Jeep drivers can be HACKED to DEATH: All you need is the car's IP address

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car's brakes and engine can be remotely controlled by anyone with an internet connection. This update might not sound particularly important, but trust me, if you can, you really should install this one. …

  1. Anonymous Coward
    FAIL

    Just why are these systems not air-gapped?

    Why oh why?

    1. MattPi

      "Just why are these systems not air-gapped?"

      Difficulty, laziness, and convenience. The radio wants to know how fast the car is going to adjust the radio volume and the radio also wants to connect out the world to stream music and/or get cd info. The satnav connects out to get traffic data and accident alerts. Building all that in (let's not discuss the merit of some of that, just accept that some people want it) means air-gap doesn't work. Apparently there are gateways and IDS for CANBUS, but that's where laziness and cost come in.

      My car does most of the above functionality via bluetooth over a smartphone app; I'm not sure if that's better or worse. I'd lean towards better, as I can always cut the link via my phone.
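
The gateway idea mentioned in the comment above, as an added example (not part of the thread and not any manufacturer's code): a one-way filter that lets allowlisted read-only frames reach the infotainment bus and refuses everything travelling the other way. The CAN IDs, lengths and intervals are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed identifiers for illustration; real CAN IDs are vehicle-specific. */
#define ID_VEHICLE_SPEED 0x100u /* hypothetical speed broadcast */
#define ID_ENGINE_RPM    0x110u /* hypothetical rev counter broadcast */
#define ID_BRAKE_CMD     0x200u /* hypothetical actuator command */

enum gw_bus { BUS_VEHICLE, BUS_INFOTAINMENT };

struct gw_frame {
    uint32_t id;
    uint8_t dlc;      /* payload length in bytes */
    uint8_t data[8];
};

/* One allowlist entry: exact ID, exact length, minimum spacing between frames. */
struct gw_rule {
    uint32_t id;
    uint8_t dlc;
    uint32_t min_interval_ms;
    uint32_t last_ms;
    bool seen;
};

struct gateway {
    struct gw_rule rules[2];
    size_t nrules;
    uint32_t blocked_from_infotainment; /* detection signal: should stay at 0 */
    uint32_t blocked_not_allowlisted;
};

void gw_init(struct gateway *gw)
{
    static const struct gw_rule defaults[2] = {
        { ID_VEHICLE_SPEED, 2, 10, 0, false },
        { ID_ENGINE_RPM,    2, 10, 0, false },
    };
    gw->nrules = 2;
    for (size_t i = 0; i < gw->nrules; i++)
        gw->rules[i] = defaults[i];
    gw->blocked_from_infotainment = 0;
    gw->blocked_not_allowlisted = 0;
}

/* Returns true if the frame may cross to the other bus. */
bool gw_forward(struct gateway *gw, enum gw_bus src,
                const struct gw_frame *f, uint32_t now_ms)
{
    /* Nothing ever crosses from the infotainment side to the vehicle bus. */
    if (src != BUS_VEHICLE) {
        gw->blocked_from_infotainment++;
        return false;
    }
    for (size_t i = 0; i < gw->nrules; i++) {
        struct gw_rule *r = &gw->rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            break; /* right ID, wrong shape: treat as not allowlisted */
        /* Rate limit: unsigned subtraction stays correct across wraparound. */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_interval_ms)
            return false;
        r->seen = true;
        r->last_ms = now_ms;
        return true;
    }
    gw->blocked_not_allowlisted++;
    return false;
}

int main(void)
{
    struct gateway gw;
    struct gw_frame speed = { ID_VEHICLE_SPEED, 2, { 0x00, 0x50 } };
    struct gw_frame brake = { ID_BRAKE_CMD, 1, { 0xFF } };

    gw_init(&gw);
    printf("speed to radio: %d\n", gw_forward(&gw, BUS_VEHICLE, &speed, 0));
    printf("brake to radio: %d\n", gw_forward(&gw, BUS_VEHICLE, &brake, 20));
    printf("brake from radio: %d\n", gw_forward(&gw, BUS_INFOTAINMENT, &brake, 30));
    printf("frames refused from infotainment: %u\n",
           (unsigned)gw.blocked_from_infotainment);
    return 0;
}
```
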

      1. Anonymous Coward

        No need to get those data from the same sensors attached to vital functions. Radio can get speed from the GPS, no need to get it from wheels or engine. It can use mics to get noise and correct for it.

        It's just a bad, cheap design.

        1. MJI Silver badge

          Speed to radio

          Pre-CANBUS this was just one wire with speed info. Single was traffic.

          Personally I think the only way safety critical systems should be communicated with is via the diagnostics port

        2. John Brown (no body) Silver badge

          "It's just a bad, cheap design."

          No, it's software engineers. When all you have is a hammer, everything looks like a nail.

          Why would a software engineer even consider adding extra microphone hardware when s/he can just tap into the engine ECU and read the rev counter?

          There's too much specialization and not enough cross pollination between disciplines.

      2. Jamie Jones Silver badge

        " The radio wants to know how fast the car is going to adjust the radio volume and the radio also wants to connect out the world to stream music and/or get cd info"

        But why does the radio need to be able to control the speed?

        1. Christian Berger

          simplez

          "But why does the radio need to be able to control the speed?"

          That's obvious, the range of volume the radio can put out is limited so if you are going too fast for your music the radio needs to be able to break your car.

        2. Anonymous Coward

          to automatically boost the volume as speed increases. to overcome road noise.

          1. MJI Silver badge

            My car has that - 1 wire

          2. nilfs2
            Facepalm

            "to automatically boost the volume as speed increases. to overcome road noise"

            That "road noise" is actually good, it needs to be heard by the driver, someone should remind the auto manufacturers that hearing the engine and being aware of the world outside the car is a vital part of driving.

            1. Shades

              Why is road noise that important unless you're driving like a complete bellend in an old "V-Tec just kicked in yo!" Honda Civic or some other ridiculous "I think I'm in The Fast and the Furious" motor on the public highways?

              And engine noise? My car, even though it is a diesel, makes barely any engine noise (from inside at least!) at the best of times and it's pretty much silent when cruising at a steady speed.

              1. David Roberts
                Happy

                Two words

                Induction roar.

              2. nilfs2
                Headmaster

                Road noise is important because you are aware of what's going on around you, you can hear the motorcycle or cyclist you just ran over and didn't notice, or the person behind you trying to get your attention because your car is leaking fluids or has a flat tire, or hear the train coming on the train crossing you are about to cross, and so on; and it's important to hear the engine to make proper gear changes on manual cars, also, the engine tells you if something is wrong when it makes an unusual noise.

                As a car driver you are operating a machine that needs your attention, isolating the driver from the machine is a bad, you are operating a dangerous machine, it requires all your senses, you are not sitting on a sofa in your living room listening to your favorite music, sipping coffee and smoking a cigar like car manufacturers want you feel like when driving, pay attention to the damn thing.

                1. Shades

                  What a load of absolute bollocks! So according to your little list deaf people shouldn't really be driving?

                  "you can hear the motorcycle or cyclist you just ran over"

                  Being able to hear them once you've run over them is a little bloody late! Correct use of mirrors and proper observations, like you should be doing anyway, can prevent harming anyone that isn't doing their very best to end up under your wheels themselves.

                  "the person behind you trying to get your attention because your car is leaking"

                  Proper maintenance prevents, and regular checks alert you to, those sort of things, that and on-board sensors.

                  "or has a flat tire"

                  If you can't tell if your car has a flat tyre then there is something wrong. Very wrong. Then again it's understandable if you can't feel a deflated tyre in those over-sized wallowing barges you call cars.

                  "or hear the train coming on the train crossing you are about to cross"

                  I'm not sure how it works in the States (where I presume you're from given your spelling of 'tyres') but most rail crossings in the UK have some form of physical barrier and/or warning sirens and lights, or sometimes gates, which one has to get out of a vehicle to open. If anyone is dumb enough to cross an open crossing, without turning down their music and making proper observations, then they probably deserve their eventual Darwin award.

                  "and it's important to hear the engine to make proper gear changes on manual cars"

                  I don't need to hear the engine to know when to change gears, neither does anybody I know given the preponderance of manual cars over here. If you need engine noise to know when to change gear then it's probably best you stick to the auto-boxes you're so fond of that side of the pond.

                  "the engine tells you if something is wrong when it makes an unusual noise"

                  Again, proper maintenance and regular checks will prevent this and unless you're driving a properly old shit-box then your car will have a whole array of sensors and warning lights/display that will alert you to the fact that something is wrong long before you "hear" it.

                  "isolating the driver from the machine is a bad"

                  Again, in practice, with regards to being able to hear "road noise", what is the difference between having loud music or being deaf? According to you being deaf would similarly be a "very bad thing" when it comes to driving.

                  "it requires all your senses"

                  Taste?

                  "you are not sitting on a sofa in your living room listening to your favorite music, sipping coffee and smoking a cigar like car manufacturers want you feel like when driving"

                  That may be how cars are advertised over there, not over here.

                  Your post sounds more like a list of your inadequacies as an owner and driver of a "dangerous machine".

                  1. nilfs2
                    Coffee/keyboard

                    @Shades

                    According to your logic, it is ok to make a chainsaw with a built in screen where you can watch your favorite show or movie on Netflix when you are cutting a tree, of course as long as it has been given proper maintenance, machines never fail even if they are brand new, just like the Jeep mentioned on the article.

                    Thank Odin that you are driving in the U.K. and not around here, it gives me a little peace of mind. BTW, no, I'm not from the US, as shocking as it sounds for you, there's a whole world out there with lots of countries aside from the US and the UK with people able to speak English as well (or even SEVERAL LANGUAGES!!).

                  2. Anonymous Coward

                    @ Shades

                    My dear Shades.

                    Has anyone ever told you that you come across as a pompous, know-it-all prat?

                    I'm surprised if they haven't!

        3. Cuddles

          "" The radio wants to know how fast the car is going to adjust the radio volume and the radio also wants to connect out the world to stream music and/or get cd info"

          But why does the radio need to be able to control the speed?"

          More importantly, why does the radio want to adjust the volume in the first place? My radio, and every other that I've ever seen, has a volume control. If I can't hear my music well enough, I turn the volume up. There is no reason I would ever want the radio to adjust the volume itself. Especially since my phone constantly tries to adjust the volume automatically and does a fucking terrible job of it - apparently I might damage my hearing if the volume is too high, but since it has no idea whether I'm using headphones, speakers, in the car over bluetooth, or trying to forcibly insert the phone into my ear, it has no idea what "too high" actually means yet tries to tell me off anyway. I very much doubt a car stereo will be any better programmed.

          So this isn't a case of some useful functionality compromising security due to the connections it needs. It's a completely pointless function of no use to anyone, that also compromises security as an added bonus.

          1. Anomalous Cowturd
            Megaphone

            why does the radio want to adjust the volume?

            So you can still hear it when you leave town and accelerate to out of town speeds, and conversely, so it doesn't blow your ears off when you get to the next slow spot.

            My nearly twenty year old car does it, and it's very useful. One less reason to take your eyes off the road.

            In the grand scheme of things, not a massive advance, but it's the little things like it that make me appreciate my car's design.

            It's a Volvo by the way.

            1. fnj
              Alien

              Re: why does the radio want to adjust the volume?

              That's bullshit, and if one can't live a perfectly happy life without the sodding automatic volume control, one is brain dead. It's time for Darwin, but don't kill me in my car because you want to design for the helpless jellyfish.

            2. Anonymous Coward

              Re: why does the radio want to adjust the volume?

              @ Anomalous Cowturd

              Amazing! All that technology to make a radio louder or softer.

              I had a Renault where I was able to do that to MY satisfaction, with a very simple steering wheel stalk to control volume, station switching, all without taking my eyes off the road, or my hands off the wheel. It also worked better than the subsequent Mondeo I had, whereby if you pulled the up and down buttons at the same time it instantly muted the radio. Do it again and it unmuted again.

              I really don't think you need a bloody computer to do what a couple of switches and your fingers can do - and more accurately as well.

          2. Jamie Jones Silver badge

            Vauxhall Vectra...

            I've had my car for 18 years, and it has a setting that adjusts volume based on speed. No GPS, no cellular incoming internet. No need!

    2. Phil O'Sophical Silver badge

      Never mind air-gapped internally, why are any incoming connections accepted at all?

      1. Blofeld's Cat
        Black Helicopters

        I find your lack of faith disturbing...

        "Never mind air-gapped internally, why are any incoming connections accepted at all?"

        But, citizen, you forget that it is essential that the agents of security can remotely neutralise the threat from paedoterrorists and rogue ninjas who might otherwise escape them.

        You should not question these design decisions, citizen - they are for your safety..

      2. Anonymous Coward

        How else are the spooks supposed to track you in your car? I mean apart from the cameras, your phone, your credit card spend...

        Welcome to the Internet of Tat.

        1. Paul Hovnanian Silver badge

          @AC: "How else are the spooks supposed to track you in your car?"

          Follow the clouds of blue smoke and the drops of gear lube on the pavement.

      3. Charles Manning

        The Swiss Army Knife Effect

        A few months ago I was involved in a "brainstorming session" for a proposed new product. The product never got into development, but is illuminating about the way some of these products develop - this one too.

        In the case I mention, it started off being a simple safety feature for outdoors people. I pointed out the world already has very good, cheap EPIRB/PLBs. Slowly the proposed product grew features: GPS tracking, a Facebook interface that updated your position on a map, a camera to instantly update your friends with photos on your social media...

        So in the end we had something that was basically a ruggedised phone without voice but with some extra safety gizmos that would kill a battery in a day. The PLB I carry has a 7 year battery life. It just lives in my pack. I can forget it is there until I need it.

        The proposed device was no longer any good at providing its core service: being a safety device because it was compromised by all the extra crap that had been added. Most of the brainstorming discussion had gone into discussing the feature sets/details of the ancillary functions: how many Mpixel camera? soft keys or a hardkey Facebook button,... The actual core function got little attention.

        Exactly the same happens on those massive 20+ function Swiss Army Knives. Each function is poorly implemented and each addition detracts from the core function of being a knife. Having carried a wide range of Swiss Army knives, I now carry an Opinel: a knife that is just a knife: light cheap and very effective.

        A product like a car infotainment system has a similar genesis. Each added function detracts from the core function of the unit. More effort goes into making the DVD player work than into making the car control work. The need to run Linux or Windows to support the ancillary functions compromises the simplicity and robustness of the core functions.

        It is made worse by the chip vendors who provide an infotainment reference design/BSP. Their purpose is just to demonstrate their chip running an infotainment function set. They do not concern themselves with all the serious design issues such as security. The product designers just start with such a reference design and tweak it to make a product. What they should really be doing is throwing away the whole lot and designing from the ground up.

        The IoT industry is heading down exactly the same path. Most IoT devices are just slight tweaks of IoT reference designs.

        This industry is not going to improve any time soon.

      4. Dr_N

        "why are any incoming connections accepted at all?"

        How else will the dealer/finance company disable the car when you miss an installment ...?

      5. JamesPond

        why are any incoming connections accepted at all?

        Because car manufacturers want to be able to upload patches directly to your car when it is parked on your driveway. This will be vastly cheaper than the current system where they have to pay a dealer x minutes during your yearly service to update the firmware, and across the world, those minutes add up. As an example, shaving 30 seconds off a full vehicle ECU reset saved the OEM I worked for £1/2m per annum in dealer charges.

        1. Stoneshop
          Facepalm

          Re: why are any incoming connections accepted at all?

          Because car manufacturers want to be able to upload patches directly to your car when it is parked on your driveway.

          So kill everything that's listening for incoming connections as soon as the vehicle starts moving.

        2. Anonymous Coward

          Re: why are any incoming connections accepted at all?

          "Because car manufacturers want to be able to upload patches directly to your car when it is parked on your driveway."

          Irrelevant.

          Manufacturer does not need to send connect request to car for that, update app on car can send periodic connect request to manufacturer. Update app on car can have restricted capabilities too, if required and sensible (and why wouldn't it be sensible).

          Next.

    3. Anonymous Coward

      @skelband

      Just why are these systems not air-gapped?

      Because it makes life extremely difficult for the Feds when they need to make someone disappear.

      https://en.wikipedia.org/wiki/Michael_Hastings_%28journalist%29#Allegations_of_foul_play.2C_and_assertions_to_the_contrary

    4. Black Betty

      Why are we using GP computers/OS's...

      with all the bells and whistles for limited functionality applications?

      It would not surprise me at all to learn that like with IoT devices, computerised cars are loaded down with tens of megabytes of code which serves absolutely no useful purpose except to provide an expanded attack surface for potential miscreants.

      Recall this old joke?

      Windows 95/98, (n): 32 bit extension and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company that can't stand 1 bit of competition.

      This joke is why black hats have such an easy job.

    5. Nigel 11

      Air Gap

      I won't be buying any car without an air gap.

      That's the air gap between the engine and the mechanically operated clutch. I'd far rather that there's also no possible control of the steering, gearbox or brakes by the computer. Failing which, they must at most be servo-assisted with mechanical override possible via the major controls, not "drive by wire" through a computer.

      There's going to be a Ford Pinto moment for someone in the auto industry in the near future.

    6. jonathanb Silver badge

      Conspiracy theorists would say it is because the manufacturer put a back-door in the software to allow the police to remotely disable the car. Whether or not that is more or less plausible than complete incompetence, I'm not sure.

    7. Anonymous Coward

      @ skelband

      Why the hell are these systems there at all!! There is no remotely good reason why a car should be connected to the internet - ever.

      And those who say for safety reasons (I'm sure there will be people who think this) it is just nonsense.

  2. Paul Crawford Silver badge

    A start, but...

    "$5,000 fine"

    No, let's start with $500k for failing such a penetration test, and go upwards from there. Only if profits are seriously threatened will those morons who decide to make everything software-controlled (by the cheapest code monkeys they can find) start to get the message.

    And yes, I have designed control systems and even written code for an engine management computer project in the distant past. So I'm no Luddite, but someone with a heightened sense of how critical such systems are and how piss-poor most designs end up.

    Rule #1 no external connection unless ABSOLUTELY necessary. There is no necessity for brakes, steering and throttle control to be externally accessed.

    Rule #2 have hardware & software with no single point of failure.

    Rule #3 software is never 100% trustworthy, so have hardware limits, watchdogs and cut-outs that can override ANY software command.

    Rule #4 big red switch for power. That stops EVERYTHING if needed.

    <edited to add>

    Rule #5 don't trust something that has not been independently audited. Not even your own code.

    1. Anonymous Coward

      Re: A start, but...

      Or how about, $5000, per car, per week or part thereof that said car is left vulnerable and $1M per crash that is attributed to said vulnerability.

      If there's 10 cars that are vulnerable and they take 3 days to address the security issue, that's $50000.

      If there's 1000 cars and they drag their feet for 8 weeks, $5000 × 1000 × 8 = $40000000 ($40M).

      That might encourage them to stop and think. I can't think of a good reason why you should be able to control the steering/brakes/accelerator from a position other than the driver's seat either.

      The nasty bit about this is that it'll probably kill or maim those who have nothing to do with a Jeep other than being unfortunate enough to be near one when one misbehaves.

      1. Phil O'Sophical Silver badge

        Re: A start, but...

        Past experience shows that bankrupting the car manufacturers won't help, since the taxpayer will be on the hook to bail them out. Jail time for the executives is the only deterrent that will work.

      2. Vic

        Re: A start, but...

        I can't think of a good reason why you should be able to control the steering/brakes/accelerator from a position other than the driver's seat either.

        It's very useful for automated testing - but you do it with a physical cable, not over an IP link from the ICE...

        Vic.

    2. Anonymous Coward

      Re: A start, but...

      That sounds like a standard, which will have to be complied with.

      Now await the "compliance is not security" brigade.

    3. Vic

      Re: A start, but...

      Only if profits are seriously threatened

      A $5,000 fine for each violation does seriously threaten profits.

      $5000 for each violation. One on each of 200,000 cars - that's $1B. That should make them think[1].

      Vic.

      [1] It won't - there seems to be a new breed of management at the moment who *genuinely* believes they'll never get caught, no matter how egregious their wrongdoing...

      1. Anonymous Coward

        Re: A start, but...

        [1] It won't - there seems to be a new breed of management at the moment who *genuinely* believes they'll never get caught, no matter how egregious their wrongdoing...

        That's the "I'm smarter than..." effect and it seems to be endemic in humans, not just specific to managers. However, when it does rear its ugly head, it's the manager's egregious behavior that makes the Evening News (or suitable web page).

        We also run into the "there oughta be a law..." effect as well. Whatever law does get passed will be effectively toothless since Congress gets a large pile of money from the auto/vehicle/home/... industries. If it had teeth, then bankrupting the industry just forces another takeover. Oh, I forgot. Aren't the Teamsters part-owner of GM? That makes them bulletproof.

        1. Paul Crawford Silver badge

          Re: A start, but...

          As already pointed out: start aggressively jailing managers who fail to enforce proper safety processes in product design, testing, and support.

          Industry won't go bankrupt, and after a few execs are doing jail time the behaviour will improve remarkably.

          1. Stoneshop
            Devil

            Re: A start, but...

            Indeed. Like I suggested on another subject a while back, it should physically affect the idiots that allow such a situation to (continue to) exist.

      2. Bob Wheeler

        @Vic Re: A start, but...

        To sharpen their attention, the Directors and managers that signed off the 'bad' design/implementation are personally liable jointly along with the company.

      3. Anonymous Coward

        Re: A start, but...

        "$5000 for each violation. One on each of 200,000 cars - that's $1B. That should make them think[1]."

        Maybe. But there's already at least one example of billion dollar penalties in the US alone. Do you think anybody relevant noticed or cared? Personally I favour the "lock up the directors responsible" method as a means of really focusing management attention.

        Over a year ago, in March 2014, Toyota agreed to pay a $1.2 billion criminal penalty in a settlement with the U.S. Justice Department, after the company acknowledged having misled consumers about safety problems related to unintended acceleration of a number of its vehicles. Problems related to sudden acceleration resulted in the recall of millions of vehicles from 2009 through 2011.

        The court case, and the dubious engineering, behind this is described in a few places including

        http://www.eetimes.com/document.asp?doc_id=1319903 25 Oct 2013

        "Could bad code kill a person? It could, and it apparently did.

        The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly. This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code. The plaintiffs' attorneys closed their argument by saying that the electronics throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error."

        [article continues]

        A billion dollar penalty was subsequently imposed for the (mis)handling of the recall:

        http://www.nytimes.com/2014/03/20/business/toyota-reaches-1-2-billion-settlement-in-criminal-inquiry.html?_r=0

        Eric H. Holder Jr., the United States attorney general, talked in impassioned tones on Wednesday about Toyota’s behavior in hiding safety defects from the public, calling it “shameful” and a “blatant disregard” for the law. A $1.2 billion criminal penalty, the largest ever for a carmaker in the United States, was imposed.

        Mr. Holder said the department’s four-year investigation of Toyota found that the company concealed information about defects from consumers and government officials, putting lives at risk because of faulty parts that caused sudden, unintended acceleration in several of its models.

        [continues with reference to inquiry into similar issues at GM]

    4. Voland's right hand Silver badge

      Re: A start, but...

      You are not thinking.

      5000 is OK. If it is per affected vehicle.

    5. MrXavia

      Re: A start, but...

      "No, let's start with $500k for failing such a penetration test, and go upwards from there."

      How about let's make it mandatory that a car passes a pen-test before release to the public?

      Prevention is better than cure... and ensure that any software updates are also pen-tested before release!

      And the cost of pen-testing should be low, otherwise you will hit the problem of companies not releasing bug fixes as they don't want to pay the pen-test fees.

      "Rule #5 don't trust something that has not been independently audited. Not even your own code."

      Very good rule!

  3. Anonymous Coward

    You can't fix STUPID !

    How many deaths and injuries do we need to see in the transportation field before companies are held accountable for the safety and security defects in their products? 25 years ago Microsucks should have been nailed to the wall for selling such evil O/Ss so now every fool who writes defective, irresponsible code claims that they can't check all of the code because it has xx (fill in the number) millions of lines of code. That is 100% B.S.

    Wait until autonomous vehicles get hacked or have computers that crash and then the shit will hit the fan as the paid liars cash in on the incompetence of unscrupulous companies and programmers.

  4. adnim

    Once my

    2002 Focus falls apart... I have had it from new and it don't look or drive much different. I will buy a car I can root and lock down or another 10+ year old car.

    If someone else has or can gain control.... including manufacturers it ain't yours...
