Auto manufacturers are asleep at the wheel when it comes to security

Cars are getting smarter every year but their increasing computational power isn’t being backed up by good IT security practices – hacking them is child’s play. That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce …

Silver badge
FAIL

As I have written before, already ...

They ship outdated software, with script-toddler-level design flaws, and provide updates for max 24 months ... and that is if you are lucky enough to get them... the automotive industry is incapable of keeping pace with technology, so why are they so obsessed? Cars are used on average for 10 years; imagine unpatched cars. Can we sue manufacturers for not providing patches? The worst joke is the price of these addons ...

Listen, our smartphones & tablets are fine for the car, we do not want your untested, obsolete at delivery, unpatched script-toddler code that has more vulns than a sex toy, thanks! Please provide us with an amp with standard connectors, no, WE DO NOT EVEN WANT bluetooth ...

54
3
Silver badge

That's if the manufacturer feels nice enough to tell you of an update, or if they just feel like ignoring it unless something actually goes wrong (had a Christmas-tree-light dashboard of engine management fails fixed with an update. Got told they'd do it at some point when I had the car in with them. Not that I would have been told.)

9
0
Anonymous Coward

"...provide updates for max 24 months..."

My decade-old car is constantly having its software updated. The dealer plugs in his laptop during every Full Service, and leaves it connected for the duration. I've noticed that the Speed Limiter often seems to have a different setting after some Full Services. I've seen limits at 250 (well, 235+), 220, and 210 (very disappointing) kmh. I've also noticed other details changing, seemingly related to system software.

Perhaps duration of support depends on the manufacturer.

7
0
FAIL

I was looking at getting a new car to replace my 2008 pickup, but didn't want to deal with dealerships. And why do I need a new car anyway? I'm starting to need a little more maintenance, but that is nothing compared to a new car payment. And how is my old truck out of date? Really, just the stereo. I would like to have something that can bluetooth with my phone so I can get Spotify, hear Waze alerts, etc. So I got one of these:

https://www.crutchfield.com/p_130S600BS/Pioneer-MVH-S600BS.html

It has exactly the same connection to your car as the ones we used to get in the 1980's at Radio Shack - power, antenna, and the speakers. Nothing else. I know this because I will be installing it myself.

5
0
Silver badge
Mushroom

Until bad software causes so much automotive mayhem that mass recalls are required and class-action lawsuits emanate, the industry will continue to ship crap software.

Remember that this is the same industry where at least 1-2 of the big U.S. carmakers used the "Is the cost of a recall > cost of lawsuits? If so, then don't recall" approach. And where only a couple of years ago Volkswagen deliberately changed their software to allow illegal levels of automotive pollution.

(Icon shows Ford Pinto doing what it is most famous for.)

12
0
Silver badge

Car manufacturers already have to provide spare parts for a set period of time. For me, the software is also a part of the vehicle, so they should have to ensure it is also of merchantable quality for the life of the car - and 10 years? That's a bit optimistic, I see a lot of cars around here that are closer to 20 years old.

Most car manufacturers make smartphone makers look like they care...

5
1
Silver badge

My wife's 2004 Nissan Micra was the same, we stuck a 100€ Blaupunkt radio, with bluetooth and hands-free kit into it. Job done.

2
0
Silver badge

My 2009 Ford got a Convers software update last June. Plus I wish the CAN bus was unencrypted so I could use standard apps to access the system....

0
0
Anonymous Coward

I notice they complain about the standard port by which I think they mean the OBD II. Access to this means you've already got into the car. The point of this port was to stop manufacturers making you use their service network so I hope they don't use this as an excuse to try and get it removed.

Of course that doesn't mean it can't be made more secure.

I think one of the biggest problems for car manufacturers is that they sometimes mix the networks used to send engine and braking info with the entertainment system.

6
0
Holmes

Mixed CAN networks

"I think one of the biggest problems for car manufacturers is that they sometimes mix the networks used to send engine and braking info with the entertainment system."

Because the driver controls (steering wheel buttons, etc.) are part of both mobility and entertainment functions, and they don't want the added costs of either putting two CAN controllers/transceivers on the steering wheel system or having a gateway/filter (essentially a CAN firewall).

But firewall location #1 NEEDS to be that OBD II port.

3
0
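The gateway/filter the comment above calls a "CAN firewall" at the OBD II port, written out as an added example (not code from any commenter, manufacturer or product). It assumes the standard ISO 15765-4 diagnostic identifiers (0x7DF functional request, 0x7E0-0x7E7 physical requests, 0x7E8-0x7EF responses) and a hypothetical policy that only forwards read-only OBD-II service modes; the frames are constructed sample data.

```python
"""Added example: a minimal allowlist gateway between an OBD-II port and a
powertrain CAN bus. Only ISO 15765-4 diagnostic request IDs may cross from
the port to the bus, only diagnostic response IDs may cross back, and only
read-only OBD-II service modes are forwarded. Frames below are constructed."""
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    TO_BUS = "obd_port -> powertrain_bus"
    TO_PORT = "powertrain_bus -> obd_port"


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # 11-bit CAN identifier
    data: bytes          # 0..8 payload bytes


# ISO 15765-4 identifiers: functional request, physical requests, responses.
OBD_FUNCTIONAL_REQ = 0x7DF
OBD_PHYSICAL_REQ = range(0x7E0, 0x7E8)
OBD_RESPONSES = range(0x7E8, 0x7F0)

# Hypothetical policy: OBD-II services that only read state. Mode 0x04
# (clear DTCs) and every UDS write/routine service are deliberately absent.
READ_ONLY_SERVICES = {0x01, 0x02, 0x03, 0x07, 0x09, 0x0A}


def gateway_decision(frame: CanFrame, direction: Direction) -> str:
    """Return 'FORWARD' or 'DROP: <reason>' for a single frame."""
    if not 0 <= frame.arbitration_id <= 0x7FF:
        return "DROP: non-standard identifier"
    if len(frame.data) > 8:
        return "DROP: oversized payload"
    if direction is Direction.TO_PORT:
        # Outbound: the bus may only answer diagnostics, never leak other traffic.
        if frame.arbitration_id in OBD_RESPONSES:
            return "FORWARD"
        return "DROP: not a diagnostic response"
    # Inbound from the port: the side a "CAN firewall" exists to police.
    if (frame.arbitration_id != OBD_FUNCTIONAL_REQ
            and frame.arbitration_id not in OBD_PHYSICAL_REQ):
        return "DROP: not a diagnostic request id"
    if len(frame.data) < 2:
        return "DROP: malformed request"
    pci, service = frame.data[0], frame.data[1]
    if pci >> 4 != 0:  # ISO-TP single frame has PCI type 0; FF/CF/FC blocked
        return "DROP: multi-frame request not permitted"
    if not 1 <= (pci & 0x0F) <= len(frame.data) - 1:
        return "DROP: PCI length mismatch"
    if service not in READ_ONLY_SERVICES:
        return f"DROP: service 0x{service:02X} not read-only"
    return "FORWARD"


def forward_frames(frames, direction: Direction):
    """Apply the policy to a batch and return only the frames that pass."""
    return [f for f in frames if gateway_decision(f, direction) == "FORWARD"]


if __name__ == "__main__":
    rpm_req = CanFrame(0x7DF, bytes.fromhex("02010C0000000000"))  # mode 01, PID 0C
    clear_dtc = CanFrame(0x7DF, bytes.fromhex("0104000000000000"))  # mode 04
    stray = CanFrame(0x123, bytes.fromhex("0000000000000000"))     # non-diag ID
    for f in (rpm_req, clear_dtc, stray):
        print(hex(f.arbitration_id), gateway_decision(f, Direction.TO_BUS))
```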
Silver badge

I would have stuck such a system into my 1950s Morris Traveller - but there is no space for a radio on the dashboard...

0
0
Silver badge

What motivation car manufacturers ?

A car stolen leads to a replacement being bought.

Like IoT the cost of a security failure is borne by the consumer; the cost of making secure is borne by the manufacturer.

29
1
Silver badge

Re: What motivation car manufacturers ?

A car stolen leads to a replacement being bought.

It also leads to another car not being bought or cheap spare parts hitting the dark shelves.

15
0
Silver badge

Re: What motivation car manufacturers ?

Like IoT the cost of a security failure is borne by the consumer; the cost of making secure is borne by the manufacturer.

Would you buy the same model car if your previous vehicle had been stolen ? Thought not ... and insurance offsets the price somewhat, though you eventually pay that ... if enough cars get stolen, premiums will be on the rise ...

2
2
Silver badge

Re: What motivation car manufacturers ?

Would you buy the same model car if your previous vehicle had been stolen ?

Depends. If the theft was directly attributable to the manufacturer's sloppiness[1], then yes, probably. On the other hand, one may have a particular preference for exactly that type of car (because of size, economy, handling, loading capacity, ergonomy or whatever else), taking any downsides as they come.

[1] which in the EU may well get the manufacturer in a spot of trouble because of consumer protection laws.

4
0
Anonymous Coward

Re: What motivation car manufacturers ?

I would guess that the motivation will be when Insurers sue Manufacturers.

3
0
Silver badge

Re: What motivation car manufacturers ?

I would guess that the motivation will be when Insurers sue Manufacturers.

Why would they do that? Insurers set the premium based on the risk profile, and if the premiums rise, unless they get the risk wrong, they make more money from those higher premiums. Whilst a little off topic, imagine the premiums (and insurer profits) of a theoretical fault free reliably self driving car that doesn't do all the risky, stupid or just incompetent stuff human drivers do, and can't be stolen. I'm guessing the car owner would pay a hundred quid a year tops.

In the UK we had at one time an epidemic of car thefts before high grade immobilisers were mandated by government. Car physical security was poor, and any criminal who wanted to take a car easily could - sometimes with nothing more sophisticated than a robust screwdriver. Car makers could have beefed up the physical security and fitted immobilisers for a trivial incremental cost, but most chose not to until forced. Car insurers muttered, but essentially did little to force the issue - because they benefited from higher premiums - not just the higher premiums across all car buyers, but also because a theft claim caused the driver to lose their no claim bonus and the insurance industry benefited by classing those unlucky theft victims as "higher risk" in subsequent years.

The people who weren't happy were the owners who lost cars and paid higher premiums, and the police fighting a losing battle to stop theft. It's looking like car software will be the same.

14
0
Silver badge

Re: What motivation car manufacturers ?

Would you buy the same model car if your previous vehicle had been stolen ?

Depending whom you ask:

If it is rounded, cute and the correct color - of course.

If it is the appropriate erectile dysfunction compensator for the lesser spotted salesman - of course

If it is ...

The quality, security and durability of the car have nothing to do with the criteria for shopping for 95% of the population. Same as for most other goods unfortunately.

4
0
Silver badge

Re: What motivation car manufacturers ?

I would guess that the motivation will be when Insurers sue Manufacturers.

They won't.

Insurance premiums are calculated based on the probability of the insurance co. needing to pay out, and this probability depends on a couple of factors such as the area you live in, yearly mileage, your personal claim history and, indeed, make, model and even colour of the car. If it's one that's easy to steal and (therefore) popular with the car-nicking crowd, premiums will become a factor in not buying that car, and the manufacturer will either drop the price or fix the problem, or in an extreme case drop the model.

2
1
Silver badge

Re: What motivation car manufacturers ?

"Why would they do that?"

Because car makers have been misrepresenting the risks and vulnerabilities to the insurance industry.

3
0
Gold badge
Unhappy

cost of..security failure is borne..the consumer; the cost of making secure is borne by the mfg.

Indeed.

Until there is some way to incentivise the mfg to make it a good idea for them to update their software.

2
0
Silver badge

Re: cost of..security failure is borne..the consumer; the cost of making secure is borne by the mfg.

You are more likely to have your house window bricked and the keys stolen.

1
0

Re: What motivation car manufacturers ?

Can't see anyone in the EU getting tough with car manufacturers, can you? It was the US of A that hauled Volkswagen presumably leaving Mercedes & BMW for deserts.

They have all been at it and surprise surprise the UK is also very nice to car manufacturers; these guys know how to lobby.

2
1
Silver badge

Re: What motivation car manufacturers ?

No insurance company worthy of staying in business long term bases premiums on other than their actuaries' projections from experience. They might get a bit blindsided the first year or so for a new model because of unknown vulnerabilities or unanticipated popularity with thieves, but they nearly always will have enough raw profit margin built into the rates to cover the losses until they can adjust premiums.

2
0
Silver badge

Re: What motivation car manufacturers ?

Can't see anyone in the EU getting tough with car manufacturers, can you?

This is simply because in the USA the oil lobby has nearly unlimited power. Anything that leads to lower consumption of cheaper fuel (e.g. diesel) is pushed back significantly. If you unwind the whole trail all the way to the money originating point you will be surprised to find that some of the clean air acts had petrol money in them. Once you do the math you see that you actually end up increasing the fuel consumption in order to satisfy some of the more odious requirements, such as for California. From there on it is no longer surprising.

This does not mean that the whole lot who use "test facilities" on Bosch ECUs (it is funny how Bosch got off the hook in all cases) are not guilty as hell. Of course they are. However, the specific cases brought to the attention of the general public and lobbied against are based on money interests. They are not because of some "extreme benevolence" of the EPA and Americans. Just the opposite.

2
0
Anonymous Coward

All together now, one, two, three

Keep your mind on your drivin'

Keep your hands on the wheel

Keep your snoopy eyes on the road ahead

6
0
Silver badge

Ah, lucky old Fred...

6
0

My My, this does date you! 50s or 60s, I guess 50s.

0
0
Bronze badge

I dunno- I'm quite a bit younger than that, and I remember that song, if only because my dear mother had the 'classics' radio station on that played it fairly often.

1
0
Silver badge
FAIL

well there you go

or rather not go (if you're lucky)

The people designing the car's network thingummies should put in 1 usb port in the ECU that accepts one command "Download" and download the car's current status, and any log files from the ECU.

But people want convenience, in which case the manufacturers should put warning notices saying that their cars are insecure and could be stolen/interfered with by criminals

"Oh your new car has internet capability"

"yes.. and thanks to the shitty security I've got someone in China driving, someone in Russia changing gear and someone in the US braking"

15
0
Silver badge
Boffin

Of course!

Machines aren't getting smarter...

People are becoming more stupid.

18
0
Joke

Re: Of course!

Speak for yourself!

0
5
Silver badge

WTF??

"When he had connected his phone to the car earlier, it had crawled his entire address book and email list, taken a copy of SMS messages and logged his most visited locations in the last month ..."

Would this be legal in Europe, with GDPR coming in? Why do they do this anyway?

15
1

Re: WTF??

"When he had connected his phone to the car earlier, it had crawled his entire address book and email list, taken a copy of SMS messages and logged his most visited locations in the last month ..."

Designed by LinkedIn?

14
0
Silver badge

Re: WTF??

They seem to have left out the bit where the phone asks you if it wants to be scraped by the car. Just say no if you don't like it.

9
0
Silver badge

Re: WTF??

Does it give you a choice of WHAT it scrapes, or just give you a yes/no to access your music and oh yeah grabs all that other stuff just because? I'm not sure phones have the same protections about what can be grabbed once you 'trust' a device it is connected to. Looks like they need protections for individual items similar to how apps have to be separately granted permissions to touch contacts, texts, photos, etc.

While you could perhaps understand grabbing contacts if it has some voice integration to tell your phone to call Joe or whatever, grabbing all your texts and location data should not be allowed. By either the phone or the law - because you know damn well if it is grabbing and storing that, it is getting uploaded to the automaker when you bring the car in for service (or maybe sooner, if it can connect via wifi or LTE). What they do with it then, who knows, but it can't be good.

Another reason not to upgrade my car that's too old to directly interface with my phone!

7
1
Silver badge

Obviously...

"Conspiracy theorists claim car crash that killed Vladimir Putin’s chauffeur was an ASSASSINATION attempt on the Russian president’s life".

http://www.dailymail.co.uk/news/article-3777916/Conspiracy-theorists-claim-car-crash-killed-Vladimir-Putin-s-chauffeur-ASSASSINATION-attempt-Russian-president-s-life.html

Because of course the Daily Mail could not imagine it having been a deliberate assassination attempt. Mr Putin's car is demolished by another car that somehow loses control, crosses the central barrier and smashes directly into it. What are the odds of that?

If in any doubt, take this into account too - just one month before the crash in Moscow, former acting director of the CIA Mike Morell made this public statement:

"You don't tell the world about it. You don't stand at the Pentagon and say we did this. But you make sure they know it in Moscow and Tehran. I want to go after those things that Assad sees as his personal power base. I want to scare Assad. I want to go after his presidential car. I want to bomb his offices in the middle of the night. I want to destroy his presidential aircraft. I want to destroy his presidential helicopters. I want to make him think we are coming after him".

https://www.zerohedge.com/news/2016-08-09/former-cia-acting-director-and-hillary-supporter-we-should-kill-russians-and-iranian

4
3
Anonymous Coward

Re: Obviously...

I've been to Russia a number of times and the accident you referenced does not surprise me given the quality, or lack thereof, of Russian drivers. If you want a classic example, search on "Anna Shavenkova."

8
1
Silver badge

Re: Obviously...

Yeah. Russian drivers are so terrible that they just keep crashing into the President's official car - when it's on the other side of the road.

I've lost count of the number of times that has happened.

1
1
Silver badge

Re: Obviously...

Just watch car crash TV. Cars going over barriers and careering around junctions is hardly a rare occurrence in Russia. The chance also increases if the car is a Lada.

6
0

Re: Obviously...

"What are the odds of that?"

Someone has been watching too many James Bond movies. This is a situation where one should consider Occam's razor.

It would take a considerable amount of effort to intentionally set up such a situation. Aside from getting the other vehicle to carry out such a maneuver with the requisite timing and precision to hit another vehicle that presumably carries out some evasive actions and do so with sufficient speed to ensure fatal damage, there is also the problem of locating and identifying the specific target in time. I doubt you would find a sufficiently skilled and motivated volunteer. The alternative scenario involving remote control or some kind of homing guidance would involve considerable engineering effort - note that there would be a need for sensors and other bits and pieces that would likely be noticed in the aftermath, and would likely provide some clues to the identity of the responsible party.

4
0

This post has been deleted by its author

Anonymous Coward

Re: Obviously...

Anna Shavenkova, daughter of a Russian official, killed one sister and maimed a second one, both of whom were walking on the sidewalk. After Shavenkova knocked the two women around like ragdolls, she got out and checked the damage to her car.

http://www.dailymail.co.uk/news/article-1253782/Fury-Putin-ally-caught-camera-callously-ignoring-pedestrians-run-car-fatal-crash.html

Dmytro Chervoniuk, a lawmaker's son, killed a pedestrian in a zebra crossing while drunk, with zebra crossings meaning nothing there.

https://zik.ua/en/news/2013/09/02/lawmakers_son_who_killed_pedestrian_on_zebra_was_drunk_427191

And many Russians use dashcams for two reasons: to record corrupt cops and crazy drivers.

It's likely that the reason Putin's car is involved in so many accidents is that his driver ignores traffic rules while using a blue light (migalka) on the roof.

https://www.csmonitor.com/2006/0612/p04s01-woeu.html

2
0
Silver badge
Joke

Re: Obviously...

"Lada Alert"!

1
0

Re: Obviously...

That's not how probability works - nor assassination attempts.

1
0

I say find out the people writing this stuff and ask their opinion why they're writing shite?

4
0
Silver badge
Mushroom

Writing shite

Because they're not directly affected by their software failing.

It has been like that from the moment software developers didn't have to get out of bed at o'dark thirty because their crap fell over, as there were sysadmins on duty to isolate the developers from those little inconveniences. And a chewing-out the next day won't ever be quite as educational.

4
0
Silver badge
Pint

"...why they're writing shite?"

Are you referring to the examples of possibly insecure vehicle software, or the security researchers' presentation material that seems to be subtly incorrect and/or obviously exaggerated in several places?

8
0
Anonymous Coward

Some don't care anymore

And some never did.

A few of my colleagues are shockingly slapdash and cack-handed. Some can't even be bothered to keep their tools or OS up to date.

They'd probably run Windows XP RTM if the IT dept would let them.

Perhaps they never cared, maybe they have been broken by past events or are just plain incompetent, but they exist and as acceptance and regression testing can never be perfect...

1
0
Anonymous Coward

"I say find out the people writing this stuff and ask their opinion why they're writing shite?"

Because they have to do as they are told by the requirements, which are defined by the OEM (Vehicle Manufacturer)

....

The OEM and Supplier's primary focus is safety, security is coming, but it will be 2-3yrs min before any cars on the road have it and for some it will still not be enough.

Security is never perfect, it's a distraction for someone determined enough to get into any system.

It cannot be retrofitted due to the nature in which the vehicles work, it's not just software, the hardware and vehicle bus need to be capable of supporting it. Which once developed requires significant testing at significant cost.

These are not PCs, they are embedded control systems with limited resources and hard real-time requirements. They are also developed to a much higher standard than PC apps.

Are they perfect? No, of course not, software is written by humans and they sometimes make mistakes.

1
0


Biting the hand that feeds IT © 1998–2018