Unpatchable 'Flaw' Affects Most of Today's Modern Cars (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others. The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components. The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team. Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
My approach so far is to avoid buying cars that include communications. Eventually, though, even older used cars will have this crap.
At that point, I'll have to disable the comms. Right now, that appears to be easy to do in almost every car (just locate and remove the antenna). Hopefully, that will get me through the rest of my car-driving years.
Most IoT systems out there are predicated on the fact that they can do this.
That's only one flaw in IoT. There are many others, especially when consumer and commercial products connect to the vendor's central management instead of to the customer's central management. Those flaws include having to have an untrusted device on one's network that has to be able to communicate with the Internet, having software that might not be readily patched yet may be running on a consumer-grade OS, and any vulnerabilities affecting the vendor's central management.
Daktronics, I'm looking at you.
Do not look into laser with remaining eye.
So I am one of those infosec guys and we have been doing CAN bus assessments for the big 3 for some time now. This has to be the stupidest article I have read in some time.
First off, the next-gen cars are already implementing 'segmented' CAN buses with a firewall module that allows some devices to send whitelisted messages from the less privileged body areas to the more privileged engine management and safety buses. So this problem is already being solved.
Very few existing cars have a path to remotely introduce CAN messages. Some do, but those interfaces have by and large been hardened pretty well; the Jeep stuff from some years ago is long fixed.
So what we have here is basically: if you are in the car, you can do bad stuff by wiring into the CAN bus. Okay, I make the airbag fail too by yanking it out of the dashboard, who cares.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
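The segmented-bus gateway mentioned in the comment above, sketched as an added example that is not part of the thread or of any vendor's code: a filter that forwards a frame from a less privileged segment to the privileged bus only if its source segment and arbitration ID are allowlisted. The segment names, CAN IDs, payload lengths and the rate-limit check are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    bus: str      # segment the frame arrived on
    can_id: int   # 11-bit arbitration ID
    data: bytes   # classic CAN payload, 0..8 bytes
    t_ms: int     # arrival time in milliseconds

@dataclass(frozen=True)
class Rule:
    dlc: int          # exact payload length expected for this ID
    min_gap_ms: int   # shortest legitimate interval between repeats

# Constructed policy: the only (segment, ID) pairs allowed to cross.
ALLOW = {
    ("body", 0x3A0): Rule(dlc=2, min_gap_ms=100),
    ("body", 0x3B4): Rule(dlc=1, min_gap_ms=500),
}

class Gateway:
    def __init__(self, allow):
        self.allow = allow
        self.last_forwarded = {}  # (bus, can_id) -> time of last forwarded frame

    def check(self, f: Frame) -> str:
        if not 0 <= f.can_id <= 0x7FF or len(f.data) > 8:
            return "drop:malformed"
        key = (f.bus, f.can_id)
        rule = self.allow.get(key)
        if rule is None:                      # default deny
            return "drop:not-allowlisted"
        if len(f.data) != rule.dlc:
            return "drop:bad-length"
        last = self.last_forwarded.get(key)
        if last is not None and f.t_ms - last < rule.min_gap_ms:
            return "drop:rate"
        self.last_forwarded[key] = f.t_ms
        return "forward"

def run_sample():
    # Constructed frames, not captured traffic.
    frames = [
        Frame("body", 0x3A0, b"\x01\x00", 0),
        Frame("body", 0x3A0, b"\x01\x00", 20),     # repeats too quickly
        Frame("body", 0x3A0, b"\x01\x00", 120),
        Frame("body", 0x0C1, bytes(8), 130),       # ID not on the list
        Frame("body", 0x3B4, b"\x01\x02", 140),    # wrong payload length
        Frame("infotainment", 0x3A0, b"\x01\x00", 150),  # wrong source segment
    ]
    gw = Gateway(ALLOW)
    return [gw.check(f) for f in frames]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```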