Why Car Info Tech Is So Thoroughly At Risk
Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
and thousands of people die the same moment because some terrorist pressed a button. Of course, well informed, as the big data terrorist is, they will find out whether you are a Muslim and your wife wears a burqa with even their ankle being covered all day, they will spare your car if you are one.
We only see risks where we've seen the risk actually causing harm. This is also a reason why it's so hard to find motivation to fight against climate change.
http://www.nydailynews.com/news/national/conspiracy-theories-abound-michael-hastings-death-article-1.1377392
Makes you wonder if something like this might already be happening when steering wheels, GPS, independent brake control, throttle control can all be hacked these days by getting on the CAN bus and issuing valid sequences.
http://www.nytimes.com/2011/03/10/business/10hack.html
Really not too far fetched to think that someone could be taken out by a little CAN-bus device that waited for a particular geo-location and then jammed the throttle to full and yanked the wheel and brakes into a building or tree.
Because the tech is invariably based on open source and written by some unpaid intern.
At least the open source part isn't even just a joke. Had a rented car once, and when clicking through the info-tainment system there was a "copyright" menu, which brought up all sorts of open-source licenses.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
-- Thou hast strayed far from the path of the Avatar.
A significant problem is that computer-related security lessons seem to have to be learned from the ground up, industry by industry. Contrary to this, the smartphone industry (especially Apple) has relatively sophisticated security in both hardware and software, and I think it was because they could learn a lot of valuable lessons from their experience with the PC. As a result, iOS users enjoy a relatively malware-free system.
The automobile industry, on the other hand, is probably somewhere in the early 2000's mindset, comparatively speaking. You see the same mistakes being made with many early Internet of Things manufacturers with brain-dead security mistakes, such as storing hard-coded encryption keys right on the devices themselves. Router manufacturers, as little as a few years ago, were still shipping with services open to the internet by default. They're STILL shipping devices with known, default passwords, mysterious backdoors, and all sorts of other vulnerabilities. You can probably point to any other industry and see the same lack of basic security knowledge and practices. It's not going to change until these issues are dragged, kicking and screaming, into the light of day... either by lawsuits, legislation, or simply too much bad press.
Irony: Agile development has too much inertia to be abandoned now.
Disagree. Proprietary software is just as buggy and sometimes extremely buggy. There may even be NDA agreements that forbid revealing any bugs to third parties.
Narrator:
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Business woman on plane:
Are there a lot of these kinds of accidents?
Narrator:
You wouldn't believe.
Business woman on plane:
Which car company do you work for?
Narrator:
A major one.
"If any question why we died, Tell them because our fathers lied."
There are arguments that can be made that state the stakes are higher now (due to the interconnectedness of systems), and it is plain that the attack surface of just about anything is larger, but those still are symptoms, not causes.
On the flip side of that, those with power and money have amassed more, and that interconnectedness plays to their advantage, resulting in the pseudo-regulated oligarchy we see across most industries and governments today.
The invisible hand of the free market is a hand that will push all to wrack and ruin if allowed to be completely free.
Silence is a state of mime.
Yeah. So when a proprietary hole is exposed no one will ever find out (Hacking Team). Your argument is invalid.
The problem with vulnerabilities is when you are in an organization where simple patching is overmanaged to death so that the patches are never applied in a timely manner.
As I have discovered, it is a lot better in a legal sense to leave things unpatched. The patching requires downtime, it adds nothing to business, it introduces risks to the system of a failed change. If the patching screws up, then YOU take the blame.
It is just MUCH easier to leave the vulnerability unpatched and tolerate getting hacked. Reason? Because then somebody else takes the blame. It wasn't you, Mr. System Admin, who broke the system, but someone else. Therefore, it's not your fault. You can walk away with your paycheck as the system explodes in the background. If you noticed the vulnerability and made plans to patch it, and it doesn't get patched due to some bureaucratic ITIL wrangling, you can just walk away from the car crash.
Patching vulnerabilities just isn't a priority for many IT environments.
READY.
PRINT ""+-0
we're talking about security exploits and the well-documented tendency for the guys in the corner office to hush things up rather than fix it, and you complain about "union campaign money" linked to deferred convictions. of whom? union bosses? don't you mean the corporate suits the union bosses hate, who are the decision makers on this topic?
do you even try to make sense when you spew your propaganda?
you're a moron. not a baseless insult. objectively true: your partisan obsession has so eclipsed whatever dim wattage your brain possesses that you can no longer think rationally on a topic
this is no defense of unions. there's plenty wrong with unions. but linking this topic to unions is a blind obsession. laughably moronic, objectively so
you are what is wrong with this country
partisanship so blind, no sense of reason can prevail in your empty skull
exactly what is wrong with this country
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I think I'll walk, always against traffic, so I can see what's going to hit me. If you see my severed hand clutching a phone, be sure to upload the video before calling the cops.
“He’s not deformed, he’s just drunk!”
Seriously, whenever you have mission-critical control systems and networks, you _isolate_ them. As in _physical_ isolation. Anything else is asking for trouble and can charitably be described as grossly negligent. But apparently, this utter stupidity does get some people better bonuses, when it should get them a few decades in prison instead for criminally negligent homicides.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The question is really how to educate dev teams in the auto industry. If they can be brought up to even modest levels of best practice (use of verification tools, test methods, asset versioning, etc) then at least quality can be improved going into the future. Also system separation should be the industry standard approach where critical and non-critical functions are not mixed together at all.
"can" and "should" are meaningless words without government regulation to back them up
Obvious troll is obvious.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Well, hey, at least the open stuff can be fixed.
Oh this is going to be wonderful..... I'll be running late. When I put the key in the ignition and turn it, the display will boot up and tell me, "Please wait, GM is installing 33 critical updates." Then it will want me to reboot the car.
Unless the car is a Google car and will drive itself, I really don't need a networked car. This is just going to end badly and make everyone late.
Says the lefty wingnut, right? Your comment history suggests this. How are you different from the stereotype you're ranting about?
He was referring to situations where unions prevent bad employees from being fired. The US car industry suffered greatly from this and from too much insulation from outside competition.
While a bad employee might explain specific cases, the problem is much broader. It's 'hard' to write secure, complex software in any context. I think the best solution for security is to avoid overcomplexity. We don't 'need' networked computers in cars, it's just that the powers that be, public and private, want our mobility tethered to them. We don't 'need' electronic braking and throttles either. I guess it is political after all.
Hey right wing dumbass.... Union people don't design the cars, nor do they decide to ignore problems with them.
As to insulation from competition: you mean like making sure that we didn't have a race to the bottom like we do now? Because 30 plus years of right wing economics have worked so well for everyone. Just look at how wages and productivity have gone up! Oh, wait. Productivity has gone through the roof and wages have gone nowhere.
Even the front runner in your own party gets that 'free trade' is a disaster you know. That the rest of the party establishment hates his guts is rather telling too.
NHTSA publishes a list of civil settlements here:
http://www.nhtsa.gov/Laws+&+Re...
Fiat Chrysler was recently fined for inadequate protections on Jeep gas tanks, but I did not see that on the page linked above - so the list isn't entirely current.
NHTSA may not be the fastest regulatory group out there, but they have shown a willingness to go after car companies that do not issue timely fixes for dangerous problems. Automotive software bugs will eventually kill people. Unfortunately, NHTSA probably won't care until then.
When I put the key in the ignition and turn it
I think you are living in the wrong century
Because the tech is invariably based on open source and written by some unpaid intern.
Though it's probably not in the way that you intended, you do have a valid point. Far too many companies seem to piece together open source software then slap on some proprietary code, without adequately testing it. Since they are doing so to save development and licensing costs, it frequently ends up as a disaster.
That being said, many companies do spend some time in integrating open source software and do thorough testing. So the success or failure of open source software in such circumstances is more a product of the company's motivation and culture than an indicator of the quality of open source software.
...M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them...
If it costs nothing to ignore security bugs that can cause car crashes and human injury, then clearly the cost of ignoring such bugs is far too low.
The question becomes, how can security bugs be made expensive to ignore and cheap to fix?
I think you are living in the wrong century
Yes.
Oh look, I'm at work. I'm going to stop the car and get out.
Oops. "Your car is installing 33 updates. Do not stop the engine. The car will shut down when the updates are complete."
The problem is that though the code can be fixed, it can't be installed.
Honestly, however, most of the vulnerable Android devices aren't fixed even when it's possible, because their users don't understand what they're doing. And the system was designed under the premise that they shouldn't.
But the code can be fixed. And may be in next year's model.
I think we've pushed this "anyone can grow up to be president" thing too far.
I want my car to be a stupid machine that I control via key ignition, steering wheel, brake pedal, and gas pedal. An electric power outlet inside my car would be great.
Do the executives have such a strong union?
https://en.wikipedia.org/wiki/Inverted_totalitarianism
unions do not have jack shit to do with ignoring car security
to try to shoehorn that obsession into this topic means you are a moron. not right wing, not left wing. just fucking retarded
there's nothing else to be said. keep trying to derail the topic with your low brain wattage partisan mental diarrhea. you're too dumb to talk to
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
At least there's an easy fix (as untenable as it would be to cause our government to do it):
1) $100,000 fine per incident of any unauthorized access to a vehicle through a remote mechanism (any mechanism, any access, no exceptions).
2) Force manufacturers to carry insurance to cover at least $1,000,000 in liability per car sold.
Problem solved... no more remotely exploitable surface for vehicles at all (too expensive for the manufacturer, until it's security-solid enough to afford the insurance). Won't fix general software bugs (which could still kill people), but would be immensely great for getting the scourge of telematic systems under control.
NDAs in proprietary software are there for a reason - to protect the software vendor against revelations that they have done wrong, all the way from copyright infringement (like breaking an open source license condition in their solution), backdoors, security shortcuts etc. If it possibly can exist it will exist in the closed code.
Being involved in the car industry, I can agree with the observation. Just look at the Autosar platform, it's a collection of bugs in tight formation that has been sold to the car industry as the greatest solution since the invention of the stone axe. But for everyone that has been working with internet solutions it's revealed to be a very clunky solution that doesn't really improve things, it just adds overhead.
Today the car industry starts to look at Ethernet as a replacement for CAN, but then there are complaints about it causing a higher power consumption and therefore there's a "need" to do quirky solutions like separating traffic on VLANs on the same physical bus, and that separation into VLANs is enough to offer sufficient security against intrusions and overload attacks (intentional through malware or unintentional through bugs).
In addition to this it's worth realizing that when you buy a car you only buy the hardware, you aren't permitted to know anything about the software. So essentially the manufacturer could say that you can keep the car but we have to erase the software in it - leaving you with a 2 ton shell of steel and plastics.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
This is the interesting challenge for the auto industry. As cars become more tech and less mechanical, so too will their methodologies need to shift from manufacturing to software development. You'd have to wonder if the traditional auto companies can change quickly enough to survive, or if Tesla, Google, Apple etc will simply swallow them up with their expertise in this space?
From what I can gather, Apple and Google most certainly have an expertise which is a few orders of magnitude higher than the auto industry. Short of firing all the automotive CEOs and replacing them with geeks, I don't know how anyone can operate a significant shift in focus in less than 50 years.
I've worked for insurance, finance and distribution (I assume car companies to be as bad) and the state of the art is that none of those people have the first clue as to what computer science is, can bring to them or can take from them. They see a few wins (by looking around and copying ideas) and they don't want to pay for it.
So yeah, they end up with a badly glued patch of libraries (some open source, some not) and the end result is a collection of crap that has more bugs than features.
Write boring code, not shiny code!
It's all kind of baffling. We have decades of experience that tells us that writing secure software is very difficult and that patching insecure software is expensive, inefficient, and largely ineffective. So the response -- and not just in the auto industry -- is to constantly add more questionably necessary complex hardware and software (Why do I need digital tire pressure indicators that do not work properly to replace $2 mechanical pressure indicating Schrader valve caps?) and then express surprise that the result is vulnerable to digital attack.
Folks. I don't know how to break this to you. The "solutions" that don't work on the internet, with financial stuff, with dating sites, etc probably aren't going to work in cars either..
What will work? Nothing most likely. But minimizing attack surfaces by air gapping systems that don't need to talk to one another, making ROMs read only with a physical programming switch, banishing anything that looks or works like javascript, abandoning the odd notion that over the air updates can't -- by accident or hijacking -- simultaneously brick millions of vehicles might help. The result would be clunky and sort of mid-20th centuryish. But it might be moderately secure.. And implementing it might free up resources to deal with the inevitable similar problems in the rest of the digital world.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Blame the company. They change and rewrite the code for their needs with full intent to label bugs as WONTFIX. You want bug fixes Pal? Buy the new model.
open source is not a problem - unpaid intern that had to incorporate it into something else may be however.
Someone in the car industry needs to stand up and say "There will be no networked computers in my vehicles."
That is unrealistic and defeatist. Many customers (including myself) very much want some of the capabilities that come with network access and there is no reason it cannot be done utilizing good security practices and appropriate separation of function. I want a built in GPS with weather and traffic data overlays. I want to be able to monitor my car's performance with something more sophisticated than a check engine light. I want my car to be able to fix problems or add features without visiting a dealer. Maybe you don't and that's fine but pretending that this will go away and that networks will not be used on cars is foolish.
HOWEVER, I work in the auto industry and have for much of my career. The biggest problem the auto makers are going to have is that they are almost completely new to this sort of security and they have little to no security culture built around software development. This is not surprising but it is a problem. Unlike the PC industry, which has had 30+ years of people attacking networks to learn from and a culture built around dealing with them, most of the security issues in the auto industry have revolved around physical security of the ignition system and doors. Network security is an entirely different animal and the auto makers are going to have to transform themselves to some degree into software companies.
Based on my experience I think they are going to get a lot of painful and very expensive lessons. They tend not to acknowledge problems until they become public and embarrassing and expensive. That will have to change. They very much should be looking carefully at what Tesla is doing because something like that is probably the model for the future. Not saying they need to copy Tesla but they should be taking notes and seeing what works and what doesn't. Unfortunately the auto makers are run by guys (and girls) who are relatively old and most of whom have NO concept of computer network security so I think they are going to move too slowly for a while.
I just want my car to work.
Fair enough but that's a pretty vague statement. HOW do you want it to work? I suspect you and I might have different definitions for how we want our cars to work.
Why an Internet connection is necessary is beyond me.
It's not strictly necessary but it can be very useful. Furthermore asking that question is a little bit like my grandmother asking why email is useful when we can just send letters.
If a small convenience can give so much trouble I'd rather update at home or the garage using a wire, thank you.
Anything can be troublesome if it is badly designed. A wired connection instead of wireless just means the attack surface is different but there still is one.
@MacTO: "Though it's probably not in the way that you intended, you do have a valid point"
Seriously, a lot of commercial projects borrow heavily from Open Source and do get some lowly paid interns to write it. There's at least one HFT platform that owes a lot to Open Source. I know of at least one coder at the LSE who designed a 'Candlestick chart' application - using Ellipse.
I disagree, to me it's pretty clear what is going on here. The folks who make budgeting and resource planning decisions haven't the vaguest clue what is involved in writing software, let alone best security practices. All they see is developers that cost money.
The lead/principal/architect (whoever the head geek is) requests enough time to develop software that he/she considers reasonably secure. The suits freak out. The head geek is asked to quantify the expense. The suits see all this time spent making the software more secure. They ask the head geek to quantify the risk in terms of what is likely to happen if that time is not spent.
So here's the problem: Spending the time to make more secure software is DEFINITELY going to increase costs right now. Quantifying costs due to security problems once the product is in the wild is difficult at best and impossible at worst. So it's a matter of what is DEFINITELY going to cost money now and what MIGHT cost money in the future. The suits tell the head geek that if there are problems after it ships they'll release a patch. The head geek reminds the suits that security problems are much cheaper to fix before release than after. The suits ignore him and get a bonus for keeping expenses low, by skimping on development time.
The fact that you can't predict security problems with any reasonable degree of accuracy is the issue. The suits don't like spending money on something that MIGHT happen. Remember, this is an industry that at one time determined it was cheaper to let people die than fix a problem.
Never underestimate the power of stupid people in large groups.
To advertise your old beater as air-gapped and secure.
Strictly speaking, if you have better lawyers, you can ignore the regulation. As far as illegals go, the cost of enforcing the regulation is prohibitive at this point. Deporting 12 million people would cost billions of dollars, not to mention the damage to the US economy if that labor pool goes away. I agree that they're breaking the law, but you have to face the fact that there are practical concerns here and the money has to come from somewhere.
Uh, maybe you want to wait for the investigation to be completed, for her to be tried and convicted, before you bitch that she's not in jail? Everyone gets their day in court, even if you don't like their politics.
Yes, you're not wrong, but how do you pay for that?
Never underestimate the power of stupid people in large groups.
No like all new tech Security by Obscurity...
Thing is, why is there "car" tech in the first place? What's wrong with running a steel cable to control the gas pedal? Computer controlled brakes? Sure. That way no one has to learn how to stop their car anymore. But, in time, some hacker will stand on a bridge, hit a button and all cars will "go fast, turn left". When there is no left.
Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
I don't think you understand how hard it is to write secure software. It's really, REALLY hard. If it were easy or even moderately difficult surely Windows would -- after a decade of regular security patches -- be exploit proof.
OTOH, trying to write more secure software, probably won't do any harm and might do some good.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Which is why I used "more secure" instead of "secure" above; I realize that security is hard. However, security is almost certainly hurt when you cut development time because the suits don't give a fuck about security.
Never underestimate the power of stupid people in large groups.
Wouldn't a simpler solution be to make it not so complex?
Uh...mechanical is tech. Sometimes high tech. Suspensions don't just magically pop out of the ground.
When building something physical, you have to look at it from a systems perspective like the aerospace industry does. The FAA doesn't certify software, they certify a system as a whole. When you do this, security (or safety in safety critical systems) becomes much simpler. Don't want a bug in your SDR based entertainment system crashing your ABS? Then don't have a physical path between them.
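The "no physical path" principle above, and the earlier call for system separation between critical and non-critical functions, are usually implemented where full air-gapping is impractical by a domain gateway that forwards only an explicit allow-list of frames in one direction. The following is an added example written for this page, not code from any commenter or vehicle manufacturer: a toy model of such a gateway in Python. Every arbitration ID, payload format and domain name in it is constructed for illustration and corresponds to no real vehicle; the point it shows is deny-by-default, direction-aware filtering with payload validation and an audit trail of what was dropped.

```python
"""Toy domain-separating CAN gateway (constructed example, no real vehicle IDs)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Domain(Enum):
    INFOTAINMENT = "infotainment"  # radio / navigation / telematics side
    POWERTRAIN = "powertrain"      # engine, brakes, steering side


@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit standard arbitration ID
    data: bytes   # 0..8 byte payload (classic CAN)
    src: Domain   # segment the frame arrived from


# A validator inspects the payload of an allowed ID; True means forward.
Validator = Callable[[bytes], bool]


def speed_broadcast_ok(data: bytes) -> bool:
    # Constructed format: 2-byte big-endian km/h; reject implausible values.
    return len(data) == 2 and int.from_bytes(data, "big") <= 300


# Deny-by-default policy keyed by (source, destination) domain pair.
# IDs 0x1A0 / 0x1A1 are invented for this example.
POLICY: Dict[Tuple[Domain, Domain], Dict[int, Optional[Validator]]] = {
    (Domain.POWERTRAIN, Domain.INFOTAINMENT): {
        0x1A0: speed_broadcast_ok,  # vehicle speed for the display
        0x1A1: None,                # engine RPM, any well-formed payload
    },
    # Nothing may cross from infotainment into the control domain.
    (Domain.INFOTAINMENT, Domain.POWERTRAIN): {},
}


@dataclass
class Gateway:
    policy: Dict[Tuple[Domain, Domain], Dict[int, Optional[Validator]]] = field(
        default_factory=lambda: POLICY
    )
    audit: List[str] = field(default_factory=list)  # record of every drop

    def decide(self, frame: Frame, dst: Domain) -> Tuple[bool, str]:
        """Return (forward?, reason) for one frame heading to domain dst."""
        if not 0 <= frame.can_id < 0x800:
            return self._deny(frame, dst, "invalid 11-bit id")
        if len(frame.data) > 8:
            return self._deny(frame, dst, "payload longer than classic CAN DLC")
        if frame.src == dst:
            return self._deny(frame, dst, "source and destination domain identical")
        allowed = self.policy.get((frame.src, dst), {})
        if frame.can_id not in allowed:
            return self._deny(frame, dst, "id not on allow-list for this direction")
        validator = allowed[frame.can_id]
        if validator is not None and not validator(frame.data):
            return self._deny(frame, dst, "payload failed validation")
        return True, "forwarded"

    def _deny(self, frame: Frame, dst: Domain, reason: str) -> Tuple[bool, str]:
        self.audit.append(
            f"DENY {frame.src.value}->{dst.value} id=0x{frame.can_id:03X} "
            f"data={frame.data.hex()} reason={reason}"
        )
        return False, reason


def run_sample() -> Tuple[List[Tuple[int, bool, str]], List[str]]:
    """Run constructed traffic through the gateway; return decisions and audit log."""
    gw = Gateway()
    samples = [
        (Frame(0x1A0, (120).to_bytes(2, "big"), Domain.POWERTRAIN), Domain.INFOTAINMENT),  # plausible speed
        (Frame(0x1A0, (900).to_bytes(2, "big"), Domain.POWERTRAIN), Domain.INFOTAINMENT),  # implausible speed
        (Frame(0x1A1, b"\x0b\xb8", Domain.POWERTRAIN), Domain.INFOTAINMENT),              # RPM broadcast
        (Frame(0x1A0, b"\x00\x00", Domain.INFOTAINMENT), Domain.POWERTRAIN),              # allowed ID, wrong way
        (Frame(0x2F0, b"\x01", Domain.INFOTAINMENT), Domain.POWERTRAIN),                  # unknown ID inbound
        (Frame(0x900, b"", Domain.POWERTRAIN), Domain.INFOTAINMENT),                      # outside 11-bit range
    ]
    results = [(f.can_id, *gw.decide(f, dst)) for f, dst in samples]
    return results, gw.audit


if __name__ == "__main__":
    decisions, log = run_sample()
    for can_id, ok, reason in decisions:
        print(f"0x{can_id:03X}: {'FORWARD' if ok else 'DROP':7} {reason}")
    print("\n".join(log))
```

The table being keyed by direction is what matters: the same constructed ID is forwarded from the control side to the display but dropped on the way back, which is the one-way property the aerospace-style systems view asks for. The audit entries are the detection hook; a real gateway would emit them to a diagnostic log rather than a list.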
Engineering interns are not unpaid. In my experience, they were so well paid that people dropped out of college and continued on as engineering aides.
I don't know about MS Sync; I think Sync is the name of the application, which runs on top of Windows CE and MS Auto. My recollection could be wrong -- I've tried incredibly hard to forget everything I've ever known about WinCE, but I think WinCE and maybe MS Auto are "Shared Source", where you can obtain the source.
QNX is definitely open-source.
Yeah sure, but physical parts are 19th century tech, Agile Software Development is 21st century. One of those is much better placed to eat the other.
The classic example of "why does my radio need to talk to the engine?" is that feature in some cars where the volume automatically adjusts based on speed, so when you hit highway speeds you can still hear the music that was a comfortable volume at a stoplight. So what? Don't talk to the engine, use a microphone to pick up the noise level and adjust accordingly.