
Report: Automakers Fail To Fully Protect Against Hacking

An anonymous reader writes with news about a report by Senator Edward Markey on the security of new vehicles. "Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data, a member of the U.S. Senate is asserting. Basing his argument on information provided by manufacturers, Sen. Edward Markey has concluded that 'many in the automotive industry really don't understand what the implications are of moving to this new computer-based era' of the automobile. The Massachusetts Democrat has asked automakers a series of questions about the technologies — and any safeguards against hackers — that may or may not have been built into the latest models of their vehicles. He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."
  • by gweihir ( 88907 ) on Monday February 09, 2015 @11:55AM (#49018495)

    ...with regard to IT security. What a shocker. This really is no surprise at all. Hopefully their customers will react a bit less forgivingly than the mindless masses that cheer for insecure OSes and applications. But I somehow doubt it.

    • Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.

      • by Jawnn ( 445279 )

        Exactly... as has been opined about dozens of times before... you can never fully protect against hacking, so automakers are always going to fail at it.

        Yeah, but...
        Though TFA is pretty short on details, it's a safe bet that the auto makers have made only a half-assed attempt at security, at best. Time will tell, of course, but I've got money to wager that within the next few years, we're going to see just how little those companies knew and/or cared about security.

      • by cayenne8 ( 626475 ) on Monday February 09, 2015 @02:05PM (#49019605) Homepage Journal
        Well they could go a LONG way in letting users secure their own cars, by allowing a SIMPLE method for de-activating all this un-needed wireless connectivity. I have a phone/gps I don't need my fscking car wired to the fscking internet.

        Lord, I'm really about to start upping my efforts to buy a restored 70's muscle car. No excess computers, nothing connecting to anything, basically a nice beefy engine, a drivetrain, possibly no catalytic converter (depends on the year)...simple and fun to drive.

        Ok, I will update the suspension, and swap out the 8-track for a bit more modern stereo, but seriously, I would rather have a simpler car that just MOVES and is fun. I don't need it to be a connected device that likely transmits far too much information about me and my driving habits for my comfort, and is a target for hackers.

        What customers are actually ASKING for all this shit in cars today? Seriously?

        • by mjwx ( 966435 )

          What customers are actually ASKING for all this shit in cars today? Seriously?

          Most of them.

          Nowadays people expect connectivity from a base model Korean hatchback. It's more important to buyers than airbags and seatbelts. All you have to do is look at the ads for a Ford Fiesta to realise they're marketed as fashion accessories for a chic lifestyle with their iwhotsits connectivity, bluetooth, satellite navigation. Having their phone play music through the speakers is more important than a car that actually works. It started with BMWs and Mercs in the early 00's, now it's expected in a K

      • by gweihir ( 88907 )

        That is exactly not what I am saying. What I am saying is that they went cheap and did not have independent outside evaluation. Of course that will almost always fail. You can make these things secure enough that nobody will hack them (because it is too much effort), but that costs money.

    • Easy fix... (Score:5, Insightful)

      by mlts ( 1038732 ) on Monday February 09, 2015 @12:19PM (#49018749)

      This is fixed pretty easily:

      Don't put the fscking radio, XM satellite stuff, BlueTooth toys and other garbage on the same CAN as the ECM/TCM.

      One CAN for the basic stuff that is vital to life safety. As for wanting to turn the climate control system on and off via an app? How about no. Automobiles are dangerous, and there is a point where you just can't let the entire Internet have access to a vehicle, in the name of security.

      Even things like OnStar are disasters waiting to happen. If/when it gets breached an attacker can turn an evacuation into an epic disaster by disabling all GM cars trying to get out of an area that is about to get nailed by a hurricane. A microcosm of this happened in Austin when a car dealer's immobilization system (the buyers of cars had to type in a code each week or else their vehicle was disabled) got "hacked" (by an ex-employee who knew the manager's user info), and all cars that were in that dealer's system shut off and made to honk until their batteries died.

      I hope car makers have sense, and don't take the IoT bait. It will mean certain loss of life in the future, when some intruder disables the power brakes on vehicles at random (for example.) Or for cars that are totally drive by wire, just disable the steering wheel, or have it turn randomly. Nobody could prove that it was anyone's fault but the driver's in that condition.

      • Don't put the fscking radio, XM satellite stuff, BlueTooth toys and other garbage on the same CAN as the ECM/TCM.

        But then how would I get my downloadable security software upgrades into the components on different CANs without duplicating my download mechanism across both CANs? That might cost me as much as a couple dollars per car - the horror! (I'm not being that sarcastic here about the cost - in the volumes these guys deal in, a nickel cost savings can translate to millions of dollars on the company's b

      • by gweihir ( 88907 )

        And there you describe a simple zone concept, like the ones usually presented in one of the first lectures of a course on secure system architecture. Apparently they either did not have that basic knowledge, or management overrode the experts.

        • by mlts ( 1038732 )

          The problem is that separation of function and defense in depth tends to be set aside because it costs money to implement, and in my experience, "security has no ROI" is quite a mantra for some PHBs... just because there are little to no consequences that will happen to a company if there is a breach.

          The VW engineer is enlightening. It is actually surprising to me to find a company engineering security, as opposed to strapping it on after everything else is done as a token gesture. Now, if VW could start
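The bus segmentation mlts and gweihir argue for above amounts to a default-deny gateway between zones. The following is an added illustration, not code from the article or from any automaker, of what such a gateway has to enforce: a small Python model with an infotainment bus and a powertrain bus, a per-direction allowlist of CAN arbitration IDs, and a few constructed frames including the kind an attacker on the head unit would inject. The bus names, the arbitration IDs (0x0C0, 0x0D0, 0x120, 0x130, 0x7DF) and the `bus ID#HEXDATA` log format are all invented for the example; real IDs live in the OEM's DBC file and differ per model.

```python
"""Toy CAN gateway enforcing a per-direction arbitration-ID allowlist
between an infotainment bus and a powertrain bus (added example; the
IDs, bus names and log format are assumptions, not from any real car).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INFOTAINMENT = "infotainment"
POWERTRAIN = "powertrain"

# Hypothetical arbitration IDs chosen for this illustration only.
ID_ENGINE_RPM = 0x0C0     # ECM broadcasts engine speed (display only)
ID_VEHICLE_SPEED = 0x0D0  # ABS/TCM broadcasts road speed (display only)
ID_BRAKE_CMD = 0x120      # brake actuation command: life-safety
ID_STEER_CMD = 0x130      # steering command on a by-wire car: life-safety
ID_UDS_FUNC = 0x7DF       # UDS functional diagnostic request


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN 2.0A frame: 11-bit identifier, up to 8 data bytes."""
    can_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError(f"bad 11-bit CAN id {self.can_id:#x}")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


def parse_candump_line(line: str) -> Tuple[str, CanFrame]:
    """Parse a constructed 'bus ID#HEXDATA' line, e.g. 'infotainment 120#FF'."""
    bus, frame_txt = line.split()
    id_txt, _, data_txt = frame_txt.partition("#")
    return bus, CanFrame(int(id_txt, 16), bytes.fromhex(data_txt))


# Policy: (source bus, destination bus) -> IDs the gateway forwards.
# Anything not listed is dropped, so the default is deny.
DEFAULT_POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    # Powertrain may publish read-only telemetry for the dashboard/head unit.
    (POWERTRAIN, INFOTAINMENT): frozenset({ID_ENGINE_RPM, ID_VEHICLE_SPEED}),
    # Nothing originating on the infotainment bus reaches the ECM/TCM.
    (INFOTAINMENT, POWERTRAIN): frozenset(),
}

# For contrast: one shared bus (what mlts objects to) behaves like a
# gateway that forwards every ID in both directions.
ALL_IDS = frozenset(range(0x800))
FLAT_BUS_POLICY: Dict[Tuple[str, str], FrozenSet[int]] = {
    (POWERTRAIN, INFOTAINMENT): ALL_IDS,
    (INFOTAINMENT, POWERTRAIN): ALL_IDS,
}


class Gateway:
    """Forwards a frame to the other bus only when the policy allows its ID."""

    def __init__(self, policy: Dict[Tuple[str, str], FrozenSet[int]] = DEFAULT_POLICY) -> None:
        self.policy = policy
        self.delivered: Dict[str, List[CanFrame]] = {INFOTAINMENT: [], POWERTRAIN: []}
        self.dropped: List[Tuple[str, CanFrame]] = []

    def forward(self, src: str, frame: CanFrame) -> bool:
        dst = POWERTRAIN if src == INFOTAINMENT else INFOTAINMENT
        if frame.can_id in self.policy.get((src, dst), frozenset()):
            self.delivered[dst].append(frame)
            return True
        self.dropped.append((src, frame))
        return False


# Constructed traffic: legitimate telemetry plus frames an attacker who has
# taken over the head unit would try to inject toward the powertrain bus.
SAMPLE_TRAFFIC = [
    "powertrain 0C0#1F40",                 # raw engine-speed reading
    "powertrain 0D0#0050",                 # raw road-speed reading
    "infotainment 120#FF",                 # spoofed full-brake command
    "infotainment 130#7FFF",               # spoofed steering command
    "infotainment 7DF#0211010000000000",   # UDS ECUReset (0x11, hard reset) attempt
]


def run(traffic: List[str] = SAMPLE_TRAFFIC,
        policy: Dict[Tuple[str, str], FrozenSet[int]] = DEFAULT_POLICY) -> Dict[str, object]:
    """Push the sample traffic through a gateway and summarise what got through."""
    gw = Gateway(policy)
    for line in traffic:
        bus, frame = parse_candump_line(line)
        gw.forward(bus, frame)
    return {
        "forwarded_to_infotainment": len(gw.delivered[INFOTAINMENT]),
        "forwarded_to_powertrain": len(gw.delivered[POWERTRAIN]),
        "dropped": len(gw.dropped),
        "dropped_ids": sorted({f.can_id for _, f in gw.dropped}),
    }


if __name__ == "__main__":
    print("segmented:", run())
    print("flat bus: ", run(policy=FLAT_BUS_POLICY))
```

With the segmented policy the two telemetry frames reach the head unit and all three injected frames are dropped; with the flat-bus policy the same three frames land on the powertrain bus. The allowlist is keyed on direction as well as ID, which is the part a shared bus cannot give you: an ID the ECM is allowed to broadcast is not thereby an ID the head unit is allowed to send. Real gateways also rate-limit and check frame length and sender, and the update path raised in the reply above would be handled as a separately authenticated channel rather than by opening the allowlist.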

  • by Anonymous Coward

    I love my old car. No 3G connection, no wifi. Runs fine.

    • by magsol ( 1406749 )
      My abacus works just fine, too. Doesn't mean it's reached the ultimate apex of utility.
      • Do you need your calculator hooked up to the network of networks to function properly though?

        • Well Apple told me the latest update to my calculator app will make it run 0.00000001% faster on all calculations!
  • We have armies of security specialists working on securing systems across the globe, and still we get issues where data is broken into.

    If there is a lock, that can be unlocked, someone will find a way to unlock it without their permission.

    Automotive's advantage for security is the fact that the access point is always moving, so it would be difficult to maintain a consistent connection. However its disadvantage is there is such a large lag in automotive design that the computers are already out of date by the ti

    • The most I expect from car makers, or really any engineers for this stuff, is to recognize they're going to lose. So, with that in mind, design their cars to lose gracefully, or more importantly, safely. When I hear that cars can be turned off remotely, etc. (think OnStar), I'd say they're failing that. I don't need some intelligent hackers turning off my car while I'm running from them and jacking me while I try to figure out why my car isn't working anymore.

    • No we don't. We have armies of wannabes saying they are working on this. But I guarantee you most of them have no clue. I get stupid questions like "why is not having a password insecure?" to "must I patch?" to "but it's not on the internet" to all kinds of nonsense.

      I guarantee you there wasn't anyone security related, whose sole function was security, working on these things, because they are unencrypted and have been for years.

  • Again, duh ... (Score:4, Insightful)

    by gstoddart ( 321705 ) on Monday February 09, 2015 @12:00PM (#49018533) Homepage

    And until there are legal penalties for companies who fail to implement proper security, or to keep personal information safe ... this will continue to happen.

    When a company can sell your private data (because they embedded something in an EULA), or has no consequences for being incompetent, they'll just say "oops, bummer" and keep doing it.

    So until there are real data protection laws, with real consequences ... just assume these companies are incompetent, indifferent, and not accountable.

    Because, let's face it, they are.

    But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

    All products which have marketing driving features probably have ZERO security. Because marketing all need a kick to the head and don't understand security, and explicitly don't WANT security or constraints, because that limits how they can make money with and would mean they need to do a better job of engineering.

    Most modern tech is rushed out the door, with zero thought of security and privacy. And since it doesn't matter if they suck at both, they'll continue to do it.

    • Re:Again, duh ... (Score:5, Insightful)

      by bill_mcgonigle ( 4333 ) * on Monday February 09, 2015 @01:21PM (#49019271) Homepage Journal

      But for some reason people seem to think it's unnatural to make companies accountable. Because we couldn't possibly impose conditions on corporations ... they have to be free to make a profit without any accountability.

      That's the whole purpose of corporations - to remove accountability. In fact, it meshes perfectly with the very purposes of government - to socialize losses and privatize gains, and if, in exchange, corporations can funnel nearly unlimited money to political campaigns to satisfy politicians' thirst for power, you have a nearly perfect arrangement as far as most of the concentrated-interest players are concerned. No-plead deals have become all the rage with prosecutors over the past two decades, super-charging corporate malfeasance.

      Just look at Wall Street before and after the partnerships reorganized as corporations for a case study of how it works. Or even better, the public benefit corporations prior to Reconstruction (when JD Rockefeller bribed Congress to let him make Standard Oil into a permanent corporation) fulfilling the very mercantalist nightmare the former Colonists tried hard to avoid recreating.

      "Corporations are People, my friend" - special people who never die, can handle unlimited resources, face no penalties for their behavior, and encourage corruption without remorse. Stan Lee would call those kinds of people "supervillains".

    • But for some reason people seem to think it's unnatural to make companies accountable.

      Not that I necessarily disagree with your overall point, but there's a fuzzy line between holding a company accountable and making them unreasonably liable for things. e.g. obviously my bank should be expected to keep my information safe, but what if I use a weak password? Or if an attacker wins the lottery and randomly guesses my password on the first try (because I'm old and can't comprehend how to use 2-factor authentication)? Or what if someone claiming to be me provides the appropriate credentials and

    • I don't know, auto manufacturers recall and replace parts when it's a concern of safety. I've had working parts replaced for free because of design flaws that might cause the brakes or seat belts to fail; the dealership even contacted me and scheduled it.

  • Sen Markey (Score:5, Insightful)

    by Virtucon ( 127420 ) on Monday February 09, 2015 @12:02PM (#49018571)

    We've had computers in cars for quite a while. You are correct that these newer systems are more vulnerable to hacking and identity theft. The biggest question you should ask is why do we allow our information systems, whether they be in cars, financial institutions or healthcare systems, to be this vulnerable. The federal government is also slipshod when it comes to protecting information and it's time that we stop pointing fingers and produce legislation and a constitutional amendment that protects privacy. The only way we'll change the behavior is to include penalties for not thinking about security and putting our PII and lives at risk.

    • Re:Sen Markey (Score:5, Insightful)

      by gstoddart ( 321705 ) on Monday February 09, 2015 @12:06PM (#49018619) Homepage

      The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism.

      There are a lot of people who seem to think corporations should be free to do anything they want, and that if consumers want privacy they can choose to buy from companies who give it.

      Of course, those people are morons who think the magical free market solves such problems.

      As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.

      And no idiotic "free market" will change that.

      • I believe I implied that. Regulation to some degree is necessary but with the assaults on our privacy and being hacked in ridiculously simple ways that needs to have some associated degree of pain. If a company loses your PII the FTC comes in and says "bad company" slaps them on the wrist with a fine and they go and promise not to do it again. In the meantime the victims are left scrambling around to recoup their credit ratings and lost assets without any assistance. That's one dimension to this problem

      • As long as we consider corporate greed to be a replacement for regulating them, this is exactly what happens. If corporations have zero penalty for doing a crappy job of security, they'll keep doing a crappy job of security.

        And no idiotic "free market" will change that.

        So Impose a financial penalty for screwing up and let the free market do the rest?

      • @gstoddart: "The problem is there will be a whole bunch of people who will loudly proclaim that having penalties for corporations failing to protect this information is tantamount to socialism."

        It isn't down to the corporations that our computing infrastructure is so insecure, but our own Governments. As in order to protect us they need to keep us under constant surveillance. Some of us might still be able to recall when the NSA helped Microsoft secure Skype [arstechnica.com]. See also where your Bitlocker [cryptome.org] keys are stored
  • seriously. i hope security is increased or connectivity decreased.
  • Maybe this is a sign of politicians waking up to tech. Hopefully someone will start to ask these questions about medical devices, too. https://www.youtube.com/watch?... [youtube.com]
    • by gstoddart ( 321705 ) on Monday February 09, 2015 @12:18PM (#49018731) Homepage

      Or, how about data privacy and protection laws in general? You know, actually hold companies accountable for treating security and privacy as optional?

      Start fining them 10's or 100's of millions of dollars for being clueless idiots, and they'll get the message.

      Keep letting companies do nothing and bear no consequences ... nothing at all will change. If you're not hitting them where it counts, corporations won't start acting differently.

      • I'm for this, now who gets the bill when the ACA gets hacked? We all know it's a matter of when not if.
  • The good Senator can begin by introducing legislation, that bans from public roads any and all electronic payment systems, that do not offer the anonymous option.

    One can buy a prepaid cell-phone anonymously, but not a prepaid "EZ-Pass", for some reason. One can add money to a payment card (such as a phone- or transit- one), but can not simply add value (cash) to an "EZ-Pass" account. Heck, you can't even take your EZ-Pass with you from one car to another — it is registered to a particular license-plate

    • by Enry ( 630 )

      You're not required to take a toll road.

      • by mi ( 197448 )

        You're not required to take a toll road.

        You are not required to buy a (new) car either.

        • by Enry ( 630 )

          I'm not sure what you're getting at.

          • by mi ( 197448 )

            I'm not sure what you're getting at.

            TFA is about people buying new cars, which are, supposedly, loaded with remotely-exploitable electronics.

            I — a crazy Libertarian — pointed out, that, as usual, the main threat to our privacy (as well as money) comes not from competing manufacturers, but from government and government-backed monopolies.

            You objected to that by saying, taking a toll road is never a requirement. I countered that statement (not entirely accurate one, BTW), by reminding, that buying

            • by Enry ( 630 )

              I countered that statement (not entirely accurate one, BTW),

              Oh this should be good. Why is it not accurate?

              • by mi ( 197448 )

                Oh this should be good. Why is it not accurate?

                Thank you for accepting all of my other points.

                I'll surrender this one.

                • by Enry ( 630 )

                  I'm not accepting anything since you haven't really made any point. So thanks for at least admitting you were wrong.

                  • by mi ( 197448 )

                    I'm not accepting anything since you haven't really made any point.

                    Let me enumerate my points for the slower among the audience:

                    • The main threat to our money and privacy are not competing corporations like car-makers, but our government and, even worse:
                    • Corporations, which — like EZ-Pass — are given monopoly by the government.
                    • The government's threats against us evolve and aren't limited to the old known evil of unwarranted eavesdropping.
                    • The Senator in TFA is scoring cheap points by harking at ca
                    • by Enry ( 630 )

                      Corporations, which — like EZ-Pass — are given monopoly by the government.

                      The government gives monopolies to all sorts of companies. This is nothing new. Though in this case it's the state governments doing the granting rather than the feds. I thought your type was all states rights nonsense.

                      The government's threats against us evolve and aren't limited to the old known evil of unwarranted eavesdropping.

                      What that has to do with cars is beyond me.

                      The Senator in TFA is scoring cheap points by harking at car-manufacturers over imaginary threats from hypothetical hackers, rather than going after the clear and present dangers enumerated.

                      You mean the threat of your car being tracked by EZ-Pass? The threat you can avoid BY NOT TAKING TOLL ROADS.

                      Somewhere in Chicago a community is missing its organizer.

                      And you seem to be missing any sort of common sense. I'm done with you.

                    • by mi ( 197448 )

                      I thought your type was all states rights nonsense.

                      In the context of this discussion, there is no difference between Federal and States' governments. Try to keep up.

                      What that has to do with cars is beyond me.

                      As you came to understand upon typing the next sentence below, I'm talking about tracking vehicle movement through de-facto mandatory EZ-Pass. That is, what it "has to do with cars".

                      You mean the threat of your car being tracked by EZ-Pass? The threat you can avoid BY NOT TAKING TOLL ROADS.

                      Yes, and the t

      • by sjames ( 1099 )

        You're not required to have a car (or feet) or a home, or eat. Yes, you are perfectly free to starve in the gutter if you like.

        That poor dead horse has been whipped into a chunky sauce by now. Next lame excuse please!

        • by Enry ( 630 )

          Oh please. You're comparing taking a toll road to having a house? Get real.

          • by sjames ( 1099 )

            Considering that the toll road almost inevitably relied on an exercise of eminent domain "for the public good", I would say that attaching loss of privacy to its use is quite impermissible.

            My argument was reductio ad absurdum.

            My point stands, the ability to avoid a public resource with varying degrees of discomfort, inconvenience, or harm does not and can not excuse violation of privacy or other rights. The horse is still dead.

    • by Aereus ( 1042228 )

      I don't think they really enforce the Pass matching the plates though. I've used mine with rental cars, or along with my parents on a trip, etc. and never seen an issue with them claiming any sort of violations. I think it only comes into play if you report the Pass stolen.

      • by mi ( 197448 )

        I don't think they really enforce the Pass matching the plates though.

        You are violating your contract, if you use it with another vehicle. They may come down at you if they choose to — and, them being a monopoly, you'll have no option but to pay up whatever they decide to demand (a $50 "administrative fee" for a $0.50 payment is normal). And, being a government-backed monopoly, they will hold your driver-license or car-registration hostage until you pay up.

        I think it only comes into play if you report

  • by Anonymous Coward

    CLEARLY, the fix for all these problems is a good HOSTS FILE MANAGER

    • by Anonymous Coward

      No, no, CLEARLY the fix for all of these problems is to integrate all your car's features into systemd, and ensure that all car vendors adopt systemd.

  • by Anonymous Coward

    Here I found out 2 days ago my car is dying and have been looking online at other vehicles. Granted I love computers and all, when it comes to cars I'm more of a minimalist - less shit that can break and go wrong. The last thing I want is for my CAR to get hacked!

  • ...that it came out right after the one on farmers being blocked out of their "own" equipment [slashdot.org] by hard system protections.

    Conspiracy theorists, discuss amongst yourselves...

    </ tinfoil>

  • He also asked what protections have been provided to ensure that information computers gather and often transmit wirelessly isn't used in a harmful or invasive manner."

    Same as in the tech industry - somewhere between "absolutely none" and "we intentionally use it in a harmful or invasive manner, that's our business model...and the NSA demands access too."

  • by peter303 ( 12292 ) on Monday February 09, 2015 @12:53PM (#49019021)
    DARPA has a car-hacking app. The 60 Minutes correspondent was driving a new car in an empty parking lot. The DARPA rep turned the brakes off, the accelerator off, the wipers on at various times from a Wifi enabled laptop. The driver was flustered.
  • Like many other ideas, self-driving cars seem cool, until you realize how shit like this applies to them.

    Welcome to the next generation of theft, rape, murder, and kidnapping done by cyber assailants hijacking self-driving cars.

    • Welcome to '69 Mustangs being cooler than ever.
  • ... because I'll never choose a vehicle that sends a single byte of data about itself or me to the Cloud.
  • The sad thing is, the obvious answer the car industry is going to come up with is to encrypt the canbus and use DRM to control access to the bus. This will provide a (false) sense of security, while locking out those pesky people that want to mod their vehicles and add all those cheaper after market parts like remote starts. And in the end this is a bad thing for all of us.

  • Why do we need wireless services in our cars? GPS I can understand (although I don't use it myself). Wireless? Internet? Why?

    Self driving, Internet-ready cars are a really bad idea, imho.

    I can just see some 13-year old script kiddie 'hacking' into your car and controlling it with his racing wheel. Better yet, testing his script on your car in an effort to work out the real-world bugs...

    No thanks.
  • Between this story about the need to secure on board systems against hacking, and Friday's story about the NEED to hack farm equipment....

    http://tech.slashdot.org/story... [slashdot.org]

  • Fish found to be good at swimming! News at 11!

  • The government is hacking every router, server, and computerized device in the country. Yet they will lean "for our protection" on car manufacturers and vehicle computerization. I don't believe this is nearly as much concern. You want better security? Open the sources and especially open what the government is doing to subvert and work around security measures and end them. Otherwise? STFU.

  • It has been claimed that Michael Hastings might have been assassinated by hacking his car:

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    I'm not sure whether he actually died that way, but it's theoretically possible, if you've pissed sufficiently rich and powerful people off enough, and he may have done.
