Transportation Security

In Letter To 20 Automakers, Senator Demands Answers On Cybersecurity

Posted by Soulskill
from the no-mr.-bond,-i-expect-you-to-die dept.
chicksdaddy writes "Cyber attacks on 'connected vehicles' are still in the proof of concept stage. But those proofs of concept are close enough to the real thing to prompt an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 major auto manufacturers (PDF) asking for information about consumer privacy protections and safeguards against cyber attacks in their vehicles. Markey's letter, dated December 2, cites recent reports of 'commands...sent through a car's computer system that could cause it to suddenly accelerate, turn or kill the breaks,' and references research conducted by Charlie Miller and Chris Valasek (PDF) on the Toyota Prius and Ford Escape. 'Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) ... Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another,' Markey wrote. Among the questions Markey wants answers to: What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points? What are automakers' methods for testing for vulnerabilities in technologies it deploys — including third party technologies? Markey asks specifically about tire pressure monitors, Bluetooth and other wireless technologies and GPS (like OnStar). What third party penetration testing is conducted on vehicles (and any results)? What intrusion detection features exist for critical components like controller area network (CAN) buses on connected vehicles?"

  • Grumpy? (Score:3, Funny)

    by bob_super (3391281) on Wednesday December 04, 2013 @07:19PM (#45602755)

    There, get your ... campaign contribution... and stop asking questions.
    Just trust us, we know how to build cars and we know how to keep them safe. We're Totally and Extremely Professional and Competent Organizations, you can trust us with stuff that goes boom.

    • Re: (Score:3, Informative)

      by iiiears (987462)

      Have you read what researchers have written about the firmware for phones, your television, your router?

      A little poking around Blackhat Convention videos, Bruce Schneier posts and OpenWRT. You bet your life it's well worth a few minutes of your time and a letter of support.

        Industry Average: "about 15 - 50 errors per 1000 lines of delivered code." Source: www.forbes.com

       

      • I know this is a scary issue that needs to be properly addressed before I can't buy a dummy car anymore (I'm currently 100% immune to remote hacking).

        I also realize that the senator has an election to win in 11 months.

        • I know this is a scary issue that needs to be properly addressed before I can't buy a dummy car anymore (I'm currently 100% immune to remote hacking).

          I also realize that the senator has an election to win in 11 months.

          My vehicles are in the same category as yours. When I get that '72 Charger back on the road it might have some fancy stuff throughout the vehicle, but it will not have any go/stop systems that need to phone home for anything. Hopefully the government will stay out of my life enough to keep it that way too.

        • by Mspangler (770054)

          I feel your pain. I bought a second-hand truck with On-Star. They were really eager to turn it on for the three month free trial. Then I read the Terms of Service. It was of the type "All possible liabilities shall accrue to you, and any possible benefits shall accrue to us."

          It took longer to find the box than it took to pull every connector off of it. Now the terms of service are "You leave me alone and I'll leave you alone." Much more acceptable. Still too much gadgetry on the truck, but at least the remot

          • Most car manufacturers dimension their batteries such, that a car parked with a full battery should be able to start after 2 months under normal circumstances. If your car only lasts ten days, either your battery or charging circuit isn't working properly, or you indeed have devices in the car that consume too much electricity in standby mode. If your radio is the culprit, it really needs to be replaced. Fortunately, car stereos follow an industry standard form factor and plugs, so replacing that should be

          • by AmiMoJo (196126) *

            Chances are the On-Star box did more than just contact On-Star. Probably controlled power management for the radio, and allowed remote locking of the vehicle. Since you pulled all the wires out the signals that control those features are now just floating (not connected to anything, subject to any EM interference that comes along) and so appear to randomly malfunction or simply not work at all.

          • by mcgrew (92797) *

            The truck also randomly locks its own doors for no reason

            My 2002 Chrysler does that, but it's by design -- when the car reaches 15 mph, the doors lock. However, unlike yours, I can easily unlock them.

            I know for a fact I couldn't leave mine for a month, the blinking LED on the dash to show that the alarm is armed alone would drag it down (never mind the actual alarm circuits).

        • by drfreak (303147)

          (I'm currently 100% immune to remote hacking)

          100% Immune, eh? Mind that air-gap!

          • No audio input either.
            I've got the least technology available in any car made in the US after 2010.
            Unless you somehow find it a worthwhile challenge to try to reprogram the injection or the gauges by tapping rhythmically on the hood, go and play with my neighbors' easy targets instead.

            • Out of curiosity, does anyone know how much microwave radiation you have to submit a modern car to before the ECU craps out? I know S-band radar, which is basically what microwave ovens use, can disable an ECU. There are law enforcement agencies using such devices. But I haven't seen any numbers on the mW/cm^2 needed. I do know that brief pulses of 10 mW/cm^2 is the human safety limit for ovens, so it's probably in that ballpark.

              So I'm thinking, with a $50 oven magnetron at 1100 W and a parabolic reflect
    • i see what you did there, sneakypants.
  • Stupid Senator (Score:3, Interesting)

    by Ultra64 (318705) on Wednesday December 04, 2013 @07:19PM (#45602759)

    If you don't know the difference between "breaks" and "brakes", will you really understand the answers to your questions?

    • Re:Stupid Senator (Score:5, Insightful)

      by hey! (33014) on Wednesday December 04, 2013 @10:14PM (#45604153) Homepage Journal

      Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

      My hat's off to you. You, sir, are obviously a genius.

      • Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

        If either the pol or one of his staff is semi-literate, why should anyone take him seriously?

        • Re:Stupid Senator (Score:5, Interesting)

          by hey! (33014) on Wednesday December 04, 2013 @10:39PM (#45604341) Homepage Journal

          Ah yes, the culture of "zing". It's much more important to catch a politician (or more likely, one of his staff) in a typo than to pay attention to the substance of what he's written.

          If either the pol or one of his staff is semi-literate, why should anyone take him seriously?

          Well, that's begging the question. We don't *know* that Senator Markey or anyone on his staff are illiterate; we only know that they aren't as careful with proofreading as they could be.

          That said, I'll attempt to answer your question: because he (or his staff) is raising a serious, important point. That's not enough for you to listen to him? It's not enough that he served thirty years on the House Committee on Communications and Technology either? He (and his staff and the secretarial pool in his office) have to be *infallible* in matters of proofreading before you'll listen?

    • by slick7 (1703596)

      If you don't know the difference between "breaks" and "brakes", will you really understand the answers to your questions?

      American tax dollars at work. Shouldn't these bought dogs be looking to balance the budget? I'm sure with all the busy schedules for re-election, trying to make sense of what these bastards are doing to the American people becomes secondary.
      These CONgressMEN can only think of eliminating term limits for the presidency. A time will come when someone thinks up a way to eliminate all of THEM once and for all. I on the other hand would rather watch the new Doctor Who, where more reality is evident than what's s

    • If you don't know the difference between "breaks" and "brakes", will you really understand the answers to your questions?

      Why not? Typos, missed auto-corrects, or brain-farts aren't a reflection of one's intelligence. I'm sure the senator knows how a car stops, despite his spelling mistake.

  • After all, there are factions within government and if one doesn't agree with another, you may find yourself the victim of an unfortunate accident. Only a tiny minority of government gets the secret service and paramilitary police protecting them you know.

    Perhaps we are seeing some government players waking up to the reality that even THEY have good reason to fear the government they are participating in.

  • Awesome (Score:4, Insightful)

    by onyxruby (118189) <onyxrubyNO@SPAMcomcast.net> on Wednesday December 04, 2013 @07:22PM (#45602791)

    Our do-nothing Congress is finally doing something useful. These are the kinds of questions we should be asking before problems start to occur and while there are chances to try to introduce standards. It's like the Toyota sudden acceleration thing, everyone assumed it was careless people until someone did a proper audit and discovered a complete lack of industry best practices that everyone assumed had been in place.

  • by alvinrod (889928) on Wednesday December 04, 2013 @07:24PM (#45602811)
    I'd tell him to pound sand until he can provide some answers about privacy protections and safeguards preventing the government from illegally spying on its citizens.
  • To prove their earnestness about cyber security.
  • Why not pass the buck and make the users pay for the dealer to do the updates and lock out DIY'er and 3rd party shops.

  • by Anonymous Coward

    Sir, our vehicles are just as secure as healthcare.gov.

  • Just lie. There are no repercussions.
  • ...showed as much interest in the security of Healthcare.gov, we might actually get somewhere. But of course, why worry about the security of a Big Government project, when you have some evil corporations to kick around.
  • by acoustix (123925) on Wednesday December 04, 2013 @08:21PM (#45603381) Homepage

    Stop calling everything computer related "cyber".

    • by Virtucon (127420)

      we shall now call it 'e' or 'i'. Wait, we've used those vowels. I suggest "y"

      yAttack..

      yDoit

      I like it.

  • I suspect - just like most industries providing consumer goods - the automotive engineers knew about and pointed out the potential of such vulnerabilities, only to be ignored by their PHBs and their R&D budgets for said issues zeroed-out by the true bosses: Bean Counters.
  • let's see.. According to Forbes... [forbes.com] In order of sales here's the largest 11 in the world.

    VW
    Toyota
    Daimler
    Ford
    BMW
    GM
    Nissan
    Honda
    Hyundai
    SAIC (Chinese)

    The top 10 up there represent the major manufacturers that sell cars in the US other than Tesla and Fisker is about dead anyway [delawareonline.com].. SAIC doesn't sell anything in the US, so really what's the other 8 on his list? Some guy in a garage building kit cars?

    • That list omits a few more or less independent automakers. For US market examples, where are Mazda, Subaru, Mitsubishi, Suzuki and Chrysler?

      • by Virtucon (127420)

        Chrysler is now Fiat so they're not independent but I agree that the others aren't listed but again, that list was the top 10 worldwide. I'm thinking the good senator probably didn't realize that Chrysler and Fiat are one and the same (thanks to the current administration) and that Hyundai also owns Kia for example. I imagine there's a lot of duplication in his list. Having worked in software in automotive electronics for a short time awhile back (MSFT AutoPC... don't ask..) I can tell you that vulnerabil

  • Among the questions Markey wants answers to: What percentage of cars sold in model years 2013 and 2014 do not have any wireless entry points?

    Zero, all cars have wireless entry points. They are called windows, doors and vents and probably a few others.
