Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Transportation

Remote Exploit On a Production Chrysler To Be Presented At BlackHat 173

Matt_Bennett writes: A scary remote exploit is going to be published that enables someone connected to the the same wireless (mobile data) network to take over many [automobile] systems, including braking. This is an exploit in Chrysler's Uconnect system. Charlie Miller and Chris Valasek also demonstrated exploits in 2013 that could be done via a direct connection to the system, but this is vastly expanded in scope. The pair convinced Wired writer Andy Greenberg to drive around near St. Louis while they picked apart the car's systems from 10 miles away, killing the radio controls before moving on to things like the transmission.
This discussion has been archived. No new comments can be posted.

Remote Exploit On a Production Chrysler To Be Presented At BlackHat

Comments Filter:
  • by suso ( 153703 ) * on Tuesday July 21, 2015 @09:21AM (#50152321) Journal

    As I felt with their first video [slashdot.org], these "security researchers" play with the steering on a car moving 40mph on a public road. Now they've gone and done this. Playing with the driving controls on a 2 ton vehicle moving at 70 mph on a busy road.

    In this video they said "it wouldn't be anything life threatening" which shows that they don't have a clear view of reality in the situation. A seat belt won't
    you have a 70mph head on collision with a semi. The driver wasn't informed beforehand that he could bail out of the test by restarting the car, they waiting
    until he was panicing to try to tell him that.

    What if they made a mistake and turned the car into oncoming traffic? What if their computers were remotely controlled?

    Is the situation with car's vulnerabilities serious? Yes of course.

    Will this video help to drive home the problem to the public? Maybe, but probably not.

    Should they have done this demo on a public road? Absolutely not.

    Bottom line, when you are doing a test where there is physical risk, you need to be in control of the environment and not putting the public in harms way.

    This isn't your home computer and your email account. This is real life.

    • by Anonymous Coward on Tuesday July 21, 2015 @09:34AM (#50152409)

      Bravo gentlemen. The only way this will get the full and due attention of the media and the car companies is by demonstrating life-threatening risk in the UConnect system. If this were a track test, it would be dismissed by the car companies as contrived, and the media would rather talk about Trump. This will now assuredly end up on the front page unless killed by Chrysler via influence peddling. It's time digital security was a real concern when it comes to my family hurtling down the highway at 75mph in what can now be convincingly argued is a very real digital death trap.

      • Is the UConnect system optional or are they trying to make it standard on their cars?

        I had looked awhile back at a new corvette and last I heard you could NOT get the fscking OnStar system out of the car....

        So, wondering if this is another "feature" that isn't optional....

        Why is it so hard to get a car without it being fucking connected to everything? I just want performance, and nice looks...I drive a car, I'm not trying to do a spreadsheet while driving for God's sake.

        • by jenningsthecat ( 1525947 ) on Tuesday July 21, 2015 @12:16PM (#50153701)

          Why is it so hard to get a car without it being fucking connected to everything?

          Never mind that, why is it so hard to find fucking automotive engineers who have enough sense to keep the critical control buses and the frivolous entertainment/external communication buses separate and not connected to each other?

          I don't know whether this is the result of bean counters doing the shit they do, or the hubris of engineers who think, "they won't hack MY system!", but whatever, auto makers need to give their heads a shake and get their shit together. The fact that the exploit outlined in the article is even possible, at all, is just criminal.

          • I'm going to strongly speculate that it's about cost. Why? Because almost everything in business is about cost. Why duplicate things when you can reuse? Why put the wires and routing for two or three networks into a vehicle when you can put in one and run all the devices over them?

            And you'll see it elsewhere too. Those people with an IP routed, internet connected home security system - do you think that's on a separate network from their computer, their internet connected TV, etc? It probably isn't, eith
            • Thanks - those are all good points. Except the 'underestimating the lengths' part. We have more than a decade's worth of news stories about people who have gone to great lengths to hack hardware and software - sometimes because they want additional features, sometimes out of malice, and sometimes just to prove a point. I figure by this time there's no excuse for underestimating what people will do. I think you hit the nail on the head when you suggested cost as the reason.

    • by xxxJonBoyxxx ( 565205 ) on Tuesday July 21, 2015 @09:35AM (#50152419)

      Disagree, in fact I'll probably shake their hands at DEFCON (assuming they're there again).

      The fact that they demonstrated vulnerabilities and then showed automakers multiple ways how to avoid such things (#1 firewall or separate networks; #2 technology to detect and kill anomalous signals) and STILL the automakers shipped defective product...is the problem.

      >> Will this video help to drive home the problem to the public?

      No, but I'd expect a few class action lawsuits will get their attention. I've read a few attorneys' periodicals warming up trial lawyers for IoT product liability, and automakers and their big pockets are sure to be some of their first targets (I think I've seen one settlement already happen).

      • by suso ( 153703 ) * on Tuesday July 21, 2015 @09:45AM (#50152479) Journal

        I'm not really talking about automakers or the vulnerabilities of cars. I'm only saying that Valasek and Miller were irresponsible security researchers for conducting a dangerous test on public road. This is the kind of thing that will give all security research a bad name or at least bring it under heavy scrutiny.

        • Re: (Score:2, Insightful)

          >> dangerous test on public road

          I'd still rather have them do THIS when the systems aren't too popular than have some random swatter roll a minivan with 5 kids because he mistyped the IP address of the guy who just beat his speedrun. (Where "THIS" is a controlled test.)

          • by beelsebob ( 529313 ) on Tuesday July 21, 2015 @10:01AM (#50152615)

            But anyone sane on the planet would rather have them sit a car in a large, private, open space and demonstrate that they can control all of the controls without endangering anyone's life, especially people who didn't sign up to have their life endangered and were just driving down a public road.

          • by Isarian ( 929683 )

            Straw man. There's no reason these exploits couldn't have been executed in a parking lot (where, in fact, the rest of the test was performed). They would hold the same impact without endangering the public.

            This is the same reasons that dangerous medical research is performed in negative room pressure clean-rooms and vehicle safety crash tests are performed in controlled environments and not with vehicles on the interstate. You don't expose uninformed, uninvolved, and non-consenting members of the public whe

            • The vehicle was put into neutral. How is this any different than the loss of control of....running out of gas? Had this happen to me a couple weeks ago. I managed to merge from the left lane to an exit and eventually on the shoulder without rolling any vans.

              If you are unable to deal with an issue such as this happening, you really shouldn't be a driver as this is a common enough occurrence that they teach you how to deal with it in drivers ed along with what do do when your gas pedal is stuck or breaks f

          • by tlhIngan ( 30335 )

            I'd still rather have them do THIS when the systems aren't too popular than have some random swatter roll a minivan with 5 kids because he mistyped the IP address of the guy who just beat his speedrun. (Where "THIS" is a controlled test.)

            And what if the random swatter T-boned you in your car?

            Sorry, public roads are not for "testing". There's a reason why car ads all say "Professional drivers on a closed road" - because you can seriously injure someone else.

            Hell, these security researchers not only put thems

        • by gstoddart ( 321705 ) on Tuesday July 21, 2015 @10:12AM (#50152703) Homepage

          You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

          And, once again, we see that consumer electronics are almost completely incompetent at any semblance of security.

          Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicleâ(TM)s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek wonâ(TM)t identify until their Black Hat talk, Uconnectâ(TM)s cellular connection also lets anyone who knows the carâ(TM)s IP address gain access from anywhere in the country. âoeFrom an attackerâ(TM)s perspective, itâ(TM)s a super nice vulnerability,â Miller says.

          Which is pretty damned unbelievable if you ask me.

          In fact, it sounds like some pretty epic incompetence at security, and reaffirms that corporations need to be held to MUCH higher standards of liability with all of their computers, instead of just saying "oops, we didn't know".

          • by gtall ( 79522 )

            "You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security."

            No, it isn't, and that's a false choice. It is analogous to shooting a gun in crowded room, observing no one was hit, and then claiming it is a good way to show the police are not doing an adequate job of security. You'd better hope they don't pull this stunt again and cause the car's driver to lose control and wipe out half of y

          • by Anonymous Brave Guy ( 457657 ) on Tuesday July 21, 2015 @12:34PM (#50153857)

            You know, doing it in a real world setting and demonstrating it is a hell of a lot better than continuing to believe the lie these companies have done an adequate job at security.

            Not if it goes wrong and completely innocent third parties pay the price, it's not.

            I am struggling to believe that any rational and normally adjusted person would not see the deep ethical problems with the way this experiment seems to have been conducted, yet there are apparently multiple people in this thread defending it.

            Auto technology is certainly an area that needs a lot more attention and probably heavyweight regulation and laws with real teeth to prevent profits taking priority over safety and privacy. But this isn't the way you do it. In fact, this is the way you get the grown-ups to treat you with contempt and want nothing to do with your research, lest they become contaminated by your methods themselves.

      • They did not ship a defective unit. The unit was shipped worked fine. The problem was it was exploitable, which is not a defect, it is a lack of foresight.

        Any sufficient level of incompetence is indistinguishable from malice.

        • So you're saying it had a defect (the ability to exploit it), but it wasn't defective?

          In general, companies don't tend to know about significant defects when they actually ship the item. That doesn't mean that they're not defects.

          • by bws111 ( 1216812 )

            No, he is saying it is NOT A DEFECT. The cars are not designed to stop criminal actions. Is it a 'defect' that the windows can be 'exploited' by not being bullet-proof? Is it a defect that the body is not armored? Is it a defect that brake lines can be cut? Is it a defect that the car can be towed away by a criminal?

            • The cars are not designed to stop criminal actions.

              Mine has locks.

              • by bws111 ( 1216812 )

                The locks are a convenience feature and not actual security.

                • The locks are a convenience feature and not actual security.

                  This is Not true at all, the government has laws on vehicle security, intended to slow the rate of auto theft.

                  Automobile locks in the US MUST be certified their security.

                  See: "The Anti-Car Theft Act of 1992", "The Anti-Car Theft Improvements Act of 1996"

                  Your insurance company would refuse to offer theft insurance on your car if it was easy to steal.

                • What do you consider "actual security" then?

                  Because there's almost nothing under the sun that will keep out the most determined attacker by itself. Even gigantic safes, vault doors, etc, have a rating based on the number of man hours it's expected to take to breach them. The idea is that you want one that's long enough for the Police/SWAT/QRF to have arrived before the bad guys can breach it.

                  The locks on your car doors, alarms, etc are meant to deter and delay the casual intruder, and also to an exte
        • by sjames ( 1099 )

          That is what is known as a design defect.

        • by Coren22 ( 1625475 ) on Tuesday July 21, 2015 @12:48PM (#50153953) Journal

          From the nature of the exploits being described:

          They put this system on the CAN-BUS, which is used to control engine and control systems. There is NO REASON for an entertainment system to be on this bus. On-Star has the same issues. If you want these devices to have functionality that is on the CAN-BUS, it should be duplicated outside the CAN-BUS. Security researchers have been trying to explain this to the car industry for 10 years (at least) now, and the car industry keeps being willfully ignorant of the security implications of what they are doing. This is far past defect, it is more like intentionally dangerous and possibly malicious.

          • There is NO REASON for an entertainment system to be on this bus.

            My car has precisely one display on the dashboard, used to display all information, from radio frequency to fluid levels to outside temperature. I like having all of this information on one display. The only way to accomplish this is to have the entertainment system connected to the car's bus.

            • None of those items are required to be on the CAN-bus. However, if they are CAN-bus sensors, there is no requirement for them to be on the same bus that controls the engine/steering/transmission/brakes/accelerator.

              https://en.wikipedia.org/wiki/... [wikipedia.org]

              This is an operational communications bus used for the engine to comunicate to the computer. There are already several buses in a car, so it isn't like this hasn't been done before. There are also one way communications firewalls like the AC above me suggested c

      • by Mr D from 63 ( 3395377 ) on Tuesday July 21, 2015 @09:54AM (#50152555)
        Doesn't it matter what it takes to make this exploit work? For instance, if you have to physically access the vehicle and do something in order to enable the remote exploit. There is a widely know physical exploit called cutting the brake lines, but manufacturers are in no way responsible for creating hard to access and cut brake lines.

        These articles often are vague on the implementation requirements to achieve the exploit. That matters, IMHO.

        With that said, standard control architecture practices should keep the key controls like steering, braking, acceleration, etc separate from the data monitoring and other systems, and where you can't separate entirely there are methods to manage that as well.
        • by pixelpusher220 ( 529617 ) on Tuesday July 21, 2015 @10:21AM (#50152755)
          They aren't vague, it's the defined system by which the car connects to the internet, Uconnect. They accessed that over the internet from 10 miles away and controlled the car. This is no different than them using a buffer overflow exploit to gain remote access to a web server.

          It's a perfect example of why encryption back doors are a fools errand. I'm sure it would be nice to stop a criminal who stole your car by turning off the engine...but that opens up the ability to remotely turn off the engine that could be used by anyone gaining the appropriate access. You can't make remote connections 'secure', only levels of security that come with risks.
          • So, you are certain that they connected to a particular car that they had not accessed at all in any other way prior to hacking? I don't think it is clear at all on that part.
            • The video states that there was nothing done to the vehicle prior to the test. It's an internet connected computer, it has a specific address. Whether that's done via hacking the Uconnect servers that then relay commands to the car or by connecting directly to the car is really besides the point.

              Obviously the former is much easier to close, but since the 'fix' is a USB delivered patch me thinks they are directly connecting to the vehicle.
              • OK, that helps. Thanks. I just brought it up because it gets overlooked often in these types of articles.

                I guess I'll have to watch the vid, but cant' at work...., will be interesting to see how they knew the address of that particular car......did they find that specific car via owner account/name after hacking Uconnect?
      • by fred911 ( 83970 )

        "STILL the automakers shipped defective product...is the problem."

        Chrysler has been doing this for years. Perfect example is the head-gasket on the Neon. They produced an upgrade repair but NEVER upgraded the product.

      • by Yunzil ( 181064 )

        The fact that they demonstrated vulnerabilities and then showed automakers multiple ways how to avoid such things (#1 firewall or separate networks; #2 technology to detect and kill anomalous signals)

        Or, I don't know, how about not hooking up the car's controls to any network at all? Why is that even a thing?

        • Or, I don't know, how about not hooking up the car's controls to any network at all? Why is that even a thing?

          The brake lights work better when they are connected to the network of wires that connects the front end of the car to the back end of the car.

    • As I felt with their first video [slashdot.org], these "security researchers" play with the steering on a car moving 40mph on a public road. Now they've gone and done this. Playing with the driving controls on a 2 ton vehicle moving at 70 mph on a busy road.

      Excellant points. They could have made just as powerful a statement in a safe environment instead of running a test on an open road where they would endanger the driver and others if something went wrong. Expecting someone "not to panic" when they find themselves slowing down with no escape route and a semi on their tail is stupid at best and criminal at worst.

      They had the ear of some powerful Senators. You want to get things done? Find a safe place to show what you can do, such as a parking lot where the o

    • At least they're assholes in the public interest. Is what they did borderline criminal? I'll leave that up to public opinion. But what they've done is justify the fears that many may have had, that what they've seen in movies and television shows isn't fiction but reality. They're not be the heroes we need, but perhaps they're the heroes we deserve. Be thankful at least that no one was injured, and that the truth about this was revealed.
    • by gl4ss ( 559668 )

      to be fair, the "10 miles away" is arbitrary.

      "anyone who knows the carâ(TM)s IP address gain access from anywhere in the country. âoeFrom an attackerâ(TM)s perspective, itâ(TM)s a super nice vulnerability,â Miller says."

      though, I have to ask, why the car has a public facing IP in the first place? sounds like waste of ip. I assume it's provided cellular provider, which would make most of them sit behind.

      still pretty shitty design though.

  • As much as I want to lay the blame for this on it being a Chrysler, now Fiat, product it seems that all auto makers are making a mad rush to have these hyper connected cars. My current car has features I couldn't care less about but is still mostly mechanical linkages and not drive by wire, I'm not sure what I will get when I have to replace it as shortly after it was made the silliness of connected cars started taking off. Maybe I'll just have to get my MG Midget restored before I have to replace my curren
    • The last full-mechanical car which is vaguely recognizable as "modern" (it featured many firsts we now take for granted) is the Mercedes W126, e.g. 300SE, 300SD, 420SEL... The gassers get pretty poor mileage, though. The diesel will actually continue to operate (in spite of the automatic transmission — which is cable-controlled, and lacks a lockup TC, but does have OD in fourth) if the electrical system goes away completely. It can also be pull-started, in spite of the automatic. Push-starting, howeve

      • Re:Fix It Again Tony (Score:5, Informative)

        by Anonymous Coward on Tuesday July 21, 2015 @10:00AM (#50152607)

        I've taken all the sub-systems out of a 2005 Subaru WRX to build another car from the bits. Although there are a lot of electronic modules, very few of them are connected to each other. The cruise control, airbag, ABS, climate control, heating, entertainment, lighting, and engine control systems are all completely independent from one another. I can 100% guarantee that a compromise in any one of the systems cannot be used to control any of the others on this car.

        My experience tells me that it's mostly cars from the past five years or so that are vulnerable to this type of exploit. Anything pre-CANbus has pretty much zero chance of having complex interconnections. Even most early CANbus cars only use the bus for mundane stuff like sending speedo and tach signals to multiple systems. It's a pretty recent trend to start adding things like door locks and brakes to the main bus.

      • I have been driving BMWs mostly for the last 20 years and they up until recently seem to have stayed away from the excessive electronics at the base trim options. My current car is an 2002 325i (bought used a couple of years ago) with a manual transmission. It doesn't have the fancy infotainment center so when the head unit started flaking out it was just a simple replacement with a ~$100 aftermarket one. It also doesn't have an interment connection or stuff like that. the steering wheel still has a mechani
      • I've worked for a bit on my girlfriends W126 (a 500 SEL, it was her dad's car, bought in '82). It's a nice mechanic's car and easy to work on even for novices like myself; if you want a "project car" that offers plenty of comfort, and if you don't mind the crappy milage, then I would recommend the Benz. Just check for rust in the usual spots.
    • by mjwx ( 966435 )

      As much as I want to lay the blame for this on it being a Chrysler, now Fiat, product it seems that all auto makers are making a mad rush to have these hyper connected cars. My current car has features I couldn't care less about but is still mostly mechanical linkages and not drive by wire

      Drive by wire is not inherently bad. A lot of very good cars have DBW now.

      The problem is that drive control systems are being connected to entertainment and communications systems that have links to the outside world.

      There should be an air gap or at the very least a one way connection (as in the Tx pairs physically cut) between systems that have access to drive/engine controls and systems that have connections to the outside world. Sadly this wont happen until someone actually dies because of it (and

    • by ceoyoyo ( 59147 )

      They rated cars on various factors that they thought would predict vulnerability to hacking. The Jeep they hacked rated highest, IIRC, but right up there with it were the Escalade and a Lexus sedan. It's an industry-wide problem. Actually, it's worse than that. These things are really baby SCADA systems, and SCADA security is pretty crappy in all industries.

  • by Archangel Michael ( 180766 ) on Tuesday July 21, 2015 @09:49AM (#50152511) Journal

    I point you to Admiral Adama of (Battlestar Gallactica) wise words ... "Do not network the ships computers"

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 21, 2015 @09:58AM (#50152585)
    Comment removed based on user account deletion
  • by Anonymous Coward on Tuesday July 21, 2015 @10:10AM (#50152693)

    The Uconnect system is one buggy piece of software. Most of my interactions with the system is working around bugs. It updates without you knowing about it in the middle of the night over the Satellite system. It is very order dependent on things working correctly (even though running an automobile isn't that order dependent. The fact that there are remote issues doesn't surprise me all that much. I had a day where the tire system when bonkers and was reporting all sorts of surprising things. Then it stopped. I have had the car not start in a particular order. I have accidentally had the car started and instead of turning off, grind the starter. And because it is all software driven, there is nothing to do but wait. It is also tied into the Media system and bluetooth where I have a lot of interactions that just do not seem to work all that well. But I have been well trained on how to get it to work, until the fix a bug or add a new one, and my workflows have to change.

    • I hope you did not buy the vehicle that you are having problems with. If so, I would seriously looking at returning it for a full refund as defective merchandise.

      I am guessing all new cars are off the list now. GM has OnStar, Ford has shit that remembers where you drive, and Chrysler has buggy, remotely exploitable software. All of them have stuff that let's someone else control your vehicle.

      What the fuck? Who would buy something like that? Perhaps the consumer just does not know...

  • Not an issue, just patch it... It doesn't take that long, nor is it that hard...

    On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”

    You can be sure any new vehicles will have the fix too.... Nothing to see here, move along...

    • by Jaime2 ( 824950 )

      Just patch your car

      Maybe in this case it's feasible. My Mazda3 cannot be customer patched and the dealership hates to do it because it takes two hours to do, but the factory only pays them for an hour of labor. I have zero trust that the auto industry will figure out patch rollouts in the near future. Also, even if they get patching right, it will just put them in the same shape that computers are now - which is sad shape.

    • by ceoyoyo ( 59147 )

      Sure, that worked so well for operating systems. And smartphones. After those had been patched once or twice there were no more exploits ever.

      If your smartphone gets hacked it's annoying. You format it, install the security update, and hope it doesn't happen too often. If your brakes get hacked you've got a bit bigger problem.

  • If the "car" part of the car were completely disconnected from any "outside" communication, the problem would go away.

    Now, there are times where allowing outside control of the car is useful, such as remote-start of the heating and A/C systems so the car isn't an icebox or oven when you get in, and (perhaps) a remote-slowdown or remote-prevent-engine-start command as part of an anti-theft-system, but if you are going to do this, you have to do it right and you have to assume that even if you do it right, so

    • If the "car" part of the car were completely disconnected from any "outside" communication

      my car has an FM radio

      can you break in through it?

  • by ShooterNeo ( 555040 ) on Tuesday July 21, 2015 @11:08AM (#50153167)

    I remember thinking in the 90s "no one would be stupid enough to put safety critical computer systems on a network at all..."

    And, here we are.

    If someone gave me a blank sheet of paper and asked me to sketch out the system for a car's braking controller, I'd slap down a CPLD or microcontroller, and have it use some locked firmware to read the various sensors and send out the control signals.

    Oh, they want networking? I'd isolate or use the inherent properties of a CPLD/FPGA programmed in combinatorial logic style (you can program a CPLD/FPGA to act like a microcontroller instead which is vulnerable)

    In combinatorial logic style, all the processing is through various gates, and is a boolean combination of flip flops and logic gates. So, say they want the ability to read(but not alter) the current state of the vehicle's brakes. A tiny communication processor (a low pin count PIC is one choice) would receive from the vehicle's CAN bus the command to give the vehicle's brake state. The communication processor would toggle high an outpin pin connected to an input pin on the microcontroller/CPLD that actually controls the brakes. That high pin state would mean that every few control loop cycles, the microcontroller/CPLD would blast out the current state on a serial output pin.

    Note that there's no opportunity for a hacker who got into that communication processor to do any worse than toggle a pin on and off. No effect on the steering/braking.

    Ok, maybe now we want to be able to change the "style" of steering and braking. So now there's a finite set of legal states that are stylistically desirable. That's when you'd isolate with the inherent property of an FPGA/CPLD state machine to not be capable of any other states BUT the states you defined. (there's no global memory and no stack, so nothing a hacker can do to affect the machine's behavior)

    • by Jaime2 ( 824950 )

      The answer is easy; no one who really cares about security was at the design table.

      Also, custom circuits seems to be expensive in the auto industry. I recently had to replace a daytime running light controller on a car - it cost about $130. I opened up the old one and it was nothing but about 20 discrete through-hole components on a custom circuit board, mostly transistors and resistors. If you build everything on a programmable general purpose platform, you only pay the hardware costs once.

      • it cost about $130.

        silly silly you, buying new parts to put in a used vehicle. It would have been $15 at a junkyard.

  • by kheldan ( 1460303 ) on Tuesday July 21, 2015 @11:29AM (#50153333) Journal
    Laptops have had hardware power switches for their transceivers for a long time now, if autos are going to have wireless access to their systems then why the hell isn't there a kill switch for that transceiver so the owner of the vehicle can turn it off?
  • by tompaulco ( 629533 ) on Tuesday July 21, 2015 @12:04PM (#50153613) Homepage Journal
    Why does a car have a wireless system, and why is this wireless system accessible from outside the car?
    • by jc42 ( 318812 )

      Why does a car have a wireless system, and why is this wireless system accessible from outside the car?

      So that the manufacturer can access the car, collect data on where and how it's been driven, and sell that information to anyone willing to pay for it.

      The idea of sending "data" to the car was an afterthought, when they realized it could be useful for things like disabling a car that's behind on the payments.

      Note that both of these motives contain the string "pay". That's the hint you need to figure out the other intended uses. ;-)

  • I am not a security expert, but does it strike you as insane that a car apparently has a public IP address? Anyone whatsoever can just portscan your car and look for vulnerabilities. I just have no words.

    • it is equally shocking that corporations like amazon.com have public IP addresses, anyone whatsoever can portscan them and look for vulnerabilities.

      • Amazon.com provides public services over the Internet by design. It would be pointless for them not to, as the whole point of the company existing is to do so.
        A car's purpose is to move its occupants from point A to point B. It has zero need to provide any public Internet services, so why the hell does it need to be publicly accessible over the Internet?

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...