back to article Internet of Car...rikey what the hell just happened to my car?

Vehicle manufacturers are making many of the same security mistakes as each other, creating scores of vulnerabilities in the process. Not very reassuringly, half of the vulnerabilities discovered by security researchers at IOActive could result in "complete or partial loss of control" of a vehicle. IOActive’s study is based …

  1. Jason Bloomberg Silver badge
    Childcatcher

    The worth

    "Insurance companies are very good at assessing risk. If anyone can figure out what the value of 1,000 man hours of cybersecurity vulnerability testing is worth, it’s them"

    I would venture the answer is "bugger all" or so low as to make no difference. At least at present.

    Just like we have 'a gazillion Android devices' out there exposed to vulnerabilities we don't have that many people falling foul of them; there is a significant gap between being exploitable and being exploited.

    If we get to the stage where oiks can stand on motorway bridges, press a button on their Pi-powered gizmo, can crash a stream of cars into each other, can do it time after time at any time of their choosing, we will indeed have a problem. But we are a long way from that.

    1. Spudley

      Re: The worth

      Most exploits are committed with the intention of being un-noticed by those being attacked. An attacker would much rather steal your credit card details without you noticing than crash your computer.

      Extrapolating this to vehicles, I would venture that very few hackers are actually interested in taking over control of your steering or brakes. So I would say insurers can rest easy on that score -- safety is unlikely to be materially affected in the main, even with wide open gaping flaws in every vehicle on the road.

      The people who do need to worry about this kind of thing are the celebrities, government officials, high ranking executives, or anyone else that might be a target for assassination, because these kinds of security flaws would make it trivially easy to cause fatal road "accidents", leaving virtually no evidence at all of foul play. If you're the kind of person who currently pays for bullet-proof glass on your car, you're going to need to start also paying attention to having it security hardened.

      1. BebopWeBop
        Gimp

        Re: The worth

        I suspect that most criminals are more interested in disabling locks and tracking/security devices, although the warning on drive by 'assassination' is probably worthwhile emphasising. Kill a few politicians and/or major business leaders (while possibly welcome by the electorate) will be traumatic for the motor companies businesses. And proto-terrorists (who would gain a great deal by, for example, halting all cars of a particular make at rush hour over a city) could gain a lot - and may easily be imagined to have the intellectual know how to crack simple systems.

        Insurance companies may have a broader interest than just individual malicious hacks and they have a great deal of clout - and quite possibly can move faster than government.

      2. Doctor Syntax Silver badge

        Re: The worth

        "I would venture that very few hackers are actually interested in taking over control of your steering or brakes."

        There are few idiots who drag obstacles onto railway lines. Nevertheless they exist and are a nuisance at best and very dangerous at worst. I don't see any reason to suppose that those who'd do that wouldn't also be interested in crashing your car if it came in range.

        1. Anonymous Coward
          Anonymous Coward

          What about terrorists?

          Being able to cause injury or death to people as they drive along the motorway would be better for them (in terms of causing maximum mayhem) versus shooting a few people in a public place until the police show up and they're killed. They could probably do it dozens or hundreds of times before being caught.

          Imagine the disruption of the owners of newer vehicles are afraid to drive them? What happens to the economy if the public is afraid to buy new cars and instead prefers the older models that can't be drive by hacked?

    2. Doctor Syntax Silver badge

      Re: The worth

      "If we get to the stage where oiks can stand on motorway bridges, press a button on their Pi-powered gizmo, can crash a stream of cars into each other, can do it time after time at any time of their choosing, we will indeed have a problem. But we are a long way from that."

      So you're saying that the time to solve a problem is after it's gone into production? Surely conventional wisdom is that you build security into the design, not try to add it on afterwards. Because by the time we have that problem it will be far too late to fix it.

      1. Nolveys

        Re: The worth

        Surely conventional wisdom is that you build security into the design, not try to add it on afterwards.

        What planet are you from?

    3. You aint sin me, roit

      Re: The worth

      There is the reputation cost to the manufacturer.

      If your car is listed as easy to hack, if your car is vulnerable to an attack that could potentially give the attacker control of the car, then you have to do something about it.

      Re-engineering your product will be expensive - as they said, it is not easy to bolt on security, it should be built into the design from the start.

      Recalling "defective" products will be equally, if not more, expensive.

      It doesn't matter that the hack is unlikely, or that only a psychopath would try to crash cars. If there is a public perception that your cars are unsafe then your reputation will be adversely affected.

      (It doesn't affect Android, or Windows, as much because people don't see vulnerabilities as the fault of the OS, it's the fault of "bad people". It's a different matter if it's your car the bad people might be hacking.)

      1. Anonymous Coward
        Devil

        Re: The worth

        The ability to take over or disable a car would also be extremely valuable to kidnappers. If you know that celebrity/rich guy X drives a Maserati up to his/her weekend house on a somewhat regular basis, you can look for Maseratis on the road, kill the ignition and lock the celeb in the car until your snatch team rolls up, then you unlock the doors and start making your ransom demands.

        And there is just good ol' corporate espionage. "Wow! Did you see that some evil bastard disabled 500,000 Fords last weekend? We over at General Motors deplore this crime, and would like to assure the public that this could never happened if you bought GM..."

  2. Anonymous Coward
    Anonymous Coward

    Maybe old is best

    My old diesel 4x4 is of an age before computers were fitted to cars and strangely enough I don't have any of those security problems. The doors unlock with a key, the engine starts with a key and only stops when you turn it off (or run out of diesel) and so on.

    1. Alister

      Re: Maybe old is best

      My old diesel 4x4 is of an age before computers were fitted to cars... The doors unlock with a key, the engine starts with a key

      My old diesel 4x4 doesn't even require a key - a screwdriver, or blunt knife is quite sufficient to unlock the doors and operate the ignition :)

      No prizes for guessing the manufacturer...

      1. phil 27

        Re: Maybe old is best

        A screwdriver? you younguns dont know your born :D my new old car doesnt even have door locks. Sorry it has internal latches you can flick, but the sliding windows dont lock either. It is from 1977 however and was designed to be driven by people with guns (land rover 101fc)

        1. AMBxx Silver badge
          Coat

          land rover 101fc

          Yes, but if it's stolen, you can outrun the thieves!

          Mines the one with the 110SW keys in the pocket.

      2. Anonymous Coward
        Anonymous Coward

        operate the ignition

        A diesel has no ignition system.

        1. Alister

          Re: operate the ignition

          A diesel has no ignition system.

          Strictly true, but what else would you call turning the key on before pressing the starter?

        2. Chloe Cresswell Silver badge

          Re: operate the ignition

          As a diesel is compression ignition by timing, I'd say in an old diesel, the starter motor is very much the ignition system: As it's providing the rotation to a) provide compression and b) to turn the injector pump to actually inject the fuel and therefore be ignited?

        3. phil 27

          Re: operate the ignition

          It does however usually have a electrically operated fuel cut solenoid on the pump ;)

          1. Chloe Cresswell Silver badge

            Re: operate the ignition

            That's why I said an older diesel - most don't even have that.

        4. ElsmarMarc

          Re: operate the ignition

          Actually, they do. They need a glowplug to start and it stays on for a minute or so until the engine is hot enough to carry on without it.

    2. Will Godfrey Silver badge
      Unhappy

      Re: Maybe old is best

      @Ivan4. Never mind your car not being hackable, what about that new artic you're just about to overtake?

  3. Anonymous Coward
    Anonymous Coward

    self serving and without credibility

    I could not find on IOActive's web sitethe report mentione din thsi article but I have already read the ridiculous report about the Jeep Cherokee mentioned. This repor tis use don their web site as the ssole evidence to argue there is a big security problem with cars.

    It is worth summarising what the report shows - if an attacker has physical access to the internals of a car, connects to the vehicle electrical system and installs malicous hardware, then the attacker can control systems in the car with potential safety implications. Not a surprise, not an issue and at some level something that will always be possible.

    Were there massive scares about the possibility of cutting a brake pipe?

    1. phil 27
      Stop

      Re: self serving and without credibility

      Ask yourself this. You get in your car and someone has cut your brake pipes. Do you notice when you come to the first time you need it rolling out the drive and its not there, or half a hour later when your barrelling up a motorway?

      Software can do remote connections, and it can do timed attacks or tie things into gps or cell towers. Yes you can partially saw through a brake pipe or remove a few crucial nuts holding wishbones secure etc, but you still have no real control over where it might fail. MIght work, might just put the wind up someone and alert them to the fact that next time they won't be lucky.

    2. Anonymous Coward
      Anonymous Coward

      Re: self serving and without credibility

      And again, you do not need access to the interior of the car to get onto the CAN bus, it's almost always possible to get at it from outside the car, I've even seen it documented in manufacturer's service information.

    3. Bob Dole (tm)

      Re: self serving and without credibility

      I guess you missed the part where the car was hacked over the internet from the comfort of the hackers own home. No physical access was required.

  4. Version 1.0 Silver badge

    Same old same old

    Many years ago it was just "complete loss of brake fluid" having the same effect because something wasn't tightened properly. Nowadays we blame the software - there's always something that's going to break. And someone to blame.

    1. 8Ace

      Re: Same old same old

      Not really, in the case of the brake fluid, the system was OK and suffered an issue. With these software issues the system is faulty from day one and doesn't leave a handy puddle to show the problem

      1. Anonymous Coward
        Anonymous Coward

        puddle

        This is what makes LandRovers great. When there's no puddle on the driveway, it's a solid indication there is no more oil present in the engine/drivetrain. Simplicity always wins.

  5. Sampler

    Standard

    If there were a standard electronic system for these cars, then wouldn't security be better? Like, say a linux fork that all the cars used with their own tailoring for their own needs but the baseline software would be secure by design and they wouldn't have to re-invent the wheel for each new car (as, judging by the various incar electrics I've seen, happens).

    The open source platform would be reviewed by each car maker and independent reviewers alike to ensure it's secure and updates are keeping inline, yes there's the argument that car company y wouldn't want to share information with car company x but as a baseline security is in their interests they should comply with disclosure, as any eventual discovery will make them look bad, as either they'll have to lie and say they're affected as to not piss everyone off that they'd already patch it, or piss everyone off by admitting they didn't disclose it.

    1. Mystic Megabyte
      Linux

      Re: Standard

      This guy seems to have got off to a good start, scroll down to see the screenshots.

      https://engineering-diy.blogspot.co.uk/

    2. Charles 9

      Re: Standard

      No, because it's the custom stuff (that makers will insist on for the sake of identity, otherwise why bother with more than one make) that will be the problem. All you do is move the target.

    3. chris 17 Silver badge

      Re: Standard

      @ Sampler

      Like Android for your car,

      we all know how well that goes on peoples phones and tablets.

      i'd hold out for the iCar as at least the 3 year or older models will get updates.

      1. Anonymous Coward
        Anonymous Coward

        Re: Standard

        How about "MS Windows for Cars 10". WSUS forces a reboot qhen you are doing 70 on the motorway.

      2. Anonymous Coward
        Anonymous Coward

        Re: Standard

        @ chris 17

        "we all know how well that goes on peoples phones and tablets."

        Quite well, from my experience and what I've read of others.

        "i'd hold out for the iCar as at least the 3 year or older models will get updates."

        I'm curious... How often does your car currently get updates?

  6. AndrueC Silver badge
    FAIL

    Based on the state of Honda's infotainment system I'm not surprised. Only this morning I was greeted by 'Process System not responding. Would you like to close it?' then I had to wait a couple of minutes for it to reboot before music playing resumed. They've issued a couple of patches but so far the only one that claimed to address the issue said that it was 'improved' whatever the hell that means.

    And of course the updates should only be installed by the dealer. And apparently 'only if the customer specifically asks'. In my case the dealer couldn't even do that so I ended up applying my own update from an Android hacker's cloud store.

    I've said this before and it remains true. Never trust software that comes from a hardware manufacturer.

    1. 8Ace

      "I've said this before and it remains true. Never trust software that comes from a hardware manufacturer."

      Bollocks. Ever heard of Microsoft ?

      I think you mean "never trust software"

      1. AndrueC Silver badge

        Bollocks. Ever heard of Microsoft ?

        Lol, of course MS does also produce hardware ;)

        But there are degrees of bad and MS software is not as bad as 'true' hardware manufacturer's. At least MS understands the value of investing in software development. Hardware manufacturers seem to see it as an afterthought.

        1. Peter Hawkins

          "Hardware manufacturers seem to see it as an afterthought."

          Better not get on any planes then if that's what you think !

          Actually most software development could benefit greatly from the engineering approach used in a lot of hardware design rather than its usual cylce:

          1. Get it sold

          2. Find the problems (or more likely someone else does)

          3. Maybe fix it if it's worth the hassle

          2 and 3 to be repeated as needed.

          If the costs to fix software mirrored those to physically fix hardware we'd get better products

          1. AndrueC Silver badge
            Meh

            Those are good points, and yes, you're right that it's not universally true. But if you get a new printer do you just plug it in and see what the OS can do with it or do you automatically install the software on the CD that came with it? It was CreativeLabs who first taught me to just trust the OS. After their installer has dribbled half a dozen shortcuts to useless crap all over your desktop and eaten up a hunk of storage you being to see the light.

            So I'll amend my view. If something is critical and has to work every time without fail or at least fail safely then, yes, trust hardware and associated software. But for the other 95% of stuff that we all just buy for personal use expect problems if you rely on the manufacturer's software.

          2. This post has been deleted by its author

        2. PNGuinn
          Joke

          Bollocks. Ever heard of Microsoft?

          "At least MS understands the value of investing in software development"

          So I've been told.

    2. sjaddy

      "so I ended up applying my own update from an Android hacker's cloud store"

      because installing from a non authorised app store couldn't possibly go wrong could it!

      Jailbroken iOS users hacked

      1. AndrueC Silver badge
        Happy

        "so I ended up applying my own update from an Android hacker's cloud store"

        Yeah I thought about that but the link came from a contributor to a thread on XDA where a group of hackers (using the original meaning of the word) were dissecting the infotainment centre to work out how to install Play store apps. There were at least half a dozen knowledgeable hackers who had the chance to call foul on the posting and several who had already applied it. The thread is still ongoing (here for anyone interested) so I think it was a pretty small risk.

        Pity the patch didn't actually fix what I wanted and now that the message has come back I have even less idea what 'improved' is supposed to mean.

        If the costs to fix software mirrored those to physically fix hardware we'd get better products

        True but we'd also have less innovation and I don't think computers would be as endemic and ubiquitous as they are now. Then again maybe that would be a good thing :)

        1. Rich 11

          and now that the message has come back I have even less idea what 'improved' is supposed to mean.

          It means that it now only crashes when you least want it to crash rather than when you least expect it to crash.

    3. Anonymous Coward
      Anonymous Coward

      It's not just Honda, I've had a Ford Focus infotainment system crash a few weeks ago, complete with filesystem check messages on restart and that appeared to be Win CE based.

  7. m0rt

    KITT is screwed, then.

    Alas, poor KITT and MK. That last Turbo Boost® fired when parked in a mid-floor of a multi-story...

    1. Peter Gathercole Silver badge

      Re: KITT is screwed, then.

      KITT was always interfering with other car's ignition and locking systems (it was one of it's/his normal tricks), and I'm pretty sure was hacked more than once.

      But of course that was fiction.

    2. Charles 9

      Re: KITT is screwed, then.

      "...fired when parked in a mid-floor of a multi-story..."

      If you'll recall, KITT's heavily reinforced. I think it's managed to pull off escapes using techniques similar to what you describe, although I'll have to consult my KR collection to be sure.

      1. m0rt

        Re: KITT is screwed, then.

        I did consider that. But then discounted it in favour of an easy humourous remark.

  8. Anonymous Blowhard

    “The Automotive industry has been making improvements in the awareness department. But, as we’ve seen in other industries, it can still be difficult to get appropriate spending in security as its ROI [return on investment] is difficult to gauge,”

    This is what Ford thought with the Pinto, until a jury stung them for $127.8 million in damages.

  9. Stevie

    Bah!

    All your clutch are belong to lightbulb.

  10. Anonymous Coward
    Anonymous Coward

    They're not making the 'same security mistakes' as each other

    They simply don't care. Until there are massive fines / lawsuits for IoT recklessness, expect more of the same. Its put me off buying cars. While not my only concern, its been a factor. People need to stop buying IoT. Profit is all they care about....

    1. SImon Hobson Bronze badge

      Re: They're not making the 'same security mistakes' as each other

      Trouble is, the few of us here who actually understand and give a damn are in a tiny, tiny, TINY minority. The vast majority these days don't understand and don't care - the sort of people who are so concerned about privacy that they splurge all their (and others who'd rather not be on there) activities on FarceBork.

      People are buying the likes of Hive and Nest and ... because ... well, "ooh shiny". They don't know about the security and privacy implications, and (in general) they don't care.

      Suggesting that the answer to any of these problems is to "not buy the crap" is forgetting that the 0.000<something> % of us who would actually boycott (if given the chance*) don't even make up a rounding error on the vendors' balance sheets.

      * I say that because it's increasingly hard to actually not buy into this sort of crap. Take mobiles - well Apple will take your soul while you thank them for "allowing you" to use some iTat in a manner approved by Apple, Google will take your soul and sell you to advertisers, Microsoft will take your soul and sell you to advertisers, and the rest .... err who ?

      Same for cars - all cars these days need all the sorts of electronics that are causing the problems, just to meet things like EU emissions and safety requirements. The rest is driven by demand from the "ooh shiny" brigade for useless crap. The pool cars at work even have touch screens for such fundamentals as demister controls - how ****ing stupid is it to make the driver look at a computer screen to work basic functions ?

      1. ecofeco Silver badge

        Re: They're not making the 'same security mistakes' as each other

        Well said Simon.

  11. Leeroy

    Security

    "Security is a relatively new concern for the automotive industry,”

    Maybe you should have used "Computer Security" ?

    I'm quite sure physically entering a vehicle and driving it away has been more difficult year on year since the 90's.... It's going backwards due to the addition of unnecessary gimmicks not because they are using crap locks.

  12. Anonymous Coward
    Anonymous Coward

    Insurance won't really help

    Generally people don't check on the insurance rates until AFTER they buy a car. So the manufacturer still won't have much incentive to invest in security as it isn't going to affect their sales.

    If the automaker was held liable for poor security, with hacks leading to injuries and deaths making them pay up instead of the automobile owner's insurance company, THEN they'd do that. But that would take a huge change in the law, as no one is being held liable for insecure software now. You can bet that every software company on the planet from Microsoft to Google to Apple to SAP to Oracle and on and on would do everything in their power to stop such laws, as they know it would be a short step from being held liable for insecurity in a car to the same in smartphones, enterprise software, etc.

    Not saying we shouldn't have such laws, but they would have been a lot easier to pass before software became so intertwined with almost every facet of daily life, involved in tens of trillions of annual revenue.

    1. ShortLegs

      Re: Insurance won't really help

      Of course criminals will bother... You get in your car, you turn it on, and up pops a message saying the system has been disabled until you pay a small fee.

      If they will extort data that has some degree of protection, they'll go after cars that have none.

      1. Anonymous Coward
        Anonymous Coward

        Re: Insurance won't really help

        Would you really trust a compromised auto to drive it even if the ransom was easily affordable? At least if you pay ransom to get your encrypted files back, assuming they are decrypted you can copy them to a safe place and reinstall your PC from scratch to insure the malware isn't still about. How exactly do you do that with your car?

        I would call a tow truck to have it brought in, and insist all software be reinstalled from scratch before I'd even think about driving that car again.

  13. fidodogbreath
    Holmes

    It's our own fault

    No one asks or cares how secure a car's systems are. However, buyers demand whiz-bang "infotainment," connectivity, and operational features -- which must be easy to use.

    It's the same problem as IoT. If you make your product easy enough for the average bear's grandma to operate without costing you money (by calling support or returning for warranty service), the product will likely be a security disaster.

    1. Charles 9

      Re: It's our own fault

      In other words, Security hurts sales which is why the only industries that do it regularly are those where it's a prerequisite (such as military industrial). And since there's a sliding scale between security and ease of use, not even laws or insurance pressure can help (because who cares about laws or insurance premiums if your sales tank and you can't stay in business).

  14. fidodogbreath
    Stop

    v!UT7p=3u$DHnt8~kQI*

    In fairness to car makers, most of the standard security practices that we endure in the computer world are wildly inappropriate in an automotive setting.

    Do we really want people entering a 20-random-character password into their in-dash system as they're hurtling down the road?

  15. Kratoklastes

    It's the US corporate obsession with 'IP'

    Quite apart from the retardedness of attempting to 'bolt-on' datasec because designers didn't think about it at the design phase, the carmakers' approach to their onboard systems is identical to banks' approaches to their client datasec (including, but not limited to, the security protocols for web interaction).

    That approach centres on developing everything themselves, in order to have a proprietary system. That way, the expense is R&D and can be amortised (and/or marked up as an intangible asset).

    In the software crypto world, one of the very first things that good crypto devs will tell you is "Do not try to develop your own crypto. P(you miss something critical)=1. Use an open-source library."

    And yet time and time again, software firms have implemented their own versions of data encryption - the best example being Microsludge with NTLM (a really sick joke of an encryption protocol) - and it turns out that their 'roll your own' approach was vulnerable to a fundamental exploit (timing oracles, padding oracles, or any of the other shocks that crypto flesh is heir to).

    Being crowd-checked isn't a guarantee, as the OpenSSL vulns from last year make clear... but it's a good deal better than having black-boxed code (often code that is badly documented - so if key members of the dev team leave, you can't make head nor tails of it).

    Carmakers also know that most car buyers will never become aware of the vulnerability - journalists are stupid, power-craven and technologically illiterate, and so will repeat whatever talking points are being promulgated by the car manufacturer.

    I can see it now... a 500-car pileup on a major turnpike, with cars' brakes failing to respond, and accelerators 'pedal to the metal' ; the TV news would say

    <blockquote>"Tragedy today on the roads, as global warming caused electrical malfunctions in 500 vehicles. Witnesses say that cars rammed into the pileup - which began with a semi-trailer that had jack-knifed. ISIS immediately claimed responsibility, claiming that it had hacked the systems of the vehicles, however a spokesman for the White House said that this was 'clearly propaganda trying to exploit this climate-caused catastrophe' and that the event reinforced the need to ratify the Paris climate accord. Industry insiders agree: in Detroit is our Maggie BleachedTeeth with a spokesman for Ford. Over to you Maggie..."</blockquote>

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like