Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee. Hackers may be able to gain access everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security. McAfee, which …
1) Antivirus software for cars? I really don't need a three second pause between my hitting the brake pedal and the stop lights turning on.
2) Can someone please develop an app which will allow me to steer that car doing 45 mph in the middle lane, into the empty left hand lane.
Tin-foil hats at the ready!
"Researchers have demonstrated that critical safety components of an automobile can be hacked, given physical access to the vehicle’s electronic components."
Well duh! Guess what, if I can get at your engine then I can give you a pretty good denial-of-service with a pair of wirecutters. Or I can nail the throttle half-closed and stop you getting any decent power, or I can nail it fully open and make you fail emissions regs.
No need to get to the engine.
I direct your attention to the most-critical safety component, "brakes".
"remotely unlocking and starting a car via mobile phone"
I'll gladly give anybody a mobile phone if they can start my Marina on a damp morning, even with the key.
With the size and heft of smartphones these days...
...I think you could use one to remotely open the windows of any vehicle from a reasonable throwing distance. Your wonky BL clunker^H^H^H example of fine British automotive engineering included ;-)
Tis important that they highlight these risks to ensure manufacturers start taking responsibiity for security. The potential rewards will be an enormous incentive for people to work out how to hack these systems.
By the way, presumably examples of such attacks actually happening in real life will always be hard to find- when a car is stolen, who knows how it was stolen?
Car Crime The Old Fashioned Way
Has McAfee got anything that prevents four masked thugs base ball batting you on the doorstep and taking your car keys by force ?
Nope, thought not.
"McAfee, which partnered with Wind River " - o'really?
Would it have been appropriate to mention somewhere that both these companies are controlled (wholly owned?) by Intel ?
Or did the press release not make that clear?
Agree with the poster ... Intel provides the chips; Windriver provides the OS (either Linux or vxWorks .. probably Linux for an infotainment hub) and MacAfee provides the security expertise.
And they all keep it in the same family
Next generation cars?
That stuff is already on the roads.
And they only mentioned the obvious threats. My favourite more subtle one is tracking USAians by the RFID chips in their tyres. Much easier than ANR.
Whoa there boy...
I think you forgot the Bacofoil and these instructions http://www.origami-instructions.com/origami-hat.html.
time to exit the denial phase, guys.
Sorry, I've a bit of a rant to get through here, having worked in precisely this field, and found very little acknowledgement of the longer term risks. This is not unexpected, newcomers to the field will always underestimate both the efforts and the rewards of exploiting weak computers.
The point is that you only need one clever guy to crack the system, and his exploit can then be packaged and sold to all and sundry.
The "reward potential" for a car is quite high, a sophisticated infotainment system will have all manner of passwords and accounts, phone numbers, possibly NFC (near field comms) e-payment details. This is not to mention any scam exploits - like putting a bogus, urgent fault on the car that directs you to the nearest "friendly" garage, where you are relieved of some money.
At the moment the industry is in the denial phase, it looks like too much effort, on too variable a platform. Good points both of them, cost and risk vs reward are the fundamentals of "the crime equation", but they are on a collision trajectory, costs will fall and rewards will rise.
I was a little disconcerted by The Reg's uncharacteristically poorly informed opinion:
"interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible"
I would recommend reading: http://www.autosec.org/pubs/cars-usenixsec2011.pdf
Wherein the following passage appears:"We next assess whether an attacker can remotely exploit the Bluetooth vulnerability without access to a paired device. Our experimental analyses found that a determined attacker can do so, albeit in exchange for a signiﬁcant effort in development time and an extended period of proximity to the vehicle.
They go on to describe in detail what can be done, today. Read on....
"we should all move back to wholly mechanical cars"
Well, maybe not "wholly* mechanical, I think an alternator is an acceptable electronic device to have in a car. Maybe even a contactless distributor... But nothing more complicated or treacherous than that, thank you.
Cyber thugs will turn your car into Christine
Christine could repair her/itself if I remember rightly. That is a feature my car sorely lacks... I look forward to it.
McAfee sales are down again then? Sales down, stir up some unsubstantiated shite, frighten a few people and get our name in the press!
What a load of wotnot!
... can produce software that blocks blatant infomercials masquerading unconvincingly as news articles, then I'm all for it.
Parasites calling wolf
I think we are willing to accept there are security issues with embedded systems in vehicles, we just don't want to hear from a vendor of parasitic bolt on afterwards anti-virus packages. It's the developers of the systems that need to get the message on security.
Surely it's not just me who thinks this is obvious...
Haven't we already had exploits for the remote keys for some cars?
The manufacturers of wireless gizmos for anything are notorious for getting security wrong, why should car systems be any different?
I'm slightly surprised that there haven't been more attacks on remote car keys, except that, of course, bricks are still pretty cheap.