The World's Most Hackable Cars

ancientribe writes: If you're wondering whether the most tech-loaded vehicles are also the most vulnerable to hackers, there is now research that shows it. Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of security intelligence at IOActive, studied modern auto models and concluded that the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade are the most likely to get hacked. The key is whether their networked features that can communicate outside the vehicle are on the same network as the car's automated physical functions. They also name the least-hackable cars, and will share the details of their new findings next week at Black Hat USA in Las Vegas.

Results versus extrapolation

[TWX]

Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact. At the moment the Cherokee, Q50, and then new-model Escalade aren't in much demand for parts, and given that none of them are massively-high-volume sellers it's unlikely that theft-for-parts will ever be a big deal with these models.

The most stolen vehicles are the Honda Accord, Honda Civic, Toyota Corolla, and the full-sized trucks from American manufacturers. All high-volume, all in-demand for stock parts.

Re: Results versus extrapolation

[Anonymous Coward]

Don't know where you get your facts but in CA Escalades are one of the most stolen vehicles... I know people that stop owning them just because of this...

Re:

[augahyde]

Don't know where you get your facts, but you might want to check out the California Highway Patrol [ca.gov]'s website. In the trucks section of the report, it comes in at #35 with 137 stolen in 2013. Compared to Honda Civics and Accords with ~20,000 thefts, that's nothing.

Re:

[TWX]

I wish that they'd break-down their theft reports based on the platform generation of a vehicle, rather than based on model year, given that interchange usually is smooth between same-platform models across several years. A '94 Integra and an '01 Integra should be lumped-in together, and an '02 Dodge Ram should be lumped in with an '08.

Re:

[augahyde]

I wish that they'd break-down their theft reports based on the platform generation of a vehicle, rather than based on model year, given that interchange usually is smooth between same-platform models across several years. A '94 Integra and an '01 Integra should be lumped-in together, and an '02 Dodge Ram should be lumped in with an '08.

You're absolutely right about that. Though people would then want the generational differences annotated. And others would nitpick about what's a significant change. Eh, you can't please 'em all.

Re:

[drinkypoo]

Given that this is something that can be tested, I'd like to see real-world results before jumping to too much conclusion. Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact.

Auto theft is big business. It's often carried out literally, with a car carrier. As such, the hackability of the car is less interesting than you might imagine. They're going to pick up the car and take it away anyay, so that they can pick it apart at their leisure.

Re:

[mpe]

Auto theft is primarily driven by economics, the demand for parts, rather than a desire to have the vehicle intact.

It's possible for a vehicle to be worth more as parts than as a complete vehicle. As well as being less tracable in that form.
Keeping a vehicle largely intact would probably require it to be given the identity of a scrapped one. So that would also tend to make popular models more likely to be stolen.

Re: Results versus extrapolation

[James Buchanan]

Personally, I'm interested. But like hacking, their are two colors of hats, just like the the possibilities of a car remotely controlled to hurt/kill someone. And so I still wonder why? And where I live the reason someone steals a car, is to go somewhere. They,the crook left them unharmed, he needed a ride. The next was insurance to get a next better ride.

These are not HACKABLE, these are INSECURE

[coder111]

Slashdot of all places should know the difference.

Hackable- I can install Debian on it and tweak the engine to play mp3s.

Insecure- Some asshat will ruin your day because the vendor doesn't provide timely patches, or the patches they provide make things worse so you cannot install them, or there is no way to patch things at all, or it's so tedious nobody does it.

--Coder

Re:

[Zero__Kelvin]

Not exactly. If I take advantage of a security hole to add functionality, such as rooting my phone to install a custom ROM, I have hacked it, not cracked it.

Re:

[drinkypoo]

Not exactly. If I take advantage of a security hole to add functionality, such as rooting my phone to install a custom ROM, I have hacked it, not cracked it.

Someone else cracked it, so that you could hack it.

Re:

[Zero__Kelvin]

You don't know what cracking means.

Re:These are not HACKABLE, these are INSECURE

[TWX]

We get that you're still upset that the media has managed to take the term "hacker" and turn it into a pejorative, but I don't think that you're ever going to get it back. Probably time to just let it go move on.

How's educating those new Usenet users since September 1993 going?

Re:

[Anonymous Coward]

Doctors don't call plasma "blood" just because it's a common mislabeling.

We are no more beholden to common misuse of terms by laypersons.

Re:

[TWX]

I would expect people with highly advanced degrees in a special discipline to have specific terms for very specific things that they use correctly.

I don't expect a community slang term to necessarily be used correctly, if the nature of the evolution of slang even allows for a hard and fast definition.

Re:

[mpe]

Doctors don't call plasma "blood" just because it's a common mislabeling.

On the other hand plenty appear quite happy to call lipoproteins "cholesterol". Which is more or less exactly the same kind of mislabeling.

Re:

[Anonymous Coward]

Indeed man. Reading the title I thought this was about cars that have the best potential for modding.

Re:These are not HACKABLE, these are INSECURE

[Dutch Gun]

I saw the article headline and immediately thought "Cool! Someone figured out how to do neat things with the hardware in the car?" I thought maybe even the car companies were cool enough to enable truly extensible functionality with their entertainment systems or whatnot (wouldn't that be something?). However, in this case, "insecure" wouldn't have been enough, since that would probably refer to their physical security.

I'm not naive - the masses will never use the admittedly ridiculous term "crackers" rather than "hackers" - it just doesn't have the same ring to it. Personally, I love applying the term "script kiddies" to anyone who does harm, even if it doesn't technically apply, since it's rather demeaning. Anyhow, that battle has long since been over. But Slashdot is not a site for the masses. I thought at least "hacking" here was still a term mostly used for clever if sometimes unofficially unauthorized use of one's own hardware in interesting ways. You know, hacking a videogame's cameras or input devices, for instance...

We're getting old, aren't we? Sigh...

Re:

[xded]

I guess we will have to find ourselves another term to replace "hack", like we did for the MiB [wikipedia.org]. And we will cringe every time we read it.

It's called a security landscape

[Zero__Kelvin]

Yes. I was totally wondering if increasing the vulnerability landscape created more vulnerabilities!

Correction

[tehlinux]

The 2014 "SRT" Viper

The Next Step in Remotely Controlling a Car

[Fnord666]

So this is just a basic attack surface analysis of a networked system. According to the article, the researchers are saying that these vehicles are vulnerable because operational components (brakes, etc.) are on the same network as non-operational components (radio, etc.).

By contrast, the 2014 Jeep Cherokee runs the "cyber physical" features and remote access functions on the same network, Valasek notes. "We can't say for sure we can hack the Jeep and not the Audi, but... the radio can always talk to the brakes," and in the Jeep Cherokee, those two are on the same network, he says.

This does tie in well with and extend their presentation last year where, given access to the car's network, they were able to manipulate its steering and braking systems. The trick will be to subvert one of the remotely accessible systems and then generate the necessary commands on the network in question using that subverted system. Maybe they are saving that presentation for 2015.

Re:

[Anonymous Coward]

If by 2015, you mean 2011, then yes [nytimes.com]. UW and UCSD demonstrated hacking a car via its cellular connection and disabling its brakes, among other things. There's no discussion of taking control of the steering, so maybe the car they worked with didn't have drive-by-wire steering.

Re:

[ihtoit]

fucking about with the EMS via a remote exploit and killing the engine hence the power steering is taking control of the steering. Albeit, in a terminal sense.

Not fun if you're chugging along at 80kph and your Alanis Morissette CD suddenly shoots out and bisects your fifth passenger at the waist.

Blood is hard to get off a CD.

Re:

[ihtoit]

nah I use them to keep the rugrats in line.

(because it's difficult to steer and polish the shotgun at the same time)

Re:

[Ungrounded Lightning]

maybe the car they worked with didn't have drive-by-wire steering.

Don't need drive-by-wire steering (depending on definition, of course).

Drive-by-wire steering (my understanding of the usage) would mean that the steering wheel sent messages to the steering gear electronically, rather than being physically connected, as the normal way of steering the car. Interfere with, or take over, these messages and you either disable or override the driver's input. I doubt the automakers are about to do that - especia

well

[sociocapitalist]

This concept ought to make things interesting when combined with the trend towards self driving cars - a new meaning for the 'hot wiring' of a car (or truck, whatever) maybe.

First auto-drive may be auto-car-theft.

[Ungrounded Lightning]

... a new meaning for the 'hot wiring ...

We've already seen:
- In the wild: A contactless box that opens the doors on parked cars. (Not clear whether this is spoofing the remote-door-unlock keyring fob receiver or getting on to the car's bus to issue unlock commands.)
- Proof-of-concept demonstrations for getting on the bus by successful attacks on communication stack vulnerabilities in more than one of: Cellphone radio (remote help service), handsfree "car is the headset" bluetooth transce

VW Beetle

[Bing Tsher E]

The most hackable car would probably be the VW Beetle. So many cool addons and mods exist. I am talking about the original Beetle, of course, not the rounded-Rabbit.

Hacking is supposed to be good stuff here, right? Or did something change?

Re:

[bmo]

Hacking is supposed to be good stuff here, right? Or did something change?

Yes, something changed.

An Internet media "giant" bought Slashdot. Thus the "media" definition of hack, not ours. Jerks.

Our definition of hack would relate more to hot-rodding instead of this system-smashing claptrap.

>vw beetle

I agree.

--
BMO

I have a fully networked car

[viperidaenz]

Doubt its very hackable though

The keyless entry system is on the body-can network which accepts RF signals.
The keyless start system is too, which accepts RFID.
The body-can is connected via a bridge to the fast-can, which carries all the ECU/Transmission/etc data.
The satnav has a microwave antenna and IR receiver for VICS and is attached to the fast can.

The important thing is, no diagnostics are done on the CAN bus. It's all done via a K-Line interface on the obd connector.

Diagnostics should be on a separate physical network.

Re:

[drinkypoo]

Your car sounds like my latest car, a 1997 A8. The Radio in mine is the boring old Delta CC, and the RNS units this old don't have any internet connection (the predominant unit in the USA has a CDROM) so there's not much remote hack value there.

As far as theft goes, however, a device which will read key codes from memory and program a new key is only $100-200. You drop the ignition switch from the column, slap a programmed key blank into the keylock so that its signal is picked up by the immobilizer antenna

Re: I have a fully networked car

[James Buchanan]

I would not to see at this conference the new paper circuitry miniaturized yet. Did enjoy the articles on paper capacitors and transistors. Maybe ic circuits next. Closer and closer to one time destroyable circuits.

Maybe

[jklovanc]

I think the issue with this article is that it concentrates too much on networks. It assumes that separating features into different networks is less hackable. Then it states this;

"Each feature of the car is separated on a different network and connected by a gateway,"

Here are two scenarios;
1. All systems run on one network. The entry points to the network are very secure and almost impossible to crack. All entry points only allow specific commands to go through. For example the radio portal will not allow a brake command to pass.
2. All systems run on different networks connected by a gateway.

Re:

[discomike]

Well unless you take over the gateway it does indeed do filtering. It does not simply forward packets but decodes the data and repackages it for different networks. The frames that should be forwarded is statically configured, that is which frames (or individual "signals" from a frame) from which bus should go to where. So unless there exists a functionality for the infotainment system to send brake frames to the BCM already. You are left left with exploiting each gateway on the way to gain control.

Re:

[jklovanc]

How do you know the inner workings of a gateway you have never seen? I agree that such a gateway should be programmed the way you describe but it is possible for a gateway to just forward messages along with no filtering. My point is that filtering can be done at the entry point just as well as the gateway.

Re:

[discomike]

Ok, slashdot just lost my lengthy reply so I'll do it quick one (OK it got ranty torwards the end).

Generally the industry follow standards such as MISRA/OSEK/AUTOSAR, these stipulate static configuration, to do that you use automatic tools, for cost reasons(big driving force in automotive) they optimize the frame packaging for each network so you use less memory and can use cheap parts.

Due to limited bandwidth you have different frame packaging on different networks as well, so in a gatewaying scenario the

Re: Maybe

[James Buchanan]

But cutting a hose leaves a mark, traceable. A paper circuit, a hack, a corrupted code doesn't. Both leave the brakes not working at the "worst/inopportune/correct" time. Get the Jon done, but if the car doesn't burn our mangle enough, there is visable evidence of a crime. Conjecture? Or fact, now provable to the court? But its getting closer.

They also name the least-hackable cars,

[The Grim Reefer]

Anything that uses a distributor with points? Hell, anything that has a distributor has a very limited ECM at best, and certainly not one you can access wirelessly, or via a simple port of some kind.