Report: Automakers Fail To Fully Protect Against Hacking 100
An anonymous reader writes with news about a report by Senator Edward Markey on the security of new vehicles. "Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data, a member of the U.S. Senate is asserting. Basing his argument on information provided by manufacturer, Sen. Edward Markey has concluded that "many in the automotive industry really don't understand what the implications are of moving to this new computer-based era" of the automobile. The Massachusetts Democrat has asked automakers a series of questions about the technologies — and any safeguards against hackers — that may or may not have been built into the latest models of their vehicles. He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."
Automaker just as incompetent as anybody else... (Score:5, Informative)
...with regard to IT security. What a shocker. This really is not surprise at all. Hopefully their customers will react a bit less forgiving that the mindless masses that cheer for insecure OSes and applications. But I somehow doubt it.
Re: (Score:3)
Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.
Re: (Score:2)
Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.
Yeah, but...
Though TFA is pretty short on details, it's a safe bet that the auto makers have made only a half-assed attempt at security, at best. Time will tell, of course, but I've got money to wager that within the next few years, we're going to see just how little those companies knew and/or cared about security.
Re: (Score:2)
Half-assed, incompetent and on the cheap is probably the best way to describe it.
Re:Automaker just as incompetent as anybody else.. (Score:4, Informative)
Lord, I'm really about to start upping my efforts to buy a restored 70's muscle car. No excess computers, nothing connecting to anything, basically a nice beefy engine, a drivetrain, possibly no catalytic converter (depends on the year)...simple and fun to drive.
Ok, I will update the suspension, and swap out the 8-track for a bit more modern stereo, but seriously, I would rather have a simpler car that just MOVES and is fun. I don't need it to be a connected device that likely transmits far too much information about me and my driving habits for my comfort, and is a target for hackers.
What customers are actually ASKING for all this shit in cars today? Seriously?
Re: (Score:2)
What customers are actually ASKING for all this shit in cars today? Seriously?
Most of them.
Nowdays people expect connectivity from a base model Korean hatchback. Its more important to buyers than airbags and seatbelts. All you have to do is look at the ads for a Ford Fiesta to realise their marketed as fashion accessories for a chic lifestyle with their iwhotsits connectivity, bluetooth, satellite navigation. Having their phone play music through the speakers is more important than a car that actually works. It started with BMWs and Mercs in the early 00's, now its expected in a K
Re: (Score:2)
Not a problem.
Old cars are grandfathered in for pollution levels.
That and I live in a state where they don't do any "sniff" tests on inspections. Hell, not all states even require inspections at all.
Re: (Score:2)
That is exactly not what I am saying. What I am saying is that they went cheap and did not have independent outside evaluation. Of course that will almost always fail. You can make these things secure enough that nobody will hack them (because it is too much effort), but that costs money.
Easy fix... (Score:5, Insightful)
This is fixed pretty easily:
Don't put the fscking radio, XM satellite stuff, BlueTooth toys and other garbage on the same CAN as the ECM/TCM.
One CAN for the basic stuff that is vital to life safety. As for wanting to turn the climate control system on and off via an app? How about no. Automobiles are dangerous, and there is a point where you just can't let the entire Internet have access to a vehicle, in the name of security.
Even things like OnStar are disasters waiting to happen. If/when it gets breached an attacker can turn an evacuation into an epic disaster by disabling all GM cars trying to get out of an area that is about to get nailed by a hurricane. A microcosm of this happened in Austin when a car dealer's immobilization system (the buyers of cars had to type in a code each week or else their vehicle was disabled) got "hacked" (by an ex-employee who knew the manager's user info), and all cars that were in that dealer's system shut off and made to honk until their batteries died.
I hope car makers have sense, and don't take the IoT bait. It will mean certain loss of life in the future, when some intruder disables the power brakes on vehicles at random (for example.) Or for cars that are totally drive by wire, just disable the steering wheel, or have it turn randomly. Nobody could prove that it was anyone's fault but the driver's in that condition.
Re: (Score:3)
Re: (Score:3)
What is needed is a data diode with a CAN firewall. This way, there can be two CANs, one for the data that can crash the vehicle, and one for the gewgaws. This way, the radio can know how fast one is going and so on, but can't decide to interrupt spark plug timing.
Easy in theory, but can this be done by companies, even auto makers? Hopefully, but not many companies have a good reputation for security when heavily attacked.
Re: (Score:2)
Indeed. An application-level firewall (in Internet-terminology, CAN is likely a bit different) is what you need here and it needs to be hardened. Not magic at all, but you need to know what you are doing and it does cost some money.
Re: (Score:2)
There are no working "data diodes" on network level. That is a marketing-construct. If you need working data diodes, what you do is burn to write-once media on one side, carry it over, then destroy the medium.
Re: (Score:2)
I've made them before, although not truly network level. Two PCs, each on separate subnets connected to each other with a serial cable that had the Rx line cut. Data on the secure network would hit the first PC and go out the serial port to the second PC that would spool the data to disk. Nothing is 100%, but barring physical access, it would be extremely hard for an intruder to try to affect the PC on the secure network in any way, even if the machine on the receiving network was completely rooted.
Re: (Score:2)
Right, so you need a device sitting on the essential bus that copies that traffic onto the auxiliary bus but never the other direction. Ideally it does it with 2 back to back controllers linked only by an opto-isolator that connects tx on the secure bus controller to rx on the auxiliary bus controller.
Re: (Score:3)
Don't put the fscking radio, XM satellite stuff, BlueTooth toys and other garbage on the same CAN as the ECM/TCM.But then how would I get my downloadable security software upgrades into the components on different CANs without duplicating my download mechanism across both CANs? That might cost me as much as a couple dollars per car - the horror! (I'm not being that sarcastic here about the cost - in the volumes these guys deal in, a nickle cost savings can translate to millions of dollars on the company's b
Re: (Score:2)
And there you describe a simple zone concept, like the ones usually presented in one of the first lectures of a course on secure system architecture. Apparently they either did not have those basic knowledge, or management did override the experts.
Re: (Score:2)
The problem is that separation of function and defense in depth tends to be set aside because it costs money to implement, and in my experience, "security has no ROI" is quite a mantra for some PHBs... just because there are little to no consequences that will happen to a company if there is a breach.
The VW engineer is enlightening. It is actually surprising to me to find a company engineering security, as opposed to strapping it on after everything else is done as a token gesture. Now, if VW could start
Love my old car (Score:1)
I love my old car. No 3G connection, no wifi. Runs fine.
Re: (Score:2)
Re: (Score:2)
Do you need your calculator hooked up to the network of networks to function properly though?
Re: (Score:2)
How do you fully prevent hacking? (Score:2)
We have armies of security specialist working on securing systems across the globe, and still we get issues where data is broken in.
If there is a lock, that can be unlocked, someone will find a way to unlock it without their permission.
Automotive advantage to security is the fact that the access point is always moving, so it would be difficult to maintain a consistent connection. However its disadvantage is there is such a large lage in automotive design that the computers are already out of date by the ti
Re: (Score:2)
Solving one problem by creating another, in my opinion. Maybe not. But a car that's always attached to a network seems a whole lot more hackable than one that is not.
Re: (Score:3)
The most I expect from car makers, or really any engineers for this stuff, is to recognize they're going to lose. So, with that in mind, design their cars to lose gracefully, or more importantly, safely. When I hear that cars can be turned off remotely, etc (think OnStar). I'd say their failing that. I don't need some intelligent hackers turning off my car while I'm running from them and jacking me while I try to figure out why my car isn't working anymore.
Re: (Score:2)
No we don't. We have armies of wannabes saying they are working on this. But I guarantee you most of them have no clue. I get stupid questions like "why is not having a password insecure?" to "must I patch?" to "but it's not on the internet" to all kinds of nonsense.
I guarantee you there wasn't anyone security related, whose sole function was security, working on these things, because they are unencrypted and have been for years.
Again, duh ... (Score:4, Insightful)
And until there are legal penalties for companies who fail to implement proper security, or to keep personal information safe ... this will continue to happen.
When a company can sell your private data (because they embedded something in an EULA), or has no consequences for being incompetent, they'll just say "oops, bummer" and keep doing it.
So until there are real data protection laws, with real consequences ... just assume these companies are incompetent, indifferent, and not accountable.
Because, let's face it, they are.
But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.
All products which have marketing driving features probably have ZERO security. Because marketing all need a kick to the head and don't understand security, and explicitly don't WANT security or constraints, because that limits how they can make money with and would mean they need to do a better job of engineering.
Most modern tech is rushed out the door, with zero thought of security and privacy. And since it doesn't matter if they suck at both, they'll continue to do it.
Re:Again, duh ... (Score:5, Insightful)
But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.
That's the whole purpose of corporations - to remove accountability. In fact, it meshes perfectly with the very purposes of government - to socialize losses and privatize gains, and if, in exchange, corporations can funnel nearly unlimited money to political campaigns to satisfy politicians' thirst for power, you have a nearly perfect arrangement as far as most of the concentrated-interest players are concerned. No-plead deals have become all the rage with prosecutors over the past two decades, super-charging corporate malfeasance.
Just look at Wall Street before and after the partnerships reorganized as corporations for a case study of how it works. Or even better, the public benefit corporations prior to Reconstruction (when JD Rockefeller bribed Congress to let him make Standard Oil into a permanent corporation) fulfilling the very mercantalist nightmare the former Colonists tried hard to avoid recreating.
"Corporations are People, my friend" - special people who never die, can handle unlimited resources, face no penalties for their behavior, and encourage corruption without remorse. Stan Lee would call those kinds of people "supervillains".
Re: (Score:2)
But for some reason people seem to think it's unnatural to make companies accountable.
Not that I necessarily disagree with your overall point, but there's a fuzzy line between holding a company accountable and making them unreasonably liable for things. e.g. obviously my bank should be expected to keep my information safe, but what if I use a weak password? Or if an attacker wins the lottery and randomly guesses my password on the first try (because I'm old and can't comprehend how to use 2-factor authentication)? Or what if someone claiming to be me provides the appropriate credentials and
Re: (Score:2)
I don't know, auto manufactures recall and replace parts when it's a concern of safety. I've had working parts replaced for free because of designs flaws that might cause the breaks or seat belts to fail, the dealership even contacted me and scheduled it.
Sen Markey (Score:5, Insightful)
We've had computers in cars for quite awhile. You are correct that these newer systems are more vulnerable to hacking and identity theft. The biggest question you should ask is why do we allow our information systems whether they be in cars, financial institutions or healthcare systems to be this vulnerable. The federal government is also slipshod when it comes to protecting information and it's time that was stop pointing fingers and produce legislation and a constitutional amendment that protects privacy.. The only way we'll change the behavior is to include penalties for not thinking about security and putting our PII and lives at risk.
Re:Sen Markey (Score:5, Insightful)
The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism.
There are a lot of people who seem to think corporations should be free to do anything they want, and that if consumers want privacy they can choose to buy from companies who give it.
Of course, those people are morons who think the magical free market solves such problems.
As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.
And no idiotic "free market" will change that.
Re: (Score:2)
I believe I implied that. Regulation to some degree is necessary but with the assaults on our privacy and being hacked in ridiculously simple ways that needs to have some associated degree of pain. If a company loses your PII the FTC comes in and says "bad company" slaps them on the wrist with a fine and they go and promise not to do it again. In the meantime the victims are left scrambling around to recoup their credit ratings and lost assets without any assistance. That's one dimension to this problem
Re: (Score:2)
What we're talking about here sounds more like civil law (e.g. lawsuits for product liability), not criminal law.
But, there is such a thing as criminal negligence: http://en.m.wikipedia.org/wiki... [wikipedia.org]
Re: (Score:2)
As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.
And no idiotic "free market" will change that.
So Impose a financial penalty for screwing up and let the free market do the rest?
Socialist computing vulnerabilities? (Score:2)
It isn't down to the corporations that our computing infrastructure is so insecure, but our own Governments. As in order to protect us they need to keep us under constant surveillance. Some of us might still be able to recall when the NSA helped Microsoft secure Skype [arstechnica.com]. See also where your Bitlocker [cryptome.org] keys are stored
good luck with that (Score:2)
What about medical devices? (Score:2)
Re:What about medical devices? (Score:4, Insightful)
Or, how about data privacy and protection laws in general? You know, actually hold companies accountable for treating security and privacy as optional?
Start fining them 10's or 100's of millions of dollars for being clueless idiots, and they'll get the message.
Keep letting companies do nothing and bear no consequences ... nothing at all will change. If you're not hitting them where it counts, corporations won't start acting differently.
Re: (Score:2)
Government! Start with thyselves! (Score:1)
The good Senator can begin by introducing legislation, that bans from public roads any and all electronic payment systems, that do not offer the anonymous option.
One can buy a prepaid cell-phone anonymously, but not a prepaid "EZ-Pass", for some reason. One can add money to a payment card (such as phone- or tranist- one), but can not simply add value (cash) to an "EZ-Pass" account. Heck, you can't even take your EZ-Pass with you from one car to another — it is registered to a particular license-plate
Re: (Score:2)
You're not required to take a toll road.
Re: (Score:1)
You are not required to buy a (new) car either.
Re: (Score:2)
I'm not sure what you're getting at.
Re: (Score:1)
TFA is about people buying new cars, which are, supposedly, loaded by remotely-explotaible electronics.
I — a crazy Libertarian — pointed out, that, as usual, the main threat to our privacy (as well as money) comes not from competing manufacturers, but from government and government-backed monopolies.
You objected to that by saying, taking a toll road is never a requirement. I countered that statement (not entirely accurate one, BTW), by reminding, that buying
Re: (Score:2)
I countered that statement (not entirely accurate one, BTW),
Oh this should be good. Why is it not accurate?
Re: (Score:1)
Thank you for accepting all of my other points.
I'll surrender this one.
Re: (Score:2)
I'm not accepting anything since you haven't really made any point. So thanks for at least admitting you were wrong.
Re: (Score:1)
Let me enumerate my points for the slower among the audience:
Re: (Score:2)
Corporations, which — like EZ-Pass — are given monopoly by the government.
The government gives monopolies to all sorts of companies. This is nothing new. Though in this case it's the state governments doing the granting rather than the feds. I thought your type was all states rights nonsense.
The government's threats against us evolve and aren't limited to the old known evil of unwarranted eavesdropping.
What that has to do with cars is beyond me.
The Senator in TFA is scoring cheap points by harking at car-manufacturers over imaginary threats from hypothetical hackers, rather than going after the clear and present dangers enumerated.
You mean the threat of your car being tracked by EZ-Pass? The threat you can avoid BY NOT TAKING TOLL ROADS.
Somewhere in Chicago a community is missing its organizer.
And you seem to be missing any sort of common sense. I'm done with you.
Re: (Score:1)
In the context of this discussion, there is no difference between Federal and States' governments. Try to keep up.
As you came to understand upon typing the next sentence below, I'm talking about tracking vehicle movement through de-facto mandatory EZ-Pass. That is, what it "has to do with cars".
Yes, and the t
Re: (Score:2)
You're not required to have a car (or feet) or a home, or eat. Yes, you are perfectly free to starve in the gutter if you like.
That poor dead horse has been whipped into a chunky sauce by now. Next lame excuse please!
Re: (Score:2)
Oh please. You're comparing taking a toll road to having a house? Get real.
Re: (Score:2)
Considering that the toll road almost inevitably relied on an exercise of eminent domain "for the public good", I would say that attaching loss of privacy to it's use is quite impermissible.
My argument was reducto ad absurdem.
My point stands, the ability to avoid a public resource with varying degrees of discomfort, inconvenience, or harm does not and can not excuse violation of privacy or other rights. The horse is still dead.
Re: (Score:2)
My argument was reducto ad absurdem.[sic]
Hey, you said it.
Re: (Score:2)
I don't think they really enforce the Pass matching the plates though. I've used mine with rental cars, or along with my parents on a trip, etc. and never seen an issue with them claiming any sort of violations. I think it only comes into play if you report the Pass stolen.
Re: (Score:1)
You are violating your contract, if you use it with another vehicle. They may come down at you if they choose to — and, them being a monopoly, you'll have no option but to pay up whatever they decide to demand (a $50 "administrative fee" for a $0.50 payment is normal). And, being a government-backed monopoly, they will hold your driver-license or car-registration hostage until you pay up.
Incant the demon that is APK (Score:2, Funny)
CLEARLY, the fix for all these problems is a good HOSTS FILE MANAGER
Re: (Score:1)
No, no, CLEARLY the fix for all of these problems is to integrate all your car's features into systemd, and ensure that all car vendors adopt systemd.
Ugh (Score:1)
Here I found out 2 days ago my car is dying and have been looking online at other vehicles. Granted I love computers and all, when it comes to cars I'm more of a minimalist - less shit that can break and go wrong. The last thing I want is for my CAR to get hacked!
Funny timing on this article, though... (Score:2)
Conspiracy theorists, discuss amongst yourselves...
</ tinfoil>
Protections you say? (Score:2)
He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."
Same as in the tech industry - somewhere between "absolutely none" and "we intentionally use it in a harmful or invasive manner, that's our business model...and the NSA demands access too."
Demo of such on 60 Minutes 2/8/15 (Score:4, Interesting)
Self-Driving Cars, yay! (Score:2)
Welcome to the next generation of theft, rape, murder, and kidnapping done by cyber assaliants hijacking self-driving cars.
Re: (Score:1)
Re: (Score:2)
No computer part is simply made in a vacuum, from operating systems, to CPUs, to HDs. all components have slowly evolved over time.
It is very much unlikely that any radical leap in technology is going to power the first self driving cars. Its simply putting together what we have today. Its very likely self-driving cars will be mostly techn
Give me market choices ... (Score:2)
So obviously DRM is the answer (Score:2)
The sad thing is, the obvious answer the car industry is going to come up with is to encrypt the canbus and use DRM to control access to the bus. This will provide a (false) sense of security, while locking out those pesky people that want to mod their vehicles and add all those cheaper after market parts like remote starts. And in the end this is bad thing for all of us.
Why? (Score:1)
Self driving, Internet-ready cars are a really bad idea, imho.
I can just see some 13-year old script kiddie 'hacking' into your car and controlling it with his racing wheel. Better yet, testing his script on your car in an effort to work out the real-world bugs...
No thanks.
Interesting juxtaposition... (Score:2)
Between this story about the need to secure on board systems against hacking, and Friday's story about the NEED to hack farm equipment....
http://tech.slashdot.org/story... [slashdot.org]
In other breaking news... (Score:2)
Fish found to be good at swimming! News at 11!
false concern (Score:2)
The government is hacking every router, server, and computerized device in the country. Yet they will lean "for our protection" on car manufacturers and vehicle computerization. I don't believe this is nearly as much concern. You want better security? Open the sources and especially open what the government is doing to subvert and work around security measures and end them. Otherwise? STFU.
Michael Hastings (Score:2)
It has been claimed that Michael Hastings might have been assassinated by hacking his car:
https://en.wikipedia.org/wiki/... [wikipedia.org]
I'm not sure whether he actually died that way, but it's theoretically possible, if you've pissed sufficiently rich and powerful people off enough, and he may have done.