Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Transportation Security

Least Secure Cars Revealed At Black Hat 140

Lucas123 (935744) writes Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car's Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to Researchers Charlie Miller and Chris Valasek. Millar and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data. The two security experts didn't physically test the vehicles in question, but instead used information about the vehicles' automated capabilities and internal network. "We can't say for sure we can hack the Jeep and not the Audi," Valasek told Dark Reading. "But... the radio can always talk to the brakes" because both are on the same network. According to the "Connected Car Cybersecurity" report from ABI Research, there have been "quite a few proof of concepts" demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle's internal bus, known as controller area network (CAN).
This discussion has been archived. No new comments can be posted.

Least Secure Cars Revealed At Black Hat

Comments Filter:
  • by turkeydance ( 1266624 ) on Monday August 04, 2014 @07:18PM (#47603713)
    my apologies to the drivers. i thought it was them.
  • by gelfling ( 6534 ) on Monday August 04, 2014 @07:20PM (#47603727) Homepage Journal

    Because if it starts at all it may very catch on fire.

    • Didn't they have these episodes of "Cops" where the patrol officer would pull a car over for a "minor traffic infraction", run the plates, find out the vehicle was stolen, and a high speed chase would ensue?

      No offense to your 2004 Focus, but it has been years since I watched the program, but the stolen car was always a Saturn?

      I know that auto theft is a felony and the police are there to protect and serve, and this car was some poor dude's ride before it got boosted. But the cops engage in a high-speed

      • Well, the criminal then gets to pay for the damage he caused to the car.

        If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated. It does not matter that that something is not worth tens of thousands of dollars - it's still my money and my item.

        Now, whether it is worth to the public - yes, most likely. While I would probably be OK with the government buying me an identical car after the cops refuse to recover the stolen one, the number of car thefts

        • by mjwx ( 966435 )

          Well, the criminal then gets to pay for the damage he caused to the car.

          Awww, it's so cute you think rich people are stealing old Astra's.

          If something was stolen from me I would damn sure want to (preferably) get it back or at least get loss compensated.

          This is what we call "Insurance".

          In Australia people are taking to stealing keys as immobilisers have become so common and effective it's easier to break into a house and flog the keys before taking the car. I dont really care that much if they do this and steal my 14 yr old Nissan... It's insured for $13,500. Sure it would be a shame as it's a mint condition Silvia S15 but in the end it's a car I have properly insured.*

          If you dont have

      • by Arker ( 91948 )
        Simply letting him get away would be horrible, because of the prevention aspect. If that were standard practice on the part of the cops, then the rate of car theft would certainly go way up.

        But there is another possibility besides letting him go and flying off in a risky high speed chase. There's this old-school police technique called a 'tail' where you follow at a distance and let the target think he's getting away (while of course using your radio to get ahead of him.) Much less chance of injury or death
        • Yep, there's not too many cars that can outrun a Motorola...

        • In my country high speed chases in cities or highly populated areas are prohibited due to the high risk of collateral damage. It's far better to let the car thieves get away than to kill some innocent bystanders.
  • Bullshit. (Score:3, Insightful)

    by mythosaz ( 572040 ) on Monday August 04, 2014 @07:21PM (#47603731)

    "But... the radio can always talk to the brakes" because both are on the same network.

    Bullshit.

    They might be on the same network, but that doesn't mean they can talk to each other.

    • Re:Bullshit. (Score:4, Informative)

      by viperidaenz ( 2515578 ) on Monday August 04, 2014 @07:49PM (#47603899)

      They're on the same network, which is a broadcast network.
      Everything can talk to everything else.
      A CAN bus is not a switched network. Same goes with Flexray and all other automotive networks.

      • you type faster than me ;-)
        I just said the same thing. lol
        Also, CAN Buss is not new. It's been in Semis for a very long time.

        • by bonehead ( 6382 )

          you type faster than me ;-)
          I just said the same thing. lol
          Also, CAN Buss is not new. It's been in Semis for a very long time.

          Also, the people who write the software for this type of platform are, at least traditionally, much more concerned about available RAM than they are about security. In this arena, the old-school folks have always worked in an environment where isolation from the outside world was pretty much a given.

          As such, even the fairly ineffective security measures that are in place on the Internet haven't even been considered for use in these types of systems. Attaching wireless capabilities to them was very foolish

          • Re:Bullshit. (Score:5, Informative)

            by viperidaenz ( 2515578 ) on Monday August 04, 2014 @10:48PM (#47604623)

            Everything was fine until OnStar...
            With OTA updates and the rest of the systems in the car using the CAN bus for diagnostic messages and reprogramming, you've got problems.

            I haven't RTFA but I would assume the Honda Accord isn't as 'hackable' is because they use a separate K-Line bus for diagnostics instead of doing it over the CAN bus. Other than that, every single system in the Accord is connected in some way. The audio bus connects the radio to the aircon unit., The aircon unit is also connected to the body CAN bus (you'd need to reprogram it to make a bridge though). The gauge cluster connects to both the body CAN and the powertrain CAN bus. The ECU, ABS, Traction Control, Air bags, etc are all on the powertrain bus.

            If you took control of the powertrain bus, you could speed the car off down the street (thanks drive-by-wire), lock up the wheels on one side of the car and spin it sideways into a wall (traction control), while setting off the side airbags on the wrong side of the car to increase the impact the occupants receive (not sure if the airbags can be triggered from the CAN though, I doubt it. Can probably disable them though)...

            • Re:Bullshit. (Score:5, Interesting)

              by bonehead ( 6382 ) on Monday August 04, 2014 @11:21PM (#47604731)

              Everything was fine until OnStar...

              Well, yeah, now that I think about it, I'd have to agree....

              There's absolutely nothing wrong with these systems in your vehicle being able to communicate with each other. I think most of us can agree that there are many benefits to it.

              The problems only arise when the systems gain the ability to communicate to systems outside of your car. And especially when they can do it without your consent, or even knowledge. And OnStar was the first and most obvious example of that ability.

              The first time I ever really noticed OnStar was back when it first came out. A buddy of mine was driving, and we made a stop and he locked his keys in. This was "back in the day" so I immediately started trying to figure out where I could get my hands on a wire coat hanger. He pulled a card out of his wallet, called an 800 number, and a few seconds later all 4 doors unlocked. My initial reaction was "Damn! That's fuckin' cool!"

              About 10 seconds later I thought "Damn! That's fuckin' creepy!"

              And now it's not just OnStar that can do that. Now cars have bluetooth and WiFi, so if it's not secure (and they don't build them with security in mind"), any smart guy with a cell phone and access to Google can do similarly creepy things....

              SIDE NOTE: There's an alley at work where we all go to smoke (yes, I'm a smoker, get over it). On the other side of the alley is another company's parking lot. There are two nearly identical GM SUV's that park in that lot. One has a broken off OnStar antenna, the other has an intact OnStar antenna. All of us refer to the two vehicles as "the smart one" and "the dumb one".

              • one of these days, there'll be an antenna which you won't know about, the visible one being a dummy... easiest way to hide the antenna would be to put it behind a plastic body panel.
                • by bonehead ( 6382 )

                  That's why I said earlier in this thread that I have reinforced my belief that my next car will be a late 60's or early 70's muscle car.

                  Might not be as "green" as some would like. But it was built without any spy tech, and I could spot any suspicious crap that has been added on after the fact.

                  Not like today's models, which are basically just computers on wheels. Take out the factory radio to install a superior aftermarket model, and suddenly your heater doesn't work.

                  You can't tell me there's not a 3 lette

                  • That's why I said earlier in this thread that I have reinforced my belief that my next car will be a late 60's or early 70's muscle car.

                    Might not be as "green" as some would like.

                    My 1960 Dodge Dart (2dr/Phoenix) got over 20 mpg on the freeway, not too shabby. That was with a 240 hp 5.2 liter V8. If you added a high-flow cat to it, it probably would run relatively clean as well, in spite of being carbureted. That car always ran like a peach.

                    How about something in the middle, like a W126 300SD? Those get 30 mpg on the freeway in spite of the lack of a lockup torque converter.

                    • by sjbe ( 173966 )

                      My 1960 Dodge Dart (2dr/Phoenix) got over 20 mpg on the freeway, not too shabby. That was with a 240 hp 5.2 liter V8. If you added a high-flow cat to it, it probably would run relatively clean as well, in spite of being carbureted.

                      I think it is unlikely it would be particularly clean. A car that old would lack an evaporative emission control system which accounts for a fairly high percentage of emissions. It lacks sensors to detect and correct for emissions. It also is carbureted which is demonstrably less clean than fuel injection. Even with a modern catalytic converter, while it might run pretty well, I would find it very surprising if it was terribly clean on the emissions.

                    • and the unburnt fuel in the exhaust when the carb runs rich would clog up the catalytic converter.

              • I unplugged the On-Star module underneath the glove compartment in my G6. Then the cruise control stopped working. Taking it into the dealership, of course their solution is to plug On-Star back in, and then the cruise magically started working again. Tell me that GM isn't going to sabotage the cars of people who choose to disable On-Star... So I got a Ford instead. Not that My Ford Touch is any great technology either.

          • All thing's considered, this all just goes to reinforce my dream of owning a mint condition 1965 Plymouth Barracuda.

            And chasing down the tall man!

        • by MrKaos ( 858439 ) on Tuesday August 05, 2014 @02:55AM (#47605273) Journal

          you type faster than me ;-)
          I just said the same thing. lol
          Also, CAN Buss is not new. It's been in Semis for a very long time.

          I think the real question is: How much Buss would a CAN Buss Bus if a CAN Bus can CAN Can?

      • In addition, I would challenge Charlie's and Chris's assessment of this. I didn't dig into it myself, but I would guess that a stateless gateway allows the radio to talk to the brakes in most autos, not just the few identified.

        • Yup, Honda Accord's (not sure about current model, but definitely 2003 -> 2007, probably most Honda's actually...) use the gauge cluster as the gateway between the two can networks
          Not sure if every message is relayed or just a set of specific ones, it's copying between a 500kbit bus to a 33.6kbit bus...

      • by gl4ss ( 559668 )

        yeah so I can take over all wifi and bluetooth devices in vicinity?

        what I mean is that the research is just bullshit done by googling around. it's bullshit and should never have gotten greenlit to be presented without actual trials!

        • yeah so I can take over all wifi and bluetooth devices in vicinity?

          Given a reasonable toolbox, that's arguably a reasonable proposition these days, at least for many devices in your immediate vicinity. Yes, things really are that bad.

      • by Indes ( 323481 )

        Considering I wrote the CAN interface for an OEM; Yes, Anything can talk to anything else... BUT...
        That's why there's an interface which will only allow you to send data you're meant to send.

        They also point out two vehicles with the SAME available lineup of head units and identical CAN architecture, then claim they're both the most and least secure vehicles.

        Will one of my interfaces ever talk to a brake module? No, Not without a nasty firmware hack. So no, your radio won't be

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Maybe they can't by design. But in a "radio" I worked on you could spoof CAN and we used that to test our software. Radio acted as if it were a few other devices. For their credit, brakes and the like were on a physically separate network, though.
      I have also never met any sort of security concerns regarding internal data processing and communication protocols. Most internal protocols and implementations I've seen trust the sender 100%.
      I once attended a meeting discussing navigation map data. They weren't th

    • Re:Bullshit. (Score:5, Informative)

      by Charliemopps ( 1157495 ) on Monday August 04, 2014 @08:31PM (#47604103)

      "But... the radio can always talk to the brakes" because both are on the same network.

      Bullshit.

      They might be on the same network, but that doesn't mean they can talk to each other.

      Modern cars are required by law to operate on a CANN Buss which is very similar to old buss networks: http://en.wikipedia.org/wiki/B... [wikipedia.org]
      All devices send and receive on the same wire. So every device can talk to every other device on the network, all the time.
      This works as long as all devices on the network are trusted devices... but then you add bluetooth and wifi? Now you have a network of implicitly trusted devices with a giant hole in it.

      If the radio integrates media controls into the steering wheel and has song titles next to your speedometer, you're screwed. That bluetooth device has full access to the entire network. Now if it treats the bluetooth device like an audio input, and the only wires going into the "bluetooth PCB" are 12vdc, ground, and left and right outputs, then you're probobly ok. But there's no way most consumers are going to know which it is.

      I personally dismantled the radio integration into my Fords CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features. Why the hell is the head unit for my stereo controlling major functionality in my car?!!?!

      What's worse, in the newest cars as of next year... devices will be registered by mac address to the cars computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the mac addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

      • by Anonymous Coward

        CANN Buss which is very similar to old buss ...
        CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features.

        What, were you playing Scrabble and got stuck with a bunch of extra 'N's and 'S's? It's CAN bus [wikipedia.org] and DIN [wikipedia.org].

        • by bonehead ( 6382 )

          CANN Buss which is very similar to old buss ...
          CANN bus as soon as I got it. It was a nightmare. Parts of the dash didn't even work with the factory radio removed! I had to buy an after market CPU to plug into the buss to replicate some of the radios functions just so I could use a standard dinn mount head unit. All of this and the radio I got, that's not on the Buss, has more features.

          What, were you playing Scrabble and got stuck with a bunch of extra 'N's and 'S's? It's CAN bus [wikipedia.org] and DIN [wikipedia.org].

          You must be very insecure and unhappy in your real life.

          It's the only reason I can think of that you'd try to put down a very factually correct post based on a few irrelevant typos.....

      • Re:Bullshit. (Score:5, Informative)

        by TubeSteak ( 669689 ) on Monday August 04, 2014 @09:03PM (#47604267) Journal

        What's worse, in the newest cars as of next year... devices will be registered by mac address to the cars computer. As a result you'll need to log in with a $6k+ software package you can only buy from Ford, GM, etc... and register the mac addresses of new devices you install. You will not be able to remove or replace anything on your own at home anymore. In fact, I bet the dealer will be the only place you can get repairs done within 20yrs.

        Automakers agree to 'right to repair' deal
        http://www.autonews.com/article/20140125/RETAIL05/301279936/automakers-agree-to-right-to-repair-deal [autonews.com]
        January 25, 2014

        Last week, two trade groups representing automakers -- the Alliance of Automobile Manufacturers and the Association of Global Automakers -- announced an agreement with independent garages and retailers to make Massachusetts' law a national standard.

        [...]

        Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year, as the Massachusetts law requires. In return, lobbying groups for repair shops and parts retailers would refrain from pursuing state-by-state legislation.

        You couldn't be more wrong.

        • Re: (Score:2, Flamebait)

          That just means they're required to sell it to you. No limit on what they're allowed to charge, though.

          • "Welcome to Bittorrent".

            If the specifications are available online to one dealer, within short order they will be available illicitly worldwide.

        • by bonehead ( 6382 )

          Under the deal, all auto companies would make their diagnostic codes and repair data available in a common format by the 2018 model year

          If I offer something for sale for the low, low price of $10,000,000, I have complied with the requirement to make it "available". Ain't my problem if you can't afford it.

          Meaningful legislation would specify "make available at no cost", or at least set a cap on what they're allowed to charge.

          Like the vast majority of legislation these days, this sounds good on the surface, but has too many holes in it to do anyone any good.

      • They've been playing at this since the 1970s. Scan code systems that sell for $50K. "Open" protocols that you have to be a member of the society to get a copy of, membership fee: $25K plus a reason they deem as valid to join. This was last century.

        Just be glad that the OBD-III proposals with RFID communication requirements never got passed (or did they?) - with that, the same type of toll readers that are more and more common could as easily query your OBD port and read everything about your present vehi

      • Too much bullshit (Score:4, Interesting)

        by ArchieBunker ( 132337 ) on Monday August 04, 2014 @10:10PM (#47604513)

        I bought a 99 Volvo S80 and it has the fancy auto dimming rear view mirror. The car was used so of course expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.

        • Check around my guess is you can get software online that will let you let you reprogram the computer. I used to own an Audi. On some versions of my car you could hold the unlock button on the fob for some number of seconds and it would roll all the windows down. Holding the lock button would roll them all back up. They wouldn’t enable it on my car because it wasn’t a feature on my model. Come to find out that my car supported it but that they had simply programed the computer not to do it. A fr

        • I bought a 99 Volvo S80 and it has the fancy auto dimming rear view mirror. The car was used so of course expensive mirror no longer dims. You can't even swap out a junked mirror because of the address bullshit. You have to keep the circuitry from your mirror and swap only the mirror itself. Otherwise you need the dealer software to reprogram the main computer.

          Did you bother asking the dealership what the cost to reprogram was? It might have been very inexpensive or even free.

          My local Volvo dealership plugs the cars into the computer and runs diagnostics and software updates as a matter of course (no charge) any time you bring the car in for service. Their labor rates are competitive with independent mechanics and they offer a free shuttle to/from work, so I just have my maintenance done there. They clearly want repeat customers (they need repeat customers) an

      • Modern cars are required by law to operate on a CANN Buss which is very similar to old buss networks

        Modern cars are required by law to pass certain crash tests, get enough mileage to get the automaker's averages up to a certain point, put out emissions below a certain point, have the headlights and taillights in a certain position, come with seatbelts, airbags, ABS and AYC, and speak one of four documented OBD-II protocols on their DLC. They're not required to use a CAN bus. In practice, they do, because CAN is the only OBD-II protocol which can be used for both a bus and a diagnostic link. However, there

    • No seriously they can. They might not out of the box, but the capability is there and chances are if someone has their way with the radio for a few minutes it very much will start talking to the brakes.

      Your statement would be 100% correct in a ideal world. We are not in an ideal world.

      • Re:Bullshit. (Score:5, Interesting)

        by Rich0 ( 548339 ) on Monday August 04, 2014 @09:31PM (#47604367) Homepage

        Yup. Are the brakes actually controllable via CAN though? If the pedal just operates a transducer which relays instructions via CAN, that seems a bit risky to me. I wouldn't want even a single PHYSICAL linkage as a point of failure for the brakes, let alone an electronic one.

        Granted, even if they have a cable backup, having a trojan apply full brakes without warning at highway speed would not be a fun experience (especially if it could disable ABS - which might or might not be possible but since ABS has self-diagnostics that need to report back to the dash it seems plausible that it could be tampered with). A cable backup would only prevent software from disabling your brakes - not prevent it from applying brakes.

        Really, something like a radio should not be on the same network as safety-critical devices. Heck, do you really want to even do the necessary rigor to ensure that a faulty radio design doesn't cause a safety issue? Nothing should be plugged into a safety-critical bus without serious testing and design controls.

        • The brakes are controllable on cars with collision avoidance.

        • Re:Bullshit. (Score:5, Insightful)

          by bonehead ( 6382 ) on Monday August 04, 2014 @10:14PM (#47604529)

          Yup. Are the brakes actually controllable via CAN though?

          Old school brakes, like you'd find in a mid-70's muscle car? Nope.

          Modern anti-lock brakes, that depend on computer control? You bet your ass they can be fucked with through the onboard computer.

          I'm an old-school geek. I've been fascinated and excited by technology for over 40 years now. But in the last half decade, I've been noticing that we're growing way, WAY too fast. We're implementing things and putting them out in the real world as soon as we "can do it". We're not waiting until "we can do it safely".

          It's consumer culture gone wild.

          • The manufacturers think they can do it safely. They even have multinational conferences where they get together and the 2 guys from every company who would rather travel than work sit around and agree with each other that they have put in enough safety checks to protect their customers.

            The problem is, most people can't mentally scale risk up to millions of copies. The basic engineer's metric is: "I tried it on my test rig as many ways as I can think of and nothing ever failed." Put this guy in a "world c

        • by AmiMoJo ( 196126 ) *

          You have to weigh up the merits of each system.

          Old style mechanical only brakes:
          - Immune to thus far theoretical remote hacks

          New style computer assisted brakes:
          - Safer (ABS, distributed braking force, 4 wheel steering etc)
          - Warns you of failures before you find out by crashing

          Since modern cars don't seem to be suffering from an epidemic of brake failures I don't think we can say that they are any less reliable than the old mechanical linkage. Thus your choice is between greater safety or protection from the

          • by Rich0 ( 548339 )

            None of those computer-assisted brake technologies require:
            1. That the brake pedal input be transmitted over a single electronic cable (or even a single physical cable for that matter).
            2. That the computers applying ABS communicate in any way with anything else in the car, other than perhaps turning on a warning light if there is a failure.
            3. That the failure warnings that appear on the dashboard be communicated using anything more than a single output line.

            I'm not against automation of safety systems.

  • by SlaveToTheGrind ( 546262 ) on Monday August 04, 2014 @07:23PM (#47603755)

    We've been here before. Two days ago. [slashdot.org]

  • Are we to stop driving and start using the bicycle?
    • Or scrap your Toyota's, Cadillac's and Jeep's and buy Audi's, Honda's and Dodge's

    • by Anonymous Coward

      or you could simply not react out of panic like a pathetic sheep, recalls, patches, and sheer unlikeliness of some of these exploits.. does that help you or do we need a media article to frighten you about something else instead

    • Yes.

      • Yes.

        Teenagers........are.......walking.......on.........our........lawns!!!

        that, and athiests are waging a war on Christmas.

        • "Teenagers........are.......walking.......on.........our........lawns!!!"

          Quickest way to be rid of them...

          Roll out the lawnmower, hedge trimmers, edgers, fertilizer and watch them set new world records as they leave posthaste!!!
          • "Teenagers........are.......walking.......on.........our........lawns!!!" Quickest way to be rid of them... Roll out the lawnmower, hedge trimmers, edgers, fertilizer and watch them set new world records as they leave posthaste!!!

            Ah, hit them at their weakest point.

  • They did not hack it (Score:5, Interesting)

    by manu0601 ( 2221348 ) on Monday August 04, 2014 @07:43PM (#47603845)
    They did not hack anything, this is just speculation based on documentation. BlackHat used to offer more serious stuff.
    • Good point.

      I have a Honda Accord with satnav. The satnav can always talk to the brakes, they're on the same CAN bus.
      The radio can talk to the satnav through a separate bus, which also talks to the aircon.
      The aircon talks to the body CAN network.

      Even without satnav, the radio can talk to the aircon and the aircon can talk to the body CAN.

      Infact... everything can talk to everything, because the gauge cluster acts as a bridge between the two CAN networks.

    • I can't understand it either. If they are accusing so many car makes of having vulnerabilities, they should have been able to get access to at least one to formulate an actual attack. If everything on the same network was considered vulnerable by default - the Internet would be vulnerable.
      • by Minupla ( 62455 )

        Here's the difference - we have firewalls on the Internet.

        What they're saying is that the Bluetooth is sitting on the same network as your anti-lock brakes and there is no firewall.

        Not sure about you, but where I work, if I didn't put a firewall between the internet, and my web servers and at least one more between my web servers and the database, I'd be looking for a new job. These guys hooked it up to the "internet" (bluetooth) and decided they didn't need any additional security between there and the "d

        • Here's the difference - we have firewalls on the Internet.

          Which explains why web site are never hacked, and why it happens everyday in cars.

          Oh, wait....

  • pure speculation, http://bit.ly/1qOrXX0 [bit.ly]
  • by nhtshot ( 198470 ) on Monday August 04, 2014 @08:11PM (#47604021)

    I work in the automotive after market (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.

    That is primarily because the german cars use what we call a "Can Gateway" but is better of though as a firewall. Every different system in the car has it's own private canbus. Anything that needs to travel between the busses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those busses.

    Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).

    Doing those things requires access to the can wires, but the bus is used for so much now-a-days, there's always plenty of places to access it. Many of them without requiring keys or an open hood.

    • Does nobody do signing or encryption of signals to control systems? Having had issues with VW's electrical systems in the past I wouldn't blindly consider a more complicated setup to be a benefit from them.
      • by nhtshot ( 198470 ) on Monday August 04, 2014 @08:39PM (#47604141)

        "Does nobody do signing or encryption of signals to control systems"

        VW/Audi does. The newest generation use 2048bit RSA signatures for everything. The previous generation used 1024, which is still pretty much unfactorable for a reasonable price.

        But, they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512bit signature on the "oh crap we've been in an accident" message?

        Same thing with ABS.

        The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each devices holds a hashed/signed copy of the serial numbers of the other 2 and the VIN. If the 3 don't all agree, the car won't start.

        There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

        • There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

          For a 2014 Audi, that might be true. For a 1997 Audi, you can buy a $100-200 device which will read the key codes from the PCM and program new keys.

          • by jandrese ( 485 )
            I have to imagine that things have changed at least a little bit in 17 years.

            I appreciate the theft deterrence aspect of this, but I wonder what it does to the third party parts market. For the key and immobilizer that's fine, but when every single part on the car needs a specific code that is baked into the ECU then repairs start to get tricky.
      • by sinij ( 911942 )
        I don't think it is possible, most of 'mission-critical' systems have to be real-time where response measured in milliseconds. There isn't enough time to preform any kind of authenticity or non-repudiation checks. What possible is properly isolating internal CANbus.
        • by 0123456 ( 636235 )

          You just need a pre-negotiated shared key. AES encryption is pretty fast.

          However, you still probably don't want to do it, because, if the encryption somehow gets screwed up, your ABS brakes will reject the readings from the brake sensors and cause you to crash when you lock the wheels. There are potential safety issues on both sides.

          • by sinij ( 911942 )
            Pre-negotiated shared key is very hard to do right, due to the need to perform secure key injection AND trust unverified third parties (e.g. independent mechanics). You also have to worry about have non-static configuration (e.g. what happens when your independent mechanic changes a sensor, how do you authenticate it?).

            About the only implementation I can think of is to have car run its own Trust Authority, with owner and not manufacturer (yeah, right) controlling it. This way adding new sensor will be a
          • by jandrese ( 485 )
            You don't have to pre-place keys everywhere in the car. You just need all of the asymmetric key exchange to happen when you turn the key. If it takes 50 ms then so be it. Hopefully nobody gets in a high speed collision 45ms after starting their car. After that each component will have negotiated a symmetric key that they can use for the rest of the communication. You can decode a 256bit AES key in a couple of microseconds on even cheap microcontrollers these days.
    • by plover ( 150551 )

      I figured as much. So since you're deep into the electronics, I have a question about my Ford that perhaps you can answer. Is the CAN bus extended out to the side mirrors that are filled with electronics, such as lighting, heaters, motors, and blind spot indicators? (My Taurus has all of the above.) Or is the bus terminated inside the panel of the door, and dedicated wires run to the various mirror assembly components? I've often thought that a thief who wouldn't mind trashing the passenger side mirror

      • by nhtshot ( 198470 ) on Monday August 04, 2014 @09:50PM (#47604437)

        I don't work with Fords, so I can't answer your question specifically. In general, the trend in cars is to have fewer controllers and devices on the bus controlling more and more things. In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

        At the same time, many of those modules and the wires between them are accessible easily under the hood. I can reach under a VW, remove a plastic underbody panel and get to the powertrain (most important) canbus without opening the hood. I'd come up greasy, but I could certainly do it from under the car. With a little practice, I could probably do it in under a minute.

        In the VW case though, that wouldn't do any good. I couldn't start the car or unlock the doors (door locks aren't on the powertrain can and the gateway won't pass through a door unlock message originating on powertrain). I could monitor their engine/transmission/ABS though and could turn off the car, change the gears or set/adjust the cruise control once the engine was running. I might even be able to trick the ABS into thinking the car is skidding and get it to lock up the brakes (I haven't played with ABS controllers much, so I'm not 100% certain of this one),

        • In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

          Central locking is still its own module, isn't it? It certainly is in my 1997 A8. Fords seem to tend to have a BCM which controls doors, windows and lights. In my 1997 A8, lighting is separate from locking.

      • " I've often thought that a thief who wouldn't mind trashing the passenger side mirror could access the CAN bus and unlock the doors."

        Heads to Hollywood script in hand for "Gone in sixty seconds...the mirror jackers....."
    • .. german cars use what we call a "Can Gateway" but is better of though as a firewall. Every different system in the car has it's own private canbus. Anything that needs to travel between the busses has to go through the gateway.

      A separate CAN(N)BUS for each system? But the original POINT of the bus was to replace the expensive, custom, wiring harness - a bundle of special-purpose wires as thick as your wrist - with a power line and a pair of signal wires. One big party line with everything talking on it.

      • An alternative to restoring the bundle is for each user of the "big party line" to "recognize the voice" of those who can give it instructions - and have a list of what instructions each can give it. I won't go into details, but there is ample room for design here. An interloper would be reduced to trying to "mimic the voice" of a talker with enough authority to command the action, or DOSing by "shouting over" legitimate commands.

        Not with CAN. CAN has no concept of a sender address. It is thus impossible to determine where a CAN telegram originated.

        • by jandrese ( 485 )
          Not with the protocol itself (because you couldn't trust it anyway), but you could implement crypto on top of the bus to avoid that problem. Everybody signs the messages and only accepts messages from approved sources who have signed their messages correctly.
  • Next time the brakes fail on my 93 Ford Escort Wagon, I'll rest easy in the knowledge that it was a simple mechanical failure and not hacked!

  • by shadowrat ( 1069614 ) on Monday August 04, 2014 @11:36PM (#47604775)
    I guess the wrangler didn't make the list, but it can hardly count as hacking when the hood doesn't even lock closed.
  • Well, we all like to whack off, don't we? Oh, I'm sorry, what was the question? Do our little automakers need some more free press? If the damn computer is more reliable than good old mechanics, then stick with the black boxes and hope for the best. We're just rolling the dice (get it?) anyway.

  • OEM (Score:3, Interesting)

    by Indes ( 323481 ) on Tuesday August 05, 2014 @10:47AM (#47607025) Homepage

    I work at an OEM... I know for a fact The Dodge Viper and the Jeep Cherokee share the same line-up of head units and the CAN architecture is identical.

      How are they both the most and least secure?

      (Also, the Radio can't talk to the brakes, as much as they'd like you to think - I'd know, because I wrote the code for the interface that talks on the CAN network.)

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...