Least Secure Cars Revealed At Black Hat

Unknown Lamer posted about 5 months ago | from the why-bother-cutting-the-brake-lines dept.

Transportation 140

Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).

so that's why the Prius' behave that way. (4, Funny)

turkeydance (1266624) | about 5 months ago | (#47603713)

my apologies to the drivers. i thought it was them.

It's my 2004 Focus (5, Funny)

gelfling (6534) | about 5 months ago | (#47603727)

Because if it starts at all it may very well catch on fire.

High speed car chase on "Cops" (0, Offtopic)

Latent Heat (558884) | about 5 months ago | (#47603953)

Didn't they have these episodes of "Cops" where the patrol officer would pull a car over for a "minor traffic infraction", run the plates, find out the vehicle was stolen, and a high speed chase would ensue?

No offense to your 2004 Focus, but it has been years since I watched the program, but the stolen car was always a Saturn?

I know that auto theft is a felony and the police are there to protect and serve, and this car was some poor dude's ride before it got boosted. But the cops engage in a high-speed chase to recover . . . a Saturn? Which ends up wrapped around a light pole in most of the "episodes"? "Sir, we recovered your car . . ."

So is it really worth the danger to the public to give chase to a criminal who has boosted a 10-year old Saturn?

Re:High speed car chase on "Cops" (1)

Pentium100 (1240090) | about 5 months ago | (#47604341)

Well, the criminal then gets to pay for the damage he caused to the car.

If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated. It does not matter that that something is not worth tens of thousands of dollars - it's still my money and my item.

Now, whether it is worth it to the public - yes, most likely. While I would probably be OK with the government buying me an identical car after the cops refuse to recover the stolen one, the number of car thefts would increase. After all, if you steal a car that's cheap enough, the police won't chase you, so you get a free car.

Re:High speed car chase on "Cops" (0)

Anonymous Coward | about 5 months ago | (#47604923)

in most cases, stolen cars are branded "salvage". If you get it back intact, it will be worth significantly less.

In other words, oddly enough, lazy cops are doing you a favour if they fail to recover the car and you have insurance. :)

Re:High speed car chase on "Cops" (2)

rogoshen1 (2922505) | about 5 months ago | (#47605015)

considering most car thefts are committed by a very small number of people, anytime one of those little buggers gets tossed in the clink, we're all better off.

Re:High speed car chase on "Cops" (2)

mjwx (966435) | about 5 months ago | (#47605237)

Well, the criminal then gets to pay for the damage he caused to the car.

Awww, it's so cute you think rich people are stealing old Astras.

If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated.

This is what we call "Insurance".

In Australia people are taking to stealing keys as immobilisers have become so common and effective it's easier to break into a house and flog the keys before taking the car. I don't really care that much if they do this and steal my 14 yr old Nissan... It's insured for $13,500. Sure it would be a shame as it's a mint condition Silvia S15 but in the end it's a car I have properly insured.*

If you don't have your car insured, that's your problem. As for getting it back, well considering the kind of people who steal cars I'm not sure I'd want that either (the first thing Police do on recovered cars is a sharps check, a check for used needles. Insurers will do the same to make sure the cops didn't miss any).

* I drive a manual, these days that's enough to stop most thieves in their tracks.

Re:High speed car chase on "Cops" (0)

Anonymous Coward | about 5 months ago | (#47605479)

How does a manual (gearbox I presume) stop thieves?

Re:High speed car chase on "Cops" (1)

pslytely psycho (1699190) | about 5 months ago | (#47605583)

Thieves, like the majority of the motoring public, generally have limited, if any experience driving a standard transmission. The stick has become the Linux of transmissions.

According to the article, and that number seems about right, only about 10% of cars are sold with a stick.

I needed to transport my 1997 Camaro across town after an emergency surgery that coincided with a move. I had a hell of a time finding someone who could both drive a stick and was willing to drive the car. Most who sit in it are freaked out that your front vision ends at the windshield and you simply cannot see the hood at all. That seems to make most people a bit squeamish about driving it.
On the plus side, no one EVER asks to borrow my car.

OOPs, forgot the link....... (1)

pslytely psycho (1699190) | about 5 months ago | (#47605587)

http://www.huffingtonpost.com/2014/06/25/teens-steel-car-cant-drive-stick_n_5530996.html

I know, I. R. A. Idiot.....

Re:High speed car chase on "Cops" (2)

jawtheshark (198669) | about 5 months ago | (#47605627)

Only in Northern America and apparently Australia. In Europe, you can bet that everyone can drive sticks. Technically, you can do your driving license on an automatic, but it is usually reserved for the physically disabled and you only are allowed to drive automatics with such a license.

Re:High speed car chase on "Cops" (2)

Arker (91948) | about 5 months ago | (#47604501)

Simply letting him get away would be horrible, because of the prevention aspect. If that were standard practice on the part of the cops, then the rate of car theft would certainly go way up.

But there is another possibility besides letting him go and flying off in a risky high speed chase. There's this old-school police technique called a 'tail' where you follow at a distance and let the target think he's getting away (while of course using your radio to get ahead of him.) Much less chance of injury or death that way. Too old-school for US cops these days, but in some backwards jurisdictions it might still be used.

Re:High speed car chase on "Cops" (1)

fustakrakich (1673220) | about 5 months ago | (#47604883)

Yep, there's not too many cars that can outrun a Motorola...

Re:High speed car chase on "Cops" (1)

F.Ultra (1673484) | about 5 months ago | (#47605751)

In my country high speed chases in cities or highly populated areas are prohibited due to the high risk of collateral damage. It's far better to let the car thieves get away than to kill some innocent bystanders.

Bullshit. (2, Insightful)

mythosaz (572040) | about 5 months ago | (#47603731)

"But... the radio can always talk to the brakes" because both are on the same network.

Bullshit.

They might be on the same network, but that doesn't mean they can talk to each other.

Re:Bullshit. (3, Informative)

viperidaenz (2515578) | about 5 months ago | (#47603899)

They're on the same network, which is a broadcast network.
Everything can talk to everything else.
A CAN bus is not a switched network. Same goes with Flexray and all other automotive networks.

Re:Bullshit. (0)

Charliemopps (1157495) | about 5 months ago | (#47604109)

you type faster than me ;-)
I just said the same thing. lol
Also, CAN Buss is not new. It's been in Semis for a very long time.

Re:Bullshit. (2)

bonehead (6382) | about 5 months ago | (#47604473)

you type faster than me ;-)
I just said the same thing. lol
Also, CAN Buss is not new. It's been in Semis for a very long time.

Also, the people who write the software for this type of platform are, at least traditionally, much more concerned about available RAM than they are about security. In this arena, the old-school folks have always worked in an environment where isolation from the outside world was pretty much a given.

As such, even the fairly ineffective security measures that are in place on the Internet haven't even been considered for use in these types of systems. Attaching wireless capabilities to them was very foolish.

All things considered, this all just goes to reinforce my dream of owning a mint condition 1965 Plymouth Barracuda.

Re:Bullshit. (5, Informative)

viperidaenz (2515578) | about 5 months ago | (#47604623)

Everything was fine until OnStar...
With OTA updates and the rest of the systems in the car using the CAN bus for diagnostic messages and reprogramming, you've got problems.

I haven't RTFA but I would assume the Honda Accord isn't as 'hackable' because they use a separate K-Line bus for diagnostics instead of doing it over the CAN bus. Other than that, every single system in the Accord is connected in some way. The audio bus connects the radio to the aircon unit. The aircon unit is also connected to the body CAN bus (you'd need to reprogram it to make a bridge though). The gauge cluster connects to both the body CAN and the powertrain CAN bus. The ECU, ABS, Traction Control, Air bags, etc are all on the powertrain bus.

If you took control of the powertrain bus, you could speed the car off down the street (thanks drive-by-wire), lock up the wheels on one side of the car and spin it sideways into a wall (traction control), while setting off the side airbags on the wrong side of the car to increase the impact the occupants receive (not sure if the airbags can be triggered from the CAN though, I doubt it. Can probably disable them though)...

Re:Bullshit. (5, Interesting)

bonehead (6382) | about 5 months ago | (#47604731)

Everything was fine until OnStar...

Well, yeah, now that I think about it, I'd have to agree....

There's absolutely nothing wrong with these systems in your vehicle being able to communicate with each other. I think most of us can agree that there are many benefits to it.

The problems only arise when the systems gain the ability to communicate to systems outside of your car. And especially when they can do it without your consent, or even knowledge. And OnStar was the first and most obvious example of that ability.

The first time I ever really noticed OnStar was back when it first came out. A buddy of mine was driving, and we made a stop and he locked his keys in. This was "back in the day" so I immediately started trying to figure out where I could get my hands on a wire coat hanger. He pulled a card out of his wallet, called an 800 number, and a few seconds later all 4 doors unlocked. My initial reaction was "Damn! That's fuckin' cool!"

About 10 seconds later I thought "Damn! That's fuckin' creepy!"

And now it's not just OnStar that can do that. Now cars have bluetooth and WiFi, so if it's not secure (and they don't build them with security in mind), any smart guy with a cell phone and access to Google can do similarly creepy things....

SIDE NOTE: There's an alley at work where we all go to smoke (yes, I'm a smoker, get over it). On the other side of the alley is another company's parking lot. There are two nearly identical GM SUVs that park in that lot. One has a broken off OnStar antenna, the other has an intact OnStar antenna. All of us refer to the two vehicles as "the smart one" and "the dumb one".

Re:Bullshit. (2)

advocate_one (662832) | about 5 months ago | (#47605249)

one of these days, there'll be an antenna which you won't know about, the visible one being a dummy... easiest way to hide the antenna would be to put it behind a plastic body panel.

Re:Bullshit. (1)

bonehead (6382) | about 5 months ago | (#47605271)

That's why I said earlier in this thread that I have reinforced my belief that my next car will be a late 60's or early 70's muscle car.

Might not be as "green" as some would like. But it was built without any spy tech, and I could spot any suspicious crap that has been added on after the fact.

Not like today's models, which are basically just computers on wheels. Take out the factory radio to install a superior aftermarket model, and suddenly your heater doesn't work.

You can't tell me there's not a 3 letter agency behind that sort of retarded engineering.

Re:Bullshit. (1)

drinkypoo (153816) | about 5 months ago | (#47605695)

That's why I said earlier in this thread that I have reinforced my belief that my next car will be a late 60's or early 70's muscle car.

Might not be as "green" as some would like.

My 1960 Dodge Dart (2dr/Phoenix) got over 20 mpg on the freeway, not too shabby. That was with a 240 hp 5.2 liter V8. If you added a high-flow cat to it, it probably would run relatively clean as well, in spite of being carbureted. That car always ran like a peach.

How about something in the middle, like a W126 300SD? Those get 30 mpg on the freeway in spite of the lack of a lockup torque converter.

Re:Bullshit. (1)

danbert8 (1024253) | about 5 months ago | (#47605833)

I unplugged the On-Star module underneath the glove compartment in my G6. Then the cruise control stopped working. Taking it into the dealership, of course their solution is to plug On-Star back in, and then the cruise magically started working again. Tell me that GM isn't going to sabotage the cars of people who choose to disable On-Star... So I got a Ford instead. Not that My Ford Touch is any great technology either.

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47605031)

All things considered, this all just goes to reinforce my dream of owning a mint condition 1965 Plymouth Barracuda.

Get it while they exist. Soon there won't be one and there will be no parts for one.

Re:Bullshit. (1)

F.Ultra (1673484) | about 5 months ago | (#47605763)

All things considered, this all just goes to reinforce my dream of owning a mint condition 1965 Plymouth Barracuda.

And chasing down the tall man!

Re:Bullshit. (4, Funny)

MrKaos (858439) | about 5 months ago | (#47605273)

you type faster than me ;-)
I just said the same thing. lol
Also, CAN Buss is not new. It's been in Semis for a very long time.

I think the real question is: How much Buss would a CAN Buss Bus if a CAN Bus can CAN Can?

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47605737)

If i had the points I'd give them to you!

Re:Bullshit. (1)

tapspace (2368622) | about 5 months ago | (#47604343)

In addition, I would challenge Charlie's and Chris's assessment of this. I didn't dig into it myself, but I would guess that a stateless gateway allows the radio to talk to the brakes in most autos, not just the few identified.

Re:Bullshit. (1)

viperidaenz (2515578) | about 5 months ago | (#47604557)

Yup, Honda Accords (not sure about current model, but definitely 2003 -> 2007, probably most Hondas actually...) use the gauge cluster as the gateway between the two CAN networks.
Not sure if every message is relayed or just a set of specific ones, it's copying from a 500kbit bus to a 33.6kbit bus...
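
A gateway between two buses, as described in the comment above, is the natural place to decide which messages may cross. The sketch below is an added example, not part of the thread and not any manufacturer's firmware: a default-deny forwarding policy with length and rate checks. The bus names, CAN IDs and limits are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    bus: str      # segment the frame arrived on: "body" or "powertrain"
    can_id: int   # 11-bit arbitration ID
    data: bytes   # payload, 0 to 8 bytes
    t_ms: int     # receive timestamp in milliseconds


@dataclass(frozen=True)
class Rule:
    dlc: int              # exact payload length this ID must carry
    min_interval_ms: int  # minimum spacing between forwarded frames


# Constructed policy: (source bus, CAN ID) -> rule. All IDs are made up.
POLICY = {
    ("powertrain", 0x158): Rule(dlc=8, min_interval_ms=10),  # vehicle speed for the gauges
    ("powertrain", 0x17C): Rule(dlc=8, min_interval_ms=10),  # engine speed for the gauges
    ("body", 0x305): Rule(dlc=2, min_interval_ms=100),       # cruise-control buttons
}


class Gateway:
    """Relays frames between the two segments; anything not listed is dropped."""

    def __init__(self, policy):
        self.policy = policy
        self.last_forwarded = {}  # (bus, can_id) -> t_ms of last relayed frame
        self.audit = []           # (t_ms, bus, can_id, reason) per dropped frame

    def forward(self, frame):
        """Return the destination bus name if relayed, otherwise None."""
        key = (frame.bus, frame.can_id)
        rule = self.policy.get(key)
        if rule is None:
            # Default deny: an ID is only valid in the direction it is listed for.
            return self._drop(frame, "not allowlisted")
        if len(frame.data) != rule.dlc:
            return self._drop(frame, "bad length")
        last = self.last_forwarded.get(key)
        if last is not None and frame.t_ms - last < rule.min_interval_ms:
            return self._drop(frame, "rate limit")
        self.last_forwarded[key] = frame.t_ms
        return "body" if frame.bus == "powertrain" else "powertrain"

    def _drop(self, frame, reason):
        self.audit.append((frame.t_ms, frame.bus, frame.can_id, reason))
        return None


# Constructed traffic, in arrival order.
SAMPLE = [
    Frame("powertrain", 0x158, bytes(8), 0),     # listed: relayed to body
    Frame("body", 0x305, b"\x01\x00", 5),        # listed: relayed to powertrain
    Frame("body", 0x1A0, bytes(8), 6),           # body-side node using an unlisted ID
    Frame("body", 0x305, b"\x01\x00", 50),       # listed ID, but only 45 ms after the last
    Frame("body", 0x305, b"\x01\x00", 120),      # listed and spaced far enough apart
    Frame("body", 0x305, b"\x01\x00\xff", 200),  # listed ID with the wrong length
]


def run_sample():
    gw = Gateway(POLICY)
    results = [gw.forward(f) for f in SAMPLE]
    return results, gw.audit


if __name__ == "__main__":
    results, audit = run_sample()
    for frame, dest in zip(SAMPLE, results):
        print(f"{frame.t_ms:4d} ms {frame.bus:10s} 0x{frame.can_id:03X} ->", dest or "DROPPED")
    for entry in audit:
        print("audit:", entry)
```

The audit list is what a detection pipeline would consume: a body-side node emitting IDs it has no rule for is a signal worth alerting on even though the frame never crossed.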

Re:Bullshit. (1)

gl4ss (559668) | about 5 months ago | (#47604605)

yeah so I can take over all wifi and bluetooth devices in vicinity?

what I mean is that the research is just bullshit done by googling around. it's bullshit and should never have gotten greenlit to be presented without actual trials!

Re:Bullshit. (1)

philip.paradis (2580427) | about 5 months ago | (#47604951)

yeah so I can take over all wifi and bluetooth devices in vicinity?

Given a reasonable toolbox, that's arguably a reasonable proposition these days, at least for many devices in your immediate vicinity. Yes, things really are that bad.

Re:Bullshit. (2, Insightful)

Anonymous Coward | about 5 months ago | (#47603929)

Maybe they can't by design. But in a "radio" I worked on you could spoof CAN and we used that to test our software. Radio acted as if it were a few other devices. To their credit, brakes and the like were on a physically separate network, though.
I have also never met any sort of security concerns regarding internal data processing and communication protocols. Most internal protocols and implementations I've seen trust the sender 100%.
I once attended a meeting discussing navigation map data. They weren't the least concerned when the vendor told them their application (which runs as root, because...) would crash when given bad data, but it's okay because they check the self-reported SD serial number. Even if you don't care about your customer, opening up access to bluetooth, wifi, cellular networks, video recording and the like could cost you a few lawsuits.

Re:Bullshit. (4, Informative)

Charliemopps (1157495) | about 5 months ago | (#47604103)

"But... the radio can always talk to the brakes" because both are on the same network.

Bullshit.

They might be on the same network, but that doesn't mean they can talk to each other.

Modern cars are required by law to operate on a CANN Buss which is very similar to old buss networks: http://en.wikipedia.org/wiki/B... [wikipedia.org]
All devices send and receive on the same wire. So every device can talk to every other device on the network, all the time.
This works as long as all devices on the network are trusted devices... but then you add bluetooth and wifi? Now you have a network of implicitly trusted devices with a giant hole in it.

If the radio integrates media controls into the steering wheel and has song titles next to your speedometer, you're screwed. That bluetooth device has full access to the entire network. Now if it treats the bluetooth device like an audio input, and the only wires going into the "bluetooth PCB" are 12vdc, ground, and left and right outputs, then you're probably ok. But there's no way most consumers are going to know which it is.

I personally dismantled the radio integration into my Fords CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features. Why the hell is the head unit for my stereo controlling major functionality in my car?!!?!

What's worse, in the newest cars as of next year... devices will be registered by mac address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the mac addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

Re:Bullshit. (1)

Anonymous Coward | about 5 months ago | (#47604221)

CANN Buss which is very similar to old buss ...
CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features.

What, were you playing Scrabble and got stuck with a bunch of extra 'N's and 'S's? It's CAN bus [wikipedia.org] and DIN [wikipedia.org] .

Re:Bullshit. (1)

bonehead (6382) | about 5 months ago | (#47604481)

CANN Buss which is very similar to old buss ...
CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features.

What, were you playing Scrabble and got stuck with a bunch of extra 'N's and 'S's? It's CAN bus [wikipedia.org] and DIN [wikipedia.org] .

You must be very insecure and unhappy in your real life.

It's the only reason I can think of that you'd try to put down a very factually correct post based on a few irrelevant typos.....

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47605061)

You must be very insecure and unhappy in your real life.

It's the only reason I can think of that you'd try to put down a very factually correct post based on a few irrelevant typos.....

I don't see any put down, and they are not typos, if all the same words in the message are typed incorrectly.

Re:Bullshit. (4, Informative)

TubeSteak (669689) | about 5 months ago | (#47604267)

What's worse, in the newest cars as of next year... devices will be registered by mac address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the mac addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

Automakers agree to 'right to repair' deal
http://www.autonews.com/article/20140125/RETAIL05/301279936/automakers-agree-to-right-to-repair-deal [autonews.com]
January 25, 2014

Last week, two trade groups representing automakers -- the Alliance of Automobile Manufacturers and the Association of Global Automakers -- announced an agreement with independent garages and retailers to make Massachusetts' law a national standard.

[...]

Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year, as the Massachusetts law requires. In return, lobbying groups for repair shops and parts retailers would refrain from pursuing state-by-state legislation.

You couldn't be more wrong.

Re:Bullshit. (1, Flamebait)

disposable60 (735022) | about 5 months ago | (#47604327)

That just means they're required to sell it to you. No limit on what they're allowed to charge, though.

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47605435)

Then China will make a cheap copy and people will use that... Done.

Re:Bullshit. (1)

Antique Geekmeister (740220) | about 5 months ago | (#47605615)

"Welcome to Bittorrent".

If the specifications are available online to one dealer, within short order they will be available illicitly worldwide.

Re:Bullshit. (1)

bonehead (6382) | about 5 months ago | (#47604503)

Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year

If I offer something for sale for the low, low price of $10,000,000, I have complied with the requirement to make it "available". Ain't my problem if you can't afford it.

Meaningful legislation would specify "make available at no cost", or at least set a cap on what they're allowed to charge.

Like the vast majority of legislation these days, this sounds good on the surface, but has too many holes in it to do anyone any good.

Re:Bullshit. (2)

JoeMerchant (803320) | about 5 months ago | (#47604435)

They've been playing at this since the 1970s. Scan code systems that sell for $50K. "Open" protocols that you have to be a member of the society to get a copy of, membership fee: $25K plus a reason they deem as valid to join. This was last century.

Just be glad that the OBD-III proposals with RFID communication requirements never got passed (or did they?) - with that, the same type of toll readers that are more and more common could as easily query your OBD port and read everything about your present vehicle condition - effectively making possible a "go directly to your mechanic and pay to fix your vehicle or get your license revoked" checkpoint anywhere desired, including across a 6 lane interstate where traffic moves at 80mph - yes, the protocol can query all the vehicles on the road simultaneously as they drive through a checkpoint.

Too much bullshit (3, Interesting)

ArchieBunker (132337) | about 5 months ago | (#47604513)

I bought a 99 Volvo S80 and it has the fancy auto dimming rear view mirror. The car was used so of course the expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.

Re:Bullshit. (1)

drinkypoo (153816) | about 5 months ago | (#47605687)

Modern cars are required by law to operate on a CANN Buss which is very similar to old buss networks

Modern cars are required by law to pass certain crash tests, get enough mileage to get the automaker's averages up to a certain point, put out emissions below a certain point, have the headlights and taillights in a certain position, come with seatbelts, airbags, ABS and AYC, and speak one of four documented OBD-II protocols on their DLC. They're not required to use a CAN bus. In practice, they do, because CAN is the only OBD-II protocol which can be used for both a bus and a diagnostic link. However, there are pre-OBD-II cars which use CAN between engine and trans and have a separate diagnostic bus, and there are post-OBD-II cars which don't use CAN at all.

Re:Bullshit. (1)

cheater512 (783349) | about 5 months ago | (#47604173)

No seriously they can. They might not out of the box, but the capability is there and chances are if someone has their way with the radio for a few minutes it very much will start talking to the brakes.

Your statement would be 100% correct in an ideal world. We are not in an ideal world.

Re:Bullshit. (-1)

Anonymous Coward | about 5 months ago | (#47604305)

It seems no one gives a fuck what a cum guzzling faggot fuck like you has to say.
 
Oh, and your homepage sucks a big dick too. God damn queer.

Re:Bullshit. (4, Interesting)

Rich0 (548339) | about 5 months ago | (#47604367)

Yup. Are the brakes actually controllable via CAN though? If the pedal just operates a transducer which relays instructions via CAN, that seems a bit risky to me. I wouldn't want even a single PHYSICAL linkage as a point of failure for the brakes, let alone an electronic one.

Granted, even if they have a cable backup, having a trojan apply full brakes without warning at highway speed would not be a fun experience (especially if it could disable ABS - which might or might not be possible but since ABS has self-diagnostics that need to report back to the dash it seems plausible that it could be tampered with). A cable backup would only prevent software from disabling your brakes - not prevent it from applying brakes.

Really, something like a radio should not be on the same network as safety-critical devices. Heck, do you really want to even do the necessary rigor to ensure that a faulty radio design doesn't cause a safety issue? Nothing should be plugged into a safety-critical bus without serious testing and design controls.

They are (2)

ArchieBunker (132337) | about 5 months ago | (#47604523)

The brakes are controllable on cars with collision avoidance.

Re:Bullshit. (4, Insightful)

bonehead (6382) | about 5 months ago | (#47604529)

Yup. Are the brakes actually controllable via CAN though?

Old school brakes, like you'd find in a mid-70's muscle car? Nope.

Modern anti-lock brakes, that depend on computer control? You bet your ass they can be fucked with through the onboard computer.

I'm an old-school geek. I've been fascinated and excited by technology for over 40 years now. But in the last half decade, I've been noticing that we're growing way, WAY too fast. We're implementing things and putting them out in the real world as soon as we "can do it". We're not waiting until "we can do it safely".

It's consumer culture gone wild.

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47605363)

Oh, you don't want to *disable* ABS, you want to include the ABS system in your attack. The ABS system can control brakes individually... If you think locking up all wheels is scary, imagine locking up only the wheels on one side of the car.

Re:Bullshit. (0)

Anonymous Coward | about 5 months ago | (#47604671)

Oh, but it's true! Let's take for example the 2006 TrailBlazer.

The Liftgate/Endgate Module (controls the back hatch functions, also contains the receiver for the key fob), OnStar module, overhead DVD player, Driver Door Module, Passenger Door Module, Powertrain Control Module, Body Control Module, Radio, XM Radio Module, Bose Amplifier, Driver Memory Seat Module, SIR Module, HVAC Control Module, Auxiliary HVAC (the controls for the back) module, Transfer Case Shift Control Module, Electronic Brake Control Module, Instrument Panel Cluster, and Theft Deterrent Control Module are all linked along a common "Class 2 Serial Bus." The Transmission Control Module is the only thing not directly linked, instead having two links from it to the PCM, and a couple wires running to the OBDII port also.

Being a GMT360/370/305 platform enthusiast, I see plenty of stuff crop up on a forum regarding failures of the data bus in various ways. A common one is that the wire leading to the LGM either gets shorted to another wire or to ground in the flexible hosing that goes between the liftgate and the vehicle itself, which causes messed-up communication. The LGM itself crapping out also starts spurting garbage data onto the network. Suddenly, your driver door buttons don't work and they don't even light up when the lights are turned on. Because these functions require a proper data bus.

Another incident that recently happened was a person who had the DVD player had an issue, I can't remember if it was the wire or the player itself. In short, when they tried starting the vehicle the Driver Info Center would display "UNKNOWN DRIVER," because the DVD player was clogging up the network and the BCM, TDCM and PCM couldn't communicate with each other and decide that the right key was indeed in the ignition.

The radio, satellite radio, and OnStar modules are obvious entry points, if they can be cracked and are configured in such a way that information received wirelessly can be put through the bus. OnStar I know can access the bus wirelessly, that's how the OnStar service can offer the automatic call when you wreck (the SIR reports to the OnStar module to make the call), and how they can read off MIL codes to you (they send a signal via the OnStar module to get codes from the PCM, PCM responds, OnStar module transmits information back to the company). I believe in 2009 OnStar modules were equipped in these vehicles with BlueTooth functionality for connecting your phone to the hands-free phone system, which may provide another attack vector.

All this without even having to get in the vehicle. Crawling under and accessing the PCM's wire harness for the correct wire, or the EBCM since it's strapped under the vehicle, can allow a physical access point assuming it's just sitting there. The proper message sent in through this will allow you to unlock the door. If the vehicle is sitting there on and just locked or something, you could do all kinds of stuff. There really is no authentication of the device, it's just "Hey BCM, roll down the rear right window," instead of "Hey BCM, this is the Driver Door Module speaking, here's my serial code 12345, roll this down." That's why Snap-On and other high-end tools can also command many vehicle functions to do arbitrary things like move the throttle plate to a specific spot, instead of just the official GM Tech II scanner tool. "Yo PCM, advance the variable valve timing." It will do so, no questions asked.

Think about it.

Dupe post (0)

Anonymous Coward | about 5 months ago | (#47603741)

Duplicate of http://tech.slashdot.org/story/14/08/02/1843200/the-worlds-most-hackable-cars

Re:Dupe post (1)

viperidaenz (2515578) | about 5 months ago | (#47603907)

That was an article saying they will share their findings at Black Hat
This is one about their findings they shared at Black Hat

You're in a maze of twisty articles, all alike... (2, Insightful)

SlaveToTheGrind (546262) | about 5 months ago | (#47603755)

We've been here before. Two days ago. [slashdot.org]

Re:You're in a maze of twisty articles, all alike. (1)

J.R.C.L. (3739333) | about 5 months ago | (#47603915)

that's right. http://bit.ly/1qOrXX0 [bit.ly]

Re:You're in a maze of twisty articles, all alike. (0)

Anonymous Coward | about 5 months ago | (#47604637)

They probably figured that the hit count was low because it was a Saturday submission, so figured they would get better traction today. Little did they know it's really because there is not much to discuss and/or people just don't care...

I owe an apology. (-1)

Anonymous Coward | about 5 months ago | (#47603761)

I know I call linsux users faggots all the time and that's just not fair because I know there are some bitches involved in the linsux circles and they don't want associated with faggots. I'm so sorry, dyke bitches, for not acknowledging you in a more progressive fashion.

so... (1)

thieh (3654731) | about 5 months ago | (#47603805)

Are we to stop driving and start using the bicycle?

Re:so... (1)

viperidaenz (2515578) | about 5 months ago | (#47603919)

Or scrap your Toyotas, Cadillacs and Jeeps and buy Audis, Hondas and Dodges

Re:so... (1)

Anonymous Coward | about 5 months ago | (#47604107)

or you could simply not react out of panic like a pathetic sheep, recalls, patches, and sheer unlikeliness of some of these exploits.. does that help you or do we need a media article to frighten you about something else instead

Re:so... (1)

R3d M3rcury (871886) | about 5 months ago | (#47604127)

Yes.

Re:so... (1)

Ol Olsoc (1175323) | about 5 months ago | (#47604601)

Yes.

Teenagers........are.......walking.......on.........our........lawns!!!

that, and atheists are waging a war on Christmas.

Re:so... (0)

Anonymous Coward | about 5 months ago | (#47604907)

that, and atheists are waging a war on Christmas.

and we're winning!

Re:so... (2)

pslytely psycho (1699190) | about 5 months ago | (#47605631)

"Teenagers........are.......walking.......on.........our........lawns!!!"

Quickest way to be rid of them...

Roll out the lawnmower, hedge trimmers, edgers, fertilizer and watch them set new world records as they leave posthaste!!!

Re:so... (0)

Anonymous Coward | about 5 months ago | (#47604625)

Because that's the only other choice? Wow dude

5cEp! (-1)

Anonymous Coward | about 5 months ago | (#47603835)

during pilay, this

They did not hack it (5, Interesting)

manu0601 (2221348) | about 5 months ago | (#47603845)

They did not hack anything, this is just speculation based on documentation. BlackHat used to offer more serious stuff.

Re:They did not hack it (1)

viperidaenz (2515578) | about 5 months ago | (#47603959)

Good point.

I have a Honda Accord with satnav. The satnav can always talk to the brakes, they're on the same CAN bus.
The radio can talk to the satnav through a separate bus, which also talks to the aircon.
The aircon talks to the body CAN network.

Even without satnav, the radio can talk to the aircon and the aircon can talk to the body CAN.

In fact... everything can talk to everything, because the gauge cluster acts as a bridge between the two CAN networks.

They did not hack it (2)

Jeff Nelson (3775163) | about 5 months ago | (#47604705)

I can't understand it either. If they are accusing so many car makes of having vulnerabilities, they should have been able to get access to at least one to formulate an actual attack. If everything on the same network was considered vulnerable by default - the Internet would be vulnerable.

Re:They did not hack it (2)

Minupla (62455) | about 5 months ago | (#47604795)

Here's the difference - we have firewalls on the Internet.

What they're saying is that the Bluetooth is sitting on the same network as your anti-lock brakes and there is no firewall.

Not sure about you, but where I work, if I didn't put a firewall between the internet, and my web servers and at least one more between my web servers and the database, I'd be looking for a new job. These guys hooked it up to the "internet" (bluetooth) and decided they didn't need any additional security between there and the "database" (your brakes).

Security is all about layers, and they've said that Bluetooth is all the security your health and safety critical systems needs. Not sure about you, but that doesn't leave me with a warm and fuzzy feeling.

Min

Re:They did not hack it (1)

manu0601 (2221348) | about 5 months ago | (#47605173)

Here's the difference - we have firewalls on the Internet.

Which explains why web sites are never hacked, and why it happens everyday in cars.

Oh, wait....

pure speculation (1)

J.R.C.L. (3739333) | about 5 months ago | (#47603937)

pure speculation, http://bit.ly/1qOrXX0 [bit.ly]

Chevy Nova (0)

Anonymous Coward | about 5 months ago | (#47604003)

I would not feel secure in this car.

And of course, no one will ever read this.

Re:Chevy Nova (0)

Anonymous Coward | about 5 months ago | (#47604303)

And of course, no one will ever read this.

You're absolutely correct.

Opinion from industry insider (5, Interesting)

nhtshot (198470) | about 5 months ago | (#47604021)

I work in the automotive after market (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.

That is primarily because the German cars use what we call a "Can Gateway" but is better thought of as a firewall. Every different system in the car has its own private canbus. Anything that needs to travel between the busses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those busses.

Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).

Doing those things requires access to the can wires, but the bus is used for so much now-a-days, there's always plenty of places to access it. Many of them without requiring keys or an open hood.
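The gateway behaviour described in this comment (a per-bus allowlist of well-formed frames, everything else dropped) can be sketched as follows. This is an added example, not code from the thread or from any manufacturer; the bus names, CAN IDs, lengths and the rate cap are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    bus: str      # bus the gateway received the frame on
    can_id: int   # 11-bit CAN identifier
    data: bytes   # 0 to 8 payload bytes

@dataclass(frozen=True)
class Rule:
    src: str             # only frames arriving from this bus match
    dst: str             # bus the frame is forwarded to
    can_id: int
    length: int          # exact payload length the gateway expects
    min_interval: float  # seconds between forwarded copies (rate cap)

# Constructed routing table: bus names, IDs and timings are illustrative only.
RULES = [
    Rule("powertrain", "infotainment", 0x0F0, 8, 0.010),  # speed for the display
    Rule("body", "infotainment", 0x2A0, 2, 0.100),        # door-ajar status
    Rule("infotainment", "body", 0x3C0, 1, 0.200),        # chime request
]

class Gateway:
    def __init__(self, rules):
        self._rules = {(r.src, r.can_id): r for r in rules}
        self._last_seen = {}
        self.dropped = []   # (frame, reason) pairs, for logging or alerting

    def _drop(self, frame, reason):
        self.dropped.append((frame, reason))
        return None

    def route(self, frame, now):
        """Return the destination bus, or None if the frame is not forwarded."""
        key = (frame.bus, frame.can_id)
        rule = self._rules.get(key)
        if rule is None:                       # default deny
            return self._drop(frame, "not allowlisted from this bus")
        if len(frame.data) != rule.length:     # malformed for this ID
            return self._drop(frame, "unexpected length")
        last = self._last_seen.get(key)
        if last is not None and now - last < rule.min_interval:
            return self._drop(frame, "rate limit")
        self._last_seen[key] = now
        return rule.dst
```

Because rules are keyed on the arrival bus as well as the ID, a frame that is legitimate on one bus is still dropped when it shows up on another, and the drop log gives a monitoring hook.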

Re:Opinion from industry insider (1)

w_dragon (1802458) | about 5 months ago | (#47604095)

Does nobody do signing or encryption of signals to control systems? Having had issues with VW's electrical systems in the past I wouldn't blindly consider a more complicated setup to be a benefit from them.

Re:Opinion from industry insider (5, Informative)

nhtshot (198470) | about 5 months ago | (#47604141)

"Does nobody do signing or encryption of signals to control systems"

VW/Audi does. The newest generation use 2048bit RSA signatures for everything. The previous generation used 1024, which is still pretty much unfactorable for a reasonable price.

But, they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512bit signature on the "oh crap we've been in an accident" message?

Same thing with ABS.

The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each device holds a hashed/signed copy of the serial numbers of the other 2 and the VIN. If the 3 don't all agree, the car won't start.

There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

Re:Opinion from industry insider (1)

drinkypoo (153816) | about 5 months ago | (#47605665)

There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

For a 2014 Audi, that might be true. For a 1997 Audi, you can buy a $100-200 device which will read the key codes from the PCM and program new keys.

Re:Opinion from industry insider (1)

sinij (911942) | about 5 months ago | (#47604617)

I don't think it is possible, most of 'mission-critical' systems have to be real-time where response is measured in milliseconds. There isn't enough time to perform any kind of authenticity or non-repudiation checks. What is possible is properly isolating internal CANbus.

Re:Opinion from industry insider (2)

0123456 (636235) | about 5 months ago | (#47604661)

You just need a pre-negotiated shared key. AES encryption is pretty fast.

However, you still probably don't want to do it, because, if the encryption somehow gets screwed up, your ABS brakes will reject the readings from the brake sensors and cause you to crash when you lock the wheels. There are potential safety issues on both sides.

Re:Opinion from industry insider (1)

plover (150551) | about 5 months ago | (#47604255)

I figured as much. So since you're deep into the electronics, I have a question about my Ford that perhaps you can answer. Is the CAN bus extended out to the side mirrors that are filled with electronics, such as lighting, heaters, motors, and blind spot indicators? (My Taurus has all of the above.) Or is the bus terminated inside the panel of the door, and dedicated wires run to the various mirror assembly components? I've often thought that a thief who wouldn't mind trashing the passenger side mirror could access the CAN bus and unlock the doors.

Re:Opinion from industry insider (4, Interesting)

nhtshot (198470) | about 5 months ago | (#47604437)

I don't work with Fords, so I can't answer your question specifically. In general, the trend in cars is to have fewer controllers and devices on the bus controlling more and more things. In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

At the same time, many of those modules and the wires between them are accessible easily under the hood. I can reach under a VW, remove a plastic underbody panel and get to the powertrain (most important) canbus without opening the hood. I'd come up greasy, but I could certainly do it from under the car. With a little practice, I could probably do it in under a minute.

In the VW case though, that wouldn't do any good. I couldn't start the car or unlock the doors (door locks aren't on the powertrain can and the gateway won't pass through a door unlock message originating on powertrain). I could monitor their engine/transmission/ABS though and could turn off the car, change the gears or set/adjust the cruise control once the engine was running. I might even be able to trick the ABS into thinking the car is skidding and get it to lock up the brakes (I haven't played with ABS controllers much, so I'm not 100% certain of this one).

Re:Opinion from industry insider (1)

drinkypoo (153816) | about 5 months ago | (#47605659)

In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

Central locking is still its own module, isn't it? It certainly is in my 1997 A8. Fords seem to tend to have a BCM which controls doors, windows and lights. In my 1997 A8, lighting is separate from locking.

Re:Opinion from industry insider (1)

pslytely psycho (1699190) | about 5 months ago | (#47605673)

" I've often thought that a thief who wouldn't mind trashing the passenger side mirror could access the CAN bus and unlock the doors."

Heads to Hollywood script in hand for "Gone in sixty seconds...the mirror jackers....."

But but but but the whole POINT ... (1)

Ungrounded Lightning (62228) | about 5 months ago | (#47605183)

.. German cars use what we call a "Can Gateway" but is better thought of as a firewall. Every different system in the car has its own private canbus. Anything that needs to travel between the busses has to go through the gateway.

A separate CAN(N)BUS for each system? But the original POINT of the bus was to replace the expensive, custom, wiring harness - a bundle of special-purpose wires as thick as your wrist - with a power line and a pair of signal wires. One big party line with everything talking on it. Now you're bringing back the harness AND adding an extra box.

(The above is only half facetious.)

Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).

Which, of course, is the downside of the system.

An alternative to restoring the bundle is for each user of the "big party line" to "recognize the voice" of those who can give it instructions - and have a list of what instructions each can give it. I won't go into details, but there is ample room for design here. An interloper would be reduced to trying to "mimic the voice" of a talker with enough authority to command the action, or DOSing by "shouting over" legitimate commands.

Re:But but but but the whole POINT ... (1)

soccerisgod (585710) | about 5 months ago | (#47605567)

An alternative to restoring the bundle is for each user of the "big party line" to "recognize the voice" of those who can give it instructions - and have a list of what instructions each can give it. I won't go into details, but there is ample room for design here. An interloper would be reduced to trying to "mimic the voice" of a talker with enough authority to command the action, or DOSing by "shouting over" legitimate commands.

Not with CAN. CAN has no concept of a sender address. It is thus impossible to determine where a CAN telegram originated.

Honda Accord "most secure" (0)

Anonymous Coward | about 5 months ago | (#47604055)

Haha oh wow

all defeated by a 1980's lada (0)

Anonymous Coward | about 5 months ago | (#47604057)

That baby was secure, bluetooth to hack, no gps, phone, no radio

Its greatest security flaw was created by users not buying a quality pad lock to secure its doors

Whew! (1)

93 Escort Wagon (326346) | about 5 months ago | (#47604423)

Next time the brakes fail on my 93 Ford Escort Wagon, I'll rest easy in the knowledge that it was a simple mechanical failure and not hacked!

so (0)

Anonymous Coward | about 5 months ago | (#47604431)

i wonder how the Mercedes C250 Coupé stacked up.

well (0)

Anonymous Coward | about 5 months ago | (#47604817)

we'd have to ask Mr. Hastings..

Re: so (0)

Anonymous Coward | about 5 months ago | (#47604845)

Michael Hastings

Mere hours before the fiery car crash that took his life, journalist Michael Hastings sent an email to friends and colleagues urging them to get legal counsel if they were approached by federal authorities.

"Hey [redacted] the Feds are interviewing my 'close friends and associates,'" read the message dated June 17 at 12:56 p.m. from Hastings to editors at the website BuzzFeed, where he worked.

"Perhaps if the authorities arrive 'BuzzFeed GQ', er HQ, may be wise to immediately request legal counsel before any conversations or interviews about our news-gathering practices or related journalism issues."

Fifteen hours later, in the early morning of June 18, Hastings was driving a Mercedes C250 at a high speed when he lost control in Los Angeles' Hancock Park neighborhood, causing the car to fishtail and crash into a palm tree. The impact caused the car to burst into flames, trapping the 33-year-old inside.

My old 75 Ford pickup, not so computer hackable (0)

Anonymous Coward | about 5 months ago | (#47604505)

I guess I am safe with my old pickup. No one has hacked in to that old pair of teeth in the glovebox yet. (I wonder what was in there that made them turn blue?)

Oh, great... (0)

Anonymous Coward | about 5 months ago | (#47604589)

In a sense, the car is becoming a large mobile device, according to Morrison and others.

So now when your car crashes you'll experience a Red Screen of Death.

my beloved jeep wrangler (3, Funny)

shadowrat (1069614) | about 5 months ago | (#47604775)

I guess the wrangler didn't make the list, but it can hardly count as hacking when the hood doesn't even lock closed.

didn't physically test the vehicles in question (1)

fustakrakich (1673220) | about 5 months ago | (#47604871)

Well, we all like to whack off, don't we? Oh, I'm sorry, what was the question? Do our little automakers need some more free press? If the damn computer is more reliable than good old mechanics, then stick with the black boxes and hope for the best. We're just rolling the dice (get it?) anyway.

Least secure (0)

Anonymous Coward | about 5 months ago | (#47605121)

Try leaving your car parked in Queens with the window down.

Rare cars (0)

Anonymous Coward | about 5 months ago | (#47605509)

It is great that we now know some very rare cars are either very hackable or hard to hack, but do they also have results for some more common cars?

Re:Rare cars (1)

pslytely psycho (1699190) | about 5 months ago | (#47605699)

Well, if high end cars are vulnerable, I doubt that the security in lower end cars is better.