Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Have No Confidence That We Can Protect Cars and Streets From Hackers (dailydot.com)

Posted by Soulskill on from the don't-hack-my-street dept.

Patrick O'Neill writes: Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they'll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office. "The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. ... At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing 'a more active leadership role' for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational."

58 of 97 comments (clear)

  1. RESTORE CONFIDENCE! by TheRealHocusLocus · · Score: 3, Insightful

    Buy some new experts.

    --
    <blink>down the rabbit hole</blink>
  2. Really? by koan · · Score: 4, Insightful

    So no matter what we are going to attach cars and the "street" to the Internet? That's a good idea?
    And there is a serious question as to whether that control should be privatized?

    Let me convey my feelings about that as one concerned citizen.

    Never has it been more insulting, and dangerous, than to consider privatizing public utilities and assests, and thereby making people dependent on corporations to manage something we all use and need.
    Privatization never turns out well for the end user, and no matter what you say about the government running things, it's a damn sight better than some corporation.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re: Really? by hackwrench · · Score: 1

      Neither all privatized, nor all public is really the best option for society. Consumer co-ops like credit unions have had pretty good records where they've been tried, but I doubt they're always the solution, either.

    2. Re:Really? by Penguinisto · · Score: 2

      So no matter what we are going to attach cars and the "street" to the Internet? That's a good idea?

      This is the crux of what I'm thinking. Then again, why is it such a good idea to hard-wire a car with network connectivity in the first place?

      What I mean is, why not build something that you can plug a phone into and use the phone's connection (assuming you need 4G that damned badly in your car)? Rig the bluetooth in said car so that you have to specifically authorize a given phone, and you're done... Hell, my wife's 3-year-old Kia Soul does this.

      This way you don't have the stupid planned obsolescence... in a friggin' *car*.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Really? by jellomizer · · Score: 5, Insightful

      Also if you are going to have internet access in your car, have it on a separate computer then what you are using for the core services, with the entertainment system.
      You engine, steering, breaking, and lights should be on a separate computer without any form of wide area network. Just a plug for manual software updates.

      Your other systems, that are not directly affecting your driving can be hooked up to the internet. Where hackers cannot harm the person.

      Not everything needs to be hooked up to the internet.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Really? by Lord+Bitman · · Score: 1

      > why is it such a good idea to hard-wire a car with network connectivity in the first place?

      Because once you make a feature completely ubiquitous, to the point that "this feature not being present is not only an edge-case, but a definite failure", then possibilities multiply exponentially.

      > This way you don't have the stupid planned obsolescence... in a friggin' *car*.

      So.. are we just talking about a data connection anymore? Do you want your car's steering control to compete for CPU power with notifications that your farm is ready to be harvested? If we're talking about "just the data", then there's no reason to think that Bluetooth will outlast [the *multiple* protocols available to a phone for longer-range connections].

      Your post also seems reliant on the notion that phone batteries are longer-lasting than car batteries, or that they will charge while in a car with a range comparable to the effective range of bluetooth, or that people will tether/dock their phones whenever they enter their cars, negating the mention of bluetooth

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    5. Re:Really? by Grishnakh · · Score: 1

      We already do this: modern cars have Bluetooth, and connect to your phone (and with the way the Bluetooth protocol works, you have to explicitly "pair" two devices, in effect authorizing your phone to work with your car).

      4G is needed in your car mainly for navigation, communications, and music. Maybe "need" isn't the right word here, but it can be convenient; a lot of people like to listen to streaming music, so being able to play Pandora on your car stereo is nice. Being able to place and receive calls from your car is both nice and much safer than using the phone (since the car can do it hands-free with a microphone and the built-in speakers). And being able to get traffic updates while driving and have your nav system reroute you is a huge time-saver.

      Why this is a concern is because these "infotainment" systems are frequently tied into other parts of the car. How much and in what way depends on the particular system.

      IMO, all these systems should be completely open-source so that interested people can look for security problems, and so updates can be made. Manufacturers (I don't mean automakers here, I mean small electronic device makers, esp. such as router makers and phone makers, but there's little reason to believe automakers will do much better) have a terrible track record of abandoning products after a short time and not providing software or security updates, leaving users open to hack attacks. Disgustingly, the manufacturers' advice for these problems is to simply "buy a new device from us!". Forcing all such software to be open-source, and also requiring the technique (and any encryption keys needed) for performing updates to be open, would mostly solve this problem. Just look at the open-source firmwares for routers, and for phones. And unlike phones and routers where there's countless versions of the hardware out there and it changes every 3 months, from what I can tell, cars aren't like this: they come up with an infotainment system and use it in all the automakers' products for years at a time. My Mazda's system is made by JCI/Visteon and is used in almost all Mazdas, for instance, same firmware and all. I imagine other automakers are the same. So if someone came up with an alternative firmware for my car, the same build would work for probably a dozen cars across a 4-8 year range.

      Finally, I have to point out (I've already mentioned it above), but for your bit about "rigging the Bluetooth" to specifically authorize a given phone, **Bluetooth already works that way**. It's part of the protocol. Some random person can't just drive by with a Bluetooth phone and hack into your car; you have to pair them.

    6. Re:Really? by TWX · · Score: 1

      Also if you are going to have internet access in your car, have it on a separate computer then what you are using for the core services, with the entertainment system. You engine, steering, breaking, and lights should be on a separate computer without any form of wide area network. Just a plug for manual software updates.

      Your other systems, that are not directly affecting your driving can be hooked up to the internet. Where hackers cannot harm the person.

      Not everything needs to be hooked up to the internet.

      Even more importantly, if there is some kind of need for powertrain or other control modules to connect to other devices, like to other cars, there needs to be mechanisms in place to ensure the integrity of the car as an uncompromised node, and for the car to verify that the information it's receiving from other sources over radio also comes from other uncompromised nodes.

      I fully expect autonomous vehicles to have to have some means of receiving instructions from emergency responders and possibly even in such mundane situations as construction zones. It might also be handy for vehicles to broadcast when they're in an error-state and the nature of that error-state, so that the other vehicles can account for it and avoid it or make it safer for the occupants of that disabled vehicle. For all of this to work right though, there has to be a way to confirm the identities of the vehicles or services.

      I don't think that it should run TCP/IP. I don't think that it should run on existing Wireless Ethernet. I think it should have new wireless protocols with new communications protocols that are limited to use on vehicles themselves (ie, no commodity hardware) and that identity and checksumming is thoroughly tested before it's widely deployed to make sure that it's good.

      If those kinds of standards can't be met then the technology should be implemented.

      --
      Do not look into laser with remaining eye.
    7. Re:Really? by grep+-v+'.*'+* · · Score: 1

      Also if you are going to have internet access in your car, have it on a separate computer

      A separate computer? Hell, I've already GOT a second computer: my phone. Maybe I'll hook it up this time as i drive, maybe I won't. But I sure won't be paying for ANOTHER device on another data plan.

      But really? I use my phone and internet as a radio, and BT the stream to the receiving stereo. Or Google Nav with connected audio. I'm sure it's still breakable, but that's a lot of different hoops to go thru. And you can't control it if I don't connect it to the car.

      Yeeeeeah, time bombs, I know. But still I'll risk it to play my anime OSTs!

      Then again, the absolute worst thing you could do to me is to play Rap with the volume maxed out and frozen.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    8. Re:Really? by RingDev · · Score: 4, Insightful

      This isn't about internet access.

      Disclaimer: I work for a state DOT as a software development manager and I consult on systems that are impacted by these systems.

      This is about V2V and V2I communications platforms. In the 2017 model year, all new vehicles will require V2V communication systems. And another ~5 years after that we'll likely see V2I requirements.

      Currently, when you see those signs that say "X minutes to exit Y", they pull that data in one of a few ways:
      1) Buy it from Google or other cell phone tracking companies
      2) Use radar speed cameras to calculate the average speed and travel time
      3) Use roadside Bluetooth detectors to identify specific vehicle travel times between two detectors
      4) Magnetic loop vehicle counters and an algorithm to compare rate to volume and travel time.

      V2V communication systems don't directly communicate with the infrastructure system. But similar to the Bluetooth detection system, we can identify that a specific car with a V2V system has passed a point, and then measure the travel time for it to reach the next meter point. Currently we capture ~2% of traffic using Bluetooth, with the new V2V system being mandated for 2017 and a ~5% annual fleet replacement rate, by 2018 we should over double our data collection.

      There's nothing fancy there though. The detail data is only retained for the segment measurements, and since all we know is effectively a GUID, we can't identify specific people. But if you were to learn of a GUID associated with someone's vehicle or phone's Bluetooth, and you were to capture and store the meter data, you could, in theory, determine their travel habits across the specific place those meters are installed (pro-tip: there aren't many of them)

      Where V2I starts getting really cool is when we can actually communicate with vehicles about the environment. For example, If you have a densely populated area with significant street parking (say like pretty much any down town metro in the country) as the street parking fills, you get more surface traffic of people looking for parking. At ~50% parking capacity roughly 80% of the traffic is searching for parking. V2I communication can cut that rate tremendously by informing vehicles of the closest available parking spots.

      Another cool use that's already being done in Vegas is that the infrastructure can inform the car as to the optimum speed to travel at to hit all of the green lights.

      Then you get into the really cool stuff, next gen and all that. Where a vehicle that has it's route information can report travel times for each road segment, and share this data between V2V and V2I, allowing the other vehicles and infrastructure perform vastly more efficient route planning, alleviating traffic jams, minimizing road surface damage, etc...

      That data can also feed our construction plans giving us hard analytical data to determine where construction projects are needed. Where safety needs to be improved, where volume is changing rapidly. It can help plan lane closures and route plans for over sized-over weight vehicles. It can replace a ton of what is currently labor intensive and best-guess analysis with cold hard facts.

      But it needs to be shepparded by people who are aware of the security impacts and unwilling to overstep bounds.

      At one stakeholder meeting, a senior member of a policing branch of the state government asked if the system could be used to disable the vehicles of people who were driving recklessly. Or if they would be able to query the system to identify suspects in relation to a crime.

      Some of the ops folks were really excited about the idea of identifying common traffic routes, to be able to see how individual drivers get from point A to point B.

      But there were those of us in the group who were willing to say, no, killing someone's ignition at 90 mph is a bad idea. No, having a searchable database with PII is bad. No, showing full route information is a horrible intrusion in the drivers' privacy.

      These are the battles that are being had, across the country, in your own Department of Transportation.

      If you are concerned about it, contact your local DOT, that's where the magic is happening right now.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    9. Re:Really? by ITRambo · · Score: 1

      "You forget that people are so entitled these days they think they have to do nothing at all and the world will hand them whatever they want" is too exaggerated. Not everyone lives in their parent's basement. People that I know do their best to earn an honest living.

    10. Re:Really? by TheRaven64 · · Score: 1

      So no matter what we are going to attach cars and the "street" to the Internet? That's a good idea?

      Of course it's a good idea! It will allow more tracking to sell even better-targetted advertising spots. And Google will keep us secure. After all, they've done such a good job with Android...

      --
      I am TheRaven on Soylent News
    11. Re:Really? by kheldan · · Score: 2

      So no matter what we are going to attach cars and the "street" to the Internet? That's a good idea?

      Emphatically no, it's not, but that won't stop it from happening, any more than 'wireless charging' being a thing now couldn't be stopped from being marketed, despite the incredible inefficiency of it, or the 'internet of things' becoming a thing (and not being anything like secure, and why the hell, really, do you need your refrigerator connected to the gods-be-damned Internet anyway?), or 'The Cloud' being a thing, despite 'Cloud' providers deciding to go belly-up on you and leaving you high and dry and/or getting hacked for its' contents, etcetera, etcetera, etcetera.. people want the Internet in their cars, because cars, like cellphones have become, are now more of a lifestyle choice than they are what they used to be made to be (transportation!), so of course you have to have all the comforts of home in your gods-be-damned car; I'm just waiting for there to be a toilet built into the drivers' seat, and some sort of shower facilities and a way to store and cook food, so you never have to leave the car, ever, for any reason. Anyway, back in Less Sarcasm Land, people want their cars to have all this wireless connectivity, and since they're rushing to market with this stuff, of course it's going to be a major attack vector for the entire vehicle. To be fair though even what we assumed were the most secure systems connected to the Internet have been hacked, which just proves the obvious: Anything can be hacked into. It's just a matter of time. You want unimpeachable security? Don't connect it to the Internet, or have any sort of wireless connectivity in the first place. I drive a 2008 Toyota Tacoma pickup with a 5-speed stick shift, it doesn't have wireless anything, and so far as I know, short of someone having physical access to the CANBUS, it's not hackable, and I like it that way.

      You want your vehicle to be unhackable? Then it needs a physical switch you can flip that kills power to any and all radio transceivers in the vehicle, and I don't mean a 'soft' switch that has to be acted upon by software, either. Short of that being available, find the antenna(s) for any radio transceivers, disconnect them, and connect the transceiver to a dummy load. That won't completely stop them, but at worst it'll reduce the range by which it can be accessed to a few feet.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    12. Re:Really? by The-Ixian · · Score: 1

      This brings up a good point.

      How about a standard interface for a car where you plug in the smart phone you already have? That is now the brains of your car. As technology advances, so does your smart phone. Your car can forever stay "dumb".

      --
      My eyes reflect the stars and a smile lights up my face.
    13. Re:Really? by edcheevy · · Score: 2

      Thanks for the background info! I'm curious, do state DOTs do their own thing or are they like other agencies where the large states tend to force the standard? In other words, if we pressure California DOT to build these platforms responsibly, would that be felt elsewhere in the country as well?

    14. Re:Really? by Grishnakh · · Score: 1

      Maybe, but in many states, holding a phone to your ear and driving is flatly illegal and will get you pulled over and a distracted driving ticket. Driving with the car's built-in handsfree phone system will not, and is usually completely legal. If nothing else, having two hands on the wheel is a big plus (as well as being able to talk to the car and tell it "call my wife" or whatever instead of messing with a dialer; on my car I can make calls without even looking away from the road).

      Finally, danger is relative. If you're driving on a rural interstate highway and the nearest town is 2 hours away, it's probably more dangerous NOT to talk on the phone; at least it'll keep you awake. If you're in heavy rush-hour traffic, then get off the phone.

    15. Re:Really? by RingDev · · Score: 2

      To some extent. I'd have to dig through my notes to see who is further along than others. I know Vegas has some cool stuff in Nevada, Cali comes up in conversation thanks to silicon valley. So does Minnesota though, so it's not like it's locked up by the typical coastal players.

      My state isn't on the cutting edge, but we are replacing some of our asset management software, which ties into traffic ops, so keeping an eye on which vendors are going to be able to leverage V2V and V2I communications is critical for us. Thanks to budget cuts from the Governor though, we don't have money to play around with future state stuff :(

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  3. Privacy my eye by Anonymous Coward · · Score: 1

    From TFA :
    "Privacy will be a key component of the new road networks. Data generated by V2I networks may be given to academics, government agencies, and private companies for research purposes."

    I guess privacy does not mean what I think it means

    1. Re:Privacy my eye by __aaclcg7560 · · Score: 1

      What makes you think you have any privacy on the roads today? Your cellphone broadcasts a signal, video cameras monitors the roadways and some police departments use license plate scanners.

    2. Re:Privacy my eye by Anonymous Coward · · Score: 1

      What makes you think you have any privacy on the roads today? Your cellphone broadcasts a signal, video cameras monitors the roadways and some police departments use license plate scanners.

      private != privatization.

      koan makes valid points about attaching 2 ton vehicles to the internet and then not being able to ensure they cannot be used as weapons.

      As far as privacy on the road, I don't care anymore. I found out that the way they determine average speed on traffic reports is to monitor cellphone position. So much for privacy.

    3. Re:Privacy my eye by Penguinisto · · Score: 1

      All true. However, all but one condition is rather limited in scope and depth, with most of it installed in limited metropolitan areas (cities like London excepted).

      The cell signal is about the only thing that can be truly, well, sorta tracked... depending on how locked-down your phone is and what you have turned on. If you have GPS running and the world's loosest permissions, yeah you can be tracked to the square meter. If you have reasonable privacy controls turned on and GPS off unless absolutely needed, the most they can get at any one time is triangulated from the towers - after a subpoena is granted to get that info. Note that even this triangulation doesn't work so hot once you get out past the suburbs and into the sticks...

      The ideal? Given that parts of my own commute has zero bars on any phone and runs through mountainous terrain, well, good luck with that.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Experts by Kohath · · Score: 1

    If they say there is no problem then experts are no longer valuable.

  5. Car infotaiment systems are a trojan horse by sinij · · Score: 3, Interesting

    Car infotainment systems are a Trojan horse by the car manufacturers in search of forced obsolescence.

    Modern cars normally last 12-15 years, no connected IT system would survive this long without constant maintenance. Thing is, it is all but certain that there won't be security patches developed for that long.

    With this in mind, buying a connected car is insane.

    1. Re:Car infotaiment systems are a trojan horse by sinij · · Score: 3, Interesting

      Lease payments will go up if resale value tanks due to obsolete security. For example, $30000 new car would cost $8000 as a 8 year old car. If it will only sell for scrap because of a remote steering and brakes hijack that 8 year old value is effectively $0. This will increase cost of ownership by average of $83/mo over these 8 years. This means that normal least payment of about $350/mo on a $30000 car is now almost $450/mo

    2. Re:Car infotaiment systems are a trojan horse by Dr_Barnowl · · Score: 1

      The big stupid for me was the hack that disabled the brakes by hacking the radio.

      Why, why, why is the entertainment system on the same WRITABLE hardware bus as the brakes? I can see why you might want to talk to the engine management (to enable "sport mode" and such), but not directly, that would be stupid.

      We know why : because they're cheap bastards.

    3. Re:Car infotaiment systems are a trojan horse by The-Ixian · · Score: 1

      I have seen IT systems in use for a lot longer than that.

      Amazingly enough, some software continues to work as long as the hardware it is running on continues to function.

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Car infotaiment systems are a trojan horse by sinij · · Score: 1

      Sure, but what you fail to notice is that infrastructure protecting such system gets updated. Things like firewalls, IPS, VPN that secure such IT system are much newer and maintained.

    5. Re:Car infotaiment systems are a trojan horse by The-Ixian · · Score: 1

      Well... or air gap... that technology hasn't changed.

      But I see your point.

      --
      My eyes reflect the stars and a smile lights up my face.
  6. The Experts suck. by Lumpy · · Score: 1

    It' seems these "experts" have zero clue at all on how to build cars or how to secure a local network that is isolated from the internet.

    --
    Do not look at laser with remaining good eye.
    1. Re:The Experts suck. by gstoddart · · Score: 1

      And they know it.

      Which means you have to ask the question: why the hell should we accept they are "experts"?

      This screams of an industry saying "we have no idea how to do this properly, but we're going to do it anyway".

      --
      Lost at C:>. Found at C.
    2. Re:The Experts suck. by sinij · · Score: 1

      What you are missing is "at this cost with this feature set". You want a secure IoT thermostat for $50? Not possible. The best that could be done is secure connected at $250 or 'please hack me' connected for $50 or not connected and secure for $50.

    3. Re:The Experts suck. by Archangel+Michael · · Score: 1

      While I see the draw of an internet connected thermostat, it isn't enough to outweigh the "Please hack me" that is inevitable. It isn't that hard to program a decent thermostat to function within the 90% of normal range, and manually change it for the 10% of the time that isn't normal. So, I get off work a little early and want the house cooled down (summer) or warmed up (winter) when I get home, I'll suffer the 30 minutes it takes.

      And why hasn't anyone of these people watched BattleStar Galactica, you don't network critical systems that are capable of being hacked.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:The Experts suck. by Lumpy · · Score: 1

      Yet my $19.00 programmable thermostat outdoes all the internet ones instantly. it just takes 10 minutes of effort to program it to never need to touch it again.
      In fact I haven't touched my thermostat in 3 years.

      --
      Do not look at laser with remaining good eye.
  7. That's OK ... by gstoddart · · Score: 2

    We don't have any confidence they can either. And if they're not confident they can secure it, and we're not confident they can secure it .. how about we simply don't deploy the damned thing?

    If everybody is rushing to roll out the awesome new digital infrastructure, and nobody believes it will be secure .. maybe it's not so fucking awesome?

    We don't want a system which doesn't protect us from privacy and security breaches. So don't make one. Why is everybody in such a rush to deploy shitty technology all the time?

    Sorry, but I don't want a car or anything else with a badly designed level of security which everybody knows is a badly designed layer of security. At that point it's more about marketing than it is technology.

    Just say no. The world will survive without one more incompetently implemented piece of digital integration nobody really cares about.

    Now get off my damned lawn.

    --
    Lost at C:>. Found at C.
    1. Re:That's OK ... by phantomfive · · Score: 1

      Are you confident in the security of.... the Internet at large?

      Ha, what?
      The internet is insecure by design. If you want your code to be secure, you must consider it a threat at all times, and not trust anything that comes from it.

      --
      "First they came for the slanderers and i said nothing."
  8. there should be many easy fail safes by circletimessquare · · Score: 1

    input or output from any part of the system should conform to narrow parameters, or the entire communication is disregarded, and the fail safe implemented. so falling back to the fail safe should be frequent, not rare and alarming. it could be a hack, it could also just be network or equipment issues, either way

    for example, the data: distance to car in front of you

    the data should be of rigorously correct format, received in the correct and expected small time frame, and the source must be locked to certain trust indicators (which would be another entire laundry list of overlapping qualifications)

    if there is any failure, no matter how slight, the data should be considered tainted and incorrect, and back up redundant systems (lidar, whatever) or even fail over to manual control should be implemented

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:there should be many easy fail safes by fustakrakich · · Score: 1

      trust indicators

      Um, no, you've already failed

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:there should be many easy fail safes by Mr.CRC · · Score: 1

      Or they could just make a car be a fucking car, and use something called wires to connect shit together! There is no need for "infotainment" integrated into a car. Passengers can use portable devices. I won't buy a car with a built-in TV, internet connected or not. And it's looking like I will never buy a new car again for the rest of my stay on this planet. I'll be seeking out used vehicles only with wires only inside.

  9. Simple solution for cars by elvesrus · · Score: 1

    Buy used, or build your own, without any computer controlled systems. For the less paranoid closed systems with no way to upgrade the software can be used.

  10. Privacy is a secondary issue by nine-times · · Score: 1

    Protecting cars from privacy breaches is, frankly, a secondary issue. There have been hacks demonstrating that an attacker can wirelessly take control of the car and interrupt the driver's control. This sort of hack certainly can be prevented-- by yanking any wireless connectivity, if nothing else.

    If a car maker has cars that are not fully protected against that kind of attack, it should be illegal to drive those cars on public roads.

  11. Don't worry by 0123456 · · Score: 1

    Slashdot experts are confident that driverless cars will never have crash. So it's all good.

    1. Re:Don't worry by Mr+D+from+63 · · Score: 2

      The safest cars will be both driverless and riderless.

    2. Re:Don't worry by TechHSV · · Score: 1

      And parked in a garage.

  12. Follow the money by grimmjeeper · · Score: 1

    The reason automakers can't build a secure system is that it costs money. And putting an expensive secure system on cars will raise prices. Of course, raising prices in a commodity market means you lose sales.

    But here's the thing. If they keep making their systems hackable where people can get in from the internet to the car and actually take over control (instead of isolating the infotainment network from the critical command/control network, you're going to get into a situation where one or more cars are hacked and one or more passenger is injured or killed. That's when the lawsuits hit and that's when car companies will start addressing security. When it hits them in the profit margins.

  13. Go on... by acoustix · · Score: 2

    I don't have confidence in most things anymore: federal government, personal responsibility, etc.

    Just add this to the list.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:Go on... by sociocapitalist · · Score: 1

      I don't have confidence in most things anymore: federal government, personal responsibility, etc.

      Just add this to the list.

      I have confidence in your lack of confidence.

      --
      blindly antisocialist = antisocial
    2. Re:Go on... by Shadow+IT+Ninja · · Score: 1

      Okay, I'll add to the list - corporate responsibility... from Enron to AIG to Volkswagen.

  14. Obvious solution by gurps_npc · · Score: 1
    Is to treat all radio data as suspect. Assume it is compromised, not valid. Worst case scenario airgap any computer that controls the cars from any computer that can receive outside instructions.

    There is NO need whatsoever for anyone to be able to control the brakes, gas, etc. of a car that from outside the car.

    The idea that they should is a poorly thought out concept.

    --
    excitingthingstodo.blogspot.com
    1. Re:Obvious solution by Martin+Blank · · Score: 1

      There are plenty of public safety arguments in favor of applying some level of control from outside of the car. Cars in a high-speed chase put anywhere from a handful to hundreds of people in danger. Suspected stolen cars and drunk drivers could be safely pulled to the side of the road. The implementations of these could vary from nearly direct control to a signal that automatically puts the car into a parking mode (external order with details handled by the car itself).

      There are various tradeoffs that have to be weighed and maybe ultimately the cons outweigh the pros, but it's incorrect to say that there is no need at all.

      --
      You can never go home again... but I guess you can shop there.
  15. Exactly. No one wants to think of the negative by WOOFYGOOFY · · Score: 1

    Exactly no one wants to think of the negative use case scenarios and what the scale of those use case scenarios might mean to society.

    The whole stampede towards IoT and internet on everything is driven purely by 1) multi-millionaire investors looking to be the next multi-billionaire and 2) people who are high on the curiosity / inventiveness scale but disastrously low on the harder-to-do societal implication / moral reasoning / counterfactual hypothesizing scales.

    Q What if people don't use the technology in the way you intended? Answers:

    A It's not my fault.

    Q What ways might someone deploy this technology which could plausibly lead to a large-scale, high human tragedy disaster?

    A. I don't think about that shit man, besides, people kill each other with shovels- do you want to control shovels too?

    Q. With this technology, does the level of possible disaster scale linearly with the level of adoption by society ?

    A. Fuck you man. If it was left to people like you, we'd still be sitting in the dark. "Oh, electricity, it looks so dangerous, just think what bad people could do with this. Better ban it! Someone get me a candle!

    There is no specific gene for forward-thinking, defensive strategizing in the absence of a very well defined and concrete threat to the herd. Basically, it seems like a low-interest, highly speculative, low-value activity.

    There IS a gene for taking parts which have different capabilities and creating cool composite new things with them that bring me abilities and extend my power over the world in some way !

    There's also a lot of money to be made engaging with the second and, well, you'd have to pay people to engage in the first.

    I think we can see where this is going.

    but please, let my low score and follow on comments speak for themselves.

    1. Re:Exactly. No one wants to think of the negative by gtall · · Score: 1

      You missed one. Just about every company has been taught over the years to be paranoid of the competition stealing their cookies, and the concept of "you do better by screwing the competition". Even in the absence of the millionaire to billionaire track, there would be an a push for this sort of technology. The cost of production is currently such that it is cheaper to produce a car with a single universal bus rather than two to isolate key engine components.

      Normally, we would rely on government to capture these sort of externality costs (e.g., safety, security, etc.). With the current crowd in Washington, we can no longer rely on government. So we must wait until the bodies pile up and the courts grind out enough justice to raise the cost of not doing these systems properly.

  16. And another thing by WOOFYGOOFY · · Score: 1

    If you think the govt is all up in your shit online because you might download some Disney movie illegally, just wait until you can crash cars via internet access.

    Then you'll need a license to even USE the internet. Think that's far fetched? It's not. If we let the internet become a common vector of attack against just everything, then kiss even your pseudo-anonymity goodbye. They will pull your license to surf just like they can pull your driver's license.

    We don't NEED IoT so let's not rush and build an insecure one. Security in IoT should be more or less impossible to break or tamper with and if we can't think of a way to achieve that yet, then let's wait until we can.

  17. Security standards by phantomfive · · Score: 1

    That role would include setting security and privacy standards when V2I and V2V networks become operational.",

    There's only one standard: "No security breaches."
    We can follow that up with, "For each security breach, you pay a fine of X dollars, and a bounty to the discoverer."

    That won't work perfectly, but it will work much much better than creating a list of coding standards. Create the incentive and people will find better ways to write good code than by following any silly 'standard.'

    --
    "First they came for the slanderers and i said nothing."
  18. Previous plans pointed toward car industry control by fustakrakich · · Score: 1

    Yes,well, let's all hope we understand where that leads us by now.

    --
    “He’s not deformed, he’s just drunk!”
  19. Re: The "experts" are on crack... it can be done by Anonymous Coward · · Score: 1

    Blu-Ray was hacked years ago. Decrypting them is trivial at best these days. WGA and secure boot can also easily be bypassed, as secure boot can be turned off on most devices. Forcing secure boot would end up a legal nightmare for MS as other OS's would also be excluded. That's why it's up to the manufacturer, and they too don't want the headache. The experts may be on crack, but you have no idea what your talking about. Anything can be hacked, it's just a matter of how long it takes. Sometimes it just isn't worth the hassle, so people don't bother, but that doesn't mean it can't be done.

  20. go retro by swschrad · · Score: 2

    you COULD dig some 60s Mopars out of the junkyard, and study them. they have excellent internal data security.

    the other option... no wifi, no data connections from the sound system to the rest of the car, no wireless comms. the diagnostic connector must have rolling passwords, just like a garage door opener. no other entry points to the car network. and get rid of commercial OS and software, cars are a killing tool in all but a handful of modes, there should be a custom RTOS running the gizmos.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  21. V2V's purpose is enriching industry/surveillance by WaffleMonster · · Score: 1

    The point of V2V is to force people to pay money to install and maintain useless systems for the purpose of assisting bulk electronic surveillance.

    V2V has no compelling safety based use case anyone has ever been able to coherently explain.

    Just look at their website they show a vehicle with a display showing the words "COLLISION ALERT".

    Then we have classic V2V use case.. the pile up accident caused by an unbroken chain of idiots failing to maintain proper following distance. If the car in front of the car in front of you brakes then V2V will warn you to stop... really? I have a better idea... a sensor on the front of your own damn vehicle that warns YOU when you are being that tailgating idiot who spectacularly fails to maintain proper following distance or warns when you are not paying attention and are therefore about to crash. No V2V or RF transmissions required. Nothing to hack or secure.

    In fact the supposed benefits (forward collision/emergency break,lane change/blindspot) don't require any vehicle to vehicle communications protocols of any kind. These features are already in production models currently on the road implemented with a few dollars worth of sensors. Cars will even panic brake for you now.

  22. NSA should secure public automated transportation by Bobbox1980 · · Score: 1

    We know that about 30,000 people are killed each year in the U.S. due to ordinary traffic accidents. Computer controlled vehicles will drastically decrease this in the coming years. We can't not afford to implement computer controlled vehicles. Why not have the NSA secure automated vehicle software. They would likely be ahead of the game on security vulnerabilities and are best positioned out of everyone to secure automated vehicles. Yes there is an issue with having the NSA track everyone's movements all the time. That is unfortunately happening to a lesser extent now with police license plate scanners.