
The Shoddy State of Automotive Wireless Security

angry tapir writes "Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged. While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles, said Wenyuan Xu, a computer science assistant professor at the University of South Carolina, who was a co-lead on the study. The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington DC."
  • by http ( 589131 ) on Tuesday August 10, 2010 @04:11AM (#33201234) Homepage Journal
    FTFA:

    Xu said that while it is possible to track someone by their tire IDs, the feasibility of doing so would be quite low. "Someone would have to invest money at putting receivers at different locations," she said. Also multiple tire manufacturers have different types of sensors, requiring different receivers. Each receiver in this test cost US$1,500.

    Oh yeah, good thing RFID detectors are so freaking expensive. Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure.

  • by pongo000 ( 97357 ) on Tuesday August 10, 2010 @04:16AM (#33201252)

    ...the government is tracking you already (where I live, toll tag transponders can be seen on telephone poles miles from the toll roads). If you have OnStar (even if it's "disabled"), GM can still locate your vehicle. I suspect it's even possible to monitor a vehicle's CANBUS for unique signatures that would identify a specific vehicle. Hell, your cell phone will give you up.

    For some reason, I'm not too worried about the RFID tags on my tire valve stems.

  • Turn off the brakes (Score:2, Interesting)

    by drop table user ( 1517433 ) on Tuesday August 10, 2010 @04:36AM (#33201330)
    Why bother with the tire pressure when you can make instruments give false readings, kill a car engine remotely or turn off the brakes [bbc.co.uk]?
  • by Anachragnome ( 1008495 ) on Tuesday August 10, 2010 @04:54AM (#33201398)

    "Plus, someone covertly tracking you is going to be really upset if they can't read your tyre pressure."

    I think you fail to recognize the seriousness of the capabilities of a simple RFID system.

    Most people do not think much about the RFID chips in their tires until they realize (are told) that EVERY stoplight out there has multiple sensor grids built right into the roadbed (to sense the presence of cars and be able to control the lights accordingly). The looks on their faces usually change the moment comprehension dawns on them.

    Those very same grids can be used to detect the RFID chips in your tires. In short, any car with tires made since 2000 can be tracked by the very roadbeds they ride upon.

    Seriously. All this technology to check your TIRE PRESSURE? Who the fuck is kidding who?

    Go try and buy new tires and see how far you get when you refuse to tell the dealer your name. He (or rather, the government) wants a name associated with the tires' RFID chips, and usually asks for all sorts of additional info--for "warranty reasons". Even paying with cash, they will argue with you about not giving them a name (but usually crumble when you say you'll just shop elsewhere). Why is it SO important they have a name? So they can help you join the next class-action against a tire manufacturer?

    Media jumped all over the Firestone story, fear-mongered it into something bigger and we end up with this. Tracking tags in our cars. More security theater. Yay.

  • by Anonymous Coward on Tuesday August 10, 2010 @04:59AM (#33201420)
    Risk Management doesn't work if you don't understand all the risks (which most people don't), which is why State Correctness should be used instead, especially in this relatively small system. These sorts of security issues aren't just poor security, it's poor system development. Security and assurance of any system, whether it be from an unintentional problem or a malicious actor, should be considered an equal requirement of any well designed system.
  • by Platinumrat ( 1166135 ) on Tuesday August 10, 2010 @05:02AM (#33201440) Journal
    Typically, I find that the engineers that work in these industries (automotive/transport/white goods/manufacturing) have very little motivation to think about security. The pressure is all on building features into products. They are generally led by electrical or mechanical engineering managers, who are pushed with limited budgets and time-to-market constraints to get something out the door. So they do the most limited research on how to add widget X to the product. As engineers, they're dangerous enough to think they know how to program, when most of their experience is microcontrollers or some simple scripting. Security is something that just adds cost in most of their minds.
  • by Gordonjcp ( 186804 ) on Tuesday August 10, 2010 @05:20AM (#33201496) Homepage

    You can use the ABS sensors to detect a soft tyre. Some Volkswagens can actually have a soft tyre warning added, by a firmware update!

    Basically what you do is you measure the output of all four wheel sensors (as the ABS unit does anyway), and see if one is consistently a higher speed than the others. Soft tyre == smaller rolling radius == faster rotation for the same road speed. It won't catch if all your tyres are equally flat.
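
The wheel-speed comparison described in the comment above, as an added Python example that is not part of the thread or any vendor's firmware. The function names, the 1% threshold, the 80% consistency requirement and the sample data are assumptions constructed for illustration.

```python
from statistics import median

WHEELS = ("FL", "FR", "RL", "RR")

def soft_tyre_suspects(samples, rel_threshold=0.01, min_fraction=0.8):
    """Wheels that spin faster than the four-wheel median by more than
    rel_threshold in at least min_fraction of the moving samples."""
    hits = dict.fromkeys(WHEELS, 0)
    usable = 0
    for sample in samples:
        ref = median(sample[w] for w in WHEELS)
        if ref <= 0:                      # stationary: nothing to compare
            continue
        usable += 1
        for w in WHEELS:
            if (sample[w] - ref) / ref > rel_threshold:
                hits[w] += 1
    if usable == 0:
        return []
    return [w for w in WHEELS if hits[w] / usable >= min_fraction]

def make_samples(radii, speeds_mps, corner_idx=()):
    """Constructed test data: rotation rate (rad/s) = road speed / rolling radius."""
    out = []
    for i, v in enumerate(speeds_mps):
        s = {w: v / radii[w] for w in WHEELS}
        if i in corner_idx:               # left-hand bend: right-side wheels run faster
            s["FR"] *= 1.03
            s["RR"] *= 1.03
        out.append(s)
    return out

SPEEDS = [10.0 + i for i in range(12)]    # m/s, constructed
NOMINAL = dict.fromkeys(WHEELS, 0.300)    # rolling radius in metres, constructed
ONE_SOFT = {**NOMINAL, "FL": 0.294}       # front-left 2% smaller
ALL_SOFT = dict.fromkeys(WHEELS, 0.294)   # every tyre equally soft

if __name__ == "__main__":
    for name, radii in (("nominal", NOMINAL), ("one soft", ONE_SOFT), ("all soft", ALL_SOFT)):
        print(name, soft_tyre_suspects(make_samples(radii, SPEEDS, corner_idx={3, 7})))
```

Requiring the deviation to persist across most samples keeps a brief bend in the road from raising a warning, and the `ALL_SOFT` case returns nothing, which is the blind spot the comment points out.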

  • by marten_77 ( 590526 ) on Tuesday August 10, 2010 @05:28AM (#33201520)
    It should be pointed out that sometimes these tracking features (such as OnStar) can be used in ways that actually do not serve the interests of the government. For instance, in my jurisdiction, police recently set up a sting operation designed to catch car thieves. Undercover agents set up a storefront for purchasing stolen cars, and collected dozens of vehicles over about a half-year period. When car thieves would come in to sell the cars, they would be paid in marked bills, and the undercover agents would drive the cars into a hidden parking deck. The agents didn't want to blow their cover early, though, so they didn't immediately return the stolen cars. (After all, in their minds, catching criminals was considerably more important than returning stolen property.) They left the vast majority of the recovered vehicles in the hidden parking deck for months, without ever notifying the victims that their property had been recovered. This, of course, translated into a significant financial loss for the victims (and their insurance companies). There was one class of victims, however, who got their cars back in short order -- the ones whose vehicles were equipped with OnStar. When asked by law enforcement to keep the operation secret from the vehicle owners so as not to hinder the sting operation, OnStar flatly refused, notifying police that they would immediately provide the GPS coordinates of the missing vehicles to their customers so that the customers could begin legal actions to recover them. Faced with this problem, the undercovers immediately drove the OnStar-equipped cars out to an abandoned lot and then anonymously notified local law enforcement that they had been discovered. The cars that were not so equipped sat in the hidden deck until after the entire sting operation had concluded.
  • Relevant experience (Score:3, Interesting)

    by AlecC ( 512609 ) <aleccawley@gmail.com> on Tuesday August 10, 2010 @06:26AM (#33201752)

    A colleague recently got a call from his wife: her car dash had lit up with warning lights. After about half an hour he traced it to a single fault: an under-inflated tire, presumably reported (correctly) by one of the sensors described in TFO. One tire warning light - OK so far. But the tire warning system had talked to the ABS system, which had decided for inscrutable reasons that it wouldn't work with an underinflated tire. And that had talked to the central monitoring system, which had turned on the "Safety Critical Fault" light. And maybe a few other things. The result was, like Three Mile Island, a single underlying fault had turned into a Christmas tree of warnings that an unskilled interpreter (the wife) was terrified of and a skilled engineer (my colleague, a very good hardware engineer) took half an hour to troubleshoot.

    The point being that there is a possibility for a dangerous prank here. By fooling cars into thinking their tires are dangerously underinflated, you can give the driver a serious fright - with possibilities comic to the simple minded, but potentially dangerous if the driver is distracted or does something unexpected like braking to a sudden halt.

  • by drop table user ( 1517433 ) on Tuesday August 10, 2010 @06:50AM (#33201924)

    All of this requires physical access to the car

    That used to be true. While some hacks still require physical access [smartplanet.com], others can be executed remotely [wired.com]. Cars are getting online and the security problems go with it.

  • by Lumpy ( 12016 ) on Tuesday August 10, 2010 @08:00AM (#33202502) Homepage

    Sorry but you will not figure out how to bomb an embassy by reading the tire pressure in my front left tire. All this is nothing but FUD and fear-mongering by a researcher that is late on the scene to automotive hacking. Many of us in the automotive hacking circles have done this stuff for well over 30 years. Now suddenly just because one guy who decided to make a lot of noise about it it's a problem?

    It is not a problem, ignore this attention whore.

    You can't send a virus down the tire pressure comms channel to the ECM and cause the car to explode or disable the brakes. (Except for Toyota cars... JOKING!) and his demos with wirelessly changing the dashboard and other "hacks" are via a 3rd party wireless device he installed in the car.

    If I buy a new Windows server and install VNC without a password can I demonstrate to the world how horribly insecure the newest Windows server release is? It's the same thing. Everyone glosses over the fact that none of his hacks are possible without having the target's car for a few days and installing a lot of gear in it.

    The ONLY wireless OEM hack I have ever seen is the one where you blast MP3 files to Bluetooth devices with the codes set to 0000 or 1234.. and that was to a BMW. Unfortunately it did not allow me to take control and steer the car or control the brakes. It did allow us to play Audi adverts to the guy.

  • The A380 Runs on WEP (Score:2, Interesting)

    by static416 ( 1002522 ) on Tuesday August 10, 2010 @08:47AM (#33202916)

    Well the entire A380 doesn't run on WEP, but the entire cabin entertainment system does.

    And having been involved in other parts of the A380 design, I can tell you that data security problems were not even on the product development radar. Non-IT engineering companies view IT the same way that the rest of the world does and generally don't design against malicious uses, only accidental failures.

  • by sjames ( 1099 ) on Tuesday August 10, 2010 @12:01PM (#33205182) Homepage Journal

    That's the real problem. Until they started adding wireless, the cars were perfectly secured by simple physical means. Security on the wire was irrelevant since the wire was entirely within the car. If you could access the wire, you could just add a tracking device or cut the brake line.

    Now that they're going wireless, security in the communication is starting to actually matter but they have no experience there.
