Least Secure Cars Revealed At Black Hat
Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to researchers Charlie Miller and Chris Valasek. Miller and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).
Bullshit. (Score:3, Insightful)
Bullshit.
They might be on the same network, but that doesn't mean they can talk to each other.
You're in a maze of twisty articles, all alike... (Score:3, Insightful)
We've been here before. Two days ago. [slashdot.org]
Re:Bullshit. (Score:2, Insightful)
Maybe they can't by design. But in a "radio" I worked on you could spoof CAN and we used that to test our software. Radio acted as if it were a few other devices. To their credit, brakes and the like were on a physically separate network, though.
I have also never met any sort of security concerns regarding internal data processing and communication protocols. Most internal protocols and implementations I've seen trust the sender 100%.
I once attended a meeting discussing navigation map data. They weren't the least concerned when the vendor told them their application (which runs as root, because...) would crash when given bad data, but it's okay because they check the self-reported SD serial number. Even if you don't care about your customer, opening up access to Bluetooth, Wi-Fi, cellular networks, video recording and the like could cost you a few lawsuits.
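The comment above describes CAN nodes that trust any sender, with brakes kept on a separate network. As an added example (not part of the thread and not any vendor's code), here is a default-deny check a gateway could apply to frames crossing from an infotainment segment to a chassis segment; the IDs, lengths and rate limits are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic CAN frame: there is no sender field, only an arbitration ID,
 * so a receiver cannot tell which node actually transmitted it. */
struct can_frame_min { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* One allowlist entry for traffic allowed to cross the gateway. */
struct gw_rule {
    uint32_t id;          /* 11-bit arbitration ID */
    uint8_t  dlc;         /* exact payload length expected */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* time of last forwarded frame */
    bool     seen;
};

/* Constructed rules; these IDs do not come from any real vehicle. */
static struct gw_rule rules[] = {
    { 0x3A0, 2, 100, 0, false },
    { 0x3A1, 8, 500, 0, false },
};

enum gw_verdict { GW_FORWARD, GW_DROP_ID, GW_DROP_LEN, GW_DROP_RATE };

/* Decide whether a frame from the infotainment side may be forwarded. */
enum gw_verdict gw_check(const struct can_frame_min *f, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct gw_rule *r = &rules[i];
        if (r->id != f->id) continue;
        if (f->dlc != r->dlc) return GW_DROP_LEN;
        /* Unsigned subtraction stays correct across timer wraparound. */
        if (r->seen && now_ms - r->last_ms < r->min_gap_ms) return GW_DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return GW_FORWARD;
    }
    return GW_DROP_ID;  /* default deny: unknown IDs never cross */
}

int main(void)
{
    struct can_frame_min ok = { 0x3A0, 2, { 0x01, 0x10 } };
    struct can_frame_min other = { 0x0C0, 8, { 0 } };  /* constructed, not allowlisted */
    printf("allowlisted: %d\n", gw_check(&ok, 1000));
    printf("too soon:    %d\n", gw_check(&ok, 1050));
    printf("unknown id:  %d\n", gw_check(&other, 1060));
    return 0;
}
```

A filter like this limits what a compromised head unit can inject into the other segment, but it does not authenticate the frames it forwards.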
Re:Bullshit. (Score:5, Insightful)
Yup. Are the brakes actually controllable via CAN though?
Old school brakes, like you'd find in a mid-70's muscle car? Nope.
Modern anti-lock brakes, that depend on computer control? You bet your ass they can be fucked with through the onboard computer.
I'm an old-school geek. I've been fascinated and excited by technology for over 40 years now. But in the last half decade, I've been noticing that we're growing way, WAY too fast. We're implementing things and putting them out in the real world as soon as we "can do it". We're not waiting until "we can do it safely".
It's consumer culture gone wild.