One In Five Vehicle Software Vulnerabilities Are 'Hair On Fire' Critical (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes a report from Security Ledger:
One of every five software vulnerabilities discovered in vehicles in the last three years are rated "critical" and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive. "These are the high priority 'hair on fire' vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component," the firm said in its report...
The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation... The result is that vehicle cybersecurity vulnerabilities are not solvable using "bolt-on" solutions, IOActive concluded...
The article argues we're years away from standards or regulations, while describing auto-makers as "wedded to the notion that keeping the details of their systems secret will ensure security."
Maybe one day it won't sound like a joke.
Anyways, this sounds like a job creation program.
It's not like people have been taking apart their cars for years to use Chinese cloned spare parts.
Car manufacturers should know better than any other industry that their products will be taken apart, scrutinized, broken and replaced.
The recently publicized vulnerabilities in connected vehicles are examples of vehicle designers not understanding security threat models correctly (which also applies to IoT in general). In the rush for convenience and connectivity it is mind boggling that they wouldn't make more effort if for no other reason than to avoid the negative publicity.
The easiest thing to do in these critical vehicle systems is to outright air gap them. There is no reason that there should be any network connection to the autopilot or auto-parking or braking system of a vehicle unless the threat model and the subsequent design of security was sufficiently thorough. Until that happens, it should literally be a discrete action by the driver through a physical interface inside the vehicle and at most have a one-way reporting interface that can be picked up by a network interface.
The other thing that can be done is to hardware-interlock the network connection. For example, the steering motor controllers for automatic parking should have a logic AND control to the speed of the vehicle so that anything above a certain speed disables the motor control at a hardware level. At that point, one would have to physically tamper with the vehicle to overcome this safeguard, but if you could do that there's a lot more mayhem you could create anyway.
How many people have an Internet connected vehicle?
Plugging something into the service port is not a vulnerability.
gnu public license
make available if you distribute it.
get your facts right and keep your fud,
I would be pressuring various governments for regulations as a car company for a legal out. So that when they get sued they can say "we followed all the government regulations" which puts the onus on the government and not the car companies.
The one that causes your sunroom motor to overheat, which causes your hair to catch on fire - this is (hair on fire)^2; quadratic fire events are always bad.
Whose hair? You nerds still fail to realize that people don't give a fuck about "security". Convenience and functionality trumps all.
STFU! I'm driving!
Regulations typically only set minimum standards. Showing you followed regulations might help to demonstrate good faith, but I don't see why it should be a get out of jail free card.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I understand what you're getting at and mostly agree. My only comment is that once you design these big in-vehicle fully-connected systems to do stuff like report on steering angle and live fuel pressure or whatever else, it's awfully tempting to turn around and implement the PUT or POST to go along with those GET APIs so that all your dealer diagnostics and datalogging tools just hook into the same point everything else does. It reduces the number of different systems and interfaces you have to design, implement and debug.
I have no data on this, but I suspect cost cutting measures have to be insane at auto makers. I recall buying a nice turbo AWD Eclipse in the mid-90s for nearly $30k. Twenty years later and I can still buy a nice turbo AWD car for just a little more than that and this new car will have VASTLY superior features all around. The cost difference barely accounts for inflation. How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
So I suspect this all comes down to trying to push more stuff through that new system to save a few bucks somewhere and then skipping that whole "security" check in the process.
I said it before, and I'll say it again - fuck off you slimy shill. And no, we're not your friends, you spoon.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Tell us something we don't know. Software is invisible, practically abstract, hardly real, almost like magic. How can you expect anyone but software developers to grasp anything related to software, especially things that don't appear to change functionality? There is never enough time to do it right, and "hair on fire" isn't going to change that.
Things that require physical access are a non-issue. I could just as easily swap in my preprogrammed computer of death or simply cut the brake lines.
What happened to this place? It used to be welcoming...
I get that digital technology has brought a lot to the party when it comes to efficiency, emissions, and other important performance metrics. But cars are one-tonne-plus hunks of metal which contain human beings and regularly travel at speeds in excess of 30 metres per second. Do we really want them connected to the same Internet used by Nigerian scammers, Ashley Madison hackers, and Donald Trump?
The IOT - I guess it's not just for toasters any more...
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
On an unrelated note, it's amazing that they spent thousands of man hours modifying the kernel and nobody at any point in time decided to read the licensing terms.
I know it's a joke post, but it still reads more like an incompetent company story than a Linux failure story.
Making it do the thing it's supposed to do is usually one of the easier parts of software development. Making sure that it won't do things it's not supposed to do is harder. The hard parts of software development are expensive, but omitting them is even more expensive.
I would much rather have these vulnerabilities than to have my hair on fire.
If you modify the kernel and then distribute that modified kernel, yes, you are required to distribute those changes also.
As for actual programs you write, you do not have to release the source just because it is Linux. You do not have to release the source just because you compiled with gcc etc. If you modified an existing program that was GPL or used GPL code in your program, then yes, you would be required to release the source code.
However, if you wrote the whole thing from scratch as you claim, you would NOT be required to release the source for the software as GPL. There are a LOT of closed source Linux programs out there.
Before you start making claims like this, you may wish to learn the truth.
This place has never been welcoming to idiots who copy/paste ancient troll stories, especially when they forgot to adjust their numbers the first time to make the troll posting obviously copy/paste (in the "original" posted recently here, the rewrite was for Windows 2000).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Still not convinced that a car works better when it has all its bits connected to a network. ECM, sure. Connected by wires to the things it needs. Done.
Back in the early 80s when Bosch invented the CAN bus, security was a non-issue. For more than one reason. First, no critical system of the car was part of the bus system. It was mostly used to easily bundle electronics so you don't have to run 200 cables across the car just to transmit different signals. Second, microelectronics wasn't so advanced that you could implement some huge protocols with security in mind, you were lucky if you found chips that could at least find out what signals were for them. And third, there were no "open ends" so to speak, there was no Bluetooth, no wifi and most of all none of all this ended at the user side of the car, the user had zero chance to mess with the whole deal.
But you know how it is, things grow and specs don't change. Because if you changed them, the existing technology wouldn't be compatible anymore, you'd have to develop new shit, your workers would have to be retrained and in the end, the whole crap simply costs more.
And today we're now at this mess where we have a totally insecure bus that pretty much takes whatever signal you put into it without bothering to question the source that connects mission critical systems (from door opening to brakes) along with user space gadgets, and of course wifi, bluetooth and various other ways to connect wirelessly, from inside or outside the car.
It does not take an expert in information security to see why this could possibly hint at being a wee bit of a potential problem, does it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes. The problems are 100% solvable, using well-established and longstanding techniques.
Textbook stuff, really.
But, in the rush to get more software developers in the labor market, everything hard or boring is stripped out of the software engineering curriculum at most colleges. In the rush to get products to market (and the push to keep costs down), cheap green developers are hired to the exclusion of senior level talent, and deadlines are set which are so aggressive that they preclude the possibility of properly integrating security concerns into analysis, design, and testing.
So, the problem here is not that the right answer is out of reach, but that economic forces make the right answer undesirable. The solution, then, is to modify or introduce new economic forces (e.g. regulatory laws) that change those incentives.
Nice in theory, but I don't think that is extremely practical in the real world, where diagnostics and logging are real requirements. And it's not as though the throttle pedal position information goes only to the engine controller - it surely is needed a lot of other places (such as the braking module, the cruise-control module, perhaps the entertainment system (for speed-controlled volume), etc.). The model implicit in your comment may have been valid thirty or forty years ago, but things are a lot more complicated now, and a far more complicated and nuanced security model is needed now.
You want to call it "engineering"? Then make it ENGINEERING, with actual consequences if you write bad code.
You call it "art"? You wanna do "art"? Go to Michael's and get your ass some fucking finger paint.
No Internet-connected vehicle. No wireless unlocking or ignition switch.
And no hair.
Have gnu, will travel.
yep. in a nutshell: security costs extra. that don't work with today's business models/practices.
VW is just the first mega-liability case even though it is between governments and VW, with some benefits going to VW owners.
The next issues are likely to be gigantic class action cases which might bring a car company to its knees.
He's a troll, copy/pasting shit from years ago. And no, just because you use gcc to compile your code does not mean you have to publish your source under GPL. If you modify existing GPL code and distribute it, you do have to make your updates publicly available.
The world is not the same everywhere.
In the US you can do what you want, and pay big if you mess up.
In the EU you're strictly limited to what is allowed, but significant fines don't exist while you comply.
Along comes TTIP. Where what is allowed depends on the home market, and the fines on where the product is sold.
Phys.access not required. When some chinese sells a key fob that unlocks any ford built after 2013 - they have a problem.
When a researcher demoes a special mp3 that disables the brakes on some cars (hackable stereo sits on the CAN bus) then it's over. Someone else will embed that into some popular pirated song...
... of which manufacturers take vehicle systems' security seriously and which don't?
How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
That's just the nature of progress. The ability to buy a new 1TB HDD now for the cost of a 1GB HDD 20 years ago doesn't mean that the designers aren't making the same or even more profit on them.
Frakkin' Cylons! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I'm expecting that TTIP is dead at this point. It seems to have become a toxic issue in several EU member states and senior government officials have started overtly challenging its credibility. Plus with the US election coming up and Hillary Clinton publicly saying she won't support TPP, it would be difficult for her to come out in favour of TTIP, and with Brexit still a big issue, the last thing the EU needs is to be seen to be weak in international trade negotiations.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Cars were never built to be secure. Not one of these hackable technology issues is anywhere near as dangerous as all of the other dangers that have always existed for moving vehicles.
Some thought experiments for you:
imagine taking a handful of ball bearings, and tossing them off of a bridge over a busy high-speed highway.
imagine, late at night, grabbing a paint brush and some yellow/white paint, and "adjusting" the lane markings on the empty-but-will-be-busy-come-morning-rush-hour road.
imagine, driving a remote-controlled toy car onto a busy road.
imagine, throwing a rock at high-speed traffic.
imagine, a paint-filled balloon sitting on the road.
imagine, a little bit of olive oil on the road.
car doors are easily opened with a hanger. windows are easily smashed with a rock. brake lines are easily cut with a knife. tires are easily punctured by just about anything. vision is easily blocked and even more easily blurred.
our system of vehicles and roadways has never been based on security. dammit, we have 120kph traffic, separated by a yellow line of paint! Think about the 240kph collision. Think about the pile-up.
If I wanted to promote a security consulting business, I could identify a niche of that market and make up a bunch of stats for that market that show a need and enough people might buy into what I wrote that I could get some consultancy business.
The IOActive white paper seems to be a security analysis based on a review of other works, not work that they did themselves. The numbers are estimates based on their analysis, not measurement of real world vulnerabilities.
Connected cars are likely full of security holes and they are one reason that I am avoiding buying a new car. However, I don't think that this white paper describes the actual state of the security of connected cars.
Surely nobody is going to go seek whether or not they have a car in the "20% hair on fire" category.
Who reads this bullshit that isn't a fed? /2016/08/one-in-five-vehicle-vulnerabilities-are-hair-on-fire-critical/ /download/227664/
https://securityledger.com
http://www.infosecurity-magazine.com
Nobody is running around hacking your cars unless they are a fed. Vehicle software problems that are in the "20% category" are never hair on fire.
You fucking FBI douches. Burn.
Even the captchas are court related now. "arraign"
Windows 10, the spy choice for scoping on your naked kids on Skype.
Perhaps they just should move all the electronics to the trunk of the car (boot). After all, it worked for the server in Hillary's bathroom.
Folks, these *are* cars. Enough with the analogies. It's not "hair on fire" it's "car on fire". It's not "have an impact on systems" it's "cause impact with other cars, trees, bridges".
I work in automotive software/systems security. You have one thing precisely on the money: automotive is very competitive and, therefore, anally cost sensitive, especially cost-per-vehicle.
The main reason vehicles are so insecure is simply broken assumptions. Legacy designs, specifically in-vehicle network architecture choices, never factored in the connected car. The threat model only included local actors, and no one ever revisited that assumption until the problem was on the news.
Automakers were extremely slow to actually acknowledge this problem, and redesigning the internal electrical architectures in vehicles is not an overnight job. For the foreseeable future car security is going to revolve around more or less bandages to try to keep the legacy designs as secure as possible. Basically, a coconut design with high attention paid to safety electronics and ingress points. Depth solutions are a ways out.
The big problem is that the control networks in the vehicle have no security mitigations whatsoever. They were designed with local threats in mind only. Ditto with the network topologies. Security design flaws are broken assumptions, either broken from the get-go or broken because the world changed and the design didn't.
Your GET vs POST analogy is probably on the money, but there are actually worse problems than that. A lot of the data gathering performed in-vehicle is done over diagnostics protocols which are request/response formatted, meaning that in order to READ data, the telematics device must actually first request it. Combined with the fact that any party on a CAN network can send anything they want, you start to see the problem. A compromised telematics unit with access to a CAN network can impersonate the control systems on that network or anything else, like a mechanic's tool. Firewalling does exist in some places, but these devices are often not given the security scrutiny required. To us in the industry, the interesting part of the famous Jeep hack last year, was that Miller and Valasek were able to get past the infotainment firewall by exploiting an insecure software update mechanism on the firewall device.
In conclusion, in modern cars, there are a few layers of defense, but not many, and, for something as critical as control of your vehicle, today, there are not enough. There are still several places in modern cars where, if a few layers are broken, many control features are at your command. Adding proper authentication mitigations is coming, but a bit slowly.
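The comment above notes that telematics has to transmit requests in order to read data, so a gateway cannot simply make that segment receive-only. As an added example (not from the thread or from any vendor's code), here is a minimal C sketch of a gateway allowlist that forwards only read-type diagnostic requests. The frame struct, function names and the sample ID 0x244 are constructed for illustration, and it assumes the common 0x7DF / 0x7E0-0x7E7 diagnostic request IDs with ISO-TP single-frame UDS payloads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed frame type for this sketch; not a real CAN driver API. */
struct can_frame_t {
    uint32_t id;       /* 11-bit CAN identifier */
    uint8_t  dlc;      /* payload length, 0..8 */
    uint8_t  data[8];
};

enum verdict { FORWARD, DROP_ID, DROP_FORMAT, DROP_SERVICE };

/* UDS (ISO 14229) services that only read or keep a session alive. */
#define UDS_READ_DATA_BY_ID 0x22
#define UDS_TESTER_PRESENT  0x3E

/* Assumed diagnostic request IDs: functional 0x7DF, physical 0x7E0..0x7E7. */
static int is_diag_request_id(uint32_t id) {
    return id == 0x7DF || (id >= 0x7E0 && id <= 0x7E7);
}

/* Decide whether a frame arriving from the telematics segment may cross
 * the gateway onto the control network. Default is to drop. */
enum verdict gateway_filter(const struct can_frame_t *f) {
    if (f == NULL || f->dlc < 2 || f->dlc > 8) return DROP_FORMAT;

    /* CAN has no sender authentication, so any other ID coming from this
     * segment is treated as an impersonation attempt. */
    if (!is_diag_request_id(f->id)) return DROP_ID;

    /* ISO-TP single frame: high nibble 0, low nibble = UDS length (1..7).
     * Multi-frame requests are refused: reads never need them. */
    uint8_t pci = f->data[0];
    uint8_t len = pci & 0x0F;
    if ((pci & 0xF0) != 0 || len == 0 || len + 1 > f->dlc) return DROP_FORMAT;

    uint8_t sid = f->data[1];
    if (sid == UDS_READ_DATA_BY_ID)            /* SID + one or more 2-byte DIDs */
        return (len >= 3 && (len - 1) % 2 == 0) ? FORWARD : DROP_FORMAT;
    if (sid == UDS_TESTER_PRESENT)             /* SID + sub-function */
        return (len == 2) ? FORWARD : DROP_FORMAT;

    /* Write, routine control, I/O control, reset, download, etc. */
    return DROP_SERVICE;
}

int main(void) {
    /* Constructed sample frames. */
    struct can_frame_t samples[] = {
        { 0x7E0, 8, { 0x03, 0x22, 0xF1, 0x90 } },        /* read DID 0xF190 */
        { 0x7E0, 8, { 0x04, 0x2E, 0xF1, 0x90, 0x41 } },  /* write DID */
        { 0x244, 8, { 0x00, 0x10, 0x00, 0x00 } },        /* non-diagnostic ID */
        { 0x7E0, 8, { 0x10, 0x14, 0x2E, 0xF1, 0x90 } },  /* multi-frame start */
    };
    static const char *names[] = { "FORWARD", "DROP_ID", "DROP_FORMAT", "DROP_SERVICE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("id=0x%03X -> %s\n", (unsigned)samples[i].id,
               names[gateway_filter(&samples[i])]);
    return 0;
}
```

A filter like this only narrows what a compromised telematics unit can reach; as the comment points out, the gateway itself still needs a trustworthy update path.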
"They won't learn and downplay all the exploits until someone famous dies or gets injured from it." -FTFY.
"Well, good luck finding a judge that doesn't run a bestiality site."
The auto industry has been making cars that crash and burn their owners alive for decades and then try to cover it up. This is just the new hi-tech version of the same damn thing. Wasn't it Ralph Nader who forced them to accept just a few safety features? Doesn't look like he has a comparable contemporary these days.
anally cost sensitive
Your post is mostly pretty well-written, if a little workmanlike, and fairly informative to boot. But, and it's a big but, PLEASE stop using the word 'anally' in such a context. It could be substituted with 'extremely', and I wouldn't be left trying to work out what a man's anus might have to do with cost sensitivity.
That's not true at all. Physical access is required to steal a car, but ease with which this is achieved is far from a non-issue.
Every software team has to prioritize bug fixes, including security vulnerabilities. When deciding which ones to fix first, every team considers factors such as:
- severity - how costly is the damage that occurs from the problem?
- frequency - how often does it happen, or how often is it likely to happen?
- cost - how much does it cost to fix?
If a bug is really severe (bricks your device) but it happens only once for each 100 million installations, it might not be worth the effort to fix it.
I think the author is considering only severity when he refers to these issues being "hair on fire." But how often are these vulnerabilities exploited in real life? How does this frequency compare to, say, ordinary car theft? In the US, about 2,000 cars are stolen every day, mostly through low-tech methods. I doubt these security "flaws" are exploited anywhere close to that often.
I don't think anybody's hair is actually on fire yet.
"Hair on fire" means you have a hangover. Drink a quart or two of your favorite electrolyte water and take a bunch of B vitamins.
"Pants on fire" means you're lying. Maybe they were trying to call the auto manufacturers liars and goofed the idiom?
I'm not familiar with "hair on fire". Is that a higher priority than "lp0 on fire"? Does it notify via Morse code on the SES light? Is the code a P number, or ASCII?
Serious? Seriousness is well above my pay grade.
That said, if anyone wants to buy me a hackable car, I won't refuse it.
Do you think there are viruses and malware bots and DDoS bots and credit card number snaggers and Sony DNC Wikileaks hacks and all the vast universe of effective malware and breaches because we lack security experts or all the companies involved are always negligent? No. It's an arms race where bad actors get an equal vote. That is what we know, for sure. That accurately describes the state of affairs with respect to computer security as it has actually shown itself to be in a place called reality.
Now they're going to transfer that rolling crime scene into vehicles carrying people going 70 MPH where, like computers, each car is an individual target.
Yeah. Maybe that's not a good idea today, not just today, but ever. Wow, imagine that. An area of human endeavor where connected and otherwise remotely accessible computers aren't the SOLUTION, they're the PROBLEM.
Naw... that couldn't be right.
Or you could educate yourself, then you wouldn't confuse the usage with any particular man's (or woman's for that matter) anus.
Knowing the car industry, the parent is correct in their use of anally (retentive) when it comes to cutting cost-per-vehicle at all cost. They chase cents with a straight face, even though the car cost you tens of thousands of dollars. And for good reason. In many instances the car itself is mainly a loss leader to be able to sell service and spare parts. That's where the (at least main) income is. The margins in the car industry today are razor thin.
Stefan Axelsson
I understand what you're getting at and mostly agree. My only comment is that once you design these big in-vehicle fully-connected systems to do stuff like report on steering angle and live fuel pressure or whatever else, it's awfully tempting to turn around and implement the PUT or POST to go along with those GET APIs so that all your dealer diagnostics and datalogging tools just hook into the same point everything else does. It reduces the number of different systems and interfaces you have to design, implement and debug.
I have no data on this, but I suspect cost cutting measures have to be insane at auto makers. I recall buying a nice turbo AWD Eclipse in the mid-90s for nearly $30k. Twenty years later and I can still buy a nice turbo AWD car for just a little more than that and this new car will have VASTLY superior features all around. The cost difference barely accounts for inflation. How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
So I suspect this all comes down to trying to push more stuff through that new system to save a few bucks somewhere and then skipping that whole "security" check in the process.
Answer
Robotics and automated assembly lines did away with workers. It takes far fewer workers to assemble a vehicle today, than it required 5 years ago.
Leslie Satenstein Montreal Quebec Canada