FBI Warns That Car Hacking Is a Real Risk

An anonymous reader writes: The FBI and the U.S. National Highway Traffic Safety Administration are voicing their concerns about the potential risk of cars being hacked. In an advisory note, they urge the public to be aware of cyber-security threats revolving around connected vehicles. From the advisory, "Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience. Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats." They are also advising drivers and manufacturers to ensure the vehicle software is up-to-date, and keeping an eye out for recalls.

Okay, this is getting ridiculous

[Chris+Mattern]

Is anyone compiling a list of new cars you can get without this crap in them?

Re:Okay, this is getting ridiculous

[Gription]

With the level of regulation involved it is probably pretty close to being illegal to make a car without electronic control of everything.

Re:Okay, this is getting ridiculous

[Grishnakh]

Yeah, it's pretty simple: don't get a car with OnStar (I think there's a competing service out there like this from one of the other makers), and don't pair your Bluetooth phone to the car. Viola! Your car is now immune to hacking.

If there's no way to actually communicate remotely with your car, then there's no way to hack it remotely.

It would be nice if the system architectures in cars were open and all their interfaces publicly documented, so we could see what attack vectors are possible. A well-architected system would have Bluetooth for internet connectivity to the infotainment/nav system (so you can do Android Auto, listen to Pandora, etc.), but would have extremely limited ability to write any data to any other modules on the vehicle data bus (just configuration settings really), and all those interfaces would be publicly documented and fully tested by independent security auditors.

Re:Okay, this is getting ridiculous

[mrchaotica]

Is anyone compiling a list of new cars you can get without this crap in them?

Yes, here it is:

1.

Re:Okay, this is getting ridiculous

[TheCarp]

Suddenly.... having to replace your points occasionally or clean out a needle valve is looking quite attractive isn't it?

Re:Okay, this is getting ridiculous

[mrchaotica]

All of my cars were made in the '90s. They all have electronic fuel injection, but none of them has a transceiver (other than the AM/FM radio). No need to go back to carburetors, unless you really want to for other reasons.

(And yes, I drive cars that old on purpose, because of this issue.)

Re:Okay, this is getting ridiculous

[Lab+Rat+Jason]

I wouldn't be so sure about this... high line TPMS sensors can be commanded to report using a LF transmitter. This triggers the sensor to broadcast it's status, thereby allowing the capture of the sensor's serial number. Even low line sensors transmit every 5 to 10 minutes. With a little patience, one can copy and replay the TMPS sensor data... modify it to show low tire pressure and high temp, etc. and cause the console to show a tire flat condition. Admittedly a lame hack, but easy way to vex a particular driver. Now, admittedly I don't know if there is hack in the wild that lets you penetrate the TPMS, but since it has an antenna, and it has a connection to the car's CAN bus, it's possible, and it's likely that the gates are wide open somewhere, given the auto industry's aptitude for securing their products.

Re:Okay, this is getting ridiculous

[WaffleMonster]

Is anyone compiling a list of new cars you can get without this crap in them?

Cars are expensive. It likely doesn't take all that many people to say "thanks anyway" and walk off the lot before the message is received.

Re:Okay, this is getting ridiculous

[I4ko]

VW is selling completely restored and refurbished beetles from the 60's at very competitive low 20Ks. My next car will be one of these... or a dump truck or a mining truck (you know, the ones with tires 10 feet high).

Re:Okay, this is getting ridiculous

[The+Grim+Reefer]

Yeah, it's pretty simple: don't get a car with OnStar

Can you even get a new GM vehicle w/o OnStar?

(I think there's a competing service out there like this from one of the other makers),

1. UConnect from Chrysler/Dodge/FIAT /Jeep & Ram
2. Sync on Ford
3. Assist on BMW
4. Mercedes mbrace
5. Toyota Safety Connect
6. Honda Entune
7. Nissan NissanConnect
8. Hyundai BlueLink
9. Etc. and so on

I don't know how many of those currently ship models w/o this, but I imagine it won't be too long before you can't even by a vehicle that doesn't come with this.

I don't know about the newest vehicles, but I have two GM cars from the early 2000's that came with OnStar. it was 2 or three connectors that needed to be unplugged to disable it in those. But I'm guessing it's probably a lot more difficult in current ones. I'm also guessing that one of two things are going to happen in the very near future. It will either become illegal to disconnect these systems. Either through inspection, or if you are in a wreck and they find it's disconnected you get in trouble. Or the insurance companies will add a section in your policy that they are not liable for anything if you get in a wreck and they discover it was disabled.

Re:Okay, this is getting ridiculous

[The+Grim+Reefer]

Cars are expensive. It likely doesn't take all that many people to say "thanks anyway" and walk off the lot before the message is received.

Until a major incident occurs, damn near everyone in the public will remain totally oblivious to this issue. I've brought it up in conversation with quite a few tech people I know and not one has thought about it at all, and most never knew it was an issue.

Re:Okay, this is getting ridiculous

[Lab+Rat+Jason]

<slow clap>news for nerds, AC's sexual fetishes that matter</slow clap>

Re:Okay, this is getting ridiculous

[Grishnakh]

Not all cars have TPMS sensors. Mazdas don't; they use a cheaper method with the ABS system that just looks for differences in tire rotation rates over time. It's of course not as sensitive or convenient as the systems with sensors, but it's cheaper and you don't have to worry about batteries dying, tire shops screwing them up, having to buy a new set for your winter tires, etc.

Re:Okay, this is getting ridiculous

[Anonymous+Brave+Guy]

Yeah, it's pretty simple: don't get a car with OnStar (I think there's a competing service out there like this from one of the other makers)

I'm afraid your information is out of date there. Maybe it's different where you are, but if you look through the web site of almost any mid-range or high-end brand here in the UK, connectivity features are all the rage and pretty much everyone now has them.

Audi has Audi Connect.

BMW has various features including Teleservices and Emergency Call.

Volvo has Sensus.

Ford has Ford SYNC.

And the list goes on. Some of these seem, at the moment, to be primarily about things like hooking in your phone, presumably so you can do exciting things like kill someone while distracted by your car awkwardly mispronouncing the e-mail you just received. A few, the Volvo Sensus for example, sound downright creepy to me in terms of auto-updating software in your vehicle without any user interaction.

And if you think every major car manufacturer and every major car insurer isn't eyeing up the possibilities of phoning home with driver performance data whether you like it or not, I know a prince in Nigeria who has a really great offer that might interest you.

Re:Okay, this is getting ridiculous

[Grishnakh]

How many of these systems actually have cellular modems? My Mazda doesn't; it relies on Bluetooth from your phone for any kind of remote data. I was under the impression that most automakers except GM were like this these days. That cellular connection is extra money just for the hardware (Bluetooth radios are cheaper), plus someone has to pay the cellular provider for the monthly data charge.

Re:Okay, this is getting ridiculous

[Grishnakh]

My Mazda was made in 2015, and it has a bunch of receivers: AM, FM, XM (yuck), GPS, and precisely one transceiver: Bluetooth. If you don't pair it with your phone, it has no ability to connect to the outside world.

Re:Okay, this is getting ridiculous

[Bob+the+Super+Hamste]

VW is selling completely restored and refurbished beetles from the 60's at very competitive low 20Ks. My next car will be one of these... or a dump truck or a mining truck (you know, the ones with tires 10 feet high).

Same pollution per mile in those options. Although I would likely go with the haul truck (that is was they are called), I wouldn't mind having a 5MW mobile generator on hand just in case.

Re:Okay, this is getting ridiculous

How many of these systems actually have cellular modems?

Nissans appear to. http://www.nissanusa.com/connect/faq

Customers can lock or unlock their vehicle from the NissanConnect Services Web Portal or Mobile App from any location. Sixty seconds after Remote Unlock is initiated, the vehicle's doors will automatically re-lock.

I would look up the others but now I'm just sad.

Re:Okay, this is getting ridiculous

[Gr8Apes]

I would actually prefer anything other than a transmitting TPMS in the wheel. They are nothing but an annoyance, and don't even work properly on my car.

Re:Okay, this is getting ridiculous

[mrchaotica]

My Mazda was made in 2015, and it has a bunch of receivers: AM, FM, XM (yuck), GPS, and precisely one transceiver: Bluetooth.

How sure are you of that?

Even if you weren't neglecting the other obvious communications devices -- the ones to communicate with the tire-pressure monitoring system, the keyless entry / push-button start, etc -- I would have no confidence whatsoever that there wasn't a cellular modem hidden away somewhere, just waiting to be activated by a Stingray or something. Hell, even if they didn't design one in on purpose, at this point probably every SoC they might have picked to run the infotainment system probably has it so they wouldn't even have a choice!

Re:Okay, this is getting ridiculous

[Aaden42]

All you need is a vulnerability in the TPMS parsing code, and you have an exploit of the module that houses it. Near 100% odds that module is on a CAN bus and could be your foothold into more destructive systems.

As far as cars that “don’t have” TPMS, don’t be so sure that absense of the light on your dash means it’s not there. I’d be shocked if there aren’t at least some vendors that ship one system with a radio receiver integrated for all models. Program it to not care about absent senors (no warning light) and don’t put the sensors in the wheel. Might still be listening with flawed parsing code exposed. Plug something into your OBD2 port that will enumerate all devices on CAN bus and see what’s listening. Even on my super basic model Toyota Yaris, there are a LOT of things responding on the CAN.

Re:Okay, this is getting ridiculous

[Aaden42]

Just because you didn’t pair with Bluetooth doesn’t mean there isn’t an attack against the BT stack. Anything with an antenna attached to anything with a processor can be fuzzed remotely. Best-worst case is you over run something and DoS it, causing “weird” stuff for the interface in the car. Worst-worst case is you 0wn it and have access to the CAN bus to do more.

Re:Okay, this is getting ridiculous

2012 Focus S. Ships without ford synch. In North America anyways.

It does have keyless entry, but not sure if you can hack any further than remotely unlocking it, honking the horn and opening the trunk.

I don't know if that is true of the 2016, although this years model is only a mild facelift of the 2012.

Actually a decent car and even available with a manual.

Re:Okay, this is getting ridiculous

[Aaden42]

Does your radio support metadata for song title etc. transmitted over FM? Lots of even older cars had the capability even if very few radio stations in the US transmit anything. Wouldn’t surprise me much if even some basic radios that don’t have screens to display the info are ultimately built on chips that include the decode capability & just never display it. Find an exploit in the parser for metadata, 0wn the radio. Is the radio on CAN bus? Good chance that it is. Next stop, the antilock brake controller. Well... I guess that’s not exactly the next stop, but that’s kind of the problem.

Re:Okay, this is getting ridiculous

[The+Grim+Reefer]

Perhaps your current Mazda doesn't. But they're rolling out Mazda Mobile Start From a quick look it allows you to lock/unlock your doors, start the car, get it's location, etc. from your mobile phone.

Re:Okay, this is getting ridiculous

[BronsCon]

Mazda uses TPMS in models without ABS. My 6 and my friend's 3, both 2012 models, for example.

Re:Okay, this is getting ridiculous

And if you think every major car manufacturer and every major car insurer isn't eyeing up the possibilities of phoning home with driver performance data whether you like it or not, I know a prince in Nigeria who has a really great offer that might interest you.

Raise the price for insurance and offer some piece of shit customers put in their cars we can spy on them. Voilà!

Re:Okay, this is getting ridiculous

[Grishnakh]

Two problems here:

2012 was 5 years ago (model year wise). They don't make those cars any more.

ABS has been standard in all cars since the 1990s. There's absolutely no possibility your 2012 cars don't have ABS, unless you're in some 3rd-world country where it's not required.

Re:Okay, this is getting ridiculous

I'm dreading this next time I'm shopping for a new car. Hopefully I can at least disconnect the antenna for this stuff.

Re:Okay, this is getting ridiculous

[Grishnakh]

As far as cars that âoedonâ(TM)t haveâ TPMS,

All cars sold in the US are *required* to have TPMS, and have for several years now.

Not all cars have TPMS sensors inside the wheels; many cars use a passive system instead as I described earlier. The passive system is cheaper and simpler.

It's very doubtful there'd be a radio receiver for a car with passive TPMS, because that model is going to have that same system in every market. Radio receivers cost money, and they're not going to spend money putting something in a car model that will never be used on any such car anywhere.

Re:Okay, this is getting ridiculous

[Grishnakh]

No Mazdas do. That system is available for my car, but if you look closely at the site you'll find this nugget:

"MMS hardware must be purchased and installed in your vehicle."

The car, from the factory, does not have a cellular radio for this system to work. So to get MMS, you have to purchase the system and have it installed, which obviously includes a cellular radio. And of course, you have to pay a yearly fee for it to keep working.

Of course, there's no telling if it'll stay this way or if they'll forcibly include it on all new cars at some time in the future, but for now, you can safely buy a Mazda which doesn't have any kind of cellular radio pre-installed.

Re:Okay, this is getting ridiculous

[TheCarp]

I know, tbh even my most recent motorcycle had fuel injectors.

Though, I do occasionally think there is some benefit to using technology I can reasonably disassemble and troubleshoot. I would rather not do it, but I feel more comfortable rebuilding a carb, though in truth fixing the new car is probably easier...nothing to rebuild, the equivalent job is done by parts that you would just junk and replace rather than clean or repair.

Re:Okay, this is getting ridiculous

[BronsCon]

Funny, neither the 2000 Civic and Corolla the Mazda 6 replaced (we're a 1 car household now, no need for two, really) had ABS. The 99 corolla the 2000 corolla replace didn't, either; nor did the 91 Accord the 99 Corolla replaced. You might be right about the 2102 Mazda models having ABS, I'll be honest here and say I never really looked; but I do know they also use TPMS, as they don't complain if you replace the wheels such that the overall diameter is one or two inches larger or smaller, but they do complain if you don't move the bolt-mounted valve stems to the new wheels when doing so.

Re:Okay, this is getting ridiculous

[Grishnakh]

And if you think every major car manufacturer and every major car insurer isn't eyeing up the possibilities of phoning home with driver performance data whether you like it or not, I know a prince in Nigeria who has a really great offer that might interest you.

Insurers, perhaps, but manufacturers, I'm not so sure. If they really wanted to, wouldn't they have done so by now? But not every carmaker has put a cellular modem in their vehicle yet. Perhaps the cost of the cellular service per-car isn't worth the data they'd get from it.

Finally, you're already proven my point. The systems you list do not have any kind of data connection. They aren't connected to the internet: they have no cellular modem. I didn't look at them all, but I looked at your link for Audi Connect, and it was just as I suspected: it has no data connection. It requires your phone to have one: they warn you specifically on the page to check your cellular data plan and consider the data usage of the system and how that'll affect your phone bill. So, *as I said in my first post*, as long as you don't pair your phone with your car using Bluetooth, your car has no way to communicate with the outside world (unless it has OnStar).

Re:Okay, this is getting ridiculous

[Lab+Rat+Jason]

Don't forget about the most popular radio receiver in the car... the actual AM/FM head unit. FM broadcasts have a sub-channel for providing the name of the song, the name of the artist, etc. which is displayed on the infotainment system. One does wonder how secure that system is too. These systems are admittedly harder to compromise than say, the insurance industry's OBDII dongles, or the cellular data systems, but they are all there and all present a little opportunity to hack in. The funny thing is, just like it's internet based counterparts, just because one manufacturer or standard has "secured" the communication channel, doesn't mean that some future software update coded by a careless maintainer won't accidentally re-introduce the vulnerability. These systems are ALWAYS going to be at risk, just like any other connected device. There's always a way to get in.

Re:Okay, this is getting ridiculous

[Grishnakh]

How sure are you of that?

I'm 100% sure of it.

Even if you weren't neglecting the other obvious communications devices -- the ones to communicate with the tire-pressure monitoring system,

There's no such system in my car. It uses passive TPMS.

the keyless entry / push-button start

You have a point there, I did overlook that one. It does have keyless entry. However it's one-way: the car has no way to transmit back to the keyfob, it can only receive. You can't communicate with something over a one-way data link.

I would have no confidence whatsoever that there wasn't a cellular modem hidden away somewhere

That's tinfoil-hat territory. There's no cellular modem in my car. If you want remote start by phone app, you have to purchase a separate device and service to get that; the device has to be installed and of course has a cellular modem. If they already had a cellular modem in there, they wouldn't require you to purchase and install another module.

Re:Okay, this is getting ridiculous

[Sloppy]

I think he's talking about car salespeople, not tech people.

Re:Okay, this is getting ridiculous

[The+Grim+Reefer]

You still have a blue tooth radio, it's certainly safer, but there's still a receiver in your car. My guess is that at some point it'll be easier for them to install it at the factory on all cars. Or it'll become a government mandate. Actually I wouldn't be surprised if the insurance companies start giving a paltry discount for having it. At that point most auto manufacturers will.probably follow GM and just put it in everything.

Re:Okay, this is getting ridiculous

[umStefa]

There is! The car you are looking for is called a Used Car and as an added bonus it is significantly cheaper than any new car on the market! Even better is with the money you save you can not only purchase a full set of tools to maintain and repair the car, so you won't need to take it to an overpriced mechanic!

Re:Okay, this is getting ridiculous

[KGIII]

uConnect does have cellular - they're Dodge. You see it in the Ram, Charger, Jeep, etc...

If you want something without it then go for a fleet vehicle. You can order them by going to the dealership, you don't need to buy them in bulk. I've never ordered any online and never noticed a way to order them online. You probably can.

My suggestion is to find a nice, reasonable, older car and get it full restored and then maintain it properly. It's usually much nicer on the environment than the costs that go into making a whole new car or even recycling and old one and then incorporating what can be into a new car - and that's counting the lower mileage one might get with an older car.

Depending on what you purchase, you can find something that's reasonably safe and then add any additional modern features you want. Best of all, you can often find a car you could never afford when you were younger, fix it up to like-new condition, and do so for less than you'd have paid for a new car. Just don't fall in love with it - it's a car and it will break your heart if you fall in love with it.

A mid-1990s BMW 750 can be had and done up for under $20,000 and you'll find them with just 100k on them and be able to pull another 400k out of it pretty easily just with maintaining and driving it reasonably. I sent a 1988 Honda Accord LX back to Japan to be overhauled by a guru and the whole thing, including shipping, was about $20,000 and that includes purchase price. An '82 Volvo 245 can be sent to Oregon and patched up, skid plate added, stiffened, and some minor tweaks - then painted and all the bits and pieces put back properly for about $25,000. A 1973 Jeep Wagoneer can be done for under $10,000 unless you get extravagant.

There are lots of choices and those old cars need some love. They're still fun cars. They've got loads of life in them. Yes, I have a new BMW but that doesn't mean the rest don't get driven. I own 'em all, and more, for a reason. Get a nice 1990s Saab 900S Turbo, get it overhauled, the turbo rebuilt, and you're out $7500. Throw some Pirelli tires under it and it's like a hippie in Berkenstocks. It'll stick to the road until it dies - and it's a boat load of fun.

Hell, if you want to get fancy, you can find a 1978 911 in Targa trim and get a full factory restoration for less than the cost of a new 911. Once you get used to that little ass-wiggle, it's a bunch of fun. You can certainly do that for a lot less or you can get a full restoration done and it's still cheaper than a new one. You can put a Ford Mustang's 5.0 (it fits just fine, a little tight but it fits) into a 1980s Volvo 245 and make the ultimate sleeper - for under $20,000 - easy. That's not even doing the work yourself but it is starting with something that's in good shape - otherwise add 20%.

There are some options - find something you wanted a whole lot when you were a kid. Now, find something more practical than that. Buy that one. Restore it. Maintain it. Enjoy it. It will last the rest of your life. Automobiles, properly treated, can last a very, very long time. They just need to be treated well and maintained well. It's really less expensive to do this with a decent older car. It's also better for the environment (oddly enough) to use an older car (even if it gets horrible mileage) than it is to create a new one. Lots of resources and energy go into making a new car and in recycling an old one. Think of them as cute kittens and in need of a loving home.

Re:Okay, this is getting ridiculous

[Anonymous+Brave+Guy]

Insurers, perhaps, but manufacturers, I'm not so sure. If they really wanted to, wouldn't they have done so by now?

Realistically, the two have to go in sync, because manufacturers with phone-home technology are only likely to directly profit from it once they have deals in place with insurers or other third parties.

Perhaps the cost of the cellular service per-car isn't worth the data they'd get from it.

That is extremely unlikely, particularly when high-end cars increasingly have built-in data connections for sat-nav and similar facilities and these features are slowly working their way down into the mainstream.

Finally, you're already proven my point. The systems you list do not have any kind of data connection.

Some do, some don't. Volvo cars with their Sensus scheme do, for example. As I said in my first post, I'm afraid your information is out of date.

Re:Okay, this is getting ridiculous

That's tinfoil-hat territory.

the guy you replied to is dumber than dirt - don't post much but it is worth it atm

Re:Okay, this is getting ridiculous

[mrchaotica]

I have three cars: a '90 Miata, a '96 Ranger (with an aftermarket radio that does not support metadata), and a '98 Beetle TDI. Only the Beetle has any chance of having a CAN bus, and I don't think it does because the early '98s actually used some leftovers from the VW MK3 platform instead of being proper MK4s. For example, my Beetle is one of the few that came without anti-lock brakes, and when I got a chip tune the tuner had to de-solder the memory to re-flash it instead of uploading the tune via the OBDII port. The Beetle's radio also does not support metadata.

Re:Okay, this is getting ridiculous

[mrchaotica]

Another neat option for the paranoid would be a '70s or '80s Mercedes diesel. Those things had completely mechanical fuel injection and (obviously) no ignition system, so if you were willing to bump-start the car it could be used with no electrical system at all. Totally EMP-proof.

Re:Okay, this is getting ridiculous

[superdave80]

My 1999 Ford Mustang disagrees with your ABS assertion.

Re:Okay, this is getting ridiculous

My '06 Corolla "S" model has no antilock brake system.

Re:Okay, this is getting ridiculous

[Grishnakh]

Wow, that's really crappy. My 1994 Integra had ABS, and it wasn't exactly the most expensive car on the road back then.

A little bit of research shows that apparently, ABS was not mandatory in the US until 2012 when it was required in conjunction with electronic stability control (ESC).

Why on earth would you buy a car so cheap it doesn't come with ABS? If you're that hard-up for cash, you can get a much better deal on a used car than getting a stripped-down new one.

Re:Okay, this is getting ridiculous

[Aaden42]

My better half has an '01 VW Cabi (another MK3.5...). It's not standard CAN bus, but it does have a fair bit of integration between the various modules, all accessible through the OBD port. Radio is queryable (or was when it was still factory...), which suggests that attack against radio would be a starting point to the rest. The other "interesting" stuff like ABS, etc. shows up too. It's not as strongly integrated as the newer standard CAN bus V/A Group cars are, but still a lot of stuff that can talk to other stuff.

Dunno how much difference '98 to '01 made.

Re: Okay, this is getting ridiculous

Two problems here:
1 you're wrong
2 you don't know as much as you think you do but your know it all attitude won't let you keep your mouth shut.

Re: Okay, this is getting ridiculous

Again, you're talking as if you're a mechanic. You're not!

Re: Okay, this is getting ridiculous

Nobody in the US calls them haul trucks. You ain't from around here!

Re: Okay, this is getting ridiculous

[Grishnakh]

Fuck off, asswipe.

Re:Okay, this is getting ridiculous

> If they already had a cellular modem in there, they wouldn't require you to purchase and install another module.

Sometimes one hand doesn't know what the other is doing. Sometimes companies cripple products for market segmentation.

Re:Okay, this is getting ridiculous

Nothing much can be done with the song title data though, apart from displaying prank messages and hoping the driver is listening to the radio, and pays attention to their radio instead of the road. The Traffic Alert signal, or better still the Emergency Broadcast feature, which generally can't be disabled, on the other hand can bump the volume up and interrupt other music. Though in the US, EON isn't generally available, so you have to be jamming the local broadcaster's signal well enough to get yours over the top for the full length of time it takes to get your message across. With EON, you only need to jam for long enough to send them to a clear frequency for your nefarious broadcast.

Re:Okay, this is getting ridiculous

Find an exploit in the parser for metadata, 0wn the radio.

Good luck with that. The fields for RDS/RDBS are all fixed width, and the embedded developers who wrote the software for that radio have a strong aversion to things like dynamic memory allocation and null terminated strings.

Re:Okay, this is getting ridiculous

[TheCarp]

Is it really even paranoia? Sure an EMP is very unusual but, we certainly have the ability to make them and there are some rare natural events that could cause similar disruptions; and forget EMP, far more mundane things can happen to remove one from easy access to the comforts we know and love today.

There are a whole host of scenarios that, while each one is of very low probabiliy of happening on any given day....given a time horizen of a few decades, the probability of one of them happening gets pretty high.

Economies crash, natural disasters happen, civilizations crumble. The odds of any one disaster may be low but the odds of some disaster in ones lifetime? Pretty decent overall, especially since it can hit so many at once.

Re:Okay, this is getting ridiculous

[beastofburdon]

Think again. I owned a 2002 Jeep Liberty which did not have ABS, and it was obvious when you tried to stop when the road was wet.

Seriously?

[chubs]

The FBI is warning the public that it should take steps to protect itself from people breaking into computers? Isn't it in a legal battle with Apple because Apply is taking steps to protect consumers from people breaking into computers?

Re:Seriously?

[tsa]

Indeed. I was just going to post that phone hacking is also a Real Risk.

Re:Seriously?

[mlw4428]

Yes and no. What the FBI wants is a way to do something to a phone to disable the "account lockout/erase phone" functionality on an iDevice so that they can just run password attempt after password attempt at the device and bruteforce their way in totally unhindered. The whole encryption debate has blown into something where most people think the FBI wants to stop encryption. The specific order to Apple only specifies that Apple should allow them the ability to bruteforce their way in after supply a special passcode/certificate/whatever. The issue with the encryption is a supposition on the basis that a couple of the orders seek information from Apple, but Apple cannot provide the info due to the information being encrypted with keys Apple does not have and thus POSSIBLY Apple would PRESUMABLY, be ordered to write backdoors into their encryption routines.

Either way this is all a little stupid. Don't have encryption on the phones...just give the ability to create a container that I have root to and an application acts like Truecrypt and encrypts the container's storage. I'll store all my terrorist activity there instead. Or don't even give me a container and I'll still have an application that can encrypt text/images/etc and hide my terrorist activity there. There is literally NO WAY the government can win. As long as the internet exists, I can find and get software for my phone.

Re:Seriously?

[frnic]

Agreed there is no way the Government can win, since if they outlaw encryption only criminals will have encryption. And Apple turning off encryption does NOTHING to help or hinder the government, since the bad guys would simply add thier own as you say. However, if they turn it off, then everyone else suffers since they have no security - which Apple currently provides. Not all of Apples several hundred million iPhone users are geeks. I would hazard a guess that most aren't.

Re:Seriously?

[PatientZero]

The FBI is making it difficult for law-abiding citizens to rely on encryption for security yet doing absolutely nothing to stop criminals and "the terrorists" from doing so because, as you said, they can't. So why bother? Why endanger everyone else for zero gain?

Re: Seriously?

Zero PUBLIC gain. Depending on how tight your tin foil hat is, there are plenty of reasons for govt to want this.

Re:Seriously?

[Aaden42]

I think the FBI is content with having a publicly known method (IE real courts, not FISA) that they can access devices of not-all-that-savy criminals via standard warrant procedures. I doubt there are many at FBI that believe they can actually stop a highly dedicated adversary from using off the shelf encryption to prevent access. They’re looking for a non-extralegal way to get the low hanging fruit.

For everything else, it’s entirely plausible that NSA has a catalog of bootloader exploits for you-name-it and the ability to build their own custom software to brute force any passcodes. They just don’t want to use those for common thugs since disclosing they exist gives Apple et al. a chance to fix the vulnerabilities they’re using, closing off their access.

The iPhone case (they thought) struck a good balance between public outcry (ter’ism!) and information not really valuable enough to pursue extralegal means since the guy’s dead already. Looked like a good test case to get force of law behind making manufactures build their backdoors for them. If they succeed, they just get a warrant to get all the “easy” stuff without having to spill the beans on anything they’ve developed on their own. They can keep the top-secret expoits to use against data which is considered worth the risk of exploit disclosure, in cases where they have no intent of going to trial, etc.

Re:Seriously?

[Sloppy]

The FBI is warning the public that it should take steps to protect itself from people breaking into computers? Isn't it in a legal battle with Apple because Apply is taking steps to protect consumers from people breaking into computers?

No.

The FBI is in a legal battle with Apple, because back in 2013 Apple didn't try hard enough (in hindsight) to protect consumers from people breaking into the computer Apple was selling at the time. Thus it turns out that with some minor changes to its firmware, it'll be practical to bruteforce that computer's crypto. (Think about how unusual that is!)

If they had found a newer computer which is harder to break into, there's no order they would have been able to reasonably ask the court to give to Apple. What would the order have been, "Apple, perform magic?"

Re:Seriously?

[KGIII]

They're not bruteforcing the crypto. Not really. They're bruteforcing the PIN. It's not really a semantics argument. At least not in my head. This just just attacking the implementation of the crypto and not the crypto itself. Make sense?

Re:Seriously?

Bingo! Thank god someone else can see what's going on.

Re: Seriously?

Now you're just being a nerd. There is little difference between wanting a way to brute force hack it or just opening the door on up. They don't need either ability.

You can't have it both ways...

[Revarg]

The FBI can't complain about security flaws while taking Apple to court to mandate broken security. It is disturbing that they can't see how broken their logic is.

Re:You can't have it both ways...

It depends on how you think about organizations. "The FBI" isn't necessarily one cohesive organization. So they can certainly have completely opposite agendas going at the same time.

But I'd totally agree with you that the reality is that the tools to break into computers are the same damn tools used by the FBI and criminals. If the FBI can use it, so can criminals.

The problem is that people aren't really used to this idea that "big powerful tools" are easy to replicate. That sort of works in the physical world where you need more "stuff", and therefor more money to make big impacts on things. I can't buy or develop an F-15, fully loaded with armaments. But I can buy and/or develop very powerful hacking tools with very limited resources. That only gets easier if you make the target softer.

Re:You can't have it both ways...

You don't understand. It's okay, government logic is made for the upper echelons.

You hacking into cars is bad, beyond bad. It's verboten. Government hacking into cars is okay, because they lead the masses. To do that effectively, they must make sure that they have more power and leverage than you do.

Re:You can't have it both ways...

Maybe the FBI isn't complaining, they're just reminding people that car hacking is possible. After all, it's a side-effect of their stance against strong security. The risk of car hacking is one of the many prices that we have to pay if we want the FBI to catch terrorists.

Re:You can't have it both ways...

We here at the FBI do not have a sense of logic we're aware of. May we come in?

Re:You can't have it both ways...

[Grishnakh]

That's because you don't understand their logic.

Their logic is that what they want Apple to do is to put in a back door so they can get the data on anyone's iPhone. They simply don't believe that this back door could possibly be used by anyone else.

It's just like those dumb TSA master keys.

Re:You can't have it both ways...

American levels of doublethink are astounding.

Re:You can't have it both ways...

[Sloppy]

Some people speculate the FBI would like to mandate broken security. That's a believable speculation (and it got more believable after the president's "black boxes" comment); I am not going to say you're wrong.

But if you're trying to imply the Farook iPhone 5C case is about mandating broken security, then you are definitely wrong. That particular phone already has broken security.

(How do we know it's already broken? Because the FBI has identified a plan to bruteforce the crypto in a reasonable amount of time (with a little help from Apple), and Apple knows that their attack will work (and make them look bad, I guess?). Apple can already break the iPhone 5C. That's why the FBI is trying to get their help.)

It's not normal that your computer manufacturer can break into your computer. If you buy a Dell machine and the FBI asks Dell to crack your GnuPC files, they're going to be forwarded to Sales about their bruteforcing supercomputers inquiry. This whole phone thing is really weird and you should think about all the reasons why it's weird.

None of this relevant anyway, to whether or not your car is running some really bad code. Nor does it have bearing on whether or not you can audit and maintain that code.

Re:You can't have it both ways...

[penguinoid]

Be afraid. Be very afraid. Sincerely, the FBI.

PS: We are here to protect you.

Classic Cars

[invid]

From now on I'm only buying cars built in the 20th century.

Re:Classic Cars

[WheezyJoe]

I sympathize, but don't get in no accident. I remember my little rocket from '94, fun but no sun-roof, no power windows, no power locks, had to jury-rig a chirp-chirp alarm/kill-switch, no side-airbags, no anti-lock brakes. Fast, but it did NOT crash well.

Not quite the suicide machine as my college car, a '72 Olds with NON-POWER DRUMS on ALL WHEELS (you had to stand on the pedal to stop hard... if it worked at all due to a flaky master cylinder), but still, by today's standards, even my '94 was a death trap.

Now, we're going to see all cars with automatic braking in six years. More electronics, more complexity. But if it works, it will save lives. Shit, I used to think anti-lock brakes were too complex to mass-produce and work well, like I didn't want some jiggy contraption getting between me and my brakes. Sho' nuff, it's 2016 and they work great. They even got 'em on motorcycles.

So, particularly if you got kids, you're way better off in a new car then taking your chances in some old bolt bucket. Maybe car hacks raise the risk of theft, but older cars are child's play to break into. Maybe some monster hack might tinker with your car while you're driving, and that would be bad, but I'll warrant the BEST ODDS of that happening to you are TINY compared to being T-boned by a drunk. So, you're WAY better off in a new car, hackable or no.

Re:Classic Cars

[Bob+the+Super+Hamste]

You do know that there were non shit cars available in the 90s. My last daily driver was a '97. Sun roof, power windows, power locks, leather seats, tire boiling power if you wanted it, alarm, side air bags, brakes that could put you through the windshield if you weren't belted it. Even in the '80s there were non shit cars, just mostly non american ones. Hell even my '85 528e had an air bag (first year available IIRC), power windows, power locks, 4 wheel disk, sun roof, power seats, power mirrors. That 528e was safe too, I got rear-ended while stopped by some drug addled Mexican who was going 55-60 mph, totaled that car but I walked away without a scratch. I was more pissed because that was my first non trash car and I only owned it for 9 months.

Re:Classic Cars

[93+Escort+Wagon]

From now on I'm only buying cars built in the 20th century.

I've got a 93 Escort Wagon that I'd let go... for the right price.

More seriously - I use this thing mainly for the few-mile trip between our house and the transit station. It's been pretty reliable, all things considered, and has saved us a ton of money (having to put $1000 or so into it every two or three years is nothing compared to most car payments). But we are looking at replacing it mainly because I don't particularly want my daughter driving a car without air bags or antilock brakes.

Re:Classic Cars

[Nethead]

I love my '98 Volvo V70 wagon. Most comfortable car I've ever had. I travel and rent a lot of the newer cars and none of them I'd want to have to spend +$30k to "upgrade." Yeah, the new Avalon is very nice, but not $30k nicer. Did I mention that I got the V70 for $1,800. It has traction control, ABS, power windows, 4 wheel disc, sun roof, and the nicest power leather seats.

Even my 2001 Volvo S60 has side bags.

Re:Classic Cars

[Nethead]

Oh, it has a fucking ashtray too!

Re:Classic Cars

[WheezyJoe]

Ashtray??? Fuckin' WORD!

Kids today expect cupholders, but back in the day we had ashtrays! My '94 had back seats that no-one bigger than a tween would fit into, but they had a fuckin' ASHTRAY!

Re:Classic Cars

[thegarbz]

Even my 2001 Volvo S60 has side bags

Side bags? How quaint? Why would you want airbags? The current Volvo S60 barely crash at all with collision avoidance systems, auto breaking on the highway, lane keeping technology, driver alertness detection, better automated highbeams, adaptive cruise control, queue assist to help you not screw up in stop / start traffic, cross traffic alert while reversing, and some other older features like traction control too.

Point is, for every "good car" you can quote from 15 years ago, if you compare them to current models they are STILL behind in safety features.

Re:Classic Cars

[KGIII]

Dude, that car is your namesake. It's your moniker. You can't just let that go. That's against the rules. It either needs to be kept and treated accordingly, perhaps like a shrine or, alternatively, it needs to go out in spectacular fashion which may, or may not, cause injury, maiming, or death. Seriously, you can't just let that car go. No way... That'd be against some sort of rule. I don't know which rule but it's certainly a rule.

At the very least, it needs to go in spectacular fashion. This can be as simple as a bonfire by "accident" or selling it to a teenage boy for $200. Ideally, it should involve a great story, preferably involving screeching tires, broken glass, crunches, cliffs, and frightened passengers screaming about a deity. (Surviving is good. Try to do that - a good scar is handy, keep that in mind.)

Given the age of your account, the username, the odds of you having two vehicles of same type and year - and I'm guessing that's where your username came from. You, you can't just get rid of it... No!!!! The car gods will not forgive such. At least just get a second car and use that one as a lawn ornament. (Depending on where you live.) Put it in storage and lie to yourself about how you're going to fix it up some day and let some confused young soul find it at your estate sale in 50 years. Get a collection of all your Slashdot posts, to date, and put 'em in the glove compartment to confuse the poor soul even further. Take pictures and use a bunch of gasoline, tannerite, and a .50 cal muzzle loader. Anything... Something... But don't let it go out with a whimper.

Re:Classic Cars

[93+Escort+Wagon]

Knowing me, I'll find a way to hang onto it. Thank you!

And the only thing that'll save us...

[Type44Q]

...is to backdoor those bitches!

Oh take a fucking hike

Organization trying to force companies to build backdoors into their products warns of hacking risk.

You fucking think, you brain-dead cunts?

Therefore we need LESS encryption, right?

Your friendly neighbourhood FBI agent.

Can someone please hack my car...

And turn it into KITT?

The manufacturers should be forced to...

[Plumpaquatsch]

The manufacturers should be forced to do something to make cars unhackable. And then to add a backdoor, so the FBI can get in, because else the terrorists win.

Wait until they claim they need access

Yeah, and next week the FBI will say they need to be able to remotely control/track our vehicles to be able to catch terrorists -> criminals -> tax evaders -> jaywalkers -> politically inconvenient people. It will be totally secure though, because only the FBI/Government will be able to do it, and it's completely legal because of 16th century English common law and they have secret court rulings we can't read to back them up.

Be Afraid

Your data might not be secure! Give us more money for the FBI Computore Labe.

Also.

You can TOTALLY trust us with the keys to all iOS devices because no one will EVER steal them. .....

What?

FBI's help?

[softnewsit]

Did you really need the FBI telling you this to know it's a problem?

Re:FBI's help?

Michael Hastings found out the hard way, thanks to that very Agency. Ironic, isn't it?

No kidding....

[Kinwolf]

That's what Volkswagen is trying to tell everyone, their cars emission control software has been hacked!!!

The Real Threat

[frovingslosh]

So Slashdot accepted this story, but they rejected my submission that "Car Hackers Warn That FBI Is A Serious Threat".

Whaddaya bet?

Whaddaya bet that within a year of this solemn warning, the FBI will start demanding admin access to all connected vehicles on request -- forced braking, killing engines, lights, steering, door locks, etc. -- in the name of stopping child pornographers and terrorists. (Assuming they haven't already done so.)

And with zero sense of irony!

Re:Sexconker Warns

MOOOOOOOO!

It IS the real threat!

[mrchaotica]

You say that like you're trying to make an Onion-style joke headline, but -- like the Onion often is -- it turns out to be more valid than you think.

However, I'd say the bigger threat in that case is copyright law and DRM, rather than the FBI.

new automatic brake rules

promoted in the spirit of safety (which is laudable in an era of distracted driving, etc)... but, did anybody else see this as a way to mandate that law enforcement had a means of remotely/electronically disabling your vehicle?
http://www.usatoday.com/story/money/cars/2016/03/17/automatic-emergency-braking-coming-all-cars-2022/81907516/

Naturally, for your own safety...

[nashv]

The FBI would like to have the keycodes to open every car in America. It stands to reason that terrorists are using cars to get around their bombing/gunfight missions. To screen for potential terrorists, the FBI will now use the All Writs Act to force all car manufacturers to give the FBI the key to every car sold.

Re:Sexconker Warns

[Bob+the+Super+Hamste]

I think I need to go and register for a few write in campaigns. In Minnesota for a write in to be valid they need to register and personally I would vote for a pile of rocks as it seems a good way to vote none of the above.

If a Hacker...

...hacks into a car and causes, accidentally or on purpose, an accident, will they still be called a "researcher" and will Slashdotters still insist it was the driver's fault for having a hackable system in their car?

Re:If a Hacker...

Overlooking the logical holes in your fallacious argument, this is why self-driving cars are a stupid idea in the first place.

Is this why Verizon (and now Sprint) block IRC?

[Power_Pentode]

Back in 2012 or 2013 I was really annoyed when Verizon started blocking access to my favourite IRC servers, and they never did give me a satisfactory answer for why they were doing it. So I switched to Sprint. Within the past few months Sprint also started blocking IRC and it didn't make sense until I read the linked FBI announcement just now.

"Before the researchers report was released, the cellular carrier for the affected vehicles blocked access to one specific port (TCP 6667) for the private IP addresses used to communicate with vehicles"

6667, the default IRC port. Those carriers seem to have blocked port 6667 completely.

Re:Is this why Verizon (and now Sprint) block IRC?

[iggymanz]

I still use IRC and no network I know of only uses that port. heck, a couple even run servers that will take connection on any port

good guy with backdoor access

[j2.718ff]

The only thing that can protect you from a bad guy with backdoor access to your secured system is a good guy with backdoor access.

Michael Hastings

[Rujiel]

...would probably disagree with you, if his car didn't accelerate out of control and explode against a tree. CANBUS manipulation is also an option.

Government be like

Hey I know you are trying patch the security holes in your product but please, just for us (wink wink), add a security hole for us to get in...

let's build in some back doors...

If it helps fight terrorism, surely it'll make our cars safer :)

Dear FBI....

[JustAnotherOldGuy]

Dear FBI,

No shit.

Signed,

Everyone in the universe who's been paying attention

how long has captain obvious worked for the FBI?

[rbgnr111]

Wasn't this in the news over a year ago. I though by now everyone knew this... I guess not the US Gov...much like the fact that you can do things... good and sometimes bad with computers.. this must be a recent and frighting revelation for them.

They urge the public??

This 'public' ship is so massive and slow it can't respond quick enough. We're supposed to have laws in place, guided by sound scientific principles for the greater good. Instead our Industry asshats push political agendas for maximum gains, leaving the consumers to choose between getting hacked by co. A or co. B..... Ain't the free markets great? IoT is gonna be a wet dream for nefarious.

don't connect cars

DONT CONNECT CARS.

...but they need to be able to do it

[Larry+Lightbulb]

Do any of the three letter organizations really want secure systems? Or just ones that look secure but really have enough holes so that they can monitor the use?

What Are Consumers Suppose to Do?

How can consumers possibly defend themselves or their cars. They have exactly zero control over the vehicles computer and electronic systems and are completely at the mercy of the manufacturers.

Things like yesterday's story about all cars having over the air updates by 2020 is a massive gaping Goat.se like security hole in their vehicle which absolutely opens the vehicle up for compromise, as has already been demonstrated. But, there is fuck all the the consumer can do about it that will protect them without rendering the vehicle completely inoperable.

The FBI and the NHTSA need to be telling MANUFACTURERS that they need to secure the vehicles AND that they will be held accountable for failure to protect the vehicle/consumer form these threats.

The FBI and NHTSA are simply setting the victims of future incidents up for 'I told you so', victim blaming.

It's fucking ridiculous! What is grandma supposed to do to prevent her new Cadillac from being hacked/hijacked?

Unintended consequences

[ZeroWaiteState]

The whole reason a hacker can remotely disable your engine is because police asked for that capability and now hackers have it.

Unfortunately

I trust the FBI about as far as I can throw them with my little finger. Naturally they will have a software or firmware based spying solution of their own to implement. No thanks, I'm safer without you, coppers.

The internet of things

[pebear]

This is what happens when someone thinks it's a good idea to have real time connections of the internal workings of your Vehicles and appliances on the internet. How long has windows been out and they are still finding security flaws? How long has Linux and Unix been around, same thing? This OS's have been around for decades and we still have monthly patches on them. I kinda like older tech for my vehicles. I like carburetors and points and distributors, why because they are Simon simple and you can fix them in a rain storm on the side of the road unlike if you had some sensor go out somewhere in your car and you had to trace it back. Simple, tried and true is usually better than modern and convenient. Because when your life depends on something, that is the day it fails or gets hacked into. I can hack into someone's car and I can turn off their brakes and speed up their engine. You can even shift their transmission fort them. You can kill someone remotely with these vehicles. Nice to know...

Just think of the planes.

What next? Everything is hacked. Fuck. We need more blind cunts to defend us.