somebody else takes the blame. It wasn't you, Mr. System Admin, who broke the system, but someone else. Therefore, it's not your fault. You can walk away with your paycheck as the system explodes in the background. If you noticed the vulnerability and made plans to patch it, and it doesn't get patched due to some bureaucratic ITIL wrangling, you can just walk away from the car crash.
Patching vulnerabilities just isn't a priority for many IT environments.
The question is really how to educate dev teams in the auto industry. If they can be brought up to even modest levels of best practice (use of verification tools, test methods, asset versioning, etc) then at least quality can be improved going into the future. Also system separation should be the industry standard approach where critical and non-critical functions are not mixed together at all.
Given that many car owners never even respond to recalls on things like vehicle software, such vulnerabilities could live on for as long as those cars are on the road.
That's because manufacturers and dealers never notify them. At least in some countries owners have to regularly check manufacturer and government web sites for recall notices. And it has been proven that dealer service centers don't check for recall notices on vehicles when they have them in for service (I've personally experienced this with Honda service centers).
I think I'll walk, always against traffic, so I can see what's going to hit me. If you see my severed hand clutching a phone, be sure to upload the video before calling the cops.
“He’s not deformed, he’s just drunk!”
Seriously, whenever you have mission-critical control systems and networks, you _isolate_ them. As in _physical_ isolation. Anything else is asking for trouble and can charitably be described as grossly negligent. But apparently, this utter stupidity does get some people better bonuses, when it should get them a few decades in prison instead for criminally negligent homicide.
Oh, this is going to be wonderful..... I'll be running late. When I put the key in the ignition and turn it, the display will boot up and tell me, "Please wait, GM is installing 33 critical updates." Then it will want me to reboot the car.
Unless the car is a Google car and will drive itself, I really don't need a networked car. This is just going to end badly and make everyone late.
NHTSA publishes a list of civil settlements here:
http://www.nhtsa.gov/Laws+&+Re...
Fiat Chrysler was recently fined for inadequate protections on Jeep gas tanks, but I did not see that on the page linked above - so the list isn't entirely current.
NHTSA may not be the fastest regulatory group out there, but they have shown a willingness to go after car companies that do not issue timely fixes for dangerous problems. Automotive software bugs will eventually kill people. Unfortunately, NHTSA probably won't care until then.
When I put the key in the ignition and turn it
I think you are living in the wrong century
"...[M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them..."
If it costs nothing to ignore security bugs that can cause car crashes and human injury, then clearly the cost of ignoring such bugs is far too low.
The question becomes, how can security bugs be made expensive to ignore and cheap to fix?
I think you are living in the wrong century
Yes.
Oh look, I'm at work. I'm going to stop the car and get out.
Oops. "Your car is installing 33 updates. Do not stop the engine. The car will shut down when the updates are complete."
I want my car to be a stupid machine that I control via key ignition, steering wheel, brake pedal, and gas pedal. An electric power outlet inside my car would be great.
At least there's an easy fix (as untenable as it would be to cause our government to do it):
1) $100,000 fine per incident of any unauthorized access to a vehicle through a remote mechanism (any mechanism, any access, no exceptions).
2) Force manufacturers to carry insurance to cover at least $1,000,000 in liability per car sold.
Problem solved... no more remotely exploitable surface for vehicles at all (too expensive for the manufacturer, until it's security-solid enough to afford the insurance). Won't fix general software bugs (which could still kill people), but would be immensely great for getting the scourge of telematic systems under control.
Some are geeks who like to talk about the bugs they find instead of "milking them" in secrecy.
Some are whistleblowers from the inside.
Some are bad guys who simply like to brag: "I can remote-kill any post-2010 Ford, and do so on dark stormy nights..."
So the secrets will eventually get out. Automotive magazines will jump on the sensational news. And in bad cases, such as being able to crash (not merely stop) cars at will, there may be a forced recall. That is expensive. Having a programmer team working on finding & fixing such stuff is not expensive, not for a manufacturer that employs millions. Cheap insurance against recalls...
Anything can be hacked because everything is made to be easily accessible to the dumb consumer who can't do anything with tech unless they are practically spoon fed the setup. There are ways to better secure anything but it involves more detailed access measures which would complicate matters for basically inept average users. Besides that, I would not trust a car maker to do any technology right and they are probably using older cheaper technology to save money. The more tech put into cars the more we are exposing the lax and weak security in them.
You are wrong, completely. We have FAR too much regulation. That regulation is pushed on the middle class and fully enforced there. If you are rich, or an illegal, they ignore the regulation. Is Clinton in jail for not following classified document handling? No. Would you be if you did the same? Yes. If you speed on the interstate do you get pulled over and fined? Yes. If you illegally come into the country will you be taken to jail and then deported for breaking the law? No.
We in the middle class see what regulation is for. It's for keeping us "in our place" while everyone else gets to benefit from not having to worry about it. Until you fix that problem you will always be wrong with the points you made.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
That is unrealistic and defeatist. Many customers (including myself) very much want some of the capabilities that come with network access and there is no reason it cannot be done utilizing good security practices and appropriate separation of function. I want a built in GPS with weather and traffic data overlays. I want to be able to monitor my car's performance with something more sophisticated than a check engine light. I want my car to be able to fix problems or add features without visiting a dealer. Maybe you don't and that's fine but pretending that this will go away and that networks will not be used on cars is foolish.
HOWEVER, I work in the auto industry and have for much of my career. The biggest problem the auto makers are going to have is that they are almost completely new to this sort of security and they have little to no security culture built around software development. This is not surprising but it is a problem. The PC industry, by contrast, has had 30+ years of people attacking networks to learn from and a culture built around dealing with them. Most of the security issues in the auto industry have revolved around physical security of the ignition system and doors. Network security is an entirely different animal and the auto makers are going to have to transform themselves to some degree into software companies.
Based on my experience I think they are going to get a lot of painful and very expensive lessons. They tend not to acknowledge problems until they become public and embarrassing and expensive. That will have to change. They very much should be looking carefully at what Tesla is doing because something like that is probably the model for the future. Not saying they need to copy Tesla but they should be taking notes and seeing what works and what doesn't. Unfortunately the auto makers are run by guys (and girls) who are relatively old and most of whom have NO concept of computer network security so I think they are going to move too slowly for a while.
I just want my car to work.
Fair enough but that's a pretty vague statement. HOW do you want it to work? I suspect you and I might have different definitions for how we want our cars to work.
Why an Internet connection is necessary is beyond me.
It's not strictly necessary but it can be very useful. Furthermore asking that question is a little bit like my grandmother asking why email is useful when we can just send letters.
If a small convenience can give so much trouble I'd rather update at home or the garage using a wire, thank you.
Anything can be troublesome if it is badly designed. A wired connection instead of wireless just means the attack surface is different but there still is one.
The ability to remotely reach into the car over the Internet and do anything is a really dumb idea guided by car makers looking for a misguided way to fit into the information economy. At the very least, it should be required that the car have a driver-accessible 'uplink' switch which disables the thing. The default position should be reset to no access at each engine restart. Maybe it can turn itself on automagically on an airbag deployment. This should include anything that can access the car from outside, including at close range. Maybe a graduated switch with cell, wifi, bluetooth, and tire sensors in that order. (We really have a problem here if we have that many access paths to think about. Sigh.)
That said, to complain that the on-board debug connector is attack surface is like complaining that a PC is vulnerable because it has a backplane connector with DMA access. Well, yes, but that's not a bug, it's a feature to be carefully managed. You have to have physical access to the car to use it. Once you have physical access, the game is pretty much over. One could make a 'cover our can' device to lock the connector, but that is likely to not even buy much time. This has been a problem since before electronics. Electronics just increase the possibilities of what can be done.
The basic premise of the article seems plausible: that car makers have the economic incentive to do the wrong thing. A mandated uplink switch seems a small thing to do to help correct this problem. It needs to be implemented in hardware, with no software in the path. (I'm thinking a power switch to turn off the communications devices.)
To advertise your old beater as air-gapped and secure.
Wouldn't a simpler solution be to make it not so complex?
The classic example of "why does my radio need to talk to the engine?" is that feature in some cars where the volume automatically adjusts based on speed, so when you hit highway speeds you can still hear the music that was a comfortable volume at a stoplight. So what? Don't talk to the engine; use a microphone to pick up the noise level and adjust accordingly.