One In Five Vehicle Software Vulnerabilities Are 'Hair On Fire' Critical (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes a report from Security Ledger:
One of every five software vulnerabilities discovered in vehicles in the last three years are rated "critical" and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive. "These are the high priority 'hair on fire' vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component," the firm said in its report...
The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation... The result is that vehicle cybersecurity vulnerabilities are not solvable using "bolt-on" solutions, IOActive concluded...
The article argues we're years away from standards or regulations, while describing auto-makers as "wedded to the notion that keeping the details of their systems secret will ensure security."
The recently publicized vulnerabilities in connected vehicles are examples of vehicle designers not understanding security threat models correctly (which also applies to IoT in general). In the rush for convenience and connectivity it is mind boggling that they wouldn't make more effort if for no other reason than to avoid the negative publicity.
The easiest thing to do in these critical vehicle systems is to outright air gap them. There is no reason that there should be any network connection to the autopilot or auto-parking or braking system of a vehicle unless the threat model and the subsequent design of security was sufficiently thorough. Until that happens, it should literally be a discrete action by the driver through a physical interface inside the vehicle and at most have a one-way reporting interface that can be picked up by a network interface.
The other thing that can be done is to hardware-interlock the network connection. For example, the steering motor controllers for automatic parking should have a logic AND control to the speed of the vehicle so that anything above a certain speed disables the motor control at a hardware level. At that point, one would have to physically tamper with the vehicle to overcome this safeguard, but if you could do that there's a lot more mayhem you could create anyway.
The one that causes your sunroom motor to overheat, which causes your hair to catch on fire - this is (hair on fire)^2; quadratic fire events are always bad.
Regulations typically only set minimum standards. Showing you followed regulations might help to demonstrate good faith, but I don't see why it should be a get out of jail free card.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I understand what you're getting at and mostly agree. My only comment is that once you design these big in-vehicle fully-connected systems to do stuff like report on steering angle and live fuel pressure or whatever else, it's awfully tempting to turn around and implement the PUT or POST to go along with those GET APIs so that all your dealer diagnostics and datalogging tools just hook into the same point everything else does. It reduces the number of different systems and interfaces you have to design, implement and debug.
I have no data on this, but I suspect cost cutting measures have to be insane at auto makers. I recall buying a nice turbo AWD Eclipse in the mid-90s for nearly $30k. Twenty years later and I can still buy a nice turbo AWD car for just a little more than that and this new car will have VASTLY superior features all around. The cost difference barely accounts for inflation. How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
So I suspect this all comes down to trying to push more stuff through that new system to save a few bucks somewhere and then skipping that whole "security" check in the process.
I said it before, and I'll say it again - fuck off you slimy shill. And no, we're not your friends, you spoon.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
I get that digital technology has brought a lot to the party when it comes to efficiency, emissions, and other important performance metrics. But cars are one-tonne-plus hunks of metal which contain human beings and regularly travel at speeds in excess of 30 metres per second. Do we really want them connected to the same Internet used by Nigerian scammers, Ashley Madison hackers, and Donald Trump?
The IOT - I guess it's not just for toasters any more...
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
I would much rather have these vulnerabilities than to have my hair on fire.
This place has never been welcoming to idiots who copy/paste ancient troll stories, especially when they forgot to adjust their numbers the first time to make the troll posting obviously copy/paste (in the "original" posted recently here, the rewrite was for Windows 2000).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Back in the early 80s when Bosch invented the CAN bus, security was a non-issue. For more than one reason. First, no critical system of the car was part of the bus system. It was mostly used to easily bundle electronics so you don't have to run 200 cables across the car just to transmit different signals. Second, microelectronic wasn't so advanced that you could implement some huge protocols with security in mind, you were lucky if you found chips that could at least find out what signals were for them. And third, there was no "open ends" so to speak, there was no bluetooth, no wifi and most of all none of all this ended at the user side of the car, the user had zero chance to mess with the whole deal.
But you know how it is, things grow and specs don't change. Because if you changed them, the existing technology wouldn't be compatible anymore, you'd have to develop new shit, your workers would have to be retrained and in the end, the whole crap simply costs more.
And today we're now at this mess where we have a totally insecure bus that pretty much takes whatever signal you put into it without bothering to question the source that connects mission critical systems (from door opening to brakes) along with user space gadgets, and of course wifi, bluetooth and various other ways to connect wirelessly, from inside or outside the car.
It does not take an expert in information security to see why this could possibly hint at being a wee bit of a potential problem, does it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
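Editor's added example, not part of the comment above and not code from any vehicle or vendor: the comment's point is that a CAN frame carries no proof of who sent it, so this sketch shows the receiver-side check that a truncated MAC plus a freshness counter makes possible inside the 8-byte classic CAN payload. The payload layout, key and arbitration ID are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

DATA_LEN, MAC_LEN = 4, 3  # assumed layout: 4 data + 1 counter byte + 3 MAC bytes = 8

def _tag(key, can_id, counter, data):
    # The MAC covers the arbitration ID and the full counter, not only the data
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(key, can_id, counter, data):
    """Sender side: build the 8-byte payload for one frame."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be 4 bytes")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, counter, data)

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, payload):
        """Return the data if the frame is authentic and fresh, else None."""
        if len(payload) != DATA_LEN + 1 + MAC_LEN:
            return None
        data, low, tag = payload[:DATA_LEN], payload[DATA_LEN], payload[DATA_LEN + 1:]
        # Only the low counter byte is on the wire; accept a forward step of 1..127
        delta = (low - self.last) & 0xFF
        if delta == 0 or delta > 127:
            return None  # replayed or stale frame
        counter = self.last + delta
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, counter, data)):
            return None  # sender does not hold the key, or the frame was altered
        self.last = counter
        return data

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    can_id = 0x1A0                 # constructed sample arbitration ID
    rx = Receiver(key, can_id)
    first = protect(key, can_id, 1, b"\x00\x00\x00\x2a")
    second = protect(key, can_id, 2, b"\x00\x00\x00\x2b")
    tampered = second[:-1] + bytes([second[-1] ^ 0x01])
    # genuine frame, replay of it, altered frame, next genuine frame
    return [rx.accept(first), rx.accept(first), rx.accept(tampered), rx.accept(second)]
```

A 3-byte tag is short; the truncation here is forced by the 8-byte payload, and the rejected-frame count is what a receiver would monitor and rate-limit on.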
You want to call it "engineering"? Then make it ENGINEERING, with actual consequences if you write bad code.
You call it "art"? You wanna do "art"? Go to Michael's and get your ass some fucking finger paint.
No Internet-connected vehicle. No wireless unlocking or ignition switch.
And no hair.
Have gnu, will travel.
VW is just the first mega-liability case even though it is between governments and VW, with some benefits going to VW owners.
The next issues are likely to be gigantic class action cases which might bring a car company to its knees.
... of which manufacturers take vehicle systems' security seriously and which don't?
How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
That's just the nature of progress. The ability to buy a new 1TB HDD now for the cost of a 1GB HDD 20 years ago doesn't mean that the designers aren't making the same or even more profit on them.
Frakkin' Cylons! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I'm expecting that TTIP is dead at this point. It seems to have become a toxic issue in several EU member states and senior government officials have started overtly challenging its credibility. Plus with the US election coming up and Hillary Clinton publicly saying she won't support TPP, it would be difficult for her to come out in favour of TTIP, and with Brexit still a big issue, the last thing the EU needs is to be seen to be weak in international trade negotiations.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Cars were never built to be secure. Not one of these hackable technology issues is anywhere near as dangerous as all of the other dangers that have always existed for moving vehicles.
Some thought experiments for you:
imagine taking a handful of ball bearings, and tossing them off of a bridge over a busy high-speed highway.
imagine, late at night, grabbing a paint brush and some yellow/white paint, and "adjusting" the lane markings on the empty-but-will-be-busy-come-morning-rush-hour road.
imagine, driving a remote-controlled toy car onto a busy road.
imagine, throwing a rock at high-speed traffic.
imagine, a paint-filled balloon sitting on the road.
imagine, a little bit of olive oil on the road.
car doors are easily opened with a hanger. windows are easily smashed with a rock. brake lines are easily cut with a knife. tires are easily punctured by just about anything. vision is easily blocked and even more easily blurred.
our system of vehicles and roadways has never been based on security. dammit, we have 120kph traffic, separated by a yellow line of paint! Think about the 240kph collision. Think about the pile-up.
If I wanted to promote a security consulting business, I could identify a niche of that market and make up a bunch of stats for that market that show a need and enough people might buy into what I wrote that I could get some consultancy business.
The IOActive white paper seems to be a security analysis based on a review of other works, not work that they did themselves. The numbers are estimates based on their analysis, not measurement of real world vulnerabilities.
Connected cars are likely full of security holes and they are one reason that I am avoiding buying a new car. However, I don't think that this white paper describes the actual state of the security of connected cars.
"They won't learn and downplay all the exploits until someone famous dies or gets injured from it." -FTFY.
"Well, good luck finding a judge that doesn't run a bestiality site."
The auto industry has been making cars that crash and burn their owners alive for decades and then try to cover it up. This is just the new hi-tech version of the same damn thing. Wasn't it Ralph Nader who forced them to accept just a few safety features? Doesn't look like he has a comparable contemporary these days.
That's not true at all. Physical access is required to steal a car, but ease with which this is achieved is far from a non-issue.
Every software team has to prioritize bug fixes, including security vulnerabilities. When deciding which ones to fix first, every team considers factors such as:
- severity - how costly is the damage that occurs from the problem?
- frequency - how often does it happen, or how often is it likely to happen?
- cost - how much does it cost to fix?
If a bug is really severe (bricks your device) but it happens only once for each 100 million installations, it might not be worth the effort to fix it.
I think the author is considering only severity when he refers to these issues being "hair on fire." But how often are these vulnerabilities exploited in real life? How does this frequency compare to, say, ordinary car theft? In the US, about 2,000 cars are stolen every day, mostly through low-tech methods. I doubt these security "flaws" are exploited anywhere close to that often.
I don't think anybody's hair is actually on fire yet.
I'm not familiar with "hair on fire". Is that a higher priority than "lp0 on fire"? Does it notify via Morse code on the SES light? Is the code a P number, or ASCII?
Serious? Seriousness is well above my pay grade.
That said, if anyone wants to buy me a hackable car, I won't refuse it.
Or you could educate yourself, then you wouldn't confuse the usage with any particular man's (or woman's for that matter) anus.
Knowing the car industry, the parent is correct in their use of anally (retentive) when it comes to cutting cost-per-vehicle at all cost. They chase cents with a straight face, even though the car cost you tens of thousands of dollars. And for good reason. In many instances the car itself is mainly a loss leader to be able to sell service and spare parts. That's where the (at least main) income is. The margins in the car industry today are razor thin.
Stefan Axelsson
I understand what you're getting at and mostly agree. My only comment is that once you design these big in-vehicle fully-connected systems to do stuff like report on steering angle and live fuel pressure or whatever else, it's awfully tempting to turn around and implement the PUT or POST to go along with those GET APIs so that all your dealer diagnostics and datalogging tools just hook into the same point everything else does. It reduces the number of different systems and interfaces you have to design, implement and debug.
I have no data on this, but I suspect cost cutting measures have to be insane at auto makers. I recall buying a nice turbo AWD Eclipse in the mid-90s for nearly $30k. Twenty years later and I can still buy a nice turbo AWD car for just a little more than that and this new car will have VASTLY superior features all around. The cost difference barely accounts for inflation. How they also crammed so much new tech and new hardware into it for what's effectively the same price today as it was 20 years ago boggles my mind.
So I suspect this all comes down to trying to push more stuff through that new system to save a few bucks somewhere and then skipping that whole "security" check in the process.
Answer
Robotics and automated assembly lines did away with workers. It takes far fewer workers to assemble a vehicle today, than it required 5 years ago.
Leslie Satenstein Montreal Quebec Canada