Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Shoddy State of Automotive Wireless Security

Soulskill posted more than 4 years ago | from the can't-wait-for-toyota-two-point-oh dept.

Security 260

angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."

Sorry! There are no comments related to the filter you selected.

Probably the right design choice (4, Insightful)

Beryllium Sphere(tm) (193358) | more than 4 years ago | (#33201212)

If the potential for misuse is minimal, then it's only common sense to make the tire communications simple and easy to troubleshoot, and to assign the security people to work on something that matters.

Re:Probably the right design choice (5, Informative)

pwagland (472537) | more than 4 years ago | (#33201274)

That is a valid point about the communications, however, from the article, if incorrect data is sent by something pretending to be the tire gauge, it was enough to corrupt the controller to the point where even a simple reboot was not enough to fix it. It had to be replaced by the dealer. Certainly resources need to be allocated wisely however when the device crashes due to invalid inputs, that is at best annoying, at worst very expensive to repair.

Re:Probably the right design choice (3, Insightful)

AK Marc (707885) | more than 4 years ago | (#33201556)

And that goes back to input checking. Never trust your inputs. It's possible that interference could create the same pattern, so they should filter the inputs. But, security isn't needed. Just high school level programming basics. (security could reduce the possibility of bad inputs, but never assume valid inputs when you could just as easily check them)

Re:Probably the right design choice (1)

cayenne8 (626475) | more than 4 years ago | (#33203260)

Hmm...I remember when I got one of the newer (at the time) C5 Vettes, with the run flat tires and thought it was pretty cool to be able to monitor the tire pressure in each tire from the cockpit.

I can understand the need for this system for run flat tires, especially since you carry NO spare with you, but I can't imagine that many 'normal' cars out there today are going with run flats. If not...why are newer cars bothering with wireless from the tires??

Are there actually that many non-performance new cars out there running wireless communications with the tires in the first place?

Re:Probably the right design choice (1, Funny)

Anonymous Coward | more than 4 years ago | (#33201826)

A good programmer will always guard against invalid input.
http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Suppose a spark plug wire was grounding out against the exhaust manifold and randomly sent out signals that could be interpreted as RFID data?

Yeah? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#33202038)

Well, fuck you.

Re:Probably the right design choice (0, Redundant)

Thanshin (1188877) | more than 4 years ago | (#33201300)

Nope. Perfect security is the objective, whatever the cost.

I think it's time to start a War on Insecure Car-tyre Communication.

Btw, when I call someone, people around me can hear my side of the conversation. Does anyone know where to buy cones of silence?

Lets skip to the heart of the matter (4, Informative)

CdBee (742846) | more than 4 years ago | (#33201318)

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

Re:Lets skip to the heart of the matter (1)

wgoodman (1109297) | more than 4 years ago | (#33201380)

New cars have a lot more sound insulation, and louder stereos so it's a lot harder to know when a tire is getting low based on the sound. I've been on plenty of crappy roads where I've pulled over cause it felt like the tire was shot, It's kind of nice to have a little light save be a few min.

Re:Lets skip to the heart of the matter (4, Interesting)

Gordonjcp (186804) | more than 4 years ago | (#33201496)

You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!

Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.

Re:Lets skip to the heart of the matter (0, Redundant)

Gordonjcp (186804) | more than 4 years ago | (#33201516)

You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!

Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.

  This exact comment has already been posted. Try to be more original...

So why isn't it showing up?

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202528)

Comment 1: http://tech.slashdot.org/comments.pl?sid=1749062&cid=33201496 [slashdot.org]
Comment 2: http://tech.slashdot.org/comments.pl?sid=1749062&cid=33201516 [slashdot.org]

Try not to spaz out next time, okay? Maybe adjust your thresholds, then grab a coffee or something.

Re:Lets skip to the heart of the matter (4, Informative)

boring, tired (865401) | more than 4 years ago | (#33202694)

My last car did this. Driving on snow or very wet roads would trigger the low tire pressure warning. It did detect an actual low tire once but there were so many false positives that I learned to ignore it. One good thing is that it forced me to keep a pressure gauge in the car so I could check the tires and reset the warning light.

Re:Lets skip to the heart of the matter (5, Informative)

Thanshin (1188877) | more than 4 years ago | (#33201426)

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

I'd rather have airbags than a decent stereo.

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

Re:Lets skip to the heart of the matter (5, Funny)

Thanshin (1188877) | more than 4 years ago | (#33201438)

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

I'd rather have airbags than a decent stereo.

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

Wheels are a nice feature too.

Re:Lets skip to the heart of the matter (2, Funny)

The Mighty Buzzard (878441) | more than 4 years ago | (#33201848)

Ask me to design my ideal car and it'll have a lightweight but strong aluminium body, a simple, efficient diesel engine, comfortable seats and a decent stereo. Everything else is chaff, I don't even need ABS.

I'd rather have airbags than a decent stereo.

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

Wheels are a nice feature too.

Nah, they're just a fad.

Re:Lets skip to the heart of the matter (1)

TheKidWho (705796) | more than 4 years ago | (#33202186)

I'd add a decent steering wheel to that too.

Re:Lets skip to the heart of the matter (1)

markov_chain (202465) | more than 4 years ago | (#33202426)

He forgot a transmission too.

Re:Lets skip to the heart of the matter (1)

CdBee (742846) | more than 4 years ago | (#33201482)

Most people would have included those things as defining features of a car and therefore unworthy of mention.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202568)

And the body, engine and seats aren't?

Re:Lets skip to the heart of the matter (1)

sleeping143 (1523137) | more than 4 years ago | (#33201836)

However, before even thinking about airbags, I'd really enjoy to have lights, windshield, mirrors, ...

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

All of which are required by law, and would obviously be features. In all fairness, though, cars do need many of the sensors in order to keep the engine running at peak efficiency, thanks to fuel injection. And if you say you'd rather have carburettors anyway, you've clearly never owned a carburetted vehicle for any length of time. Ultimately, data is good, and more sensors means more data.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202978)

"I'd rather have airbags than a decent stereo."

I'd rather people on the road were not lulled into a false sense of security by
airbags, so they would drive as though their life depended on how they drove,
because it DOES. In a big crash, airbags won't save you -- you will die anyway,
and all EMS responders know this is true. Just ask the next EMS person you
see and they will tell you about the bodies which were located behind the ( deployed )
air bag.

Best of all, selfish douche bags need to quit driving big SUVs. I tell you all this : if you
hit me while you are driving your SUV and you do not kill me, you will experience a life-altering
event shortly afterward.

Re:Lets skip to the heart of the matter (4, Funny)

MiniMike (234881) | more than 4 years ago | (#33203102)

Brakes are nice too. unless you're planning to go slow enough to brake with your foot.

His ideal car doesn't have a transmission or wheels, so unless he's on a steep enough hill that his lightweight but strong aluminum body can skid down it, he'll just be sitting in his driveway going 'vroom vroom' anyway. If his ideal house has a driveway, that is. As his ideal car also doesn't have a floor pan, he'll have no trouble using his feet to pretend to brake.

Re:Lets skip to the heart of the matter (1)

c0lo (1497653) | more than 4 years ago | (#33201472)

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected.

I'm not arguing if favour of sensors, be them wireless or not. Just pointing why we are in the situation of discussing over "tyre sensor hijacking" now, maybe there's something to learn.

From TFA:

The U.S. has required such systems in new automobiles since 2008, thanks to legislation passed after controversy erupted over possible defective Firestone tires in 2000.

A bit of google-ing around resulted into this [wikipedia.org] , with the relevant section being:

Many outside observers tend towards blaming both parties; Firestone's tires being prone to tread separation and failure, and the SUVs being especially prone to rolling over if a tire fails at speed compared to other vehicles.

To summarize:

  1. two corporation releases products "defective by design" (no anti-DRM, at least not yet). Put together and the driver would have little chance to avoid a sudden tyre deflating followed by the SUV rolling over
  2. at least one overzealous government legislates an overcomplicated measure for the problem (another is to follow by 2012)

The moral of the story: common-sense is vanishing rapidly and we are living interesting times - yet another another mean for government to be aware of you [wikipedia.org] and another branch of security research is born (with the correspondent hacking branch to follow).
And no, the tin foil does no longer help, not when common-sense is so epically failing.

Re:Lets skip to the heart of the matter (3, Insightful)

nospam007 (722110) | more than 4 years ago | (#33201650)

"a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "

Is that the system that is unable to differentiate between gas and breaks in a Toyota?

Re:Lets skip to the heart of the matter (4, Funny)

nacturation (646836) | more than 4 years ago | (#33202548)

"a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately "

Is that the system that is unable to differentiate between gas and breaks in a Toyota?

In some cases, this non-electronic system called "THE DRIVER" is unable to distinguish between brakes and breaks.

Re:Lets skip to the heart of the matter (2, Insightful)

AlecC (512609) | more than 4 years ago | (#33201714)

Over past decades there has been a continuous fall in fatalities per mile driven. This is, to a large extent, due to continuous small improvements, of which this is one. Of course you may be savvy enough to keep your tires properly inflated - but the average Joe Public isn't - or at least 10% of Joe Public. And properly inflated tires reduce the risk of accidents, in which Joe Public can kill not only himself but also you. You may, indeed, be an above average driver (like 90% of the population, in their opinion) but most people (in real tests) are not.

Incidentally, you didn't specify synchromesh, windscreen wipers, indicators, damped suspension, automatic ignition timing... Once upon a time, cars didn't have these. Have you ever driven a car from the 1920s? Would you know how to double-declutch and when to use the ignition advance retard? What you are saying is that cars don't need the improvements since you started driving - a version of the "Good Old Days" fallacy.

Re:Lets skip to the heart of the matter (-1, Troll)

Anonymous Coward | more than 4 years ago | (#33201884)

You don't need ABS? How about the chances that the car hydroplaning in your direction has one of those drivers that stand on the brakes and close their eyes when they get in trouble?

Re:Lets skip to the heart of the matter (5, Insightful)

zippthorne (748122) | more than 4 years ago | (#33201944)

You might think you don't need ABS, but as another driver on the road, I'd prefer you had it. I'd prefer it a lot.

I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.

If the only danger was you sliding off a curve into a a tree or ravine after losing your steering, I'd say, "Go for it, we can always use less people." But it's not. There's also the danger of you not being able to avoid an accident with me, and I like being alive!.

Please be considerate of your other drivers.

Re:Lets skip to the heart of the matter (3, Informative)

Beyond_GoodandEvil (769135) | more than 4 years ago | (#33202488)

I don't care if you think you can pump the brakes well. ABS can pump them a lot faster, and it can do something you can't ever do without drastically changing the controls design: it can pump the brakes individually by wheel.
Not sure why parent is a troll, since he is correct modern ABS can brake each wheel individually allowing for maximum control under braking. So unless you're driving the McLaren MP4/12, ABS can do a better job braking each wheel then you can.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202904)

A non-abs car with trained talented driver will always stop faster applying a controlled amount of force to the breaks then a computer randomly pumping them. Granted in the US, that is probably about 2% of drivers.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202980)

Your information is at least a decade old, I'm afraid.

With modern ABS systems, it's 0% of drivers. While in theory perfect threshold braking will outperform ABS, in reality ABS systems have improved to the point where there doesn't exist the person who can outperform them.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202320)

As a pedestrian, I need you to have ABS.

Re:Lets skip to the heart of the matter (1)

Ephemeriis (315124) | more than 4 years ago | (#33202926)

Cars don't need wireless sensors. In fact they don't need most of the electronics that gets built in at all. This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected. I believe this system is moderately effective and not subject to radio spoofing.

This may come as a surprise to you, but there are an awful lot of idiots driving around out there.

Folks who don't even respond when the car clearly informs them that their tires are low.

And you want to rely on these idiots to accurately sense and diagnose everything that can go wrong with their vehicles?

If they were all driving on some closed course somewhere and their assorted issues only affected them, it would be one thing. But that isn't the case. I'm sharing the road with them. And when one of them loses control of their vehicle because a part didn't get serviced and broke, it's suddenly my problem.

I don't even need ABS.

Maybe... Depending on where you live and how you drive... You might never use ABS. If you never, ever drive under any conditions where you could lose traction then you're probably correct.

But if you ever drive in rain, or on any kind of loose gravel or sand, or in the snow, or on ice, you really do need ABS.

Sure, yes, you can pump your brakes. But you can't pump the brakes on just one slipping wheel while leaving the rest of them spinning normally. And you certainly can't pump the brakes anywhere near as fast as the ABS does.

Speaking as someone who would rather not have you careen into me because you've lost control of your car - yes, you do need ABS.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33203176)

You actually stop faster in nearly every condition without ABS. But, with ABS, you are more likely to be able to maintain steering control.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33202946)

Even the most insecure and least-reliable computer is better than the average human.

What's the single largest cause of accidents, both now and from the beginning of the automobile? Hint, it's not computer error.

Re:Lets skip to the heart of the matter (0)

Anonymous Coward | more than 4 years ago | (#33203124)

You must not be from Texas, or air conditioning would have made the list.

Re:Lets skip to the heart of the matter (2, Insightful)

drinkypoo (153816) | more than 4 years ago | (#33203258)

This may seem old-fashioned but for nearly a century a complicated non-electronic system called 'THE DRIVER" would monitor the state of the car and act appropriately when a deflating tyre is detected.

Your strategy is fine for racing vehicles, but ABS provides additional safety to those who do not believe it to be magical and disable switches are very easy to implement since all ABS fails to simple brakes. Meanwhile, we have run-flat tires that can go flat so graciously that you don't even notice until you try to make a 90 mph curve on one, and they CERTAINLY enhance vehicle safety (being less vulnerable to blowouts, let alone leaving you stranded on the uphill of the Bay Bridge in the left lane or something like that.

Airbags save lives, and events beyond your control happen all the time in motoring. You can be as cocky as you like, but suggesting that these safety features are unuseful is ridiculous at best. And as to your decent stereo, doesn't that interfere with your monitoring of a car that has no monitoring equipment?

Re:Probably the right design choice (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33201420)

Risk Management doesn't work if you don't understand all the risks (Which most people don't) which is why State Correctness should be used instead, especially in this relatively small system. These sorts of security issues arent just poor security, it's poor system development. Security and assurance of any system, whether it be from an unintentional problem or a malicious actor, should be considered an equal requirement of any well designed system.

Re:Probably the right design choice (4, Informative)

DDLKermit007 (911046) | more than 4 years ago | (#33201484)

Actually this is all old hat at this point. This guy is just stealing from a Def Con talk which needs attribution to Mike Hertzfeld. I was at the talk that first brought this about. It was a little jaw dropping. He came up with ways to track people around cities using the information from the systems. That in itself isn't so bad since almost everyone has Bluetooth and/or active wireless scanning enabled on their phones, but I digress (the police use this method already since it requires no court order). The really meat & potatoes was where if he flooded the system with garbage data over the wireless something interesting happened, the car shut off. Thats the real crazy part to me, that the system is that vulnerable.

Re:Probably the right design choice (1)

bbksy (1655481) | more than 4 years ago | (#33201640)

yes,i gree with it .

Sudo (1, Funny)

Anonymous Coward | more than 4 years ago | (#33201224)

break
break!!!
Oh... sudo break.

Re:Sudo (3, Funny)

16Chapel (998683) | more than 4 years ago | (#33201554)

I dunno about you, but I'd rather tell my wheels to brake.

Disconnected from reality... (3, Interesting)

http (589131) | more than 4 years ago | (#33201234)

FTFA:

Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. "Someone would have to invest money at putting receivers at different locations," she said. Also multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost US$1,500.

Oh yeah, good thing RFID detectors are so freaking expensive. Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.

Homework Help (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33201278)

Homework Help or project submission, we provide online support to student’s right from their nursery level to the post graduation level. Reach us through an email as we work tirelessly 24 hours on all the 365 days.

www.homeworkmall.net

Re:Disconnected from reality... (4, Insightful)

Yvanhoe (564877) | more than 4 years ago | (#33201290)

By the way someone who wants to track a car can use these very convenient numbered plaques visible in front and in the back of the car with only a cheap camera and on-the-shelf software.

I wonder however if a bad pressure signal could be forged, forcing the car to stop ?

Re:Disconnected from reality... (1)

Silfax (1246468) | more than 4 years ago | (#33202418)

I wonder however if a bad pressure signal could be forged, forcing the car to stop ?

Worse yet - if a steady stream of forged low pressure signals can be sent to a vehicle with automatic tire inflation causing it to overinflate to dangerous blowout levels.

Re:Disconnected from reality... (0)

Anonymous Coward | more than 4 years ago | (#33203288)

Yes, there are schemes out there now where a "concerned motorist" flags you down because he says he sees smoke coming from your car, and helpfully leads you to a nearby garage that he knows of, where his brother-in-law scams you into needless expensive repairs. It would be a simple matter to drive up and down the highway with a transmitter sending bogus low-tire readings to scare folks into a shady tire shop.

Re:Disconnected from reality... (3, Interesting)

Anachragnome (1008495) | more than 4 years ago | (#33201398)

"Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure."

I think you fail to recognize the seriousness of the capabilities of a simple RFID system.

Most people do not think much about the RFID chips in their tires until they realize (are told) that EVERY stoplight out there has multiple sensor grids built right into the roadbed (to sense the presence of cars and be able to control the lights accordingly). The looks on their faces usually change the moment comprehension dawns on them.

Those very same grids can be used to detect the RFID chips in your tires. In short, any car with tires made since 2000 can be tracked by the very roadbeds they ride upon.

Seriously. All this technology to check your TIRE PRESSURE? Who the fuck is kidding who?

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips, and usually ask for all sorts of additional info--for "warranty reasons". Even paying with cash, they will argue with you about not giving them a name (but usually crumble when you say you'll just shop elsewhere). Why is it SO important they have a name? So they can help you join the next class-action against a tire manufacturer?

Media jumped all over the Firestone story, fear-mongered it into something bigger and we end up with this. Tracking tags in our cars. More security theater. Yay.

Re:Disconnected from reality... (1)

Technician (215283) | more than 4 years ago | (#33201518)

A secondary coil or dual resonant tuning would be required. The frequency for vehicle detection and RFID are several orders of magnatude different in frequency. Induction loop vehicle sensors are most often 10-50 KHZ.

RFID tags use either LF: 125-134.2 kHz and 140-148.5 kHz, 13.56 Mhz, or UHF 868-928 MHz frequencies.

Re:Disconnected from reality... (3, Interesting)

marten_77 (590526) | more than 4 years ago | (#33201520)

It should be pointed out that sometimes these tracking features (such as OnStar) can be used in ways that actually do not serve the interests of the government. For instance, in my jurisdiction, police recently set up a sting operation designed to catch car thieves. Undercover agents set up a storefront for purchasing stolen cars, and collected dozens of vehicles over about a half-year period. When car thieves would come in to sell the cars, they would be paid in marked bills, and the undercover agents would drive the cars into a hidden parking deck. The agents didn't want to blow their cover early, though, so they didn't immediately return the stolen cars. (After all, in their minds, catching criminals was considerably more important than returning stolen property.) They left the vast majority of the recovered vehicles in the hidden parking deck for months, without ever notifying the victims that their property had been recovered. This, of course, translated into a significant financial loss for the victims (and their insurance companies). There was one class of victims, however, who got their cars back in short order -- the ones whose vehicles were equipped with OnStar. When asked by law enforcement to keep the operation secret from the vehicle owners so as not to hinder the sting operation, OnStar flatly refused, notifying police that they would immediately provide the GPS coordinates of the missing vehicles to their customers so that the customers could begin legal actions to recover them. Faced with this problem, the undercovers immediately drove the OnStar-equipped cars out to an abandoned lot and then anonymously notified local law enforcement that they had been discovered. The cars that were not so equipped sat in the hidden deck until after the entire sting operation had concluded.

Re:Disconnected from reality... (1)

AK Marc (707885) | more than 4 years ago | (#33201564)

That's nothing that can't already be done with red light cameras. No RFID necessary.

Re:Disconnected from reality... (0)

Anonymous Coward | more than 4 years ago | (#33201758)

Put on your Tin Hat buddy, its going to be a long ride for you...............

Re:Disconnected from reality... (5, Informative)

tweak13 (1171627) | more than 4 years ago | (#33201896)

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips

As someone who sold tires for years, I can tell you that there's a foolproof way to get tires without giving out your name. I realize it's crafty and devious, which is why you may not have thought of it. Here it is: Make something up. Wild, I know, but there's about a 99% chance it will work because nobody gives a shit. Seriously, take off the tinfoil hat.

When I was working for a major chain selling tires, I asked for a name for one and only one reason. Our software wouldn't let me make an invoice without a name. It also required a few other things, but it's just as easy to make up a phone number too. If you lied to me at any point, how the hell would I know? It's not like I asked people to present ID to get tires.

The looks on their faces ... (1)

Joce640k (829181) | more than 4 years ago | (#33201974)

Do they also drop when you point out the 3" tall sequence of number on the front/back of their car is unique to that car and easily readable by roadside cameras, the police or passers-by using built-in organic sensors?

Re:Disconnected from reality... (1)

bev_tech_rob (313485) | more than 4 years ago | (#33202124)

Ummmm....most of the time, they ask you your name so when they are finished and you are walking around the local Wally World waiting on your tires to be installed, they don't have to page you over the store PA and say "Would the person with the mohawk and stud in their tongue please return to automotive? Your car is ready".....duhhhh.... Fricken paranoid...

Re:Disconnected from reality... (1)

couchslug (175151) | more than 4 years ago | (#33202340)

"Why is it SO important they have a name? "

In order to direct snail mail spam.

Re:Disconnected from reality... (1)

Jawnn (445279) | more than 4 years ago | (#33202436)

Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires RFID chips, and usually ask for all sorts of additional info--for "warranty reasons". Even paying with cash, they will argue with you about not giving them a name (but usually crumble when you say you'll just shop elsewhere). Why is it SO important they have a name? So they can help you join the next class-action against a tire manufacturer?

Sorry, not buying it. If Discount Tires is working for "the government", they don't need your name, the need details on your car, like, oh..., the license number.

Re:Disconnected from reality... (1)

plover (150551) | more than 4 years ago | (#33202958)

Correlation is not your friend. You can expend a lot of energy trying to avoid giving the tire seller your name, but the first camera+RFID Reader combo you encounter will associate your tires with your license plate. This could happen at a gas station, or county courthouse, or parking garage.

If you're that concerned, you need to kill the RFID tags. I'm not sure how you'd do that, as a tire in the microwave is not exactly feasible.

Well.. (1)

The Creator (4611) | more than 4 years ago | (#33201526)

Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.

They would want to know about changes so that they can guess where/when you have picked off or left off passagers or cargo.

This is onstar! (3, Funny)

Anonymous Coward | more than 4 years ago | (#33201248)

We currently show you driving 95 miles an hour with four flat tires. Would you like to be routed to a service station?

If you've got a toll tag... (3, Interesting)

pongo000 (97357) | more than 4 years ago | (#33201252)

...the government is tracking you already (where I live, toll tag transponders can be seen on telephone poles miles from the toll roads). If you have OnStar (even if it's "disabled"), GM can still locate your vehicle. I suspect it's even possible to monitor a vehicle's CANBUS for unique signatures that would identify a specific vehicle. Hell, your cell phone will give you up.

For some reason, I'm not too worried about the RFID tags on my tire valve stems.

Re:If you've got a toll tag... (5, Funny)

Anonymous Coward | more than 4 years ago | (#33201284)

Hell, your cell phone will give you up.

At least Rick Astley won't give you up, nor will he let you down.

Re:If you've got a toll tag... (0)

Anonymous Coward | more than 4 years ago | (#33202802)

Excellent reply. What a guilty pleasure.

Re:If you've got a toll tag... (2, Informative)

TheLink (130905) | more than 4 years ago | (#33201314)

If you carry a cellphone with you and are within "coverage", you're already tracked.

They can find out which towers your phone has been talking to and thus figure out where you've been.

Re:If you've got a toll tag... (1)

FuckingNickName (1362625) | more than 4 years ago | (#33202070)

I often move around on foot or by public transport; I'm often either not carrying a 'phone or have it switched off; I frequently don't carry ID; I pay in cash, where necessary. In short, I'm like the average human in Britain 30 years ago. One of the reasons I do this - on top of all the obvious arguments about good health, good tree-hugging, the ability to concentrate when I'm not always interruptible, etc. - is that I love knowing that I'm untrackable. What I'm doing on such a day won't be written down and used against me, or as a training exercise for some more oppressive system. Nothing can see me which I cannot also see. We are even.

(To preempt "CCTV": yes, there's a lot of it in cities and large towns. Most of it is privately owned. We may be the most populated country in Europe, but most of the United Kingdom is still empty space with the occasional interspersed village.)

Re:If you've got a toll tag... (0)

Anonymous Coward | more than 4 years ago | (#33202752)

Switching off your phone doesn't stop them tracking it. You need to remove the SIM card and battery to be sure (and if you're really paranoid, wrap them in tin foil).

Re:If you've got a toll tag... (1)

plover (150551) | more than 4 years ago | (#33203014)

In America, most metropolitan buses have an array of CCTV cameras, continually recording on a locked-up storage device. Theoretically these deter criminals. But they record regardless of your non-criminal actions.

Re:If you've got a toll tag... (1)

jridley (9305) | more than 4 years ago | (#33203076)

No. I don't keep my phone on. I'm pretty sure it's not doing anything sneaky while off, because I can leave it off for a month at a time and the battery is still in good shape, so it's not doing much, if anything when off.

Re:If you've got a toll tag... (1)

Nichole_knc (790047) | more than 4 years ago | (#33201664)

Not only toll tag readers on toll roads.. I my area on the interstate loops around the city and on the primary major routes through the city there are these covered square sensor looking gadgets that point at the roads, they are similar in appearance to the prepass sensors for Semi truck weight stations. HOWEVER they are placed at intervals along the road path, low and to the side. My conspiracy theory: they read car data that newer cars already spew out for ID and theft recovery. This information is already stored at the DMV by VIN, DVR license, name and SSN. Once you open any door to your home you have no reasonable expectation of privacy..Be it the front door or an electronic one to a cloud...

Turn off the brakes (2, Interesting)

drop table user (1517433) | more than 4 years ago | (#33201330)

Why bother with the tire pressure when you can make instruments give false readings, kill a car engine remotely or turn off the brakes [bbc.co.uk] ?

Re:Turn off the brakes (0)

Anonymous Coward | more than 4 years ago | (#33201418)

All of this requires physical access to the car at some point... I can put a whole in your brake line and get the same results

Re:Turn off the brakes (1)

tris203 (1768578) | more than 4 years ago | (#33201504)

I can put a whole in your brake line and get the same results

a whole what?

Re:Turn off the brakes (1)

plover (150551) | more than 4 years ago | (#33203044)

I can put a whole in your brake line and get the same results

a whole what?

A whole hole, of course. A partial hole would do nothing.

Re:Turn off the brakes (1)

ledow (319597) | more than 4 years ago | (#33201890)

A lot of modern cars have or have had installed Bluetooth OBD. This means it's NOT required to have physical access - you can be several km's away with a good antenna. And it also means that such tricks would work in a virtually-evidence-free way (i.e. drive past your target of, say, a princess driving through a French tunnel - turn the car's brakes off remotely by breaking the dodgy "security" on such things, and carry on driving - in the opposite direction, a mile down the road, wherever there's a relatively clear line of sight).

And when the crash investigators look, all they see is that the ECU disabled the brakes and the car crashed.

Re:Turn off the brakes (2, Interesting)

drop table user (1517433) | more than 4 years ago | (#33201924)

All of this requires physical access to the car

That used to be true. While some hacks still require physical access [smartplanet.com] , others can be executed remotely [wired.com] . Cars are getting online and the security problems go with it.

Re:Turn off the brakes (0)

Anonymous Coward | more than 4 years ago | (#33202296)

These features allow you to turn inject code that will disable brakes,airbags and power steering at some point after two weeks when the car has reached a significant speed; and then overwrite it all back with the original data to remove any evidence.

This is a suprise.... How? (4, Interesting)

Platinumrat (1166135) | more than 4 years ago | (#33201440)

Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, their dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.

Re:This is a suprise.... How? (0)

Anonymous Coward | more than 4 years ago | (#33201510)

It will only change when they get hit with some financial loss because of this.

For example, the all the ECU's tend to be insecure, so the interesting part is if the manufacturer will be hit with a high-$ civil suit after the first murder case committed by hacking a car's controllers to disable the brakes and airbags as soon as the speedometer hits 100mph.

Re:This is a suprise.... How? (0)

Anonymous Coward | more than 4 years ago | (#33201534)

Take the number of gadgets we expect to sell, A.

Multiply it by the probable rate of exploitation, B.

Multiply the result by the average out-of-court settlement, C.

A x B x C equals X.

If X is less than the cost of doing it properly, we do a half-arsed job instead.

Re:This is a suprise.... How? (0)

Anonymous Coward | more than 4 years ago | (#33202858)

As engineers, their dangerous enough...

So just like how Slashdotters have little motivation to think about spelling?

car jacking (1)

tris203 (1768578) | more than 4 years ago | (#33201488)

how about a scam where the type pressure reading is intercepted to make the car tell you the tyre is flat. you get out to check and get car jacked?

what about ELEVATORS? (4, Funny)

orange47 (1519059) | more than 4 years ago | (#33201558)

I mean, anyone can program them to go to 20000th floor and we could end up in orbit or something.

Tracking is NOT an issue (3, Insightful)

Mr. Freeman (933986) | more than 4 years ago | (#33201574)

"If the sensor IDs were captured at roadside tracking points and stored in databases, third parties could infer or prove that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs,"

The issue described in the article is that you can identify the tires by their RFID tag. This means that you could track cars. The article completely fails to mention that you ALREADY HAVE A FUCKING LICENSE PLATE ATTACHED TO YOUR CAR! The license plate is a unique identifier required by law on all motor vehicles. Anyone who wants to prove you visited location XYZ is simply going to use a $20 camera and get a shot of your license plate. Yeah, getting readings with RFID is a little easier then setting up a camera and some plate scanning software, but neither one is very hard for someone who wants to track you.

As for "confounding" the control unit, that's not a problem with security, that's a problem with the fucking control unit. The article mentions that once they sent false data to it, they couldn't get the thing to work correctly even after rebooting it. Any device that can't handle junk data is worse than useless. Something being intolerant of noise is not a security problem, it's a stupid engineer problem. Sure, it might not function while you're jamming it with garbage, but if it fails to work after a reboot then you've done something seriously wrong.

Re:Tracking is NOT an issue (1)

delinear (991444) | more than 4 years ago | (#33202816)

Conversely, it's easier for someone up to no good to throw on fake plates than it is for them to switch out all their tyres or spoof the tags.

Tire sensors must last years on battery (3, Informative)

gmueckl (950314) | more than 4 years ago | (#33201606)

Tire sensors are built to run on battery for years. You can't easily get to them and change the battery, so these things are extreme low power devices. Each line of code for these controllers costs real world battery lifetime and shortens maintenance cycles. The same goes for extra crypto hardware: every transistor costs. So I'm not surprised that the protocol is not secured to oblivion. There simply isn't room for that unless battery storage capacities rise by an order of magnitude or two. So, a part of me wonders whether this researcher has had a look at the constraints of these systems and understood them before he tried to make the news.

Still, this is no excuse for being able to corrupt the receiving controller irreparably by some protocol error. These errors can occur normally as transmission errors, not just through deliberate attacks. This is where the sloppy engineering exists and the only part of the story that is actually newsworthy.

If theres ever wifi to the throttle or brakes... (0, Offtopic)

Viol8 (599362) | more than 4 years ago | (#33201626)

... wake me up , I might be concerned about potential interference from hackers.

But giving false readings to the tyre pressure unit? Meh, who cares. I don't trust mine anyway and always check the pressures with a proper physical meter.

What next , a scare story about the door ajar monitering system being compromised?

*yawn*

Relevant experience (3, Interesting)

AlecC (512609) | more than 4 years ago | (#33201752)

A colleague recently got a call from his wife: her car dash had lit up with warning lights. After about half an hour he traced it to a single fault: an under-inflated tire, presumably reported (correctly) by one of the sensors described in TFO. One tire warning light - OK so far.But the tire warning system had talked to the ABS system, which had decided for inscrutable reasons that it wouldn't work with an underinflated tire. And that had talked to the central monitoring system, which had turned on the "Safety Critical Fault" light. And maybe a few other things. The result was, like Three Mile Island, a single underlying fault had turned into a christmas tree of warnings that an unskilled interpreter (the wife) was terrified of and a skilled engineer (my colleague, a very good hardware engineer) took half an hour to troubleshoot.

The point being that there is a possibility for a dangerous prank here. By fooling cars into thinking their tires are dangerously underinflated, you can give the driver a serious fright - with possibilities comic to the simple minded, but potentially dangerous if the driver is distracted or does something unexpected like braking to a sudden halt.

Re:Relevant experience (1)

Syberz (1170343) | more than 4 years ago | (#33202574)

So one tire pressure sensor causes a christmas tree of lights in the dash...

Before we had the one Check Engine light for anything and everything that failed, and now we have a bunch of lights when 1 thing fails. That's progress...

Re:Relevant experience (1)

Muad'Dave (255648) | more than 4 years ago | (#33202720)

My wife's Mazda 5 sounded off like the Enterprise going code red the other day because of a low tire alert. Luckily, after all the klaxons stopped sounding, a single 'idiot light' was illuminated - a tire with a '!' over it. Pretty clear. Thank heavens it was that all of her tires were a little low and not just one of them.

Wireless (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33201838)

Well It looks to me as if wireless power is here to stay? http://wirelesschargershop.co.uk/

Potential for Misuse (0, Redundant)

AlecC (512609) | more than 4 years ago | (#33201904)

A friend's wife had a problem with her car which caused the dashboard to light up with multiple warning lights. My friend, a highly skilled hardware engineer, traced the fault after half an hour's work: a single underinflated tire, presumably reported by the sensors referred to in TFA. The tire sensor had turned on its own warning light - so far so good. But it had also talked to the ABS, which had decided to turn itself off, producing another red warning. And this had talked to the central monitoring system, which had flagged up a safety critical fault and ordered her to a garage. And maybe some other faults.

So a malicious prankster could suddenly turn on a christmas tree of warning lights on many passing cars, with results comic to some but potentially dangerous if the driver is distracted and/or does something unexpected like an emergency stop or a swerve to the shoulder.

Re:Potential for Misuse (1)

Lumpy (12016) | more than 4 years ago | (#33202514)

if warning lights on your dash causes you to freak out and flip over your car or drive dangerously, then you should not be driving.

Encrypted ID? (0)

Anonymous Coward | more than 4 years ago | (#33201926)

If this encrypted ID works like most password hashes, it'll always be the same sequence, which is just as good for tracking purposes.

A sexist security symposium? (0, Offtopic)

dangitman (862676) | more than 4 years ago | (#33201930)

The researchers will present their findings at the Usenix Security Symposium,

At first I read that as "Unisex Security Symposium" and wondered why they would have a technical symposium for only one gender. On closer inspection I saw that was not the case, but that only raises more questions, like why the hell would they give their symposium a name that's an anagram of unisex?

Re:A sexist security symposium? (1)

delinear (991444) | more than 4 years ago | (#33202868)

At first I read that as "Unisex Security Symposium" and wondered why they would have a technical symposium for only one gender.

I don't think unisex [thefreedictionary.com] means what you think it means:

adj.
1. Designed for or suitable to both sexes: unisex clothing; unisex hairstyles.
2. Not distinguished or distinguishable on the basis of sex; androgynous in appearance: cultivated a unisex look.
n.
Elimination or absence of sexual distinctions, especially in dress.

Why have security when a very limited range should (1)

netsuhi.com (1867770) | more than 4 years ago | (#33202044)

Surley the best solution to this is no security at all and just use a very low power signal. How far should it need to go between the tyre and a fixed point on a car (a few cm at the most I think). Would it even be possible for the sensor to be connected to the cars computer via a cable and just eliminate the wireless security hole. Then they just need to have the reciever ignore any signal with values outside the valid range.

Wi-Fi in tires? (1)

Cheezymadman (1083175) | more than 4 years ago | (#33202314)

There's no way my computer's date can be right, it says it's August 10th, not April 1st.

It's all FUD by a researcher trying to get noticed (3, Interesting)

Lumpy (12016) | more than 4 years ago | (#33202502)

Sorry but you will not figure out how to bomb a embassy by reading the tire pressure in my front left tire. All this is nothing but FUD and fear-mongering by a researcher that is late on the scene to automotive hacking. Many of us in the automotive hacking circles have done this stuff for well over 30 years. Now suddenly just because one guy who decided to make a lot of noise about it it's a problem?

it is not a problem, ignore this attention whore.

You cant send a virus down the tire pressure comms channel to the ECM and cause the car to explode or disable the brakes. (Except for toyota cars... JOKING!) and his demos with wirelessly changing the dashboard and other "hacks" are via a 3rd party wireless device he installed in the car.

If I buy a new windows server and install VNC without a password can I demonstrate to the world how horribly insecure the newest windows server release is? It's the same thing. Everyone glosses over the fact that none of his hacks are possible without having the target's car for a few days and installing a lot of gear in it.

The ONLY wireless OEM hack I have ever seen is the one where you blast mp3 files to bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play audi adverts to the guy.

The A380 Runs on WEP (2, Interesting)

static416 (1002522) | more than 4 years ago | (#33202916)

Well the entire A380 doesn't run on WEP, but the entire cabin entertainment system does.

And having been involved in other parts of the A380 design, I can tell you that data security problems were not even on the product development radar. Non-IT engineering companies view IT the same way that the rest of the world does and generally doesn't design against malicious uses, only accidental failures.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?