FBI Warns That Car Hacking Is a Real Risk (wired.com)
An anonymous reader writes: The FBI and the U.S. National Highway Traffic Safety Administration are voicing their concerns about the potential risk of cars being hacked. In an advisory note, they urge the public to be aware of cyber-security threats revolving around connected vehicles. From the advisory, "Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience. Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats." They are also advising drivers and manufacturers to ensure the vehicle software is up-to-date, and to keep an eye out for recalls.
Okay, this is getting ridiculous (Score:2)
Is anyone compiling a list of new cars you can get without this crap in them?
Re: (Score:3)
Yeah, it's pretty simple: don't get a car with OnStar (I think there's a competing service out there like this from one of the other makers), and don't pair your Bluetooth phone to the car. Voilà! Your car is now immune to hacking.
If there's no way to actually communicate remotely with your car, then there's no way to hack it remotely.
It would be nice if the system architectures in cars were open and all their interfaces publicly documented, so we could see what attack vectors are possible. A well-archit
Re: (Score:3)
I wouldn't be so sure about this... high line TPMS sensors can be commanded to report using a LF transmitter. This triggers the sensor to broadcast its status, thereby allowing the capture of the sensor's serial number. Even low line sensors transmit every 5 to 10 minutes. With a little patience, one can copy and replay the TPMS sensor data... modify it to show low tire pressure and high temp, etc. and cause the console to show a tire flat condition. Admittedly a lame hack, but easy way to vex a partic
Re: (Score:2)
Not all cars have TPMS sensors. Mazdas don't; they use a cheaper method with the ABS system that just looks for differences in tire rotation rates over time. It's of course not as sensitive or convenient as the systems with sensors, but it's cheaper and you don't have to worry about batteries dying, tire shops screwing them up, having to buy a new set for your winter tires, etc.
Re: (Score:2)
Two problems here:
2012 was 5 years ago (model year wise). They don't make those cars any more.
ABS has been standard in all cars since the 1990s. There's absolutely no possibility your 2012 cars don't have ABS, unless you're in some 3rd-world country where it's not required.
Re: (Score:2)
Wow, that's really crappy. My 1994 Integra had ABS, and it wasn't exactly the most expensive car on the road back then.
A little bit of research shows that apparently, ABS was not mandatory in the US until 2012 when it was required in conjunction with electronic stability control (ESC).
Why on earth would you buy a car so cheap it doesn't come with ABS? If you're that hard-up for cash, you can get a much better deal on a used car than getting a stripped-down new one.
Re: (Score:2)
All you need is a vulnerability in the TPMS parsing code, and you have an exploit of the module that houses it. Near 100% odds that module is on a CAN bus and could be your foothold into more destructive systems.
As far as cars that “don’t have” TPMS, don’t be so sure that absence of the light on your dash means it’s not there. I’d be shocked if there aren’t at least some vendors that ship one system with a radio receiver integrated for all models. Program it to n
Re: (Score:2)
As far as cars that “don’t have” TPMS,
All cars sold in the US are *required* to have TPMS, and have for several years now.
Not all cars have TPMS sensors inside the wheels; many cars use a passive system instead as I described earlier. The passive system is cheaper and simpler.
It's very doubtful there'd be a radio receiver for a car with passive TPMS, because that model is going to have that same system in every market. Radio receivers cost money, and they're not going to spend money p
Re: (Score:2)
Don't forget about the most popular radio receiver in the car... the actual AM/FM head unit. FM broadcasts have a sub-channel for providing the name of the song, the name of the artist, etc. which is displayed on the infotainment system. One does wonder how secure that system is too. These systems are admittedly harder to compromise than say, the insurance industry's OBDII dongles, or the cellular data systems, but they are all there and all present a little opportunity to hack in. The funny thing is, j
Re: (Score:2)
<slow clap>news for nerds, AC's sexual fetishes that matter</slow clap>
Re: (Score:1)
Yeah, it's pretty simple: don't get a car with OnStar
Can you even get a new GM vehicle w/o OnStar?
(I think there's a competing service out there like this from one of the other makers),
I don't know how many of those currently ship models w/o this, but I imagine it won't be too long before you can't even buy a vehicle that doesn't come with this.
I don't know about the newest vehicles, but I have two GM cars from the early 2000's that came with OnStar. It was 2 or thr
Re: (Score:2)
How many of these systems actually have cellular modems? My Mazda doesn't; it relies on Bluetooth from your phone for any kind of remote data. I was under the impression that most automakers except GM were like this these days. That cellular connection is extra money just for the hardware (Bluetooth radios are cheaper), plus someone has to pay the cellular provider for the monthly data charge.
Re: (Score:3)
No Mazdas do. That system is available for my car, but if you look closely at the site you'll find this nugget:
"MMS hardware must be purchased and installed in your vehicle."
The car, from the factory, does not have a cellular radio for this system to work. So to get MMS, you have to purchase the system and have it installed, which obviously includes a cellular radio. And of course, you have to pay a yearly fee for it to keep working.
Of course, there's no telling if it'll stay this way or if they'll forci
Re: (Score:1)
Fuck off, asswipe.
Re:Okay, this is getting ridiculous (Score:5, Informative)
Yeah, it's pretty simple: don't get a car with OnStar (I think there's a competing service out there like this from one of the other makers)
I'm afraid your information is out of date there. Maybe it's different where you are, but if you look through the web site of almost any mid-range or high-end brand here in the UK, connectivity features are all the rage and pretty much everyone now has them.
Audi has Audi Connect [audi.co.uk].
BMW has various features including Teleservices and Emergency Call [bmw.co.uk].
Volvo has Sensus [volvocars.com].
Ford has Ford SYNC [ford.co.uk].
And the list goes on. Some of these seem, at the moment, to be primarily about things like hooking in your phone, presumably so you can do exciting things like kill someone while distracted by your car awkwardly mispronouncing the e-mail you just received. A few, the Volvo Sensus for example, sound downright creepy to me in terms of auto-updating software in your vehicle without any user interaction.
And if you think every major car manufacturer and every major car insurer isn't eyeing up the possibilities of phoning home with driver performance data whether you like it or not, I know a prince in Nigeria who has a really great offer that might interest you.
Re: (Score:2)
And if you think every major car manufacturer and every major car insurer isn't eyeing up the possibilities of phoning home with driver performance data whether you like it or not, I know a prince in Nigeria who has a really great offer that might interest you.
Insurers, perhaps, but manufacturers, I'm not so sure. If they really wanted to, wouldn't they have done so by now? But not every carmaker has put a cellular modem in their vehicle yet. Perhaps the cost of the cellular service per-car isn't worth t
Re: (Score:2)
uConnect does have cellular - they're Dodge. You see it in the Ram, Charger, Jeep, etc...
If you want something without it then go for a fleet vehicle. You can order them by going to the dealership, you don't need to buy them in bulk. I've never ordered any online and never noticed a way to order them online. You probably can.
My suggestion is to find a nice, reasonable, older car and get it fully restored and then maintain it properly. It's usually much nicer on the environment than the costs that go into mak
Re: (Score:2)
Insurers, perhaps, but manufacturers, I'm not so sure. If they really wanted to, wouldn't they have done so by now?
Realistically, the two have to go in sync, because manufacturers with phone-home technology are only likely to directly profit from it once they have deals in place with insurers or other third parties.
Perhaps the cost of the cellular service per-car isn't worth the data they'd get from it.
That is extremely unlikely, particularly when high-end cars increasingly have built-in data connections for sat-nav and similar facilities and these features are slowly working their way down into the mainstream.
Finally, you've already proven my point. The systems you list do not have any kind of data connection.
Some do, some don't. Volvo cars with their Sensus scheme do, for example. As I said in my first po
Re: (Score:2)
Just because you didn’t pair with Bluetooth doesn’t mean there isn’t an attack against the BT stack. Anything with an antenna attached to anything with a processor can be fuzzed remotely. Best-worst case is you overrun something and DoS it, causing “weird” stuff for the interface in the car. Worst-worst case is you 0wn it and have access to the CAN bus to do more.
Michael Hastings (Score:2)
Re: (Score:3)
Yes, here it is:
1.
Re: (Score:2)
Suddenly.... having to replace your points occasionally or clean out a needle valve is looking quite attractive isn't it?
Re: (Score:3)
All of my cars were made in the '90s. They all have electronic fuel injection, but none of them has a transceiver (other than the AM/FM radio). No need to go back to carburetors, unless you really want to for other reasons.
(And yes, I drive cars that old on purpose, because of this issue.)
Re: (Score:2)
My Mazda was made in 2015, and it has a bunch of receivers: AM, FM, XM (yuck), GPS, and precisely one transceiver: Bluetooth. If you don't pair it with your phone, it has no ability to connect to the outside world.
Re: (Score:2)
How sure are you of that?
Even if you weren't neglecting the other obvious communications devices -- the ones to communicate with the tire-pressure monitoring system, the keyless entry / push-button start, etc -- I would have no confidence whatsoever that there wasn't a cellular modem hidden away somewhere, just waiting to be activated by a Stingray or something. Hell, even if they did
Re: (Score:2)
How sure are you of that?
I'm 100% sure of it.
Even if you weren't neglecting the other obvious communications devices -- the ones to communicate with the tire-pressure monitoring system,
There's no such system in my car. It uses passive TPMS.
the keyless entry / push-button start
You have a point there, I did overlook that one. It does have keyless entry. However it's one-way: the car has no way to transmit back to the keyfob, it can only receive. You can't communicate with something over a one-way data li
Re: (Score:2)
Does your radio support metadata for song title etc. transmitted over FM? Lots of even older cars had the capability even if very few radio stations in the US transmit anything. Wouldn’t surprise me much if even some basic radios that don’t have screens to display the info are ultimately built on chips that include the decode capability & just never display it. Find an exploit in the parser for metadata, 0wn the radio. Is the radio on CAN bus? Good chance that it is. Next stop, the ant
Re: (Score:2)
I have three cars: a '90 Miata, a '96 Ranger (with an aftermarket radio that does not support metadata), and a '98 Beetle TDI. Only the Beetle has any chance of having a CAN bus, and I don't think it does because the early '98s actually used some leftovers from the VW MK3 platform instead of being proper MK4s. For example, my Beetle is one of the few that came without anti-lock brakes, and when I got a chip tune the tuner had to de-solder the memory to re-flash it instead of uploading the tune via the OBDII
Re: (Score:2)
My better half has an '01 VW Cabi (another MK3.5...). It's not standard CAN bus, but it does have a fair bit of integration between the various modules, all accessible through the OBD port. Radio is queryable (or was when it was still factory...), which suggests that attack against radio would be a starting point to the rest. The other "interesting" stuff like ABS, etc. shows up too. It's not as strongly integrated as the newer standard CAN bus V/A Group cars are, but still a lot of stuff that can talk to o
Re: (Score:2)
I know, tbh even my most recent motorcycle had fuel injectors.
Though, I do occasionally think there is some benefit to using technology I can reasonably disassemble and troubleshoot. I would rather not do it, but I feel more comfortable rebuilding a carb, though in truth fixing the new car is probably easier...nothing to rebuild, the equivalent job is done by parts that you would just junk and replace rather than clean or repair.
Re: (Score:2)
Another neat option for the paranoid would be a '70s or '80s Mercedes diesel. Those things had completely mechanical fuel injection and (obviously) no ignition system, so if you were willing to bump-start the car it could be used with no electrical system at all. Totally EMP-proof.
Re: (Score:2)
Is it really even paranoia? Sure an EMP is very unusual but, we certainly have the ability to make them and there are some rare natural events that could cause similar disruptions; and forget EMP, far more mundane things can happen to remove one from easy access to the comforts we know and love today.
There are a whole host of scenarios that, while each one is of very low probability of happening on any given day....given a time horizon of a few decades, the probability of one of them happening gets pretty hi
Re: (Score:2)
Is anyone compiling a list of new cars you can get without this crap in them?
Cars are expensive. It likely doesn't take all that many people to say "thanks anyway" and walk off the lot before the message is received.
Re: (Score:1)
Cars are expensive. It likely doesn't take all that many people to say "thanks anyway" and walk off the lot before the message is received.
Until a major incident occurs, damn near everyone in the public will remain totally oblivious to this issue. I've brought it up in conversation with quite a few tech people I know and not one has thought about it at all, and most never knew it was an issue.
Re: (Score:2)
I think he's talking about car salespeople, not tech people.
Re: (Score:2)
VW is selling completely restored and refurbished beetles from the 60's at very competitive low 20Ks. My next car will be one of these... or a dump truck or a mining truck (you know, the ones with tires 10 feet high).
Same pollution per mile in those options. Although I would likely go with the haul truck (that is what they are called), I wouldn't mind having a 5MW mobile generator on hand just in case.
Re: (Score:2)
There is! The car you are looking for is called a Used Car and as an added bonus it is significantly cheaper than any new car on the market! Even better, with the money you save you can purchase a full set of tools to maintain and repair the car, so you won't need to take it to an overpriced mechanic!
Seriously? (Score:5, Insightful)
Re: (Score:2)
Indeed. I was just going to post that phone hacking is also a Real Risk.
Re: (Score:2)
Agreed there is no way the Government can win, since if they outlaw encryption only criminals will have encryption. And Apple turning off encryption does NOTHING to help or hinder the government, since the bad guys would simply add their own as you say. However, if they turn it off, then everyone else suffers since they have no security - which Apple currently provides. Not all of Apple's several hundred million iPhone users are geeks. I would hazard a guess that most aren't.
Re: (Score:2)
I think the FBI is content with having a publicly known method (IE real courts, not FISA) that they can access devices of not-all-that-savvy criminals via standard warrant procedures. I doubt there are many at FBI that believe they can actually stop a highly dedicated adversary from using off the shelf encryption to prevent access. They’re looking for a non-extralegal way to get the low hanging fruit.
For everything else, it’s entirely plausible that NSA has a catalog of bootloader exploits for
Re: (Score:2)
No.
The FBI is in a legal battle with Apple, because back in 2013 Apple didn't try hard enough (in hindsight) to protect consumers from people breaking into the computer Apple was selling at the time. Thus it turns out that with some minor changes to its firmware, it'll be pra
Re: (Score:2)
They're not bruteforcing the crypto. Not really. They're bruteforcing the PIN. It's not really a semantics argument. At least not in my head. This is just attacking the implementation of the crypto and not the crypto itself. Make sense?
You can't have it both ways... (Score:5, Insightful)
Re: (Score:2)
That's because you don't understand their logic.
Their logic is that what they want Apple to do is to put in a back door so they can get the data on anyone's iPhone. They simply don't believe that this back door could possibly be used by anyone else.
It's just like those dumb TSA master keys.
Re: (Score:2)
Some people speculate the FBI would like to mandate broken security. That's a believable speculation (and it got more believable after the president's "black boxes" comment); I am not going to say you're wrong.
But if you're trying to imply the Farook iPhone 5C case is about mandating broken security, then you are definitely wrong. That particular phone already has broken security.
(How do we know it's already broken? Because the FBI has identified a plan to bruteforce the crypto in a reasonable amount of tim
Re: (Score:2)
Be afraid. Be very afraid. Sincerely, the FBI.
PS: We are here to protect you.
Classic Cars (Score:3)
Re:Classic Cars (Score:5, Interesting)
I sympathize, but don't get in no accident. I remember my little rocket from '94, fun but no sun-roof, no power windows, no power locks, had to jury-rig a chirp-chirp alarm/kill-switch, no side-airbags, no anti-lock brakes. Fast, but it did NOT crash well.
Not quite the suicide machine as my college car, a '72 Olds with NON-POWER DRUMS on ALL WHEELS (you had to stand on the pedal to stop hard... if it worked at all due to a flaky master cylinder), but still, by today's standards, even my '94 was a death trap.
Now, we're going to see all cars with automatic braking in six years [computerworld.com]. More electronics, more complexity. But if it works, it will save lives. Shit, I used to think anti-lock brakes were too complex to mass-produce and work well, like I didn't want some jiggy contraption getting between me and my brakes. Sho' nuff, it's 2016 and they work great. They even got 'em on motorcycles [americanmotorcyclist.com].
So, particularly if you got kids, you're way better off in a new car than taking your chances in some old bolt bucket. Maybe car hacks raise the risk of theft, but older cars are child's play to break into. Maybe some monster hack might tinker with your car while you're driving, and that would be bad, but I'll warrant the BEST ODDS of that happening to you are TINY compared to being T-boned by a drunk. So, you're WAY better off in a new car, hackable or no.
Re: (Score:2)
I love my '98 Volvo V70 wagon. Most comfortable car I've ever had. I travel and rent a lot of the newer cars and none of them I'd want to have to spend +$30k to "upgrade." Yeah, the new Avalon is very nice, but not $30k nicer. Did I mention that I got the V70 for $1,800. It has traction control, ABS, power windows, 4 wheel disc, sun roof, and the nicest power leather seats.
Even my 2001 Volvo S60 has side bags.
Re: (Score:2)
Oh, it has a fucking ashtray too!
Re: (Score:2)
Ashtray??? Fuckin' WORD!
Kids today expect cupholders, but back in the day we had ashtrays! My '94 had back seats that no-one bigger than a tween would fit into, but they had a fuckin' ASHTRAY!
Re: (Score:2)
Even my 2001 Volvo S60 has side bags
Side bags? How quaint? Why would you want airbags? The current Volvo S60 barely crashes at all with collision avoidance systems, auto braking on the highway, lane keeping technology, driver alertness detection, better automated highbeams, adaptive cruise control, queue assist to help you not screw up in stop / start traffic, cross traffic alert while reversing, and some other older features like traction control too.
Point is, for every "good car" you can quote from 15 years ago, if you compare them to curren
Re: (Score:2)
From now on I'm only buying cars built in the 20th century.
I've got a 93 Escort Wagon that I'd let go... for the right price.
More seriously - I use this thing mainly for the few-mile trip between our house and the transit station. It's been pretty reliable, all things considered, and has saved us a ton of money (having to put $1000 or so into it every two or three years is nothing compared to most car payments). But we are looking at replacing it mainly because I don't particularly want my daughter driving a car without air bags or antilock brakes.
Re: (Score:2)
Dude, that car is your namesake. It's your moniker. You can't just let that go. That's against the rules. It either needs to be kept and treated accordingly, perhaps like a shrine or, alternatively, it needs to go out in spectacular fashion which may, or may not, cause injury, maiming, or death. Seriously, you can't just let that car go. No way... That'd be against some sort of rule. I don't know which rule but it's certainly a rule.
At the very least, it needs to go in spectacular fashion. This can be as si
Re: (Score:2)
Knowing me, I'll find a way to hang onto it. Thank you!
And the only thing that'll save us... (Score:2)
Therefore we need LESS encryption, right? (Score:1)
Your friendly neighbourhood FBI agent.
The manufacturers should be forced to... (Score:1)
Wait until they claim they need access (Score:2, Insightful)
Yeah, and next week the FBI will say they need to be able to remotely control/track our vehicles to be able to catch terrorists -> criminals -> tax evaders -> jaywalkers -> politically inconvenient people. It will be totally secure though, because only the FBI/Government will be able to do it, and it's completely legal because of 16th century English common law and they have secret court rulings we can't read to back them up.
FBI's help? (Score:1)
No kidding.... (Score:2)
The Real Threat (Score:1)
It IS the real threat! (Score:3)
You say that like you're trying to make an Onion-style joke headline, but -- like the Onion often is -- it turns out to be more valid than you think.
However, I'd say the bigger threat in that case [wired.com] is copyright law and DRM, rather than the FBI.
new automatic brake rules (Score:1)
promoted in the spirit of safety (which is laudable in an era of distracted driving, etc)... but, did anybody else see this as a way to mandate that law enforcement had a means of remotely/electronically disabling your vehicle?
http://www.usatoday.com/story/money/cars/2016/03/17/automatic-emergency-braking-coming-all-cars-2022/81907516/
Naturally, for your own safety... (Score:3)
The FBI would like to have the keycodes to open every car in America. It stands to reason that terrorists are using cars to get around their bombing/gunfight missions. To screen for potential terrorists, the FBI will now use the All Writs Act to force all car manufacturers to give the FBI the key to every car sold.
Is this why Verizon (and now Sprint) block IRC? (Score:1)
"Before the researchers report was released, the cellular carrier for the affected vehicles blocked access to one specific port (TCP 6667) for the private IP addre
Re: (Score:2)
I still use IRC and no network I know of only uses that port. Heck, a couple even run servers that will take connections on any port.
good guy with backdoor access (Score:3)
The only thing that can protect you from a bad guy with backdoor access to your secured system is a good guy with backdoor access.
Government be like (Score:1)
Hey I know you are trying to patch the security holes in your product but please, just for us (wink wink), add a security hole for us to get in...
Dear FBI.... (Score:3)
Dear FBI,
No shit.
Signed,
Everyone in the universe who's been paying attention
how long has captain obvious worked for the FBI? (Score:2)
Wasn't this in the news over a year ago? I thought by now everyone knew this... I guess not the US Gov...much like the fact that you can do things... good and sometimes bad with computers.. this must be a recent and frightening revelation for them.
...but they need to be able to do it (Score:3)
Unintended consequences (Score:2)
The internet of things (Score:1)