Auto manufacturers are asleep at the wheel when it comes to security

Cars are getting smarter every year but their increasing computational power isn’t being backed up by good IT security practices – hacking them is child’s play. That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce …

  1. Hans 1 Silver badge
    FAIL

    As I have written before, already ...

    They ship outdated software, with script-toddler-level design flaws, and provide updates for max 24 months .. and that is if you are lucky to get them... the automotive industry is incapable to keep pace with technology, so why are they so obsessed. Cars are used on average for 10 years, imagine unpatched cars, can we sue manufacturers for not providing patches ? The worst joke is the price of these addons ...

    Listen, our smartphones & tablets are fine for the car, we do not want your untested, obsolete at delivery, unpatched script-toddler code that has more vulns than a sex toy, thanks! Please provide us with an amp with standard connectors, no, WE DO NOT EVEN WANT bluetooth ...

    1. Sgt_Oddball Silver badge

      That's if the manufacturer feels nice enough to tell you of an update or if they just feel like ignoring it unless something actually goes wrong (had Christmas tree light dashboard of engine management fails fixed with an update. Got told they'd do it at some point when I had the car in with them. Not that I would have been told)

      1. Marketing Hack Silver badge
        Mushroom

        Until bad software causes so much automotive mayhem that mass recalls are required and class-action lawsuits emanate, the industry will continue to ship crap software.

        Remember that this is the same industry where at least 1-2 of the big U.S. carmakers used the "Is the cost of a recall > cost of lawsuits? If so, then don't recall" And where only a couple years ago Volkswagen deliberately changed their software to allow illegal levels of automotive pollution.

        (Icon shows Ford Pinto doing what it is most famous for.)

    2. Anonymous Coward

      "...provide updates for max 24 months..."

      My decade-old car is constantly having its software updated. The dealer plugs in his laptop during every Full Service, and leaves it connected for the duration. I've noticed that the Speed Limiter often seems to have a different setting after some Full Services. I've seen limits at 250 (well, 235+), 220, and 210 (very disappointing) kmh. I've also noticed other details changing, seemingly related to system software.

      Perhaps duration of support depends on the manufacturer.

    3. el_oscuro
      FAIL

      I was looking at getting a new car my 2008 pickup, but didn't want to deal with dealerships. And why do I need a new car anyway? I'm starting to need a little more maintenance, but that is nothing compared to a new car payment. And how is my old truck out of date? Really, just the stereo. I would like to have something that can bluetooth with my phone so I can get spotify, hear waze alerts, etc. So I got one of these:

      https://www.crutchfield.com/p_130S600BS/Pioneer-MVH-S600BS.html

      It has exactly the same connection to your car as the ones we used to get in the 1980's at Radio Shack - power, antenna, and the speakers. Nothing else. I know this because I will be installing it myself.

      1. big_D Silver badge

        My wife's 2004 Nissan Micra was the same, we stuck a 100€ Blaupunkt radio, with bluetooth and hands-free kit into it. Job done.

        1. Danny 14

          my 2009 ford got a convers software update last june. Plus i wish the canbus was unencrypted so i can use standard apps to access the system....

          1. Anonymous Coward

            I notice they complain about the standard port by which I think they mean the OBD II. Access to this means you've already got into the car. The point of this port was to stop manufacturers making you use their service network so I hope they don't use this as an excuse to try and get it removed.

            Of course that doesn't mean it can't be made more secure.

            I think one of the biggest problems for car manufacturers is that they sometimes mix the networks used to send engine and braking info with the entertainment system.

            1. My other car WAS an IAV Stryker Bronze badge
              Holmes

              Mixed CAN networks

              "I think one of the biggest problems for car manufacturers is that they sometimes mix the networks used to send engine and braking info with the entertainment system."

              Because the driver controls (steering wheel buttons, etc.) are part of both mobility and entertainment functions, and they don't want the added costs of either putting two CAN controllers/transceivers on the steering wheel system or having a gateway/filter (essentially a CAN firewall).

              But firewall location #1 NEEDS to be that OBD II port.
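The gateway/filter ("CAN firewall") idea from the comment above, sketched as an added example; it is not code from the thread or from any manufacturer. The segment names, the IDs 0x2A0 and 0x3B0 and the choice of permitted diagnostic services are assumptions made for illustration; 0x7DF and 0x7E8..0x7EF are the standard 11-bit OBD-II request and response IDs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum segment { SEG_POWERTRAIN, SEG_INFOTAINMENT, SEG_OBD_PORT };
enum verdict { DROP = 0, FORWARD = 1 };

struct gw_frame {            /* classic CAN frame: 11-bit ID, 0..8 data bytes */
    uint16_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

struct rule {
    enum segment from, to;   /* direction the rule applies to */
    uint16_t id_lo, id_hi;   /* inclusive ID range */
    uint8_t  dlc;            /* exact length the signal is specified with */
    int      obd_read_only;  /* also inspect the diagnostic service byte */
    uint32_t min_gap_ms;     /* rate limit: minimum spacing between frames */
    uint32_t last_ms;        /* state: time of the last forwarded frame */
    int      seen;           /* state: a frame has been forwarded before */
};

/* Constructed allowlist. The steering-wheel buttons sit on the powertrain
 * side and are forwarded one way to the head unit, so one transceiver is
 * enough. There is deliberately no rule with from == SEG_INFOTAINMENT. */
static struct rule policy[] = {
    { SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x2A0, 0x2A0, 2, 0, 10, 0, 0 }, /* wheel buttons (made-up ID) */
    { SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x3B0, 0x3B0, 8, 0, 20, 0, 0 }, /* speed for display (made-up ID) */
    { SEG_OBD_PORT,   SEG_POWERTRAIN,   0x7DF, 0x7DF, 8, 1, 50, 0, 0 }, /* OBD-II functional request */
    { SEG_POWERTRAIN, SEG_OBD_PORT,     0x7E8, 0x7EF, 8, 0,  0, 0, 0 }, /* OBD-II responses */
};
#define N_RULES (sizeof policy / sizeof policy[0])

/* Accept only ISO-TP single frames whose service byte is one of the
 * read-only OBD-II modes this example policy permits (0x01 current data,
 * 0x03 stored trouble codes, 0x09 vehicle information). */
static int obd_request_is_read_only(const struct gw_frame *f)
{
    uint8_t pci = f->data[0];
    uint8_t len = pci & 0x0F;
    if ((pci & 0xF0) != 0x00 || len < 1 || len > 7)
        return 0;
    return f->data[1] == 0x01 || f->data[1] == 0x03 || f->data[1] == 0x09;
}

/* Default deny: a frame crosses segments only if a rule matches its
 * direction, ID, length, payload check and rate limit. */
enum verdict gateway_filter(enum segment from, enum segment to,
                            const struct gw_frame *f, uint32_t now_ms)
{
    if (f->id > 0x7FF || f->dlc > 8)
        return DROP;
    for (size_t i = 0; i < N_RULES; i++) {
        struct rule *r = &policy[i];
        if (r->from != from || r->to != to)
            continue;
        if (f->id < r->id_lo || f->id > r->id_hi)
            continue;
        if (f->dlc != r->dlc)
            return DROP;
        if (r->obd_read_only && !obd_request_is_read_only(f))
            return DROP;
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return DROP;                 /* flooding from one side */
        r->seen = 1;
        r->last_ms = now_ms;
        return FORWARD;
    }
    return DROP;                         /* nothing matched */
}

/* Convenience wrapper: build a frame from its first two data bytes. */
enum verdict try_frame(enum segment from, enum segment to, uint16_t id,
                       uint8_t dlc, uint8_t b0, uint8_t b1, uint32_t now_ms)
{
    struct gw_frame f;
    memset(&f, 0, sizeof f);
    f.id = id; f.dlc = dlc; f.data[0] = b0; f.data[1] = b1;
    return gateway_filter(from, to, &f, now_ms);
}

int main(void)
{
    printf("wheel buttons -> head unit : %d\n",
           try_frame(SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x2A0, 2, 0x01, 0, 100));
    printf("head unit -> powertrain    : %d\n",
           try_frame(SEG_INFOTAINMENT, SEG_POWERTRAIN, 0x2A0, 2, 0x01, 0, 200));
    printf("OBD read current data      : %d\n",
           try_frame(SEG_OBD_PORT, SEG_POWERTRAIN, 0x7DF, 8, 0x02, 0x01, 300));
    printf("OBD other service (0x27)   : %d\n",
           try_frame(SEG_OBD_PORT, SEG_POWERTRAIN, 0x7DF, 8, 0x02, 0x27, 400));
    return 0;
}
```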

        2. Dodgy Geezer Silver badge

          I would have stuck such a system into my 1950s Morris Traveller - but there is no space for a radio on the dashboard...

    4. big_D Silver badge

      Car manufacturers already have to provide spare parts for a set period of time. For me, the software is also a part of the vehicle, so they should have to ensure it is also of merchantable quality for the life of the car - and 10 years? That's a bit optimistic, I see a lot of cars around here that are closer to 20 years old.

      Most car manufacturers make smartphone makers look like they care...

  2. alain williams Silver badge

    What motivation car manufacturers ?

    A car stolen leads to a replacement being bought.

    Like IoT the cost of a security failure is borne by the consumer; the cost of making secure is borne by the manufacturer.

    1. Destroy All Monsters Silver badge

      Re: What motivation car manufacturers ?

      A car stolen leads to a replacement being bought.

      It also leads to another car not being bought or cheap spare parts hitting the dark shelves.

    2. Hans 1 Silver badge

      Re: What motivation car manufacturers ?

      Like IoT the cost of a security failure is borne by the consumer; the cost of making secure is borne by the manufacturer.

      Would you buy the same model car if your previous vehicle had been stolen ? Thought not ... and insurance offsets the price somewhat, though you eventually pay that ... if enough cars get stolen, premiums will be on the rise ...

      1. Stoneshop Silver badge

        Re: What motivation car manufacturers ?

        Would you buy the same model car if your previous vehicle had been stolen ?

        Depends. If the theft was directly attributable to the manufacturer's sloppiness[1], then yes, probably. On the other hand, one may have a particular preference for exactly that type of car (because of size, economy, handling, loading capacity, ergonomy or whatever else), taking any downsides as they come.

        [1] which in the EU may well get the manufacturer in a spot of trouble because of consumer protection laws.

        1. Voland's right hand Silver badge

          Re: What motivation car manufacturers ?

          Would you buy the same model car if your previous vehicle had been stolen ?

          Depending whom you ask:

          If it is rounded, cute and the correct color - of course.

          If it is the appropriate erectile dysfunction compensator for the lesser spotted salesman - of course

          If it is ...

          The quality, security and durability of the car have nothing to do with the criteria for shopping for 95% of the population. Same as for most other goods unfortunately.

        2. Frenchie Lad

          Re: What motivation car manufacturers ?

          Can't see anyone in the EU getting tough with car manufacturers, can you? It was the US of A that hauled Volkswagen presumably leaving Mercedes & BMW for deserts.

          They have all been at it and surprise surprise the UK is also very nice to car manufacturers; these guys know how to lobby.

          1. Voland's right hand Silver badge

            Re: What motivation car manufacturers ?

            Can't see anyone in the EU getting tough with car manufacturers, can you?

            This is simply because in the USA the oil lobby has nearly unlimited power. Anything that leads to lower consumption of cheaper fuel (f.e. diesel) is pushed back significantly. If you unwind the whole trail all the way to the money originating point you will be surprised to find that some of the clean air acts had petrol money in them. Once you do the math you see that you actually end up increasing the fuel consumption in order to satisfy some of the more odious requirements, such as for California. From there on it is no longer surprising.

            This does not mean that the whole lot who use "test facilities" on Bosch ECUs (it is funny how Bosch got off the hook in all cases) are not guilty as hell. Of course they are. However, the specific cases brought to the attention of the general public and lobbied against are based on money interests. They are not because of some "extreme benevolence" of the EPA and Americans. Just the opposite.

    3. Anonymous Coward

      Re: What motivation car manufacturers ?

      I would guess that the motivation will be when Insurers sue Manufacturers.

      1. Anonymous Coward

        Re: What motivation car manufacturers ?

        I would guess that the motivation will be when Insurers sue Manufacturers.

        Why would they do that? Insurers set the premium based on the risk profile, and if the premiums rise, unless they get the risk wrong, they make more money from those higher premiums. Whilst a little off topic, imagine the premiums (and insurer profits) of a theoretical fault free reliably self driving car that doesn't do all the risky, stupid or just incompetent stuff human drivers do, and can't be stolen. I'm guessing the car owner would pay a hundred quid a year tops.

        In the UK we had at one time an epidemic of car thefts before high grade immobilisers were mandated by government. Car physical security was poor, and any criminal who wanted to take a car easily could - sometimes with nothing more sophisticated than a robust screwdriver. Car makers could have beefed up the physical security and fitted immobilisers for a trivial incremental cost, but most chose not to until forced. Car insurers muttered, but essentially did little to force the issue - because they benefited from higher premiums - not just the higher premiums across all car buyers, but also because a theft claim caused the driver to lose their no claim bonus and the insurance industry benefited by classing those unlucky theft victims as "higher risk" in subsequent years.

        The people who weren't happy were the owners who lost cars and paid higher premiums, and the police fighting a losing battle to stop theft. It's looking like car software will be the same.

        1. Alan Brown Silver badge

          Re: What motivation car manufacturers ?

          "Why would they do that?"

          Because car makers have been misrepresenting the risks and vulnerabilities to the insurance industry.

          1. tom dial Silver badge

            Re: What motivation car manufacturers ?

            No insurance company worthy of staying in business long term bases premiums on other than their actuaries' projections from experience. They might get a bit blindsided the first year or so for a new model because of unknown vulnerabilities or unanticipated popularity with thieves, but they nearly always will have enough raw profit margin built into the rates to cover the losses until they can adjust premiums.

      2. Stoneshop Silver badge

        Re: What motivation car manufacturers ?

        I would guess that the motivation will be when Insurers sue Manufacturers.

        They won't.

        Insurance premiums are calculated based on the probability of the insurance co. needing to pay out, and this probability depends on a couple of factors such as the area you live in, yearly mileage, your personal claim history and, indeed, make, model and even colour of the car. If it's one that's easy to steal and (therefore) popular with the car-nicking crowd, premiums will become a factor in not buying that car, and the manufacturer will either drop the price or fix the problem, or in an extreme case drop the model.

    4. John Smith 19 Gold badge
      Unhappy

      cost of..security failure is borne..the consumer; the cost of making secure is borne by the mfg.

      Indeed.

      Until there is some way to incentivise the mfg to make it a good idea for them to update their software.

      1. Danny 14

        Re: cost of..security failure is borne..the consumer; the cost of making secure is borne by the mfg.

        you are more likely to have your house window bricked and the keys stolen.

  3. Anonymous Coward

    All together now, one, two, three

    Keep your mind on your drivin'

    Keep your hands on the wheel

    Keep your snoopy eyes on the road ahead

    1. Phil O'Sophical Silver badge

      Ah, lucky old Fred...

    2. Frenchie Lad

      My My, this does date you! 50s or 60s, I guess 50s.

      1. J. Cook Silver badge

        I dunno- I'm quite a bit younger than that, and I remember that song, if only because my dear mother had the 'classics' radio station on that played it fairly often.

  4. Boris the Cockroach Silver badge
    FAIL

    well there you go

    or rather not go (if you're lucky)

    The people designing the car's network thingummies should put in 1 usb port in the ECU that accepts one command "Download" and download the car's current status, and any log files from the ECU.

    But people want convenience in which case the manufacturers should put warning notices saying that their cars are insecure and could be stolen/interfered with by criminals

    "Oh your new car has internet capability"

    "yes.. and thanks to the shitty security I've got someone in China driving, someone in Russia changing gear and someone in the US braking"

  5. Zog_but_not_the_first
    Boffin

    Of course!

    Machines aren't getting smarter...

    People are becoming more stupid.

    1. Anonymous Coward
      Joke

      Re: Of course!

      Speak for yourself!

  6. frank ly

    WTF??

    "When he had connected his phone to the car earlier, it had crawled his entire address book and email list, taken a copy of SMS messages and logged his most visited locations in the last month ..."

    Would this be legal in Europe, with GDPR coming in? Why do they do this anyway?

    1. Headley_Grange Silver badge

      Re: WTF??

      "When he had connected his phone to the car earlier, it had crawled his entire address book and email list, taken a copy of SMS messages and logged his most visited locations in the last month ..."

      Designed by LinkedIn?

    2. Thoguht Silver badge

      Re: WTF??

      They seem to have left out the bit where the phone asks you if it wants to be scraped by the car. Just say no if you don't like it.

      1. Anonymous Coward

        Re: WTF??

        Does it give you a choice of WHAT it scrapes, or just give you a yes/no to access your music and oh yeah grabs all that other stuff just because? I'm not sure phones have the same protections about what can be grabbed once you 'trust' a device it is connected to. Looks like they need protections for individual items similar to how apps have to be separately granted permissions to touch contacts, texts, photos, etc.

        While you could perhaps understand grabbing contacts if it has some voice integration to tell your phone to call Joe or whatever, grabbing all your texts and location data should not be allowed. By either the phone or the law - because you know damn well if it is grabbing and storing that, it is getting uploaded to the automaker when you bring the car in for service (or maybe sooner, if it can connect via wifi or LTE). What they do with it then, who knows, but it can't be good.

        Another reason not to upgrade my car that's too old to directly interface with my phone!

  7. Archtech Silver badge

    Obviously...

    "Conspiracy theorists claim car crash that killed Vladimir Putin’s chauffeur was an ASSASSINATION attempt on the Russian president’s life".

    http://www.dailymail.co.uk/news/article-3777916/Conspiracy-theorists-claim-car-crash-killed-Vladimir-Putin-s-chauffeur-ASSASSINATION-attempt-Russian-president-s-life.html

    Because of course the Daily Mail could not imagine it having been a deliberate assassination attempt. Mr Putin's car is demolished by another car that somehow loses control, crosses the central barrier and smashes directly into it. What are the odds of that?

    If in any doubt, take this into account too - just one month before the crash in Moscow, former acting director of the CIA Mike Morell made this public statement:

    "You don't tell the world about it. You don't stand at the Pentagon and say we did this. But you make sure they know it in Moscow and Tehran. I want to go after those things that Assad sees as his personal power base. I want to scare Assad. I want to go after his presidential car. I want to bomb his offices in the middle of the night. I want to destroy his presidential aircraft. I want to destroy his presidential helicopters. I want to make him think we are coming after him".

    https://www.zerohedge.com/news/2016-08-09/former-cia-acting-director-and-hillary-supporter-we-should-kill-russians-and-iranian

    1. Anonymous Coward

      Re: Obviously...

      I've been to Russia a number of times and the accident you referenced does not surprise me given the quality, or lack thereof, of Russian drivers. If you want a classic example, search on "Anna Shavenkova."

      1. Archtech Silver badge

        Re: Obviously...

        Yeah. Russian drivers are so terrible that they just keep crashing into the President's official car - when it's on the other side of the road.

        I've lost count of the number of times that has happened.

        1. Danny 14

          Re: Obviously...

          just watch car crash tv. cars going over barriers and careering around junctions is hardly a rare occurrence in russia. The chance also increases if the car is a lada.

          1. AndrueC Silver badge
            Joke

            Re: Obviously...

            "Lada Alert"!

        2. This post has been deleted by its author

        3. Anonymous Coward

          Re: Obviously...

          Anna Shavenkova, daughter of a Russian official, killed one sister and maimed a second one, both of whom were walking on the sidewalk. After Shavenkova knocked the two women around like ragdolls, she got out and checked the damage to her car.

          http://www.dailymail.co.uk/news/article-1253782/Fury-Putin-ally-caught-camera-callously-ignoring-pedestrians-run-car-fatal-crash.html

          Dmytro Chervoniuk, a lawmaker's son, killed a pedestrian in a zebra crossing while drunk, with zebra crossings meaning nothing there.

          https://zik.ua/en/news/2013/09/02/lawmakers_son_who_killed_pedestrian_on_zebra_was_drunk_427191

          And many Russians use dashcams for two reasons: to record corrupt cops and crazy drivers.

          It's likely that the reason Putin's car is involved in so many accidents is that his driver ignores traffic rules while using a blue light (migalka) on the roof.

          https://www.csmonitor.com/2006/0612/p04s01-woeu.html

        4. Tom Melly

          Re: Obviously...

          That's not how probability works - nor assassination attempts.

    2. Robert 22

      Re: Obviously...

      "What are the odds of that?"

      Someone has been watching too many James Bond movies. This is a situation where one should consider Occam's razor.

      It would take a considerable amount of effort to intentionally set up such a situation. Aside from getting the other vehicle to carry out such a maneuver with the requisite timing and precision to hit another vehicle that presumably carries out some evasive actions and do so with sufficient speed to ensure fatal damage, there is also the problem of locating and identifying the specific target in time. I doubt you would find a sufficiently skilled and motivated volunteer. The alternative scenario involving remote control or some kind of homing guidance would involve considerable engineering effort - note that there would be a need for sensors and other bits and pieces that would likely be noticed in the aftermath, and would likely provide some clues to the identity of the responsible party.

  8. Stuart Halliday

    I say find out the people writing this stuff and ask their opinion why they're writing shite?

    1. Stoneshop Silver badge
      Mushroom

      Writing shite

      Because they're not directly affected by their software failing.

      It has been like that from the moment software developers didn't have to get out of bed at o'dark thirty because their crap fell over, as there were sysadmins on duty to isolate the developers from those little inconveniences. And a chewing-out the next day won't ever be quite as educational.

    2. JeffyPoooh
      Pint

      "...why they're writing shite?"

      Are you referring to the examples of possibly insecure vehicle software, or the security researchers' presentation material that seems to be subtly incorrect and/or obviously exaggerated in several places?

    3. Anonymous Coward

      Some don't care anymore

      And some never did.

      A few of my colleagues are shockingly slapdash and cack-handed. Some can't even be bothered to keep their tools or OS up to date.

      They'd probably run Windows XP RTM if the IT dept would let them.

      Perhaps they never cared, maybe they have been broken by past events or are just plain incompetent, but they exist and as acceptance and regression testing can never be perfect...

    4. Anonymous Coward

      "I say find out the people writing this stuff and ask their opinion why they're writing shite?"

      Because they have to do as they are told by the requirements, which are defined by the OEM (Vehicle Manufacturer)

      ....

      The OEM and Supplier's primary focus is safety, security is coming, but it will be 2-3yrs min before any cars on the road have it and for some it will still not be enough.

      Security is never perfect, it's a distraction for someone determined enough to get into any system.

      It cannot be retrofitted due to the nature in which the vehicles work, it's not just software, the hardware and vehicle bus need to be capable of supporting it. Which once developed requires significant testing at significant cost.

      These are not PC's they are Embedded control systems with limited resources and Hard Real Time requirements. They are also developed to a much higher standard than PC apps.

      Are they perfect? No, of course not, software is written by humans and they sometimes make mistakes.

  9. Stoneshop Silver badge
    Boffin

    Blinkered

    “The only difference is when you have a problem with computer it won’t affect your physical security"

    One word: Therac-25

    And of course the proliferation of electronic locks, fire and intrusion alarm systems and such will mean that, while maybe not directly attributable to such a system, people have gotten hurt or died because of those systems failing. And this is not going to change, ever.

  10. Anonymous Coward

    "The car pings out a 40khz pulse of sound and uses echolocation to detect if there’s an obstacle in the road and will brake if a collision is imminent."

    I'll stick to my bike or an old car thanks. That's extremely dangerous. Just goes to show how people don't think when creating something they think will help.

    1. Alan Brown Silver badge

      "I'll stick to my bike or an old car thanks."

      With a 40kHz emitter pointing out the back?

    2. Amos1

      Unless they are modulating or encoding the ping in some way specific to that car, yeah, it will work.

      Decades ago a buddy picked up an old 10 GHz klystron-powered traffic radar. He built an audio modulator for it, impressed on the klystron's power supply, and by varying the frequency of the audio generator he could dial in any speed on the radar's speed display (mechanical needles at that time). Why? The AM modulation simulated the doppler shift that the traffic radars worked on. He figured out that if he got the AM modulation up to very close to 100% it would affect the cop's traffic radar (he could dial in any speed on their display because his transmitted signal was far more powerful than the reflection from their own radar transmitter).

      Yes, we had some interesting drives in those days. Moving precisely at the speed limit, the Fuzz Buster goes off and once the cop has you clearly in view because no one else is near you, flip the switch to 125 MPH and watch their reaction all while staring straight ahead down the road to avoid them seeing you watching them.

      Those things had an audio output so the cop could hear the doppler frequency so they knew it wasn't just an errant needle.

  11. Sgt_Oddball Silver badge

    Anyone Checked...

    If these sort of hacks can be done on auto parking systems since they have control of the steering wheel?

  12. JeffyPoooh
    Pint

    I don't think Cirlig understands how cars work...

    Ultrasonic Sensors (e.g. 40 kHz) are typically used for low speed Parking Assist / Obstacle Warning. On my Mercedes, they're only activated at 18 kmh or less. Above that speed, they're turned off.

    It's because they have fairly short effective range. Ideal for Parking Assist, useless for Automatic Braking.

    Ultrasonic would be a very poor choice of technology for Automatic Braking, as it would inherently require something like a 2m diameter dish and sophisticated coding to provide enough system gain and effective range to be even the slightest bit useful for Automatic Braking purposes. Even then, not really.

    I'd be surprised if Mazda were so silly as to try to use Ultrasonics to provide control of Automatic Braking functions.

    This isn't the only example in this column of Cirlig seemingly being somewhat unfamiliar with how such modern vehicle technology and systems actually work.

    1. Sgt_Oddball Silver badge
      Thumb Down

      Re: I don't think Cirlig understands how cars work...

      I didn't mean for the auto parking to be remotely hacked but hacked beforehand through the USB port it'll inevitably have and then triggered after some period of time whilst the vehicle is in motion (say above 50mph?).

      If the electronic power steering suddenly pulled left or right I can see it quite easy to lose control and if the auto braking is adding to the fun then it could really get messy very quickly.

      1. annodomini2

        Re: I don't think Cirlig understands how cars work...

        There are safety mechanisms in place to prevent that, but if someone's reprogrammed ECU's all bets are off.

  13. JeffyPoooh
    Pint

    "A direct causal link is difficult..."

    "Car theft rates....in the UK in the last two years....have risen 20 per cent. A direct causal link is difficult..."

    If hacking were playing a significant role in the recent 20% rise, then the increase in thefts would be disproportionately focused on certain makes and models of vehicles, those that have the easiest to exploit weaknesses. Or those being targeted by a gang that bought a certain type of hacking gadget. It should be almost trivial to extract a correlation from the data.

    Inferring a direct causal link needs only the Vehicle Theft data, a spreadsheet, and some common sense.

    Is one of these lacking?

    1. Anonymous Coward

      Re: "A direct causal link is difficult..."

      A good friend works for a tow truck business with a contract for police recovery work. Accidents, thefts etc.

      There is a particular make and model that is currently the target of choice as all you need to do is break a side window, plug your dongle into the ODBC socket, start the car, and drive off. A few seconds max.

      This is on a very recent model from a large motor manufacturer.

      From his conversations with friends in other parts of the country this isn't just in his area either.

      Not sure how in depth theft stats go. I'd guess it must be identifiable in due course.

      Anon, well, because.

      1. Alan Brown Silver badge

        Re: "A direct causal link is difficult..."

        "There is a particular make and model that is currently the target of choice as all you need to do is break a side window, plug your dongle into the ODBC socket, start the car, and drive off. A few seconds max."

        Just say it: BMW - this one is well known and old hat.

        Thefts involving electronic replication of the remote keying and "keyless" (ie, no insert and turn) pushbutton start ignition systems are the new normal. This started about 15 years ago with high-end Mercedes, etc and has been spreading. Renaults were proven vulnerable about a decade ago but no one wants to steal and export a Renault (Renault's response was to reduce the range of the electronic entry and keyless ignition systems to less than a metre, not to beef up the security)

        Manufacturer "upgrades" of keyless system crypto are 20 years behind the attacks. Manufacturer defences of the internal comms systems' security is even worse than that.

        1. MrT

          Re: "A direct causal link is difficult..."

          Yup: BMW Group (inc MINI), VW Group (Audi, etc.), Mercedes. The usual tech feature route is whatever first appears on the S-class will eventually find its way to all cars - only that's not just limited to the good features.

          I think Renault learned that trick from Nissan in their all-but merge - the 1-2m 'plip' range was a 'feature' on a friend's Primera about 15 years ago (even with a new fob battery), and it wasn't even a new car at that time.

    2. Alan Brown Silver badge

      Re: "A direct causal link is difficult..."

      "then the increase in thefts would be disproportionately focused on certain makes and models of vehicles,"

      Go look. It is.

      In particular, high end vehicles loaded with electronic control and access systems are being increasingly targeted. Up until recently thieves were conducting targeted burglaries (and in a few cases, armed home invasions) to get the ignition keys but such vehicles are increasingly being stolen without the keys being touched.

      1. Anonymous Coward

        Re: "A direct causal link is difficult..."

        "Go look. It is."

        A few years ago I remember a fair amount of coverage on how people with certain models of Range Rovers were finding it difficult to find insurance due to numbers of thefts because the security system had been cracked. Also, currently where I live there have been reports of several VW-group cars being unlocked overnight and items of value inside stolen ... happened to my Skoda recently - though they only got away with half a packet of hay fever tablets ... I suspect the thieves hoped these small white pills might have been something more exciting!

    3. John Miles

      Re: "A direct causal link is difficult..."

      There was a dramatic rise in BMW thefts around 2011 - when thieves found they could just plug into port in car and program car to accept another key, compounded by a flaw where if you jammed a screwdriver in driver's door and twisted hard you could make it wind down window. There was a long running thread on Pistonheads about it - link. I believe other makes' flaws were attacked later

      Now they can make some with "comfort access" just unlock and start with a pair of extenders - link

      Then there is the lower tech style attacks - just leave a jammer around which will stop car locking

  14. JeffyPoooh
    Pint

    "...recently bought a car..."

    Researchers "...recently bought a car and they decided to see how difficult it would be to hack."

    Step 1: Buy a car.

    Hmmm...

    In other words, comes with keys. Access to CAN bus is a given, since the Researchers can unlock the car door and lean inside. The vehicle owner isn't peeking out from behind the bedroom curtains, on the phone with the police.

    Granted, some of this might also be applicable to a Rental car, but the detective is likely to check who rented the hacked vehicle the day before the deadly crash. So best to rent without showing any ID.

  15. JeffyPoooh
    Pint

    "...can pick up the signal from keys..."

    "...can pick up the signal from keys and copy them to the car, unlocking them and disabling the alarm system."

    We need to be clear about this. Especially considering system design as impacted by limited battery capacity.

    Your car key isn't like a smartphone, needing to be recharged every night. So it cannot be emitting RF signals all the time. The tiny button cell needs to last a year.

    Your key fob remote control (older RF technology) would be activated with a button press, and can thus have long range. So it can be captured surreptitiously from across the parking lot. It needs to have basic security like rolling codes (if somebody grabs the code out of the air, it's already stale). My ten year old Mercedes has rolling codes, just like the 1999 model I had 18+ years ago.

    Note: The rolling code algorithm needs to be kept secret.

    Keyless Car Starting is probably using RFID. That's much shorter range. The hackers need to get within a meter or two of your keys, so they can 'illuminate' it with enough RF to power it up. The system designers should include some handshaking, not just an easily copied serial number.

    If the researchers have identified a make and model of vehicle where they're using RFID relying on just the tag's SN, then name names and inform the Insurance industry. Such cars would be immediately recalled and lawsuits would fly.

    I detect that these researchers are exaggerating. There's no mention of the fact that many vehicles already have excellent security.

    Those that don't should be punished via theft insurance premiums. It'll sort itself out quickly.
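The rolling-code check mentioned in the comment above, as an added example that is not part of the original post or any manufacturer's code. It assumes a per-fob secret key fed to a standard HMAC (standing in for whatever cipher a real fob uses), a hypothetical 17-byte frame layout, and a look-ahead window of 16 presses; the key and fob id are constructed sample values.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead for button presses made out of the car's range


def make_frame(key: bytes, fob_id: int, counter: int, button: int) -> bytes:
    """Fob side: counter-stamped frame plus a truncated HMAC-SHA256 tag."""
    body = struct.pack(">IIB", fob_id, counter, button)  # 9 bytes
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Receiver:
    """Car side: accept a frame only if it is authentic and its counter is fresh."""

    def __init__(self, key: bytes, fob_id: int):
        self.key = key
        self.fob_id = fob_id
        self.last_counter = 0

    def accept(self, frame: bytes) -> str:
        if len(frame) != 17:
            return "malformed"
        body, tag = frame[:9], frame[9:]
        fob_id, counter, _button = struct.unpack(">IIB", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        # Authenticate first, so a forged frame can never move the counter.
        if fob_id != self.fob_id or not hmac.compare_digest(tag, expected):
            return "bad-tag"
        if counter <= self.last_counter:
            return "replay"          # code already used: the captured copy is stale
        if counter > self.last_counter + WINDOW:
            return "out-of-window"   # too far ahead: needs a resync procedure
        self.last_counter = counter
        return "ok"


def demo() -> list:
    key = bytes(range(16))           # constructed sample key
    car = Receiver(key, fob_id=0x1234)
    press1 = make_frame(key, 0x1234, 1, button=1)
    press5 = make_frame(key, 0x1234, 5, button=1)   # presses 2-4 never reached the car
    forged = press5[:9] + bytes(8)                  # right counter, made-up tag
    far = make_frame(key, 0x1234, 500, button=1)
    return [
        car.accept(press1),   # first use of code 1
        car.accept(press1),   # same frame captured and sent again
        car.accept(press5),   # inside the look-ahead window
        car.accept(forged),
        car.accept(far),
    ]


if __name__ == "__main__":
    print(demo())
```

The counter check only makes an already-used code worthless; it does nothing against a frame that is forwarded live, which is the relay case discussed further down the thread.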

    1. Hans 1 Silver badge
      Angel

      Re: "...can pick up the signal from keys..."

      @Jeffypooh

      You seem to be very informed about this stuff ... are you responsible in any way for this disaster ? I suspect you work in automotive infotainment systems development ...

      1. JeffyPoooh
        Pint

        Re: "...can pick up the signal from keys..."

        No. Technology, oh yes. Software no; I struggle to avoid it.

        I have written software before, years ago. 30-feet long and 'Mic Drop' perfect, walk away. More than once, so not just lucky.

        These days it's all libraries and overly complex OSs, so even an individual effort is relying on hundreds of other idiots. It's now nearly impossible to achieve perfection, because modern programmers are all 'Standing on the Shoulders of Morons.'

        It's hopeless. I want nothing to do with software. Beyond fiddling with Arduinos because they're so cute and mostly harmless.

        PS. If I did work in the automotive industry, it'd presumably be Mercedes since that's what I drive (for almost 20 years now). That wouldn't be so embarrassing in this context, since their security is probably pretty good. They make fewer blunders than other brands.

        PS2: People working in tech should know how it all works. Shouldn't sleep until it's understood, in the basics. Can't accept magic.

        1. Anonymous Coward
          Anonymous Coward

          Re: "...can pick up the signal from keys..."

          PS. If I did work in the automotive industry, it'd presumably be Mercedes since that's what I drive (for almost 20 years now). That wouldn't be so embarrassing in this context, since their security is probably pretty good. They make fewer blunders than other brands.

          Do they now? Maybe you should do a search on Mercedes keyless car theft. Of course if your particular Merc is 20 years old then you won't have that problem.

          I did a search on my make of car and keyless car theft, and couldn't find a single instance. Partly because it isn't a premium brand, but more because the brand positioning by the parent group doesn't include all the keyless systems so beloved of expensive car makers.

          1. JeffyPoooh
            Pint

            Re: "...can pick up the signal from keys..."

            Relay Attack. Clever. Thanks for pointer.

            MB will have to update their software so that when the key fob signal fades away, the car explicitly counts down to engine off. Give an owner time to turn around to fetch their forgotten key, but not much more than that. Wouldn't it already do that?

            The Top Gear idiots once moved Hammond's car out into the middle of the street. Hammond's car had an RFID system with far too much range, no Relay equipment required to take the car a half block away.

            My dealer provides C-class loaners when my '08 is being serviced, and the loaners are often keyless. It's actually slightly less convenient than just using a key. The safety procedures take 3s, vice a key needing 1s. Ever so slightly worse. My older car would be already moving before the new one got started.

            1. Not also known as SC

              Re: "...can pick up the signal from keys..."

              "...so that when the key fob signal fades away, the car explicitly counts down to engine off. ... Wouldn't it already do that?"

              Our Ford doesn't. As long as the key is in the car when you start the engine all is fine. It is then perfectly possible to get out of the car leaving the engine running, take the keys with you into the house to get some forgotten item and put the keys down and forget to return them to the car with you. I imagine that it would then be possible to drive off without the key. I haven't tried it but with my luck it won't be long until I do.

              1. Anonymous Coward
                Anonymous Coward

                Re: "...can pick up the signal from keys..."

                "...so that when the key fob signal fades away, the car explicitly counts down to engine off. ... Wouldn't it already do that?"

                Our Ford doesn't. As long as the key is in the car when you start the engine all is fine. It is then perfectly possible to get out of the car leaving the engine running, take the keys with you into the house to get some forgotten item and put the keys down and forget to return them to the car with you. I imagine that it would then be possible to drive off without the key. I haven't tried it but with my luck it won't be long until I do

                They don't switch off in case some idiot has thrown the key out of the window.

        2. andyp-random-number
          Pint

          Re: "...can pick up the signal from keys..."

          because modern programmers are all 'Standing on the Shoulders of Morons.'

          Quote of the day, if not week, for me. Have a beer.

    2. JohnG Silver badge

      Re: "...can pick up the signal from keys..."

      "Keyless Car Starting is probably using RFID. That's much shorter range. The hackers need to get within a meter or two of your keys, so they can 'illuminate' it with enough RF to power it up. The system designers should include some handshaking, not just an easily copied serial number."

      Thieves use two way repeaters to steal cars. Increasing the size of the antenna increases the range of RFID devices.

      https://www.youtube.com/watch?v=hig7sTLAB5Y

      https://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/

      Some guy used a hacked Vtech toy with a large antenna to read RFID tags from 10m away.

      1. Steve Davies 3 Silver badge

        Re: "...can pick up the signal from keys..."

        Some guy used a hacked Vtech toy with a large antenna to read RFID tags from 10m away.

        Just like all your lovely credit card details...

        Soon we will have cars that MUST be connected to the Cloud before they will start. Oh Wait...

    3. Alan Brown Silver badge

      Re: "...can pick up the signal from keys..."

      "If the researchers have identified a make and model of vehicle where they're using RFID relying on just the tag's SN, then name names and inform the Insurance industry. Such cars would be immediately recalled and lawsuits would fly."

      Renault, 2006. It happened, recalls didn't and neither did lawsuits.

    4. Amos1

      Re: "...can pick up the signal from keys..."

      "The hackers need to get within a meter or two of your keys, so they can 'illuminate' it with enough RF to power it up."

      Actually it's the other way around. The car is continuously beaconing for the key fob because it has the battery power to do so. The attack uses a repeater that is close to the car (which is outside in a driveway or parking spot), amplifies the beaconing signal and thus triggers the key fob for a response even if the key is dozens of feet away inside the locked house.

      The repeater picks up the key's reply, amplifies it, and passes it to the car, unlocking the doors and allowing the car to be started and driven away. The countermeasure is to detect the minuscule delay caused by the repeater circuitry that would not be present if the key was next to the car. Previous reports show that almost no car manufacturers implemented that check.
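The timing countermeasure described in the comment above, as an added example that is not part of the original post or any manufacturer's implementation. It models the car's challenge, the fob's keyed response and a round-trip-time limit; the 2 m range, the fixed 200 ns fob turnaround, the 5 ns tolerance and the relay delay are all assumed figures, and the key is a constructed sample.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458     # radio propagation speed, metres per nanosecond
FOB_TURNAROUND_NS = 200.0    # assumed: fixed time the fob takes to answer
MAX_DISTANCE_M = 2.0         # assumed: fob must be within 2 m of the car
TOLERANCE_NS = 5.0           # assumed: measurement tolerance

SAMPLE_KEY = bytes(range(16))  # constructed sample key shared by car and fob


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: prove knowledge of the key for this one challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def rtt_limit_ns() -> float:
    """Longest round trip a fob inside MAX_DISTANCE_M could produce."""
    return 2 * MAX_DISTANCE_M / C_M_PER_NS + FOB_TURNAROUND_NS + TOLERANCE_NS


def car_decides(key: bytes, challenge: bytes, response: bytes,
                rtt_ns: float, check_timing: bool = True) -> str:
    """Car side: the response must be correct and must arrive in time."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return "reject: bad response"
    if check_timing and rtt_ns > rtt_limit_ns():
        return "reject: too slow"
    return "unlock"


def simulate(distance_m: float, relay_delay_ns: float = 0.0,
             check_timing: bool = True, fob_key: bytes = SAMPLE_KEY) -> str:
    """One exchange with the fob distance_m away, optionally via a repeater.

    The repeater forwards the genuine challenge and the genuine response,
    so only the elapsed time differs from a fob held next to the door.
    """
    challenge = os.urandom(16)                       # fresh per attempt
    response = fob_response(fob_key, challenge)
    rtt_ns = 2 * distance_m / C_M_PER_NS + FOB_TURNAROUND_NS + relay_delay_ns
    return car_decides(SAMPLE_KEY, challenge, response, rtt_ns, check_timing)


if __name__ == "__main__":
    print("limit (ns):", round(rtt_limit_ns(), 2))
    print("fob at 1 m:", simulate(1.0))
    print("relayed from 15 m, timing checked:", simulate(15.0, 120.0))
    print("relayed from 15 m, no timing check:", simulate(15.0, 120.0, False))
```

With the timing check off, the relayed exchange unlocks the car because every cryptographic value in it is genuine, which is why a challenge-response handshake on its own does not address this attack.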

      1. Andytug

        Re: "...can pick up the signal from keys..."

        Can't speak for other makes (although have seen the Facebook CCTV video of repeater theft on a Mercedes) but on my Renault the keyless entry only works if you don't use the remote to lock the car after you turn the engine off, ie you just shut the door and walk off, it then locks as you walk away (it beeps). Then on your return if you stand within a metre and someone puts their hand in the door handle it unlocks. If you lock the car with the button on the remote key card, it won't unlock unless you unlock it again with the (different) button on the keycard. So would guess it's safe from repeater attack as long as you lock it with the remote.....

  16. Starace
    Flame

    'Security analysts'

    I would honestly be too embarrassed to stand up and present such a bunch of unoriginal and under researched crap.

  17. Anonymous Coward
    Anonymous Coward

    Old, old news

    Car computer network security has been an issue for so long now I'm starting to suspect that the continued weaknesses and vulnerabilities are intentional.

    You just never know when it might be convenient for a government to send the kill signal to a particular vehicle. Full accelerator followed shortly by full left lock while on the motorway, anyone? Of course, it was just a heart attack!

  18. adam payne Silver badge

    “The only difference is when you have a problem with computer it won’t affect your physical security, but a car can put your life in danger and automotive security is something that the industry needs to take seriously.”

    The car manufacturers will do nothing until they are forced to.

  19. Anonymous Coward
    IT Angle

    "Automobiles are getting smarter all the time"

    A bugs bunny like toon:~

    Two small time criminals, named from out of the movies.

    Luigi: {a large rotund man, slow thinker}.

    Vincento, {a much smaller type with narrow eyes, clearly the boss}.

    Both are walking down the street, together.

    Luigi: {Spies little pellets on the sidewalk/footpath and asks Vincento}

    Luigi : "what dem pellets boss ?"

    Vincento:"why, them smart pellets Luigi, if you eat them you get smart like me".

    Luigi: {stooping and picking up the pellets and eating them, as he follows Vincento down the street.}

    Luigi: "Hey boss, these pellets taste like rat shit".

    Vincento:" Ahhh Luigi, you get smarter all the time !".

    ~~~

    Automobiles are getting smarter all the time! We are not.

    Although we are being given the rat shit and are being told how wonderful it is.

    After many deaths we might eventually gain some benefit and insight from these smart pellets, and wake up to the fact that we've been had, or at least fooled ourselves.

    Use assistive AI, not replacement AI.

  20. Anonymous Coward
    Anonymous Coward

    There are sniffers out there that a criminal can use to pick up your remote key locking codes and after you have walked away use them to gain entry to your vehicle.

    Even start it and drive away.

  21. Pascal Monett Silver badge

    It could have been so simple

    Entertainment network with USB port to plug in any phone, linked to speakers and everything Internet-facing on its own network. Your in-car webcam has been hacked ? No problem, that's all that is accessible. Just don't shag in the car and you'll be fine (with a bit of black tape on the webcam camera, of course).

    Car CAN bus totally separate, with high-level fob key ciphering to open doors and start engine, and under-the-hood/bonnet USB port for maintenance. Unhackable unless you get physical access (like most non-computer things these days).

    Why, why, WHY did they throw everything on the same bus ?

    Well, in the end, it doesn't matter. A few hundred deaths and a raft of class-action lawsuits will certainly sort the issue out.

    Unfortunately, it seems that that is what it is going to take.

    1. Anonymous Coward
      Anonymous Coward

      Re: It could have been so simple

      Why, why, WHY did they throw everything on the same bus ?

      The most expensive single component in a car is the wiring loom.

  22. MrT

    What depresses me...

    ... all these 'convenience' features are basically unnecessary smoke and mirrors covering the relative lack of progress needed to coax punters into buying (or, more likely, renting through PCPs) a new car every 3 years or so.

    Even basic security is being sidelined by the rush for new digital features. A friend had his Audi Q5 stolen in Coventry. The police said it was common there, with the electric windows pulled down by using glass clamp handles and then using a £20 key reprogrammer in the OBD port. Deadlocking the window mechanism and that old problem of not keeping the OBD port live all the time could be a solution there, but let's just chuck in Apple Carplay and a colour screen instead. It's like a couple of years ago when VW tried to cover up a weakness in their key security, rather than spend a microscopic amount of cash per car (IIRC a dollar or two) to fit an enhanced version.

    Current advice for the keyless-signal grab theft is to fit a full cover steering wheel lock. Very 80's.

  23. JB@register

    I think they meant deficiencies rather than features...

  24. EveryTime

    There are many uninformed guesses in the comments.

    Most vehicles don't put operational traffic on the diagnostic bus. You can't plug into the OBD2 port and (directly) control the brakes or engine.

    A typical car might have a handful of CAN buses, only one or two of which are connected to the OBD2 port. The traffic between the ABS, engine, transmission and steering certainly isn't on the diagnostic bus. Nor is the real-time information for the airbag system, which often has dedicated links to the impact sensors. Sure, all of these modules will have links to the diagnostic bus, but that is a very indirect path. Just because you can read the steering angle sensor doesn't mean that you can force the steering wheel to turn.

    There are certainly risks, but most are well understood by the people designing the systems. This paper doesn't identify any new ones.

    1. Anonymous Coward
      Anonymous Coward

      After the jeep hack, it's 'security researchers' trying to make a name for themselves.

  25. the Jim bloke Silver badge
    Coffee/keyboard

    Anyone else having flashbacks

    to the "studies" declaring computer keyboards were less hygienic than toilet seats - sponsored by cleaning product manufacturers ?

  26. Tigra 07 Silver badge
    Alert

    "After contacting the supplier they said the manufacturer considered its systems features, not bugs"

    That excuse actually sounds like it came direct from Apple's playbook.

  27. Updraft102 Silver badge

    I guess all of this just means I will continue to not buy anything approaching a new car.

    I don't want any bit of the car having any connectivity to anything. I want my intent as the driver to be transmitted from my hands mechanically to the important parts of the car without any opportunity for a malfunction (intentional or otherwise) to compromise it.

    I thought about all of this when the "sudden acceleration" hoopla over the Audi 5000s in the 80s, and then Toyota Priuses much more recently, was in the news. I remember one such Prius story describing how one of the supposed victims tried to turn off the ignition, but the car was equipped with one of those pushbuttons instead of the good old key in lock cylinder ignition switch that has been in every car I've ever owned. Naturally, when speeding down the highway, the car declined the request to have the engine turned off, and the person who was frantically giving this story to the police on the cell phone supposedly didn't survive the car's refusal to obey. Having never operated a car with such a "feature," I have to wonder if it has the same "hold it down if you _really_ mean it and it will turn off eventually" feature that modern computers, phones, tablets, etc., have.

    With my car, if I want a certain action performed, it happens unambiguously and without some computer pondering whether it really wants to do that first. If I turn the key off, the power to the ignition and fuel pump is cut off-- no ifs, ands, or buts. If I depress the clutch pedal, the engine is disconnected from the transmission, without question. If I turn the steering wheel, the front wheels change their angle. I may have to muscle it if the hydraulic assist is not functioning (the primary reason being that the engine's not turning), but there's no computerized anything that would ever even present the possibility of trying to thwart my intent or doing anything without my say so.

    While my engine is run by a computerized control, it would require the removal of a body panel and removing a service cover on the ECU to get to it. There's no other interface. There's no wireless... anything. There's no flashable firmware. There's no "entertainment" system... there's a car stereo that isn't tied in with anything else, but that's it. No bluetooth, no wifi, no cellular connection. It's a car; its purpose is to convert chemical potential energy into kinetic energy in a fashion controlled by the driver, and it seems to do that pretty well even without all of this modern "improvement." None of the computerized systems in the car were ever questioned for their "security."

    "Security" concerns for cars like mine were and are all about physical things, like using a slim jim to open the car door or whether a slide hammer could expose enough of the ignition innards to be able to hotwire the car. Of course, those things are still a concern; thieves can steal them, no question, but unpatched zero-days are not among the concerns.

    If I were to go buy a new car, how would I even begin to understand the insane amount of crap that carmakers hang off the relatively conventional car body these days? I'd want to understand it so I can block it, stop it, shut it down if I can. Those things are not all that hard to do, but you have to first understand what's happening, and where in the car the offending things are happening. I don't want a rolling computer! I know too much about how vulnerable they are without constant attention and work to mitigate it, and I know too well how quick hardware manufacturers love planned obsolescence. It was already there in cars, certainly, but it had to do with mundane and understandable things like parts that wore out, not security vulnerabilities that need to be patched, but aren't.

    I don't even want to be in the place of needing patches; I want my car to behave as it always has. One other poster has written about software "upgrades" reducing the artificially-limited maximum speed of the vehicle. Not acceptable! If the way my car operates is going to change even the slightest bit, it should be because I've changed something, swapped a part or a whole series of parts somewhere. That's how automotive stuff has been in every car I've ever owned, and I am not about to change my mind about it now. Certainly, I do not want any software update being pushed into my car without me first reviewing and approving each of the changes... if I won't tolerate that with that unusable piece of crap called Windows 10, I am not going to tolerate it when we're talking about a mechanical device that can kill me if it messes up.

  28. J. Cook Silver badge
    Trollface

    I have a very easy solution for this problem. It requires that the driver's side door be openable using a physical key to access the hood latch, and a switch capable of coping with the amperage flowing from the battery.

    Open door, pop hood latch.

    open hood latch, power up car from battery switch.

    close hood, get in, key in, start up, drive off.

    when done:

    park the car, turn engine off, pop hood latch.

    lock and close doors,

    turn car off via battery switch, close hood, walk away.

    Only way it can be stolen is via a flatbed rollback, or getting the hood popped open and manually kicking the battery back on. (no easy task on some cars!)
