Transportation Security

Least Secure Cars Revealed At Black Hat

Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).
  • Re:Bullshit. (Score:4, Informative)

    by viperidaenz ( 2515578 ) on Monday August 04, 2014 @08:49PM (#47603899)

    They're on the same network, which is a broadcast network.
    Everything can talk to everything else.
    A CAN bus is not a switched network. Same goes with Flexray and all other automotive networks.

  • Re:Bullshit. (Score:5, Informative)

    by Charliemopps ( 1157495 ) on Monday August 04, 2014 @09:31PM (#47604103)

    "But... the radio can always talk to the brakes" because both are on the same network.

    Bullshit.

    They might be on the same network, but that doesn't mean they can talk to each other.

    Modern cars are required by law to operate on a CAN bus which is very similar to old bus networks: http://en.wikipedia.org/wiki/B... [wikipedia.org]
    All devices send and receive on the same wire. So every device can talk to every other device on the network, all the time.
    This works as long as all devices on the network are trusted devices... but then you add bluetooth and wifi? Now you have a network of implicitly trusted devices with a giant hole in it.

    If the radio integrates media controls into the steering wheel and has song titles next to your speedometer, you're screwed. That bluetooth device has full access to the entire network. Now if it treats the bluetooth device like an audio input, and the only wires going into the "bluetooth PCB" are 12vdc, ground, and left and right outputs, then you're probably ok. But there's no way most consumers are going to know which it is.

    I personally dismantled the radio integration into my Ford's CAN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an aftermarket CPU to plug into the bus to replicate some of the radio's functions just so I could use a standard DIN mount head unit. All of this and the radio I got, that's not on the bus, has more features. Why the hell is the head unit for my stereo controlling major functionality in my car?!!?!

    What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

  • by nhtshot ( 198470 ) on Monday August 04, 2014 @09:39PM (#47604141)

    "Does nobody do signing or encryption of signals to control systems"

    VW/Audi does. The newest generation use 2048bit RSA signatures for everything. The previous generation used 1024, which is still pretty much unfactorable for a reasonable price.

    But, they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512bit signature on the "oh crap we've been in an accident" message?

    Same thing with ABS.

    The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each device holds a hashed/signed copy of the serial numbers of the other 2 and the VIN. If the 3 don't all agree, the car won't start.

    There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.
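
The three-way agreement check described in the comment above, as an added sketch that is not part of the original post and is not VW/Audi code. HMAC-SHA256 stands in for the RSA signatures the comment mentions (the Python standard library has no RSA), and the key, VIN and serial numbers are constructed values.

```python
import hashlib
import hmac

OEM_KEY = b"constructed-demo-key"  # placeholder for the manufacturer's secret


def binding(vin, peer_serials):
    """Tag over the VIN and the two peer serials (order-independent)."""
    msg = "|".join([vin] + sorted(peer_serials)).encode()
    return hmac.new(OEM_KEY, msg, hashlib.sha256).digest()


class Component:
    def __init__(self, role, serial):
        self.role, self.serial, self.stored = role, serial, None

    def pair(self, vin, peers):
        """Provisioning: record the VIN and the two peers."""
        self.stored = binding(vin, [p.serial for p in peers])

    def accepts(self, vin, peers):
        """Start-up: do the peers present match what was recorded?"""
        if self.stored is None:
            return False
        presented = binding(vin, [p.serial for p in peers])
        return hmac.compare_digest(self.stored, presented)


def rejecting(vin, parts):
    """Roles of the components that refuse the presented set."""
    return sorted(p.role for p in parts
                  if not p.accepts(vin, [q for q in parts if q is not p]))


def can_start(vin, parts):
    """The car starts only if all three components accept the other two."""
    return len(parts) == 3 and not rejecting(vin, parts)


if __name__ == "__main__":
    vin = "VIN-CONSTRUCTED-0001"  # constructed sample values throughout
    cluster, ecu, key = (Component("cluster", "C-1001"),
                         Component("ecu", "E-2002"), Component("key", "K-3003"))
    for part in (cluster, ecu, key):
        part.pair(vin, [p for p in (cluster, ecu, key) if p is not part])
    print(can_start(vin, [cluster, ecu, key]))
    donor = Component("ecu", "E-9999")
    donor.pair(vin, [cluster, key])  # the new part alone is re-paired
    print(can_start(vin, [cluster, donor, key]), rejecting(vin, [cluster, donor, key]))
```

Re-pairing only the replacement part is not enough: the two original components still hold a binding to the old serial and both refuse to start.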

  • Re:Bullshit. (Score:5, Informative)

    by TubeSteak ( 669689 ) on Monday August 04, 2014 @10:03PM (#47604267) Journal

    What's worse, in the newest cars as of next year... devices will be registered by MAC address to the car's computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the MAC addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

    Automakers agree to 'right to repair' deal
    http://www.autonews.com/article/20140125/RETAIL05/301279936/automakers-agree-to-right-to-repair-deal [autonews.com]
    January 25, 2014

    Last week, two trade groups representing automakers -- the Alliance of Automobile Manufacturers and the Association of Global Automakers -- announced an agreement with independent garages and retailers to make Massachusetts' law a national standard.

    [...]

    Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year, as the Massachusetts law requires. In return, lobbying groups for repair shops and parts retailers would refrain from pursuing state-by-state legislation.

    You couldn't be more wrong.

  • Re:Bullshit. (Score:5, Informative)

    by viperidaenz ( 2515578 ) on Monday August 04, 2014 @11:48PM (#47604623)

    Everything was fine until OnStar...
    With OTA updates and the rest of the systems in the car using the CAN bus for diagnostic messages and reprogramming, you've got problems.

    I haven't RTFA but I would assume the Honda Accord isn't as 'hackable' because they use a separate K-Line bus for diagnostics instead of doing it over the CAN bus. Other than that, every single system in the Accord is connected in some way. The audio bus connects the radio to the aircon unit. The aircon unit is also connected to the body CAN bus (you'd need to reprogram it to make a bridge though). The gauge cluster connects to both the body CAN and the powertrain CAN bus. The ECU, ABS, Traction Control, Air bags, etc are all on the powertrain bus.

    If you took control of the powertrain bus, you could speed the car off down the street (thanks drive-by-wire), lock up the wheels on one side of the car and spin it sideways into a wall (traction control), while setting off the side airbags on the wrong side of the car to increase the impact the occupants receive (not sure if the airbags can be triggered from the CAN though, I doubt it. Can probably disable them though)...
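
The kind of architecture review the summary says the researchers did from network information alone, applied to the bus layout described in the comment above. This is an added example, not part of the original thread: it counts how many intermediate units would have to relay traffic between the radio and each powertrain unit. Node and bus labels, the flat contrast layout and the `hardened` gateway parameter are assumptions of the example.

```python
from collections import deque

# Segmented layout as the comment describes it for the Accord; the node and
# bus labels are names chosen for this example.
SEGMENTED = {
    "audio_bus": {"radio", "aircon"},
    "body_can": {"aircon", "gauge_cluster"},
    "powertrain_can": {"gauge_cluster", "ecu", "abs", "traction_control", "airbags"},
}
# Constructed contrast case: everything on one broadcast bus.
FLAT = {"can": {"radio", "gauge_cluster", "ecu", "abs", "traction_control", "airbags"}}


def neighbours(buses, node):
    """Nodes that share at least one broadcast bus with `node`."""
    seen = set()
    for members in buses.values():
        if node in members:
            seen |= members
    return sorted(seen - {node})


def pivot_chain(buses, entry, target, hardened=frozenset()):
    """Return the intermediate nodes that would have to relay traffic for
    `entry` to reach `target`, or None if no path exists.

    An empty list means both sit on the same bus. Nodes in `hardened` are
    assumed unable to relay (for example a filtering gateway).
    """
    queue = deque([[entry]])
    visited = {entry}
    while queue:
        path = queue.popleft()
        for nxt in neighbours(buses, path[-1]):
            if nxt == target:
                return path[1:]
            if nxt in visited or nxt in hardened:
                continue
            visited.add(nxt)
            queue.append(path + [nxt])
    return None


def exposure(buses, entry, targets, hardened=frozenset()):
    """Map each target to its pivot chain from `entry`."""
    return {t: pivot_chain(buses, entry, t, hardened) for t in sorted(targets)}


if __name__ == "__main__":
    critical = {"ecu", "abs", "traction_control", "airbags"}
    for name, layout in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, exposure(layout, "radio", critical))
    print("gateway", exposure(SEGMENTED, "radio", critical, {"gauge_cluster"}))
```

An empty chain is the "radio can always talk to the brakes" case; a longer chain lists the units whose firmware integrity the isolation depends on, and `None` means the layout offers no path at all.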
