Don't Hack My Ride, Bro ! . . . (Too Much Technology ?)

Could your new car be remotely taken over by hacker pirates ?



I read this recent article and wondered if we’re ready for some of this sophisticated complication that’s being built into cars.



Detroit Free Press - John Markoff / New York Times article link:

http://www…-be-hacked



Do you want manufacturers putting this cellular and Bluetooth wireless technology in your new ride ?



Is this going to raise insurance rates and cause law enforcement headaches ?



CSA

I don’t know about the other brands, but if you buy a GM car or truck, it will have OnStar. I use the service in both my wife’s van and my daughter’s Cobalt. It seems to me that taking over the car while it’s moving could be denied with proper software programs. I like the idea of locating and opening the doors in case of problems. Will it insurance go up? Not yet. We’ll see if such remote controls lead to more thefts in the future. And it won’t be a casual thief. Someone will need the equipment and training to do it.

When something like that happens in the real world, I will be concerned. Besides, I can still buy a car that doesn’t come with Bluetooth, or turn it off if I don’t use it. Does your GPS have an “off” switch?

It has NOTHING to do with too much technology…It has EVERYTHING to do with the manufacturers not taking the time and money to make it secure. It’s NOT that difficult to make 100% secure. I work with SECURE Bluetooth wireless technology. It can be made secure…it’s just a matter of the manufacturers doing it.

Most manufacturers don’t consider it a threat until it happens. When it happens on a regular basis and threatened to be sued…then and only then will they even begin to think about it.

Nothing, especially in the digital world, is 100% secure. If it’s a target that’s desireable, then the minute you deploy your new WonderSecurityProtocol, there’s a team of very bright crackers hard at work figuring out how to get around it. This is why the Pentagon, which has arguably some of the best security in the world, gets penetrated from time to time.

The thing is, as Whitey alluded to, cars aren’t overly desirable targets. There are a lot of ways to steal a car that are much easier than hacking it, especially since I’m unaware to date of any cars where the CD player is hooked into the door locks. (the latest car hacking method is to include malicious code in an MP3 on a CD).

If I were a professional car thief, I wouldn’t be hiring a computer hacker to help me steal cars. I’d keep using the same tow truck I’d been using for decades.

About the only person who might have an interest in hacking your car would be a crooked mechanic who might, depending on the system, be able to make your check engine light illuminate and therefore hopefully gain some business to “diagnose” it. It’s almost inevitable that he’d eventually be caught.

Can everything be hacked…sure…But NOT EASILY…in fact it could take YEARS to hack some of the systems I’ve worked on and helped design…even with the fastest super computer ever made.

This is why the Pentagon, which has arguably some of the best security in the world, gets penetrated from time to time.

They get penetrated because they’re NOT secure OR because they have an inside position. Every single security breach into secure systems in the US have been because of security standards were NOT adhered to.

Now there’s a HUGE difference between one large cluster with hundreds if not thousands of computers and entry points…as opposed to one system. It’s much easier to secure just ONE system then it is a large cluster.

Can it be done YES???..Can it be done in a reasonable amount of time that would make it worth the effort???..NO.

There’s a case right now that’s being brought to the Supreme Court because the police want to gain access to a mans encrypted PC because he is suspected of having Child Pornography on it. The police…FBI…and even the CIA have been trying to break into this guys PC for a couple of years…All the files are encrypted and no one has been able crack this simple PC using the most sophisticated hacking techniques. They courts want to force the man to tell them his 64-bit encryption key…that’s a total of 18,446,744,073,709,551,615 possible combination’s. Contrary to what you see on TV…breaking a 32-bit encryption key (let alone a 64-bit encryption key) can NOT be done in 5 minutes.

The very nature of MP3 codecs means that all you have to do to breach most security walls is put a CD in the player. That’s fairly irrelevant to PCs because they have firewalls and antivirus software, but cars do not.

Nothing you worked on with bluetooth would help, since this method of attack bypasses bluetooth. The trouble with cars that makes them inherently easier to hack than the systems you speak of is that they are, quite reasonably, not hardened against digital attacks. Why would they be? As I said, who is going to want to hack your car. Just because a thing can be done does not mean anyone will jump at the chance to do it. After all, it is possible to swim in a manure lagoon. Dunno about you, but I’m not going to be first in line for that either.

Rather than hacking the car, a thief is going to just steal it. And a crooked mechanic is just going to make crap up like they’ve been doing for over a century. Hacking even a completely un-defended car is more effort than it’s worth.

Now, to address your specific points, let’s say that we secure the car. The first line of defense is to be sure that whoever is inserting that CD is the actual owner of the car, and so we’re going to need a password. I don’t know about you, but I find it highly annoying just having to hit “OK” every time I start the car in response to my nav system’s “don’t stare at this while you’re driving” splash screen. If it demanded a password (secure, of course, which means a combination of l3ttErs, numb3rS and cAsE) I’d be pretty mad.

The second line is to install a firewall and an antivirus. These of course need to be updated, which means we have to have a reliable way to transmit data to the car. Acura already does this for other services, so you’d probably just use that same satellite link. Of course, now you have to be sure that Snidely Whiplash isn’t going to send a false signal to “update” the car with his nefarious hacker code, and so you need to implement security protocols on that channel as well.

In short, you have to expend an awful lot of effort securing a system against something that probably is never going to happen.

Regarding your child porn example - Assuming some weirdo decides to hack a car, it’s going to be to mess with the car’s function in some way. It won’t be to collect data from the car. Since cars use various sensors, to determine how to make the car function, the hacker is going to send spurious signals to the ECU. He’s not going to try and crack into existing files. So unless you’re willing to make the car cost thousands more by hardening all the sensors and all possible data inputs, protecting the files with an encryption key is going to do precisely nothing.

This follows along the lines of my TPMS hacking story where if the manufacture followed simple protocols in data transmission the hacking would be praticaly impossible, all the public is asking for is the manufacture to implement the same protocols that are used on the internet,in the automobile. This is the conclusion that the Rutger University study that looked at the same problem came to. The technology already exists to making this potential hacking,whether it would be the way a thief would choose to do his work or not, praticaly impossible. The idea that you should view any system you come in contact with as being potentialy hacked came up in security class. The instructor wanted students to send phish type emails out on the school email system seeing who would respond and attempt to give up their password and username. I objected to this test and presented the idea that I wanted students to believe that any email they got on the school system (like an emergency, "we have a situation"type) as genuine and not to first analyze them as being a potential hack. I presented that the test could be done without making it appear the schools email(and emergency notification system)had been hacked as I felt this presented a dangerous degradition in the faith students should have in messages they recieve via the schools email system.Students should look at emails asking them to either give up or change their password (the school does send you an email every two years asking you to change your password though)with a bit of caution, but emergengy emails come on the same syatem so I say “no phishing on the school system even if it is a test”? The instructor won, the phish type emails were sent,the help desk was flooded,a lot of people’s time was wasted as the help desk was not notified the test would be made. I feel this test was completely irresponsible.

I read a story on how an idea that a world event that involved the US military was at least taking place. The “recon” people noticed the level of pizzas delivered to the Pentagon when all was well in the world. They then made a comparison to the level of pizzas that were delivered to the Pentagon before an event involving the US military was announced,the number of pizzas delivered went way up before the event was announced. The result was all pizzas were to be made in house to the Pentagon. At times your information gathering technique does not have to be so technical or so exact, you only need a hint that an event is taking place to make it so you put out more “feelers” to get the story maybe an hour before some other news agengy.

Should it be allowed to use torture to make the man give up the key to the PC that may contain child porn? perhaps it is a picture of your child? believe me when I say some would tourture the man to give up the key.

shadowfax,you need to address your complaints about the reports on this circumstance (as they are getting more and more coverage in the press) to the people creating the story,not to the people relating the story to the forum. It is not at all irresponsible of myself,csa,Mike, to bring these reports to the forum. You seem to be the odd man out in regards to just what this vulnerability could mean,and the people that disagree with you are not simple laymen in the field.

The very nature of MP3 codecs means that all you have to do to breach most security walls is put a CD in the player. That’s fairly irrelevant to PCs because they have firewalls and antivirus software, but cars do not.

I agree 100%…But that doesn’t mean they CAN’T put firewalls in place. I can be done. Right now no ones really tried to hack these systems…the work/reward isn’t worth it. But it CAN be made secure.

It can, but as noted above, if you make a car 99% secure (since you cannot make anything 100% secure) it’s going to add a lot to the cost of the car. People aren’t going to want to pay an extra 5-10 grand for a car just so that there’s a firewall and secured checks between the sensors and the ECU.

Oldschool, I don’t know that I’ve ever called any of you who have discussed this issue on the forum irresponsible, and if I did, I certainly apologize, as I don’t think discussion of anything is by nature irresponsible.

As to what the vulnerability could mean, I stand by what I’ve said all along: Any goals of a car hacker can be more easily met via conventional means. If they want to steal the car, they can do that a lot easier with a flat bed or even a car dolly, or by forcing you out of it at gunpoint. If they’re a crooked mechanic and want to futz with the data the ECU gets so that you’ll pay them a lot of money for unnecessary repairs, they can just drop metal shavings into the transmission pan like crooks have been doing since before any of us were born.

The point that I’ve been trying to make is not that cars cannot be hacked. They can. The point I’ve been trying to make is that no one is going to do it except for IT guys at universities who do it to see if they can.

Oh, and as for who to address my complaints to - this is a discussion forum. If you bring up a topic that I want to contribute to, I will do so. If I wrote an angry letter to every journalist who sensationalized an issue, I’d never stop writing.

When I brought up this story some months ago all the “get the tin foils hat” comments came out. A good bit of a stir (like saying my source was bunk) now the story re-appears and quite a different reaction. The reaction seems to be very dependant on who brings the info, no so good a comment on our overall objectivity.

I believe I have been consistent with my responses.

I can think of several situations that never have happened and we are still concerned about them.

If Dad can start his Buick from London for his daughter with an I-Pod app, how hard would it be for someone to start it without a code? BTW, that’s a real question, not rhetoric. The situation is the subject of a new Buick commercial I saw on TV this evening.

Yes, I remember that conversation. I wasn’t the one making the tinfoil hat comments. I was saying the same thing I said in this thread - Sure, it can be done, but it won’t be.

BTW, your thread was somewhat different from this one, as it only addressed using TPMS to hack the car - -an even more unlikely scenario than using a malicious mp3 to hack the car since you’d have to deal with the range issue. :wink:

I wonder what is driving these “hack your car” type articles. Is it just a group of writers that are searching for a new subject to write about or an Editor that really thinks that this is important stuff? I guess if you can write a story that has an “invasion of privacy” coupled with a “there is no way to stop them” theme it will sell magazines or newspapers. I will say I am seeing more and more of similar (but as you say not exact) articles. I can think of 3 in the last 4 months on this subject.It is not like people are throwing just anything out there hoping something will stick. The Rutgers study looked like a very disciplined, well thought out piece of research.I have not checked but I would not bet against finding something similar to the TPMS or the Mp3 hack covered in Popular Science or Popular Mechanics recently.

From MIT’s Technology Review:

http://www.technologyreview.com/computing/25339/

http://www.technologyreview.com/communications/25962/

I was ready to back off on this one but now it is MIT doing the study. It appears this issue is not going to be talked away.

if you make a car 99% secure (since you cannot make anything 100% secure) it’s going to add a lot to the cost of the car.

My group designs secure systems all the time…It’s NOT that difficult to do. Cost would be minimal.