Thursday, August 26, 2010

What do you get when you cross a car with a computer?

A computer with wheels.

As software becomes more important to how cars work, the question is how much thought went into security? The answer is, as you'd expect, "none". Security wasn't an afterthought, it wasn't thought of at all.

Well, researchers are now turning their attention to the problem, and what they're finding is pretty horrifying. Like Computer worms that could hop from car to car, shutting off the engine and causing traffic jams from hell:
The idea would be to launch a worm that would spread on the Internet (in any of a number of well explored ways) looking for vulnerable smart phones. Smart phones have GPS devices in, so the worm, having infected the phone, could ensure it was only operating in some geographic area of interest (eg the US, or a particular city). The worm could then check if it was on a smart phone that happened to be plugged into a car, and if so compromise the car. It could then use whatever wireless opportunities were available to compromise any other cars within the attack range. It could also disable the car (eg by locking up the brakes, stopping the engine, etc).

The idea would be that the worm would seed itself into the small minority of cars that are Internet vulnerable and from there spread into the larger majority that are not.

If this worked correctly, the end result would be a city with all its major freeways and surface streets full of disabled cars, a situation that would paralyze almost all commerce. It would probably take weeks to straighten out the mess.
For extra credit, examine the effect of adding "Smart" electric power meter attacks to the rolling TEOTWAWKI. For maximum effect, make sure the code includes a 7 day delay, to allow the maximum spread, both to cars and homes. Then the logic bomb goes off.

This is the sort of scare scenario that gets security a bad name. We're a bunch of Cassandras, always looking at the downside - arguing about who killed who ...



"Plausible", as the MythBusters might say. The reason is well known:
Usually, when the security community comes across some new domain whose practictioners lack any understanding of security, it turns out that there are very large numbers of vulnerabilities of all kinds that are pervasive throughout the system.
Development teams are penalized for their feature not being ready for the new model year. Teams are not penalized if there's a huge, gaping security hole in their architecture (say, user devices like phones able to be attached to the network that accesses the engine and brakes).

Another reason to get that sweet GTO.

7 comments:

Mike Golch said...

That is one sweet ride. a neighbor down the street had one of these.he was the coolest kid on the block.

Anonymous said...

YES! Another GTO lover!

Now I've really got a reason for picking up a 69 Judge that I've been dreaming about it. Like I really needed a reason before...

-Raptor

NotClauswitz said...

But all I can afford is a VW Beatle...or a box-plain motorcycle.

Bob said...

And that is precisely the very GTO year I'd get, in precisely the same configuration and color. Great choice!

SiGraybeard said...

Borepatch, I trust you on matters regarding computer security. You're a professional; I'm a hardware engineer (radio, not even processor or digital). You sense by now that there's a "but" coming, right?

One thing bothers me. It's in this part: "The worm could then check if it was on a smart phone that happened to be plugged into a car, and if so compromise the car. It could then use whatever wireless opportunities were available to compromise any other cars within the attack range. It could also disable the car (eg by locking up the brakes, stopping the engine, etc)."

I'm right there with you until that. That's like that S. Harris science cartoon with the long equation derivation, when right in the middle the phrase "then a miracle happens" is written, and the equations continue.

My cars are 5 and 6 years old, so maybe I'm naive, but how does my phone get into my car to control it? The only thing I can do with my phone in my car is either charge it over the USB port (with an AC adapter in my car's 115VAC outlet), or run the audio into the auxiliary port on the stereo.

What gives? How do you get a worm/malware code chunk from my phone to my cars controllers?

Anonymous said...

I'd rate this one as disastrous if it did happen, but presently highly unlikely.

Wouldn't that be something, all the millions of throttle-by-wire cars dead in their tracks. At least with a cable throttle you could cobble together an open-source EFI setup, or a carburettor. (I can almost head Bender saying "Bite my low-tech wooden ass!" for some reason...)

Jim

Paladin said...

A litte off topic, but this reminded me of something. Having restored a couple of cars in my time, I've often thought about the future of car restoration. I know if seems hard to believe, but one day someone will salivate over the thought of restoring some 2001 Ford F150 junker to recapture the olde-timey feeling of their youth :)

Given the variance in skill found among home mechanics, I would fully expect a rash of accidental airbag deployment explosions to ensue - and resulting injuries to result. I've pulled dashes, gauges, and steering wheels on several cars in my life, and to be honest it would scare the crap out of me to do so on an airbag equipped vehicle.

Ever see an airbag detonated outside the car?... KABOOOM!