Physical Access
When someone has physical access to any device it is potentially game over. Also, there will be no perfect security.
Last year, the Black Hat presentation by Charlie Miller and Chris Valasek caused Chrysler to recall 1.4 million vehicles to install a software update after they proved they could remotely hack Jeeps. This year, in Las Vegas, the pair showed us how to defeat that update. The dynamic duo praised Chrysler's efforts to secure …
Exactly.
You wouldn't even need to use the diagnostic port, you could splice straight into a bus on the other side of the gateway and push anything you like down it, which would also nobble their stupid little security idea.
Which in part is what I suspect they did because they're claiming to have done stuff that doesn't seem to be possible if you're going in via diagnostics, but could be if you went in elsewhere. Like overriding the vehicle speed messages which aren't on the diagnostic bus if you're talking about the ones between the control modules.
It's like claiming I can hack your banking passwords on your ultra-secure system after I've stuck a keylogger on the keyboard cable; not exactly complicated and doesn't really prove much.
"Indeed. After all, they can use the old standby of partially-cutting the brake lines (so any hard braking will cause a rupture and brake failure) or even putting sugar in the petrol tank..."
And that's the Bingo right there. Anyone prepared to go to the lengths the hackers did for this latest escapade will find it much easier to just go "old school" and physically damage the car in a way as to cause an accident. No need for complicated physical hacks.
Bad of Chrysler to have left the holes in the first place, but hats off for dealing with it in what seems to be a comprehensive manner.
With 9 hours work I could attach a device to bleed your brakes at a certain speed.
Or fit a little latch to jam your throttle on at a certain revs.
Lock your steering at a certain angle of turn.
Or even simply removing 3 of your 4 wheel nuts and waiting for the other one to shear off will do the job.
A connection at 430THz, and all it does is unlock the doors... good luck with that one guys.
Remind me again why it's a good idea to have things telling the steering which way to turn?
(Although to be fair, hardening the external connectivity is at least a step in the right direction.)
Really there is a need for new regulations to make sure that certain critical systems are simply not modifiable in any way via on board communications.
At one time the "emergency brake" had to be a physically separate mechanical system to deal with the possibility of hydraulic failure (in the days of single circuit brakes). That seems to have been relaxed but really now it seems there is a single point of failure in the on-board computer and that should not be allowed.
Same goes for power steering, so far my cars have only had independent hydraulic systems for that and the range of things that can go wrong, and go wrong suddenly are pretty low. I really don't want to change that.
> the "emergency brake" had to be a physically separate mechanical system to deal with the
> possibility of hydraulic failure
Oh - you've had a Citroen XM too then? (Brakes, power steering and suspension all shared the same hydraulics. Not a good idea when the quality of the pipes and linkages was so abysmal..)
In the 12 months I had it I had total hydraulic loss 3 times. At least it had a foot operated parking brake that used a cable!
> In the 12 months I had it I had total hydraulic loss 3 times
I drove XMs for quite a few years. I only had one total failure[1].
The emergency brake was barely adequate[2], but it would have been so much worse if it had been a handbrake...
Vic.
[1] I snapped the belt that drives the hydraulic pump. In a well-maintained XM, this should cause gradual loss of pressure, with quite some time before total failure. But my XMs were never in that category...
[2] I was doing somewhere in the region of 90mph, just south of J9 on the M3. There was no way I was going to get through the traffic and onto the junction, so I had to keep it rolling for a couple of miles and pull up after the sliproad. That was interesting...
Something similar could have been said about exploiting buffer overflows, after RTM provided the proof of concept in 1988... In fact, given how many years it took before Sun bothered to even look at fixing buffer overflows, I'm pretty sure that's what their execs must have said!
Today this bug needs physical access, but perhaps in combination with another bug that lets you cross the boundary from the entertainment system to the CAN bus it could be remotely exploitable tomorrow. The problem with bugs in cars is that they'd be extremely difficult to fix, because there isn't any infrastructure set up to fix things - every owner has to take their car to the dealership and the automaker has to spend millions for this which rather disincentivizes them to do so unless they believe the cost of defending lawsuits > the cost of recalling every car for the fix.
Imagine a worst case scenario of a car that is able to receive text messages, and multimedia content that can compromise the OS (ala the multiple such holes that exist in all but the latest patch of Android) can be attached. Let's further imagine that from the OS, it is possible through a separate hole to access the CAN bus, and inject commands to tell it to steer left (potentially into oncoming traffic - substitute steer right in the UK) while at speed.
Imagine this getting in the hands of terrorists, and timing it to hit at 10:30am EDT on a Monday morning, sending the killer texts to every Jeep in the US, every 10 minutes. How long before people figure out what is going on, what models are affected, and word can get out to enough of the public that Jeep drivers stay parked? How many people will hear about it and simply pull over on the highway, afraid to drive any further because maybe their car will be hacked next? This could create as much fear as 9/11 even if it would be unlikely to match its death toll (unless it was a more popular make of car) and could disrupt travel in the US worse than 9/11 did.
Sure, that's a true worst case scenario, taken to an extreme to make a point though almost certainly impossible, but hearing an auto exec say "I'm not worried about it" makes me wonder if he knows it could be a real problem but doesn't want to alarm customers/investors, or he's really that clueless.
Yes, the technology to do it exists but hasn't been deployed by the traditional automakers yet. On the other hand, the ability to do remote updates provides exactly that sort of remote connectivity - that if exploited and combined with a "local" exploit to get on the CAN bus - which could lead to my nightmare scenario.
And that's leaving aside the concern that the update process itself could be hacked to essentially download malware onto cars. Or that the government could coerce them into adding some 'backdoor' ability like remotely shutting off the car, claiming it is necessary to prevent high speed chases or terrorist attacks like the truck running people down. And then you have to worry about the backdoor being compromised, which it almost certainly would if it wasn't an FBI only capability but was made available to local police departments all over the country.
So I'm actually sort of OK with making the update of a car's firmware kind of a pain in the ass. At least for updating anything that has any interface whatsoever with the CAN bus side of the house. If you want to update the GUI for the radio via an OTA update, be my guest!
"All these issues could be stopped if only car manufacturers built a basic intrusion detection system into their cars"
Is it even possible to buy a car without an alarm these days? As keeps being noted in regard to stories like these, physical access means game over. Trying to make things harder for someone who already has full physical access (and in this case not just a quick in and out, but a full 9 hours to play around inside your car) is much less useful than either preventing that access, or at the very least letting you know that it's happened.
By far the best security advice for car manufacturers would be to simply put the OBD port somewhere visible. If you can see there isn't a dodgy device plugged in to it, there's essentially no risk. Someone could still have disabled your brakes or something, but as others have noted they could also have just cut the brake lines. As long as all they can do is damage it in place rather than remotely change its behaviour while you're driving, it's no different from any physical sabotage.
"not just a quick in and out, but a full 9 hours to play around inside your car"
Don't forget that the 9 hours was what it took them from "cold" on a newly patched unseen system. If they were pro car thieves/assassins, no doubt they would practice and hone their skills and tools in a warehouse or garage, not your driveway.