Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Transportation Security The Military

Auto Industry Teams Up With Military To Stop Car Hacking 114

An anonymous reader writes: A team of hackers is collaborating with military and industry groups to develop cyber security defenses for commercially available cars, in response to a growing threat from criminals and terrorists. In the U.K., hackers are now responsible for a third of car thefts in London and there are fears that while technology is progressing, older models will remain vulnerable to attack. Although there have been no reported instances of a car being completely commandeered outside of controlled conditions, during tests hackers come out on top every time – unlocking car boots, setting off windscreen wipers, locking brakes, and cutting the engine.
This discussion has been archived. No new comments can be posted.

Auto Industry Teams Up With Military To Stop Car Hacking

Comments Filter:
  • by Karmashock ( 2415832 ) on Wednesday November 26, 2014 @12:41PM (#48468101)

    1. Physical security.

    If you let the machine get into the hands of hackers... they will break it the controls. And that is doubly certain if the device is mostly functional regardless. It will interact and that will let people either exploit flaws in the security or just decrypt it.

    If you want to stop hackers from getting into the system then the first thing you have to do is make it pretty much impossible for a hacker to physically access the system. As in steel. And beyond that, the wireless connections are a serious vulnerability. Scale them back or secure systems from the wireless radios.

    If you can't do that, then at the very least don't let a hacker turn my engine off while I'm driving down the free way. Some features are simply not worth that vulnerability.

    • If you can't do that, then at the very least don't let a hacker turn my engine off while I'm driving down the free way. Some features are simply not worth that vulnerability.

      The sad part is that preventing this is really easy by following some basic principles of networking and security like properly sanitizing your inputs. But they're just not used to even having to think about that at all at the companies which build the PCMs. Some vehicles are clever enough to have a communications gateway in between systems but who trusts the gateways?

      • by bouldin ( 828821 )

        Product liability for software is in a weird limbo where vendors effectively have no liability. So they don't have much reason to care, beyond damage to their brand.

        If you read the EULA that comes with software you purchase, it disclaims ALL warranty, and the vendor is not guaranteeing the software will do anything, not even what it says on the box.

        I wonder if automotive software might be on different legal ground, since nobody accepts a software license when they buy a car.

      • The sad part is that preventing this is really easy

        Yes. I think it is pretty clear that the auto makers got themselves into this mess -- as they have often done -- by doing stupid shit they did not understand.

    • by Anonymous Coward

      BRING BACK THE FUCKING TAGLINE: NEWS FOR NERDS, STUFF THAT MATTERS.

      Also, FUCK BETA.

      Filter error: Don't use so many caps. It's like YELLING.

      AND FUCK FILTER ERRORS.

    • 1. Physical security.

      If you let the machine get into the hands of hackers... they will break it the controls. And that is doubly certain if the device is mostly functional regardless. It will interact and that will let people either exploit flaws in the security or just decrypt it.

      If you want to stop hackers from getting into the system then the first thing you have to do is make it pretty much impossible for a hacker to physically access the system. As in steel. And beyond that, the wireless connections are a serious vulnerability. Scale them back or secure systems from the wireless radios.

      If you can't do that, then at the very least don't let a hacker turn my engine off while I'm driving down the free way. Some features are simply not worth that vulnerability.

      First rule of Capitalism: Make money.

      Second rule of Capitalism: Actually give a shit how you make it.

      Good luck getting anyone to pay attention to any other rule but the one that counts.

      In other words, fuck your risks. The vendor is going to massively profit from those insecure features you never asked for, and won't stop installing them until enough people die to make it illegal (key word there being enough, that threshold is a lot higher than you think thanks to political gaming.)

    • by plover ( 150551 )

      The military is good at physical security. That's their mandate, after all. It seems logical to put them together.

      However, they seem to suck at this aspect of it. There is no reason that an American vehicle (or weapons system) left in the hands of an Iraqi army battalion should ever be able to be commandeered by troops who switched allegiance to ISIL. There should be an American satellite link required for occasional checking-in, and the vehicle should be disabling itself if it's failing to check in, or

      • No, the military's physical security is a soldier with a loaded rifle trained to kill you if you touch things you're not supposed to touch

        Lets say I took any bit of modern military hardware and just dump it in the middle of a hacker convention. What exactly are the odds that someone there won't be able to break the lockouts?

        Military gear is not designed to be hack proof. It is designed to be deadly and robust. How long did it take the Iranians to reverse engineer the drone we lost in their territory? They h

    • by dkman ( 863999 )
      At the very least:
      Separate the networks. Have essential processes (engine, breaking, steering) on a secure network
      Have infotainment, radio, bluetooth phone, gps, wipers, rain sensor, etc on a separate network
      Have anything wifi (door unlock) heavily vetted before you allow it into one of your other networks.

      Personally I feel that windows even belong on the infotainment network, as they aren't vital to the safety of the vehicle.
      Keep chatter between networks to a minimum. I figure secure (engine) would
      • I'm going to have to side with the Colonial Fleet on this one and say the systems should not be networked at all.

        Each of these systems has their own internal sensor package and programming. My fuel air sensors do not need to be coordinated with my anti lock breaks. The two operate just fine isolated.

        What is more, some systems should be dumb. Toaster simple. Simplicity means not just more secure but more robust. Simple systems tend to be less prone to failure and error.

        • by bws111 ( 1216812 )

          Your traction/stability control operates the throttle and brakes, so they need to be connected at some point.

          • Assuming that is correct, does that system need to be connected to anything else?

            If the traction control system is connected to the brake servos and throttle servo, does that system need to be linked to the wireless ignition system or my bluetooth stereo? What is more, I do want manual over rides for all these things.

            I have an older car and it is profoundly simple in the way that everything works. I don't see why I can't have all the relevant modern features without compromising the underlying robustness of

            • by bws111 ( 1216812 )

              Well, it is kind of hard to have wireless ignition (remote start) without having access to the engine controller, so they do need to be connected. And the remote start probably has connections to the body controller so it can do things like lock the doors, flash lights (for feedback) and monitor to brake pedal so it can kill the engine if the brake is touched (in order to shift into gear) without the key being present.

              As for the radio, starting next year all new cars in the US must have backup cameras. T

              • by dkman ( 863999 )
                The rear view mirror has a small section that can display the rear view camera (it just acts as a mirror when an image isn't being displayed). They do it this way in cars that don't have an LCD display, for cars with a standard stereo face.

                I do feel that the backup camera is just fine being on the infotainment network. If side camera go away I feel the same about them. Engine, steering, breaking - things where one might lose control of the vehicle if they don't function correctly belong on their own se
              • Depends on how complicated the system is actually.

                If all you want is remote starting, then have a simple radio/computer system that interfaces with another very simple non-programmable bit of hardware. All the radio/computer unit can do is send a "GO" command to the ignition unit. The ignition unit should have a hardware fail safe that prevents it from operating if the alternator is producing power. In this way, the remote start will only start a car that is off and will have zero impact on a car that is on

    • by mjwx ( 966435 )

      If you want to stop hackers from getting into the system then the first thing you have to do is make it pretty much impossible for a hacker to physically access the system. As in steel. And beyond that, the wireless connections are a serious vulnerability. Scale them back or secure systems from the wireless radios.

      If you want to stop 99% of malicious vehicle hacks you need to remove any wireless components from the system as well as physically securing it. This means not giving the infotainment system access to the CANBUS or anything else.

      The answer to vehicle hacking is stupidly simple... but this means they cant sell the new Craptiva with remote start technology so guess which one they're going to do.

      • I don't have to buy that feature. Most cars in fact don't have a remote starter. Remote door locks are pretty common but the starter is unusual.

        • by mjwx ( 966435 )

          I don't have to buy that feature. Most cars in fact don't have a remote starter. Remote door locks are pretty common but the starter is unusual.

          Like remote locks were in the early 90, remote start is uncommon now but it will become more common later. Its more common in Europe than the US because of the weather, most people would rather have breakfast than sit in their car waiting for it to warm up enough to drive.

          • Trust me, it gets every bit as cold in the US. US is a big place. Parts of it get a great deal colder then anything you'll see in western europe. Just saying.

            As to remote start, there are ways to do it that don't present a security risk.

            1. Isolate the system.
            2. Make it so it does nothing if the car is already on.
            3. Make a distinction between starting the engine with the remote start and authorizing driving. If what you want is to warm the car up then you don't need to unlock the steering wheel.
            4. Consider m

  • Overkill! (Score:2, Funny)

    by Anonymous Coward

    Nothing, and I mean nothing the security guys ever come up with will have anywhere near the effect of the six inch square piece of plywood with 25 six inch nails hammered through that i place under the driver seat of my car. The second a would be thief jumps into my car seat is the second they begin to understand just how bad their life choices have been. I also have a conventional car alarm that serves to let me know that i should call an ambulance for the 'tard, should but wont, baseball bat feels better

    • I'm wondering: is your car a 1960 VW Beetle or 2CV? Because those are the only cars I can think of where the seats can sag enough to make this a worthwhile proposition.

      Or, much more likely, you actually don't do any of this.

      • Or, much more likely, you actually don't do any of this.

        Probably not. But the springs break in lots of Mercedes seats, and so they're candidates too. A lot of people shore them up with a pool noodle. If you can find a fairly compatible spring, you can splice it into the broken section from below after removing the seat without even having to pull the upholstery, which you don't want to do.

  • Comment removed based on user account deletion
  • Technology can be hacked. Cars were 'hackable' when they were just mechanical: shims or tools to unlock doors, bypassing the ignition, random fun things I've seen on TopGear. There was one care where if you pulled out a fuse or something, put it in backwards, it started the car. Now there is more tech in cars, and tech is hackable, so cars are more hackable in 'elegant' ways as opposed to using a rock or screwdriver. Not really breaking news, but good to know and keep an eye on.
    • by Anonymous Coward

      In the UK in the nineties a very popular hatchback (Vauxhal Nova/Opel Corsa early models) had a large rectangular hazzard light switch which could be pulled out of the dash on a long stalk. The switch could then be rotated through 180 degrees and popped back into the dash with the effect that the cars electrics were now on, all a car thief then had to do was break the steering lock and bump start the car. This was corrected in later models but was bloody hillarious.

      Captcha: extracts

  • unlocking car boots, setting off windscreen wipers, locking brakes, and cutting the engine.

    If a hacker can do all that, why can't the car itself open the windows slightly if the temperature inside gets high and there is no rain outside? All the hardware is already there — the sensors know both the inside temperature and whether anything is hitting the windshield (so wipers can turn automatically in rain).

    Would've made returning to your car in the sunny lot more comfortable and even saved some lives [washingtonpost.com].

    • by koan ( 80826 )

      You want a machine to decide that for you...

      • by mi ( 197448 )

        You want a machine to decide that for you...

        No, I want it to decide for itself — when I am not there.

        • I have a heat gun/torch and I know how to use them!

        • by koan ( 80826 )

          LOL that's even worse.

          • by mi ( 197448 )
            Seriously? We are about to have self-driving cars — and some say, human drivers should be banned [gondwanaland.com] — you are afraid to trust the car to automatically open windows, when the inside gets too hot?

            This sort of logic was present and functioning on the first steam-engines [wikipedia.org]! You have such a system in your toilet — it closes the water-valve, when the "sensor" detects, the tank is full...

    • by sinij ( 911942 )

      A number of reasons this isn't a simple feature request:
       
      * continuous monitoring will drain your battery, so you will come to a dead battery every time you go on vacation;
       
      * the system will also have to monitor for precipitation, so additional sensors are needed (you wouldn't want to come back to wet seats now, would you?);
       
      * there are better ways to spend ~100$ in parts and 5lb of weight.

      • by mi ( 197448 )

        * continuous monitoring will drain your battery, so you will come to a dead battery every time you go on vacation;

        I have an outside temperature sensor, that radios figures to the display unit inside. Its puny little battery lasts a year... You too can get one at Home Depot.

        the system will also have to monitor for precipitation

        As I said, such sensors are already built into my car. The wipers start automatically, when the rain or snow hits the windshield.

        there are better ways to spend ~100$ in parts and 5lb o

        • Just need to teach the existing software a new trick.

          And I bet you the existing wetware will learn a new trick just as fast as you automate your car to crack the windows. Won't even need a wedge to slip in an opening tool.

        • by sinij ( 911942 )
          Now, I know you don't have a cheap car if it is already has all these features. Most people won't have a car with automatic rain-sensing wipers. This is certainly an upscale feature. I also have no idea what kind of power draw the infrared light and sensor require.

          On my car I can set fan to run for some time using residual core heat or cooling to maintain preset temperature. This feature good for about 30 minutes (but will run longer) and does not run if the battery charge drops past some threshold, but yo
      • by AmiMoJo ( 196126 ) *

        Continuous monitoring isn't an issue with EVs. When you have a 24,000Wh or larger battery remaining connected to a cellular network for weeks is no issue. Remember when your Nokia could run for a week on one charge? That's what the modem in the car is like, only it has a giant car sized battery to power it.

    • unlocking car boots, setting off windscreen wipers, locking brakes, and cutting the engine.

      If a hacker can do all that, why can't the car itself open the windows slightly if the temperature inside gets high and there is no rain outside? All the hardware is already there — the sensors know both the inside temperature and whether anything is hitting the windshield (so wipers can turn automatically in rain).

      Would've made returning to your car in the sunny lot more comfortable and even saved some lives [washingtonpost.com].

      Or perhaps you'll walk back to an empty parking spot where your car used to be.

      All a thief really needs to steal a car (or the contents inside) is access, which you're suggesting to now provide in a automated and unattended fashion.

    • by hawguy ( 1600213 )

      unlocking car boots, setting off windscreen wipers, locking brakes, and cutting the engine.

      If a hacker can do all that, why can't the car itself open the windows slightly if the temperature inside gets high and there is no rain outside? All the hardware is already there — the sensors know both the inside temperature and whether anything is hitting the windshield (so wipers can turn automatically in rain).

      Would've made returning to your car in the sunny lot more comfortable and even saved some lives [washingtonpost.com].

      Because opening the windows slightly only affects inside temperatures slightly? Yet it makes it much easier to thread in a wire to snag a door handle to open the door.

      A forced air fan to vent in cooler air from below the car 30 minutes before you return to the car would be more effective. And the only thing stopping that is cost vs benefit - not enough people would find it useful enough to add $xx to the price of the car.

    • by Pope ( 17780 )

      unlocking car boots, setting off windscreen wipers, locking brakes, and cutting the engine.

      If a hacker can do all that, why can't the car itself open the windows slightly if the temperature inside gets high and there is no rain outside? All the hardware is already there — the sensors know both the inside temperature and whether anything is hitting the windshield (so wipers can turn automatically in rain).

      It'd be way safer to get a fan going to circulate the air than to crack the windows open. You really want car makers to open themselves up to having cars stolen easier?

      • by mi ( 197448 )

        It'd be way safer to get a fan going to circulate the air than to crack the windows open. You really want car makers to open themselves up to having cars stolen easier?

        Spinning fan will drain battery quickly. A slightly-open window will not make theft much easier — and the alarm will still go on, if the door is opened.

        People do leave windows rolled-down a little on hot days as a matter of course. Would be nice, if the car could do it itself. And even close them back up, if rain starts.

    • So... all I'd have to do to break into your car is to increase the inside temperature? Provided it doesn't rain, of course...

      That's doable.

    • If a hacker can do all that, why can't the car itself open the windows slightly if the temperature inside gets high and there is no rain outside?

      It's safer to just put a solar panel on the roof, my car has it integrated into the sunroof. When the interior temperature rises sufficiently and the panel is sunlit then it runs the blower motor to keep the car cool. Sadly, it ignores the ambient temperature sensor and has no concept of humidity, so in some conditions the sun can hit your car, heat it up before the surroundings, and suck damp cold air into the vehicle and humidify it. In the normal course of the day, though, it will blow warm air through a

  • If they're going to team up with people who pretend to know about cyber security, they might as well team up with Valve and put Valve Anti Cheat on the cars. That system works peeeeerfectly.
  • by koan ( 80826 )

    Auto Industry Teams Up With Military To Stop Car Hacking

    Yeah only good things can come from this.

    • Auto Industry Teams Up With Military To Stop Car Hacking

      Yeah only good things can come from this.

      Yeah.... it'd be like Monsanto and the IRS teaming up to make children's lunches healthier.

      • I'm sorry, they just don't have the broad expertise in mass food preparation. Sure, they can grow crops and tax stuff, but can they make billions upon billions of Happy Meals? I think not. We clearly need to outsource this to McDonalds and Coca-Cola.

        • I'm sorry, they just don't have the broad expertise in mass food preparation. Sure, they can grow crops and tax stuff, but can they make billions upon billions of Happy Meals? I think not. We clearly need to outsource this to McDonalds and Coca-Cola.

          When I went to high school, (mid-seventies) CocaCola already had the drinks contract, (probably why I can't stand the stuff today) and the food was worse than anything McD's had ever produced up to that time. Recognizable bone meal in the hamburger. Looking back, I realize now that the food would be considered bargain dog food today.

          • by koan ( 80826 )

            Did you ever get the weird lumps in the milk, that was the last time I ate cafeteria food and always brought my lunch after that.

            • Did you ever get the weird lumps in the milk, that was the last time I ate cafeteria food and always brought my lunch after that.

              Only once, and never ordered the milk again. (Maybe they were trying to drive us to the corporate sponsor, Coca Cola?) The cafeteria was a huge multipurpose room, and kids would buy the milk cartons to use as "hand grenades", throwing them high in the air across the room and learning important lessons about splash damage.

              Similarly, had the hamburger once, didn't do that ever again. The burrito was... ok. The pizza was ghastly. (How can you ruin pizza??) The hot dog... I don't want to talk about it.

              The

    • by gweihir ( 88907 )

      Especially if you consider that many military vehicles do not even have lockable doors...

  • I know we've talked about it in Slashdot, in the context of more and more electronics taking responsibility for control of the car, mesh car networks, Windows controlling and potentially driving your car, but really -- hyperbole aside, is car hacking a real thing? And if so, is it really an effective tool for terrorists? (Or is that -- "terrorist" -- what we're calling experimenters and hackers these days?)

    I mean, if someone is being proactive about what might be a terrorist vector, I guess that's ok, but

    • To answer your question: yes, car hacking is a real thing. It's widespread among higher-end cars, especially luxury models. However, it's usually limited to stealing the vehicles to be parted out and resold.

      To answer your second question: Terrorists? WTF are you smoking? It's probably more likely to be abused by law enforcement.

      • > To answer your second question: Terrorists? WTF are you smoking?

        Whatever I'm smoking, it doesn't appear to be working. I was referring to this line in the article:

        > in response to a growing threat from criminals and terrorists

        Criminals, that's a given. You had a great example. Terrorists? I'm having a hard time seeing the connection.

    • by ahaweb ( 762825 )
      Car hacking is real, they can make a journalist's Mercedes in Los Angeles accelerate so it crashes into a tree and explodes. Hypothetically.
  • Car manufacturers want to double-dip by tracking you using your car. When you pair your phone with infotainment system, they can sell real-time location data (your car's GPS) strongly tied to your identity. Even if you opt out of OnStar and such system, they are still active.

    You also get your car pwned remotely, because not only they track you, they failed to secure the interface, ether out of ignorance or "in the interest of national security".
    • Car manufacturers want to double-dip by tracking you using your car. When you pair your phone with infotainment system, they can sell real-time location data (your car's GPS) strongly tied to your identity. Even if you opt out of OnStar and such system, they are still active.

      Let's be realistic here for a moment. When is your cellular GPS data not your real-time location?

      There is no opting out of being tracked if you own a cell phone, whether you own a car equipped with OnStar or not.

      And you signed away that GPS data about 17 EULAs ago.

      • by sinij ( 911942 )

        Yes, correct to the above. Only now car manufacturers also can do what telecoms have been doing for some time.
         
        Also, some phone manufacturers allow you to turn GPS off. I am not aware of a car manufacturer letting you do the same.

        • Also, some phone manufacturers allow you to turn GPS off.

          That's irrelevant. Read up on DTOA, differential time of arrival. TL;DR: It's like GPS in reverse, with multiple cell sites used to triangulate your position based on your cellular radio emissions.

  • If you MUST have a remote-control door lock, make it something that requires very close physical proximity that is very hard to override.

    For example, have a receiver that is on the car-facing side of the door handle using a very-near-field communications setup. You swipe your "key" under the handle and the door locks or unlocks.

    Yes, it might be possible for a thief to make a small "reflector" and tape it to your car door near the handle, but that's one more step he'll have to go through and one more opport

  • If they want better security then stop with the unnecessary technology. I don't want a car that unlocks or locks every time I walk up to it or walk away. The GPS should be isolated, not integrated and should do it's best to maintain privacy. There should be no possible way in the world for a radio signal to control anything, but the door locks. Cars should not be as Ford says "A computer on wheels". I'm quite happy with my luxury car from the 90's and although some modern features are nice I really think it

    • Cars should not be as Ford says "A computer on wheels".

      Ah yes, Ford. They went to 32-bit PCMs when Hitachi at least (and Bosch too, I think) was still using 6800-family chips. A computer on wheels, indeed.

      How about simple reliable cars that people can actually afford to buy.

      Like a Ford Fiesta?

  • What is next? Shoplifters as terrorists? Or people that ride public transportation without a ticket?

    Seriously, this is far beyond mere ridiculous. Possibly, this utter idiocy results from a deep desire to classify all hackers as "terrorists". After all, they can do things! That seems to scare the government badly.

  • >> during tests hackers come out on top every time
    BUT BUT BUT INTERNET OF THINGS
  • This is what we will be faced with in a world with 'autonomous' cars, but even worse if they have no manual controls and people don't know how to drive a car: Some script kiddie (or actual criminal/criminal organization) will take control of your vehicle with you in it, and you will have no way to take control back. So-called 'autonomous' vehicles must have full manual controls with an unimpeachable manual override and there must be a trained, certified, licensed driver at those controls at all times!

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...