Hackers Demand Automakers Get Serious About Security

samzenpus posted about a month ago | from the lock-it-down dept.

Security 120

wiredmikey writes: In an open letter to Automotive CEOs, a group of security researchers has called on automobile industry executives to implement five security programs to improve car safety and build cyber-security safeguards inside the software systems powering various features in modern cars. As car automation systems become more sophisticated, they need to be locked down to prevent tampering or unauthorized access. The Five Star Automotive Cyber Safety Program outlined in the letter asked industry executives for safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation. Vehicles are "computers on wheels," said Josh Corman, CTO of Sonatype and a co-founder of I am the Cavalry, the group who penned the letter (PDF). The group aims to bring security researchers together with representatives from non-security fields, such as home automation and consumer electronics, medical devices, transportation, and critical infrastructure, to improve security.

120 comments

deaf ears (3, Interesting)

Anonymous Coward | about a month ago | (#47647105)

Nothing is going to happen until they get sued.

Shouldn't be necessary, but if it is... (4, Interesting)

Anonymous Brave Guy (457657) | about a month ago | (#47647173)

It's kinda terrifying that the people making fast, heavy lumps of metal with computerised control systems don't already routinely isolate those control systems from any other computerised technologies in the vehicle, particularly any that can interact remotely. They shouldn't need to be publicly admonished about the dangers of these situations. Don't these organisations employ actual engineers any more?

But given that it does seem to be necessary to make a public display of this -- which presumably removes any plausible deniability if the auto makers do get sued after an accident later, so I can believe it will at least get their attention -- I'm glad it seems to be a responsible group with the right motivations who are starting the ball rolling. If it were just a bunch of lawyers or insurers, the general public could write the campaign off as the signatories just looking out for their own interests.

Re:Shouldn't be necessary, but if it is... (5, Interesting)

Anonymous Coward | about a month ago | (#47647427)

My 2002 Jetta's stock stereo system is wired to the CAN bus. This means when I run an in-car-diagnostic with the little dongle connected to the computer port in the driver's seat, that the stereo system is part of the diagnostics. It actually told me one of the speakers was broken/disconnected which I was able to leverage another $100 off the price when I bought it used. ... Turned out, it was literally disconnected. Easy DIY fix ;)

Anyway, my car has no internet connectivity. But I bet the newer models have stereos that integrate GPS, Satellite Radio, and internet services. Theoretically, both satellite radio and web services are potential attack vectors into the stereo, and if you can manipulate the firmware on the stereo to be a CAN bus master, you can now talk to anything in the car.

So either take the entertainment stuff off the CAN bus, or install some sort of CAN router/firewall, that allows the rest of the car to talk to the stereo, but doesn't let the stereo talk to the rest of the car.

Re:Shouldn't be necessary, but if it is... (-1)

Anonymous Coward | about a month ago | (#47647995)

If you suspect any system in your car is flaky, the easy fix is to go back to the dealer and get it re-flashed back to factory or have a factory reset button to save money.

Thus, there is no need for encryption, password, or fancy auto-security standard to fix the issue.

Re:Shouldn't be necessary, but if it is... (2, Insightful)

Anonymous Coward | about a month ago | (#47648315)

You are totally ignoring the base issue: The fact that it's so easy to get access to any part of the system.

Reflashing a "faulty" component isn't what people are worried about. It's the combination of Wifi/remote accessible parts of a system, that once gotten into leads to total control.

Imagine a virus that is able to jump from car to car once cars are able to simply mesh-hotspot to each other.

Reflashing the stereo means nothing when the entire system is compromised at 80mph.

Re:Shouldn't be necessary, but if it is... (1)

Anonymous Brave Guy (457657) | about a month ago | (#47649023)

It's the combination of Wifi/remote accessible parts of a system, that once gotten into leads to total control.

Exactly. Think how many people run WiFi in their homes that is insecure. Now imagine a world where every script kiddie with a grudge can kill everyone in each of those homes just by running some software they found on the Internet.

Re:Shouldn't be necessary, but if it is... (2)

sjames (1099) | about a month ago | (#47649383)

Don't worry, they'll implement the encryption to keep the owner locked out so they can continue charging high fees for simple things like turning the service engine light off. They'll make sure it provides no actual security from infections spreading from a DVD to the engine controller or ABS to make it easier for someone who has paid them the appropriate annual 'certification' fees to diagnose the car.

Re:Shouldn't be necessary, but if it is... (0)

Anonymous Coward | about a month ago | (#47648535)

VW, Audi and Porsche actually have multiple CAN busses, with firewalls between them that only allow specific messages to be passed between the various busses. Your stereo is probably not able to talk to the anti-lock brakes or the engine management, no matter what firmware you install in it. The diagnostics plug should be able to poll status information from basically anywhere.

Re:Shouldn't be necessary, but NOT NEEDED (2, Interesting)

Anonymous Coward | about a month ago | (#47647913)

1). Not needed since it will add to the cost of the car.
2). The Computer is not accessible via wireless to change the program (stand still or not) - no issue
3). How to eliminate insurance company access to impact data
4). The whole hobby market would be eliminated i.e. tuner groups, and the DIY since besides just encrypting or isolating the internal computer, it would be taken to the next step to encrypt the communications such that 3rd party tools couldn't access the data or they would have to pay a license
5). The people who are suggesting this are just trying to create business for themselves to milk the car industry of an un-needed thing. Since they would be the self-proclaimed standards body and that all testing by the car manufacturers would have to come through them for a high price per car to get their seal of approval, let alone any recerts.
6). I'd prefer it to be more open sourced and transparent so that I could figure out how to make a 3rd party tool to diagnose the car.

Re:Shouldn't be necessary, but NOT NEEDED (1)

Marillion (33728) | about a month ago | (#47650941)

I'd worry about people hacking my car about the same time as I'd worry about people cutting my brake lines.

Re:Shouldn't be necessary, but if it is... (1)

Shoten (260439) | about a month ago | (#47648251)

It's kinda terrifying that the people making fast, heavy lumps of metal with computerised control systems don't already routinely isolate those control systems from any other computerised technologies in the vehicle, particularly any that can interact remotely. They shouldn't need to be publicly admonished about the dangers of these situations. Don't these organisations employ actual engineers any more?

But given that it does seem to be necessary to make a public display of this -- which presumably removes any plausible deniability if the auto makers do get sued after an accident later, so I can believe it will at least get their attention -- I'm glad it seems to be a responsible group with the right motivations who are starting the ball rolling. If it were just a bunch of lawyers or insurers, the general public could write the campaign off as the signatories just looking out for their own interests.

Problem #1; you can't isolate those systems, in the context of the reason for why they exist.

So, let's look at OnStar, or Hyundai's Bluelink. These are systems that connect to larger infrastructure over public or semi-public communications channels (i.e., cellular) for a variety of purposes. Such purposes include being able to start your car remotely, notify authorities of an accident even if you are incapacitated and unable to call for help (especially in that case, actually) and recover your car in case of theft. All three of those functions inherently require access to engine functions (in a read-write sort of way), GPS, and/or OBD-II data. And you can make a strong argument that many of these things are beneficial from a safety perspective as well. But you can't have them if you isolate the control systems from any other computerized technologies...you absolutely cannot.

On the flip side, you *could* isolate the systems that manage our financial accounts...banking, stocks, pensions...from any other computerized systems. But then you'd lose online banking, bill pay, ability to trade in stocks and other financial instruments without going into an office, etc. But that industry has figured out how to connect things together without the world coming to an end, despite the tremendous opportunity and motivation it provides for criminals. The car industry can figure this out too. I dare say it's easier to figure out how to develop a reference architecture based on the CAN II that is secure than it is to secure all the various interconnections of the financial industry. And it also bears mentioning that once upon a time, the financial industry got egg on their face too for security problems. This is the normal evolutionary process.

Re:Shouldn't be necessary, but if it is... (1)

Anonymous Brave Guy (457657) | about a month ago | (#47648941)

I'm afraid I don't buy your examples.

Why does anyone need the ability to mess around with starting my car remotely, ever? I see no need to start my car if I'm not in the driver's seat, and if I'm in the driver's seat and we've got cell reception why can't I just turn the key or push the button?

Accident detection and related safety systems absolutely should be independent of engine control and the like. Why can't they be? (If your answer involves having both the normal control systems and the safety systems relying on common sensors, please consider that there is a significant likelihood that if an accident happened it was precisely because something electronic or sensor-related failed, and therefore you really want redundancy here.)

As for recovering my car in case of theft... Unless you are suggesting that someone is going to take over control of my car and auto-pilot it home against the will of someone physically in the driver's seat, again I don't buy it. And if you are suggesting that, I really don't want that system in my car. If I'm in the driver's seat and responsible for what happens with my vehicle, then any system that someone could use to take over lawfully and drive my car is also by definition vulnerable to being taken over unlawfully and used to crash my car, and I know which one I am more concerned about.

Re:Shouldn't be necessary, but if it is... (1)

GTRacer (234395) | about a month ago | (#47649413)

I, however, will buy them:

Remote Start: My car has a rotary motor. One lovely aspect of its design is that it really should be gotten to operating temperature before driving under any sort of load. And in the winter, I'd love to be able to warm the engine and the interior from inside my house while I gather my things for work.

Crash reporting: Agreed on sensor redundancy but at the same time, part of the reporting includes detection of airbag deployment, ABS / traction control usage prior, speed prior, and more. This data is used to help triage the severity of the crash before the EMTs roll out. Can all this be made redundant and air-gapped whilst remaining useful?

Theft recovery: I've not heard of any remote-drive systems, only telematics to locate and shut down. The telematics is used to determine approximately when and where the car is moving, or when it was last driven and where to. Makes it easier to track down quickly before it's parted out. Also, in extreme cases, the OnStar / Bluelink / et al. system can actively end a felon's joyride by cutting throttle, braking, or cutting the engine entirely. Then it can honk and flash the lights to attract the authorities' attention.

Re:Shouldn't be necessary, but if it is... (2)

Anonymous Brave Guy (457657) | about a month ago | (#47649611)

And in the winter, I'd love to be able to warm the engine and the interior from inside my house while I gather my things for work.

This is clearly a case of prioritising convenience over security, which you're welcome to do as your own personal preference but I would never choose myself.

This data is used to help triage the severity of the crash before the EMTs roll out.

Well that's probably the single most disturbing thing I've seen in this whole discussion. Are you really telling me that in the event of a known road traffic accident, which is severe enough that no-one on the scene can immediately respond to verbal contact, they don't routinely send the full works where you are?

In any case, I would point out that this is purely status reporting, i.e., read-only data. There is no need for anyone to control anything remotely in this situation.

Also, in extreme cases, the OnStar / Bluelink / et al. system can actively end a felon's joyride by cutting throttle, braking, or cutting the engine entirely. Then it can honk and flash the lights to attract the authorities' attention.

This is my main problem with the whole debate: any system that can do this kind of thing can also be used for less welcome purposes.

Car theft is essentially a solved problem without any remote control needed. Technologies like immobilisers have become so good that stealing the car keys has been the preferred technique for some time. Trackers, which need no integration with any control system, provide an effective deterrent and means for police to locate a vehicle that has literally been put on the back of a lorry.

Again, YMMV, but personally I would rather be careful about where I keep my keys than risk a hostile party, or simply a human error or software bug, doing something like cutting the engine and applying the brakes when I'm driving at high speed or through a hazardous area.

Re:Shouldn't be necessary, but if it is... (1)

sjames (1099) | about a month ago | (#47649557)

Looking at problem #1, the OnStar system needs read-only access to know when the airbags deploy. It needs to be able to send a start command to a computer that is attached to the bus, but does not need that connection itself. A simple serial link to a proxy/firewall would do. It needs read-only access to the current GPS data for finding a stolen car. Again, let it ask the proxy.

It does not need to be actually connected to the same CAN bus as the ABS and ECU.

In actuality, OnStar should be re-designed in general. The only reason it needs to go through a centralized service is so they can collect monthly payments from you. Instead, give it a cell modem. If the airbags deploy and the driver doesn't cancel it, call 911. If the owner wants GPS location, start, or unlock, do it with a public key and SMS messages with the owner's smartphone or PC.
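The gateway idea raised in this comment and in the earlier CAN firewall comments, sketched as an added example that is not part of any poster's text or any automaker's code: a default-deny gateway between two CAN segments that passes status frames outward and accepts a single fixed, rate-limited request inward. The bus names, CAN IDs, payloads and the 5-second limit are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two segments joined only by the gateway. Names and IDs are constructed. */
enum bus { BUS_POWERTRAIN, BUS_INFOTAINMENT, BUS_COUNT };

struct frame {
    uint16_t id;       /* 11-bit CAN identifier */
    uint8_t  dlc;      /* payload length, 0..8 */
    uint8_t  data[8];
};

/* A frame crosses the gateway only if one rule matches it exactly. */
struct rule {
    enum bus src;              /* segment the frame arrived on */
    uint16_t id;
    uint8_t  dlc;              /* required payload length */
    bool     fixed_payload;    /* true: payload must equal .payload */
    uint8_t  payload[8];
    uint32_t min_interval_ms;  /* 0 = no rate limit */
    uint32_t last_ms;          /* state: time of last forwarded frame */
    bool     seen;             /* state: rule has forwarded at least once */
};

struct gateway {
    struct rule *rules;
    size_t       nrules;
    uint32_t     dropped[BUS_COUNT]; /* per-source drop counts, kept as evidence */
};

static const struct rule POLICY[] = {
    /* powertrain -> infotainment/telematics: status frames only */
    { BUS_POWERTRAIN,   0x050, 1, false, {0},    0,    0, false }, /* airbag status */
    { BUS_POWERTRAIN,   0x0F0, 2, false, {0},    0,    0, false }, /* vehicle speed */
    /* telematics -> powertrain: one fixed request, at most once per 5 s */
    { BUS_INFOTAINMENT, 0x6A0, 1, true,  {0x01}, 5000, 0, false }, /* remote start */
};
#define POLICY_LEN (sizeof POLICY / sizeof POLICY[0])

/* Copy the constant policy into caller-owned storage and reset counters. */
void gateway_init(struct gateway *gw, struct rule *storage)
{
    memcpy(storage, POLICY, sizeof POLICY);
    gw->rules = storage;
    gw->nrules = POLICY_LEN;
    memset(gw->dropped, 0, sizeof gw->dropped);
}

/*
 * Decide whether a frame received on `src` may be re-sent on the other
 * segment. CAN frames carry no sender identity, so `src` must come from
 * the physical port the frame arrived on, never from the frame itself.
 */
bool gateway_forward(struct gateway *gw, enum bus src,
                     const struct frame *f, uint32_t now_ms)
{
    if (f->id <= 0x7FF && f->dlc <= 8) {
        for (size_t i = 0; i < gw->nrules; i++) {
            struct rule *r = &gw->rules[i];
            if (r->src != src || r->id != f->id || r->dlc != f->dlc)
                continue;
            if (r->fixed_payload && memcmp(r->payload, f->data, f->dlc) != 0)
                break;                       /* right ID, unexpected content */
            if (r->min_interval_ms && r->seen &&
                (uint32_t)(now_ms - r->last_ms) < r->min_interval_ms)
                break;                       /* request repeated too quickly */
            r->last_ms = now_ms;
            r->seen = true;
            return true;
        }
    }
    gw->dropped[src]++;                      /* default deny, and count it */
    return false;
}

int main(void)
{
    struct rule storage[POLICY_LEN];
    struct gateway gw;
    gateway_init(&gw, storage);

    struct frame airbag = { 0x050, 1, {0x01} };
    struct frame brake  = { 0x1A0, 8, {0} };  /* constructed ID, not in policy */
    struct frame start  = { 0x6A0, 1, {0x01} };

    printf("airbag status outward:   %d\n",
           gateway_forward(&gw, BUS_POWERTRAIN, &airbag, 0));
    printf("brake frame from stereo: %d\n",
           gateway_forward(&gw, BUS_INFOTAINMENT, &brake, 0));
    printf("remote start request:    %d\n",
           gateway_forward(&gw, BUS_INFOTAINMENT, &start, 1000));
    printf("same request 1 s later:  %d\n",
           gateway_forward(&gw, BUS_INFOTAINMENT, &start, 2000));
    printf("frames dropped from infotainment: %u\n",
           (unsigned)gw.dropped[BUS_INFOTAINMENT]);
    return 0;
}
```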

Re:Shouldn't be necessary, but if it is... (0)

Anonymous Coward | about a month ago | (#47650349)

The only reason the financial institutions of the world are not targeted by criminals is because they are run by them instead. Why would you attack from the outside when you have people on the inside?

Re:deaf ears (4, Interesting)

Z00L00K (682162) | about a month ago | (#47647207)

Nothing is going to happen until a serious mishap occurs.

Meanwhile the automakers look into strange hacks instead of proper physical segmentation and gatewaying. They do have a gateway, but it is just a gateway between different IP address series on the same physical net in some cases - in order to save money on hardware. So a rogue unit can just look at the different series and fake it being a different type of unit causing interesting things to happen.

Re:deaf ears (1)

Anonymous Coward | about a month ago | (#47648309)

Wait until people start dying because of these security loopholes, only then will they wake up. :(

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47650485)

Nothing is going to happen until a serious mishap occurs.

The problem is, how do you PROVE an attack caused an accident versus just blaming the driver?

The average car accident isn't going to have forensics of any kind. Maybe somebody will take some photos but nobody is going to look too hard at whether the CANBUS was hacked, and anyway, there's probably little or no residual electronic evidence on a crashed car. If there is a data recorder, it would be trivial to hack that too to show no attack was happening.

At that point, it becomes driver vs driver, or perhaps nothing at all if the driver hits a pole or something and dies. There won't be any witnesses to say what happened, and even if the driver survives, he or she may not know what happened.

Until a real-world attack can be observed and proven, nobody is going to believe this stuff isn't just random car accidents. It's going to take the insurance companies leaning hard on car makers and policy holders to get this changed. But as we have seen with the huge GM mess, even when insurers face lots of liability for defective cars, they do nothing. I mean, every GM with a bad ignition switch is a threat not only to its own driver but to anyone else that car might hit if the issue happens. So why aren't insurance companies, who would be held for any accident loss, screaming for the cars to be pulled off the road? No idea. But a hacked car situation could be very similar in terms of impact on the public so we can extrapolate from this that the insurance companies don't care. And they NEED to care to make this change. Otherwise it will continue to be brushed under the carpets and dismissed as impossible, even as the hackers show it's trivial.

Re:deaf ears (4, Insightful)

mlts (1038732) | about a month ago | (#47647429)

What I am afraid of is what happens after. There is a difference between security from remote attackers, and security from "jailbreakers". For example, my Android phone is just as secure rooted as not.

My fear is that what steps would be taken would force the car into the shop for any minor issue. Already, one automaker, if you change the battery out, the vehicle will refuse to start until the vehicle goes into the dealership and the battery is "registered" into the ECM.

Automakers should just keep stuff isolated. The radio should not have access to the brakes. Hell, the radio should not even be on the CAN. It should just be vital components, and have the doodads be stuck on another bus that can be "dirty".

Re:deaf ears (1)

93 Escort Wagon (326346) | about a month ago | (#47648091)

Already, one automaker, if you change the battery out, the vehicle will refuse to start until the vehicle goes into the dealership and the battery is "registered" into the ECM.

Which automaker is that? I want to be sure to avoid them.

Re:deaf ears (1)

Anonymous Coward | about a month ago | (#47648571)

BMW and Cooper
http://atlanticmotorcar.com/tech-tip-bmw-and-mini-battery-registration-replacement-2/

Re:deaf ears (0)

Archangel Michael (180766) | about a month ago | (#47648769)

If this cannot be performed by the owner of the vehicle, it is nothing more than a rip-off service for BMW dealerships.

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47649157)

You can do it... You need a copy of the diagnostic software, it's about 10-20 bucks depending on where you get it. You then need an obdii port connector for your computer. It will cost 50-250 depending on where you take it.

The car will 'run' but may start to act oddly.

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47650381)

Welcome to German Engineering.
Audi/BMW/Porsche/Mercedes, all great cars if you can afford the maintenance.

Re:deaf ears (1)

Vitriol+Angst (458300) | about a month ago | (#47649237)

I'm afraid we may see a rehash of the DMCA being used to protect profit margins on the Printer Toner cartridges. Already it's about $200 to get a spare key because they have a chip in it. There's a whole host of problems that occur where you just go in and they reinstall software or replace some CPU chip worth $5 -- but they are the sole source. So as the car gets more reliable, they build in "must get dealer to fix" and it's just a quick software patch -- it just costs a few hundred and the money goes directly to manufacturer.

YES they need security, but you know their first instinct will be "pay us big bucks to solve simple problem because SECURITY." Then we'll see more software patents keep improvements locked up because "car + computer". Any obvious thing will be patented and we are back to $100 in equipment, $1,000 in FRAND patents.

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47650263)

$200? If you want some brands of key, expect at least double that with the programming charge at a dealer.

One thing I like about US vehicles. Even though they are not "cool" like imports, I can buy a key for $8, and program it into the ECM for $0. On a GM vehicle, if I lose all keys, I get one made, stuff it in the ignition on "on" for 10 minutes (until the light stops blinking), turn the ignition off, then back on for another ten minutes, then repeat that one more time. Voila, it works. Ford's requires a special tool, and it will make you wait 10 minutes, but you can add/delete keys.

Yes, in theory, this is less secure than obfuscated stuff only a dealer can fix, but I'm more concerned with vehicle usability than the difference between 99.99% secure and 99.99999% secure.

Problem is that the more obfuscated a system gets, the more cash dealers and car makers get. However, will it reduce actual hacking/thieving? Doubtful. It is a great way to part consumers from their money though when a part like an air filter that you could buy for $15 now becomes a $200 part because it has a special chip in it.

Re:deaf ears (2)

Etherwalk (681268) | about a month ago | (#47647495)

Nothing is going to happen until they get sued.

Nothing is going to happen until (1) a senior officer at GM has his car hacked, (2) a very public hacking makes security a point on which automakers compete, or (3) they get sued.

Re:deaf ears (1)

jd2112 (1535857) | about a month ago | (#47650361)

Nothing is going to happen until they get sued.

Nothing is going to happen until (1) a senior officer at GM has his car hacked, (2) a very public hacking makes security a point on which automakers compete, or (3) they get sued.

Correction: They get sued after multiple deaths have occurred as a result of lax security resulting in a penalty in the hundreds of millions of dollars. (This is not unique to GM, all of the manufacturers will react the same.) You can strike 1 and 2 from the list.

Re:deaf ears (1)

Solandri (704621) | about a month ago | (#47648173)

Nothing is going to happen until they get sued.

I'd say it's the other way around. Nothing is happening because they get sued. All the time. Every time there's a serious accident involving injury or death, the automaker gets sued. Doesn't matter if something about the car contributed to the accident or not, they're the ones with the deep pockets so the lawyers sue them as a matter of course. Defending against these suits costs enough that in many cases it's cheaper for them to just settle rather than really look into the matter and fight it.

Except for extreme cases, there's too much of this noise for lawsuits to be an effective means of signaling genuine problems with the vehicles to the automakers. In particular, serious problems which are extremely low frequency events like people hacking into vehicles' computer systems do not generate enough signal to cut through the noise. For a similar case, look at the recent GM recall of ignition switches. It seems to have stemmed from a real design problem, but with only a dozen or so injuries or deaths caused per year, the signal was too infrequent to rise above the statistical noise until many years had passed. When you're sued for tens or hundreds of thousands of accidents each year blaming faulty vehicle design, how do you sift out a dozen cases which are tied to a single genuine problem?

Re:deaf ears (1)

bobbied (2522392) | about a month ago | (#47648383)

Nothing is going to happen until they get sued.

For what? Somebody broke into your Bluetooth connection and loaded a bunch of MP3's you didn't like? Or that they managed to unlock the doors or steal the car using some hacking? Are you going to sue the car maker because your car got stolen? Maybe, but I don't think you will win.

Personally, IMHO there just isn't that much the car makers need to do. The cars they now produce are NOT insecure in practice, only in theory. Car companies are not going to spend money on *theories* without some kind of payoff for them. You don't fix a non-existent problem.

HOWEVER, What might happen is bad PR might cause car makers to "do something" about security, if only paying lip service in their marketing, or making minor changes to things you'd never notice.

Re:deaf ears (1)

sjames (1099) | about a month ago | (#47649581)

Someone put your brakes in maintenance mode and caused a crash...

Re:deaf ears (1)

bobbied (2522392) | about a month ago | (#47650115)

Someone put your brakes in maintenance mode and caused a crash...

Oh, you mean they "hacked" your car by connecting directly up to the CAN bus which requires physical access to the car and disabled the brakes? This is so much tripe.

Tell me this... IF somebody cuts your brake line, are you going to have a cause to sue the manufacturer? Short answer is: NO. What you suggest is not different as it requires PHYSICAL access to your car too.

Re:deaf ears (1)

sjames (1099) | about a month ago | (#47650235)

No, I mean someone got in through the OnStar, the back seat entertainment system, or on and on and disabled the brakes while I was at speed.

Re:deaf ears (1)

bobbied (2522392) | about a month ago | (#47650541)

Not going to happen, you needn't worry. Folks that say you need to care are just fear mongering.

Where your scenario is *theoretically* possible, the chances of it happening are less than you winning the lottery or getting hit by a Mir space station part. It's just not going to happen. A cost risk analysis says it's not worth the cost to harden such systems beyond where they are now and unless you are a high value target, hacking your car as you suggest is not worth the cost and effort over just cutting the brake line.

Re:deaf ears (1)

sjames (1099) | about a month ago | (#47650665)

I'm pretty sure it won't happen tomorrow, or next year so I'm not going to run around shouting like my hair is on fire, but it should be a cheap and easily addressed problem if it is done even half right.

They didn't think people would figure out the funky sequences for bypassing the immobilizer in the ignition key either but many such sequences are well known now.

The first application I would expect would be unlock door, start car.

I'm not too worried about that one personally since I tend to make utilitarian choices in cars and so don't own the ones popular for auto theft.

Re:deaf ears (1)

bobbied (2522392) | about a month ago | (#47650907)

Then my point stands. Automakers are not going to worry with this kind of hacking because there is really no new risk here. They will naturally provide more secure keys and locks, but not because folks are gnashing their teeth, but because the "state of the art" moves forward. After all, we've moved from zero security on the Model A Ford to actually having keys with electronics embedded in them to immobilize cars without having all us techies up in their grills over cars getting hacked and stolen.

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47648553)

Absolutely, it's a business decision - will it cost us more to implement security than it will to settle possible litigation?

Re:deaf ears (0)

Anonymous Coward | about a month ago | (#47649483)

Why I will not be an early adopter of driver-less cars

This is like... (0)

Anonymous Coward | about a month ago | (#47650923)

...hackers demanding printer companies make more secure ink cartridges.

Easier to parallel park a train (4, Insightful)

disposable60 (735022) | about a month ago | (#47647123)

Getting the automakers to make any kind of substantive change requires either legislation or expensive PR disasters like a Pinto or Firestone/Explorer event.

Re:Easier to parallel park a train (2)

Virtucon (127420) | about a month ago | (#47647873)

Or GM Ignition Switches?

if this goes the same way as the computer desktop (2, Insightful)

Anonymous Coward | about a month ago | (#47647131)

it won't be long before we are forced to install antivirus in our cars : /

Re:if this goes the same way as the computer deskt (3, Funny)

Chrisq (894406) | about a month ago | (#47647147)

it won't be long before we are forced to install antivirus in our cars : /

Let's hope it doesn't make them run significantly slower ;-)

Re:if this goes the same way as the computer deskt (-1, Troll)

Z00L00K (682162) | about a month ago | (#47647223)

If the environmentalist big brothers get their way the cars will be constricted to be very slow and inefficient, all to make public transportation appear more appealing.

Re:if this goes the same way as the computer deskt (0)

Anonymous Coward | about a month ago | (#47647533)

If environmentalists were running things, cars would be slow and efficient. We'd probably have 55mph speed limits again (I get 54mpg in my car at 55mph, but only 42mpg at 75mph), and CAFE standards/gas taxes would be raised significantly. Your mock-conspiracy theory ignores the logic used by environmentalists. At no point would environmentalists argue for inefficient automobiles.

Re:if this goes the same way as the computer deskt (0)

0123456 (636235) | about a month ago | (#47648823)

I believe they mean 'automobiles which are inefficient at actually getting you anywhere', which is what environmentalists actually want, so we'll start using their beloved buses and bikes instead.

Re:if this goes the same way as the computer deskt (1)

jd2112 (1535857) | about a month ago | (#47650499)

it won't be long before we are forced to install antivirus in our cars : /

Let's hope it doesn't make them run significantly slower ;-)

2015 Dodge Challenger SRT Hellcat (707 hp, capable of 10 second quarter mile times with the sole modification of using race tires. And if you can keep your foot off the gas pedal you can get about 20 MPG) + McAfee Antivirus 2016 Automotive Edition = Prius-like performance @ 10 MPG

Hackers (3, Insightful)

just_another_sean (919159) | about a month ago | (#47647133)

So is it "Hackers" demanding better security or is it "a group of security researchers"? Because the inflammatory headline surely conjures the modern, media definition of Hacker and not "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary". And the headline certainly doesn't make me think of security experts at all!

Come on /. , you can do better than that...

Re:Hackers (1)

Knightman (142928) | about a month ago | (#47647155)

Well, the article has a link to Security Week and they swiped the headline from there... No thinking included...

Re:Hackers (2)

just_another_sean (919159) | about a month ago | (#47647187)

Yeah, I noticed that after I posted. You'd think I'd learn to RTFA before posting!

Security Week can do better than that! :-)

Re:Hackers (1)

Lab Rat Jason (2495638) | about a month ago | (#47647267)

I'm surprised they didn't name the publication "Security weak"... but perhaps they're not the laughing type?

Re:Hackers (0)

Anonymous Coward | about a month ago | (#47647227)

Fodder for scriptwriters

Re:Hackers (2)

mwvdlee (775178) | about a month ago | (#47647275)

You prefer the media continue to bastardize the word "hacker" into some sort of evil-doer?

Re:Hackers (0)

Anonymous Coward | about a month ago | (#47651417)

I'd prefer they used 'haxxor'. At least then the headlines would be mildly entertaining.

Boston Brakes and more. (1)

Anonymous Coward | about a month ago | (#47647139)

People are going to be murdered like Diana, only it won't be MI6, it's going to be script kiddies and highway griefers.

We can't even get automakers to admit they put faulty ignition switches in for decades... A solid "good luck" to these hackers raising the issue to them.

Re:Boston Brakes and more. (-1, Flamebait)

Chrisq (894406) | about a month ago | (#47647157)

People are going to be murdered like Diana, only it won't be MI6, it's going to be script kiddies and highway griefers.

Or mass attacks by Muslims - causing death and industry and crippling the infrastructure in one go would be just what Muhammad (may piss be upon him) ordered

Re:Boston Brakes and more. (-1)

Anonymous Coward | about a month ago | (#47647405)

Maybe we should stop importing Muslims, period.

Modern-day Islam is not a "religion of peace." It is a political system of conquest. And it is a political system that is completely incompatible with our own.

Islam does not separate church and state; in Islam the state acts as enforcer for the religion (Islam), and only one religion is allowed. All citizens who wish to participate in the political system must belong to the one state-sanctioned religion. Non-believers are shut out, or even killed. Women must be subservient, homosexuals are executed. Free markets are not allowed because business practices must conform to the dictates of the Koran (no charging interest allowed, etc.). And on and on.

Concepts that form the basis for our societal compact in the U.S. -- concepts like equality under the law, freedom of religion, freedom of speech, free markets, separation of church and state, etc. -- are flatly rejected by Islam. Yet we have allowed millions of Muslims to immigrate here, and we continue to allow more to come every day.

Someone once said that the U.S. constitution is not a suicide pact, but you would be hard-pressed to prove that by our current immigration policy.

Re:Boston Brakes and more. (0, Troll)

Anonymous Coward | about a month ago | (#47647531)

You trolls need to go back to foxnews.com, there is really nothing to fear from Islam compared to automobiles. You are idiots.

Re:Boston Brakes and more. (-1)

Anonymous Coward | about a month ago | (#47647553)

http://weaselzippers.us/196073-genocide-in-iraq-eight-members-of-christian-family-shot-in-their-faces-for-refusing-to-covert-to-islam/

"Christians are now facing the hapless condition of having their fates limited to three choices: leave, convert to Islam or die.

On August 1, Canon Andrew White, also known as the vicar of Baghdad, had witnessed the horrifying condition that Christians were suffering in Iraq.

“Todays Pictures are too awful to show. You know I love to show photos but the photo I was sent today was the most awful I have ever seen,” White posted in his Facebook page.

“A family of 8 all shot through the face laying in a pool of blood with their Bible open on the couch. They would not convert it cost them there life. I thought of asking if anybody wanted to see the picture but it is just too awful to show to anybody. This is Iraq today. The only hope and consolation is that all these dear people are now all with Yesua in Glory.”

Various reports were echoing the tragic fate that Christians were experiencing in Iraq, under the rule of the Sunni militants.

The militants are now seizing control Iraq’s biggest Christian town – Qaraqosh. An exodus of Christians is happening as they were only given three choices – leave, convert to Islam or face death.

These militants were described as more violent than al Qaeda as they are naming all Christians and other ethno-religious community as infidels. Hence, more violent acts are directed towards these “minorities”.

Re:Boston Brakes and more. (0)

Anonymous Coward | about a month ago | (#47647589)

http://images.catholic.org/media/2014/07/28/14065692051961_700.jpg

Re:Boston Brakes and more. (0)

Anonymous Coward | about a month ago | (#47649825)

Well, too bad the Saudis have broken the American Code. This code is quite simple: Bribe yourself into whatever you want by liberally handing out dollar bills.

Now, take the piss of your own corrupt culture and suffer Islam. You deserve it.

Re:Boston Brakes and more. (0)

Anonymous Coward | about a month ago | (#47647617)

Because a god-loving christian would never go on crusa^Wa killing spree.

Right to repair (1)

Anonymous Coward | about a month ago | (#47647183)

I'm all for this *provided* these 'researchers' don't cause the prevention of access to diagnostic data so that users can continue to have the right to repair their own vehicles.

Otherwise the next headline will be a repeat of old ones where vehicle owners can't repair their vehicles because the automakers have locked things down *far* too much so you can only use their dealerships to reset computers, etc, etc.

An easier solution (4, Insightful)

smooth wombat (796938) | about a month ago | (#47647235)

Don't put this crap in cars in the first place.

I know, I know, simplicity is such an ugly word. It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas [wikipedia.org] .

Re:An easier solution (3, Insightful)

Anonymous Brave Guy (457657) | about a month ago | (#47647335)

It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

No doubt, but it would be more horrible if modern systems for things like braking and traction control went away. People who've grown up with cars that are full of three-letter technologies like ABS and EBD might not appreciate how much more skill is required to drive a car safely at the same speeds and in the same environments without these driver aids.

Re:An easier solution (1, Interesting)

Anonymous Coward | about a month ago | (#47647731)

It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas.

No doubt, but it would be more horrible if modern systems for things like braking and traction control went away. People who've grown up with cars that are full of three-letter technologies like ABS and EBD might not appreciate how much more skill is required to drive a car safely at the same speeds and in the same environments without these driver aids.

Grr! If the U.S. would teach people how to drive and have real penalties for not doing simple things like using directional indicators before taking any other action, like turning one's head to see if the way is clear there would be little need for ABS, electronic stability control or driverless cars. Finland comes to mind as an example of the proper way to teach people how to drive and appropriate testing and licensure of drivers. Not only do they have to learn to drive a real car (one you have to shift and pay attention to with both hands and feet) they need to learn handbrake turns, cadence braking and how to control a car under skid conditions. These skills are all part of the licensing test! Should be everywhere. And yes, you are required to know all of the rules you learn and cannot claim ignorance. That applies everywhere, but most American drivers think they can study for the test, pass, then do whatever they want. It's lunacy!

Re:An easier solution (1)

93 Escort Wagon (326346) | about a month ago | (#47648191)

Grr! If the U.S. would teach people how to drive and have real penalties for not doing simple things like using directional indicators before taking any other action, like turning one's head to see if the way is clear there would be little need for ABS, electronic stability control or driverless cars.

You sound like you're 85 years old.

But, in any case, you've got to be kidding me. First, that was a very long stretch to go for a vague anti-American rant. Second, the idea that ABS is somehow only necessary because people aren't driving properly is laughable. Third, antilock brakes were invented in Europe.

Finally - how on earth do you mentally link ABS, stability control, and driverless cars together? Did you briefly consider adding windshield wipers to the list? What about kids and their loud music, or giving women the right to vote?

Re:An easier solution (1)

Anonymous Brave Guy (457657) | about a month ago | (#47649505)

You find me a human driver who never makes a mistake, and I'll find you someone who has little need for ABS, ESC and their friends.

No human can outperform a modern ABS system using manual cadence braking. ABS is essentially cadence braking judged at the speed of a computer and applied to each wheel independently.

You don't need to control a skid you never got into.

And speaking of skids, for driving on public roads under normal conditions, I don't know what handbrake turns have to do with the price of fish.

Re:An easier solution (0)

Anonymous Coward | about a month ago | (#47648833)

You support breaking Iraq's government and now you expect peace there - because you are a fucking moron. Under Saddam your beloved Catholics were just fine.

Separate Physical Concerns.... Physically (1)

tomxor (2379126) | about a month ago | (#47649427)

Things like ABS, EBS and the many engine control computers that I have probably never heard of do not need to be connected to the car stereo or the internet, they should be physically separate from any other non-crucial set of components that they have no need to communicate with...

As Andrew Tanenbaum would put it:

When you flush the toilets on an airplane; an error in the toilet flushing mechanism should not be able to possibly cause missile launch systems to go off or engines to shut down.

The same applies for security of a system as important as braking on a car: Any convenience given by connecting an ABS to a networked computer will never outweigh the safety benefit of the physically isolated security of not having it connected. It's too important and you don't need to have access to it on the same network as your frickin iTunes device. The same goes for all the other critical systems in a car. At most its central hub should be separated from a networked hub that is capable of connecting to the internet.
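The separation argued for in the comment above, sketched as an added example that is not part of the original post or any manufacturer's code: a default-deny gateway between a critical bus and an infotainment bus that lets a few status messages out and nothing back in. The CAN identifiers, payload lengths and rate limits are constructed for illustration, and a software gateway is an assumption here (it is weaker than the physical isolation the commenter prefers).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Classic CAN data frame as seen by the gateway."""
    can_id: int    # 11-bit identifier
    data: bytes    # 0-8 payload bytes
    time_ms: int   # gateway receive time in milliseconds


@dataclass(frozen=True)
class Rule:
    """One message type permitted to cross in one direction."""
    can_id: int
    length: int            # exact payload length for this message
    min_interval_ms: int   # frames arriving faster than this are dropped


class OneWayFilter:
    """Default-deny filter for a single direction across the gateway."""

    def __init__(self, name, rules):
        self.name = name
        self._rules = {r.can_id: r for r in rules}
        self._last_ms = {}   # can_id -> time of last forwarded frame
        self.dropped = []    # (frame, reason), kept as evidence for review

    def forward(self, frame):
        """Return True if the frame may be copied to the other bus."""
        if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
            return self._drop(frame, "malformed")
        rule = self._rules.get(frame.can_id)
        if rule is None:
            return self._drop(frame, "id-not-allowed")
        if len(frame.data) != rule.length:
            return self._drop(frame, "bad-length")
        last = self._last_ms.get(frame.can_id)
        if last is not None and frame.time_ms - last < rule.min_interval_ms:
            return self._drop(frame, "rate-limit")
        self._last_ms[frame.can_id] = frame.time_ms
        return True

    def _drop(self, frame, reason):
        self.dropped.append((frame, reason))
        return False


# Constructed identifiers for this example only; not from any real vehicle.
ID_VEHICLE_SPEED = 0x120   # critical -> infotainment (speed-dependent volume)
ID_WHEEL_BUTTONS = 0x2A0   # critical -> infotainment (steering wheel switches)
ID_BRAKE_COMMAND = 0x0B0   # must never cross the gateway in either direction


def build_gateway():
    to_infotainment = OneWayFilter("critical->infotainment", [
        Rule(ID_VEHICLE_SPEED, length=2, min_interval_ms=50),
        Rule(ID_WHEEL_BUTTONS, length=1, min_interval_ms=20),
    ])
    # Empty allowlist: the head unit can read status but cannot write anything.
    to_critical = OneWayFilter("infotainment->critical", [])
    return to_infotainment, to_critical


def run_demo():
    to_infotainment, to_critical = build_gateway()
    outbound = [   # constructed traffic arriving from the critical bus
        Frame(ID_VEHICLE_SPEED, bytes([0x00, 0x58]), 0),
        Frame(ID_VEHICLE_SPEED, bytes([0x00, 0x59]), 10),   # too soon
        Frame(ID_VEHICLE_SPEED, bytes([0x00, 0x5A]), 60),
        Frame(ID_WHEEL_BUTTONS, bytes([0x01, 0x00]), 70),   # wrong length
        Frame(ID_BRAKE_COMMAND, bytes(8), 80),              # not on the list
    ]
    inbound = [    # constructed traffic arriving from the infotainment bus
        Frame(ID_BRAKE_COMMAND, bytes(8), 90),
        Frame(ID_VEHICLE_SPEED, bytes([0xFF, 0xFF]), 95),   # forged status
    ]
    results = [("out", hex(f.can_id), to_infotainment.forward(f)) for f in outbound]
    results += [("in", hex(f.can_id), to_critical.forward(f)) for f in inbound]
    reasons = [why for _, why in to_infotainment.dropped + to_critical.dropped]
    return results, reasons


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The `dropped` list doubles as a record of what tried to cross the boundary, which is the kind of evidence capture the open letter asks for.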

Re:Separate Physical Concerns.... Physically (1)

Anonymous Brave Guy (457657) | about a month ago | (#47649629)

I couldn't agree more. I was just challenging the idea that not using modern technologies at all was a viable solution to the problem. Some technologies do make cars safer, more reliable, and more efficient, and the important practical question is how we secure those technologies, not whether we should use them in the first place.

Re:An easier solution (1)

murkwood7 (807159) | about a month ago | (#47649857)

All they need to do is learn how to drive.

Re:An easier solution (1)

MickyTheIdiot (1032226) | about a month ago | (#47647341)

It's a decent point, but you didn't follow through. The whole point is that cars depend on computers MORE than having a computerized dashboard. What you are mentioning in your second paragraph is quite trivial.

Computers are used to regulate just about every system in your car. If a "hacker" gets into your car and shuts down the brake system then it's a whole lot worse than if he's just putting a picture of Goat.se on the dashboard.

Re:An easier solution (1)

Lumpy (12016) | about a month ago | (#47647407)

" If a "hacker" gets into your car and shuts down the brake system then it's a whole lot worse than if he's just putting a picture of Goat.se on the dashboard."

For him as well because he would have to be stuffed up under the dashboard to do his hacking, therefore he will probably die in the accident.
All of these stories are dripping with scare tactic bullshit from these "researchers"

Re:An easier solution (3, Insightful)

drinkypoo (153816) | about a month ago | (#47647465)

For him as well because he would have to be stuffed up under the dashboard to do his hacking, therefore he will probably die in the accident.

These vehicles overwhelmingly share a single bus between everything including powertrain and infotainment. If you can control the infotainment system you can control the diagnostic bus. The infotainment system now commonly includes internet access, so it's not even necessary to be near the vehicle to gain attack surface.

Has anyone in fact demonstrated such a hack, so far? Nope. Does that mean it's not a realistic threat? Also nope. Indeed, it's becoming a more realistic threat as more internet-connected features are being added to autos.

Re:An easier solution (1)

LongearedBat (1665481) | about a month ago | (#47647657)

These vehicles overwhelmingly share a single bus between everything including powertrain and infotainment.

Cars that ride the bus, and the bus doubles as a train?!? Transport really is getting complicated nowadays.

Re:An easier solution (3, Informative)

Charliemopps (1157495) | about a month ago | (#47647545)

Don't put this crap in cars in the first place.

I know, I know, simplicity is such an ugly word. It would be truly horrible if people had to concentrate on their driving rather than the six-channel, streaming video playing on their dashboard while they blend margaritas [wikipedia.org] .

What's even crazier is, you don't even need what they are doing to get the same services. Just give the car radio bluetooth and be done with it. I've got an aftermarket headunit in my car that cost me less than $150 and it can stream, do audio calls, shows my contacts in the head unit, I can use voice activation to say "Call home" and my phone will dial... etc... for another $50 I could have even gotten an LCD screen and streamed movies if I wanted. The last thing I want is to buy a car with some proprietary system in it that I won't be able to upgrade for the next 15yrs until I trade the car in.

The last car I bought had "Ford Sync" in it, and it was a pain in the butt to take out. The entire dash's electronics were integrated into the radio. WHY?!?! I had to purchase an aftermarket computer module to replace the functions of that head-unit so I could put in a real radio. What a joke.

Re:An easier solution (0)

Anonymous Coward | about a month ago | (#47651497)

Which headunit did you get?

Then again, a lot of integration could have purpose:

    1. Steering wheel switches that don't have separate wiring to the stereo

    2. Speed-controlled-volume adjustment (esp for convertibles!)

I never got the "enhanced" option from the dealer because it turned out to be a $1200 adder :/

Re:An easier solution (0)

Anonymous Coward | about a month ago | (#47647737)

Haven't you noticed how much more reliable and efficient modern cars are? There's a reason for that, it's called technology. So piss off with your suggestion.

Hoping For Maven, PIP, easy_install (0)

Bob9113 (14996) | about a month ago | (#47647247)

Hackers Demand Automakers Get Serious About Security

I misread the subject line as being about automake systems, like Maven, PIP, and easy_install, and was very excited. All of those are vulnerable to DNS cache poisoning attacks, allowing injection of arbitrary code into software builds.

An enormous first step in improving security is the incorporation of PGP signature checks, but at least in Maven, many of the most popular libraries aren't signed.

Given how many of the people here use these tools on a daily basis, perhaps pointing fingers at the automakers is not warranted until the automakes are not glass houses.

Re:Hoping For Maven, PIP, easy_install (0)

Anonymous Coward | about a month ago | (#47647661)

Right. When you move out from your mother's basement and get your first car, this all will be clear to you.

A Modest Proposal (4, Interesting)

VernonNemitz (581327) | about a month ago | (#47647293)

One of the simplest ways to lock down a computer is to physically lock it away from access. Originally car-makers did that --you needed physical access to the computer (usually inside locked hood compartment) to do anything to it. Now they have connected it to radio waves. That is the main security hole. Go back to a solid wired-only connection, with the connection point(s) behind locked doors, and a significant chunk of the security problems goes away.

Re:A Modest Proposal (1)

Anonymous Coward | about a month ago | (#47647655)

That is among the reasons I am apprehensive about buying a new car of any kind. Mine has the little diagnostic port, but not the wifi access. If someone is in a position to plug something in and hack my car, it would be easier and more profitable for them to just hotwire it and drive it over to the recycling yard to get scrap value for the steel.

Well, boy (1)

Anonymous Coward | about a month ago | (#47649933)

The latest in braking technology involves radars which detect obstacles, vehicles, pedestrians etc. That information is processed and then fed to the ABS/ASR/ESP brake, the motor, the clutch and an electric steering unit.

So,... being in a warfare mode I say you could potentially eliminate that rich guy in his S-class by means of a $500 laptop and a $50 USB microwave transmitter. You could also do this with a nice directional antenna from 50 kilometers distance from a Cessna. Or a Rivet Joint.

I am not privy to the Radar code, but I am privy to some inner working of an auto business and it does not look nice+secure, to be honest.

Re:Well, boy (1)

drinkypoo (153816) | about a month ago | (#47651669)

You could also do this with a nice directional antenna from 50 kilometers distance from a Cessna. Or a Rivet Joint.

It would take more than one rivet joint to defeat one of these cars. One of the dirty little open secrets of the mainstream automotive industry is that a truly disgusting percentage of the spot welds in your car may have been bad ones which will pop apart at the least provocation. By contrast, every last rivet and spot weld in an S-Class (or an Audi A8, or any other similar vehicle which costs a lot and involves Aluminum and/or carbon panels) will have been inspected.

If the radar unit gets very funky data it will most likely refuse to work at all. The system will throw a code and deactivate, and the driver had better not be napping.

presupposing my car 'must' be online (-1)

Anonymous Coward | about a month ago | (#47647297)

bogus to begin with then there's http://science.slashdot.org/comments.pl?sid=5517341&cid=47646895 media censorship & vandalism i can access from my pocket gadget?

all things being equitable.. any notion of real justice is based entirely on mercy, the centerpeace of momkind's heartfelt connection with creation

being spiritually & creatively merciful with each other takes out the (media/fear) drama of the hateful fear & loathing punishment features. are we not each our very own reward? punish as we would wish to be punished? WMD on credit 'weather' is not punishment enough? https://www.youtube.com/results?search_query=wmd+weather+media news http://www.globalresearch.ca/weather-warfare-beware-the-us-military-s-experiments-with-climatic-warfare/7561

Due to excessive bad posting from this IP or Subnet, anonymous comment posting has temporarily been disabled. You can still login to post. However, if bad posting continues from your IP or Subnet that privilege could be revoked as well. If it's you, consider this a chance to sit in the timeout corner or login and improve your posting. If it's someone else, this is a chance to hunt them down (&/or demonize them....) based on speculation of ill intent... peace out /. https://www.youtube.com/watch?v=m39DWVFK-Bw

#irc._trolltalk.com (-1)

Anonymous Coward | about a month ago | (#47647445)

While you're at it... (1)

NReitzel (77941) | about a month ago | (#47647559)

Since people are now talking about car computer security, now is the time to start thinking about including a secure keyed police shutdown mode.

When we get to autonomous vehicles, the nay-sayers are already worrying about how this would permit alleged felons to drive off from robberies all the while taking pot-shots at the police (not having to drive, and all).

If we're building a Star-Trek ® flavor of car, start thinking about including Command Authorization Codes on a per-car basis.

Re:While you're at it... (1)

jd2112 (1535857) | about a month ago | (#47650581)

When we get to autonomous vehicles, the nay-sayers are already worrying about how this would permit alleged felons to drive off from robberies all the while taking pot-shots at the police (not having to drive, and all).

Perhaps, but that self-driving car is going to be obeying all traffic laws while making the getaway, including stopping for said police.

In other news hackers demand cheetos (0)

Anonymous Coward | about a month ago | (#47647599)

Damn those hackers!

Automakers = conflicted (1)

aurizon (122550) | about a month ago | (#47647613)

Every stolen car, and every damaged car = $$ for the automakers for a new car, as the cost of parts is so high that a small amount of true damage = writeoff, or for the repair network for damaged parts.

Better security has been easy to implement for decades, but has not been implemented due to this conflict of interest.

Secure handshake key fobs are the way. Hard wired into the computer so they can not be bypassed or copied.
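One way a "secure handshake" between fob and car can work, as an added example that is not part of the original post or any vendor's protocol: the car issues a fresh random challenge and the fob answers with an HMAC under a key shared at pairing, so the key never goes over the air and a recorded answer is useless later. The class names, message layout and fob identifiers are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def response_tag(key, fob_id, challenge):
    """HMAC-SHA256 over a domain label, the fob identity and the car's nonce."""
    message = b"unlock-v1|" + fob_id.encode() + b"|" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()


class Fob:
    """Holds the pairing key; only ever emits tags, never the key itself."""

    def __init__(self, fob_id, key):
        self.fob_id = fob_id
        self._key = key

    def respond(self, challenge):
        return response_tag(self._key, self.fob_id, challenge)


class Car:
    """Verifier side: one outstanding single-use challenge per paired fob."""

    def __init__(self, paired_keys):
        self._keys = dict(paired_keys)   # fob_id -> key stored at pairing
        self._pending = {}               # fob_id -> outstanding challenge

    def challenge(self, fob_id):
        nonce = secrets.token_bytes(16)
        self._pending[fob_id] = nonce
        return nonce

    def verify(self, fob_id, response):
        # pop() makes the challenge single-use whether or not the check passes
        nonce = self._pending.pop(fob_id, None)
        key = self._keys.get(fob_id)
        if nonce is None or key is None:
            return False
        expected = response_tag(key, fob_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_demo():
    key = secrets.token_bytes(32)        # constructed pairing key
    car = Car({"fob-1": key})
    fob = Fob("fob-1", key)
    outcomes = {}

    # Genuine exchange: challenge, response, verify.
    recorded = fob.respond(car.challenge("fob-1"))
    outcomes["genuine"] = car.verify("fob-1", recorded)

    # The same response sent again with no challenge outstanding.
    outcomes["replay_no_challenge"] = car.verify("fob-1", recorded)

    # The same response sent against a fresh challenge.
    car.challenge("fob-1")
    outcomes["replay_new_challenge"] = car.verify("fob-1", recorded)

    # A copy that knows the fob's identifier but not its key.
    copy = Fob("fob-1", secrets.token_bytes(32))
    outcomes["copy_without_key"] = car.verify(
        "fob-1", copy.respond(car.challenge("fob-1")))

    # A fob that was never paired with this car.
    stranger = Fob("fob-9", key)
    outcomes["unpaired_id"] = car.verify(
        "fob-9", stranger.respond(car.challenge("fob-9")))
    return outcomes


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:22s} accepted={accepted}")
```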

It's all about the costs (1)

Calibax (151875) | about a month ago | (#47648087)

Automobile companies make a large number of vehicles - both GM and Toyota make around 10 million per year. Saving just one dollar on each vehicle adds millions to the company profits.

Something as simple as the extra wiring to create multiple data busses in the vehicle could add a couple of dollars to the vehicle cost. The auto makers will not do it unless it is mandated (either by law or their legal department fearing lawsuits) or they see some sort of a competitive advantage (somewhat unlikely) or there's a PR disaster.

You're Missing the Other Half of the Story... (0)

Anonymous Coward | about a month ago | (#47648401)

It's easy to say "Just isolate the critical driving functions (brakes, accelerator, ignition) from the non-critical systems (radio, NAV, etc.)." The problem is that for as many people as are pushing to keep these two worlds isolated from one another, you have an entirely different set of constituents pushing for integration - customers, governments, law enforcement, OEMs, etc.

- Someone steals your car or car jacks it, groups want the ability for law enforcement to remotely track it (NAV) and disable it (turn off the engine, apply the brakes, etc.).
- Lock your keys in the car? Customers want the ability to call in and have the doors remotely unlocked.
- Air bags deployed? Many want that in-car event to automatically alert emergency response.
- Want monthly preventative diagnostics run by the car and emailed to you? Guess that requires...
- Some OEMs like Tesla are intentionally pushing the boundaries of 21st century automotive computing. Automatic remote firmware updates (a la Windows Update). Remote diagnostics. Sounds cool... until someone pwns you through that vector.

Cryptology and 2FA can help address some of these security concerns, but the manufacturers also need a workable support model that scales to the size of thousands of dealerships worldwide and their need to get stuff done too.

Automatic jail sentences (1)

gnasher719 (869701) | about a month ago | (#47648493)

20 years minimum for any hacker who affects a car which is driving on a public road. Would that be enough of a security measure?

Well, obviously not. We also need 30 years minimum for anyone trying to pin fake evidence of such a crime on someone else, and 40 years for anyone who suggests doing this on slashdot.

Yep (0)

Anonymous Coward | about a month ago | (#47650029)

Land Of The Prison Inmates and Fatty Burgers !

I suppose the obvious answer (1)

gelfling (6534) | about a month ago | (#47649219)

Of don't own a car with all those gadgets doesn't occur to anyone? On the other hand, laws are funny things. Everyone claims to want to end drunk driving no matter what but as soon as you suggest lifetime revocation of all licenses upon first conviction and mandatory long prison time for second offense, all of a sudden it's a 'societal problem'.

Oh well.

Re:I suppose the obvious answer (1)

0123456 (636235) | about a month ago | (#47649245)

Of don't own a car with all those gadgets doesn't occur to anyone?

So, where are we going to buy cars which don't have all these gadgets? New cars need the gadgets to meet economy and safety requirements, and there aren't enough old cars to go around.

Re:I suppose the obvious answer (1)

gelfling (6534) | about a month ago | (#47649845)

I doubt it's impossible to buy a car w/o a built-in GPS and it's equally unlikely that having one for instance is a requirement for registration. Anyway, this is /.; are there not some bright lights out there who know how to pull a fuse out?

Garbage post (1)

Anonymous Coward | about a month ago | (#47650273)

I am yet to read anything even close to correct on how CAN works and how wireless for vehicles work. These articles all compare the vehicle network to a computer network. They are not the same. Wireless systems have existed in vehicles for years. Only recently have cell phone modems been included but the connection to the vehicle systems is hardware separated.

You can communicate with the modules on the vehicle network, but you need to know what bits to send. Also there are limits to what cannot change on each module in the network. Wifi communication is typically on a radio or hands-free module with a cell phone modem. Wireless communication is to that module and no others. Communication between the wifi and to external modules is limited by the radio/hands-free device and network. These cell phone modems are locked down quite drastically to prevent any such issue from occurring. Reducing technical details to manager speak on how CAN networks work is not easy. Having crackpot authors who think they are experts like this does not help.
