Monday, August 20, 2012

Drive like lightning. Crash like thunder

I've been saying for years that in their rush to add new computerized, Internet-accessible features, car manufacturers have been blowing off security.  Seems that I'm not the only one, and a well-known company is putting their money where their mouth is:

McAfee has hired the infamous Barnaby Jack to hack into cars, reports PC Pro UK.

Jack is a researcher who shocked the world when he demonstrated ways that crooks can force ATMs to give them cash. He also showed off a trick that causes medical pumps to spit out lethal doses of insulin.

OK, things are fixin' to get really interesting, really fast.  My suspicion is that the design teams are about to go from zero to "damn, how do we fix that" in 5.3 seconds.  Never mind their lame denials:

Yet, Ford spokesman Alan Hall said his company had tasked its security engineers with making its Sync in-vehicle communications and entertainment system as resistant as possible to attack. "Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset," he said.

Translation: now that it's getting all real and in our faces, the next version will suck at least 50% less.  Fortunately for Ford, their competitors are all in the same leaky boat:

Toyota said it was not aware of any hacking incidents on its cars and said it had built-in protections. "They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close," said Toyota spokesman John Hanson.

And I won't say that Toyota spokesman John Hanson is an idiotic PR flack who spells "security" as S-E-K-U-R-I-T-Y, but his statement is nothing but Bravo Sierra.

Car makers are rushing to make it easy to plug portable computers and phones to vehicles and connect them to the internet, but in many cases they are also exposing critical systems that run their vehicles to potential attackers because those networks are all linked within the car.

"The manufacturers, like those of any other hardware products, are implementing features and technology just because they can and don't fully understand the potential risks of doing so," said Joe Grand, an electrical engineer and independent hardware security expert.

Grand estimates that the average auto maker is about 20 years behind software companies in understanding how to prevent cyber attacks.

I would bet big money that every word of this is Gospel Truth.  Demonstration attacks have been created that use the CD player, and that come into the car via MP3.  It's almost a certainty that WiFi, Bluetooth, or (shudder) Internet (hello, 3G!) could be the vectors.  A moment thinking like an attacker can give you scenarios galore.  How's this: An SMS to a targeted user causes a map to get downloaded from the Internet.  The map contains malware that causes one tire to deflate, the throttle to firewall, and the brakes to fail, but only when the car reaches 70 MPH.  It also wipes any logs so that the accident is hard to reconstruct.

All of my gentle readers can add their own scenarios, no doubt.  And so the term "Detroit Coffin" seems to be coming literally true.  Drive like lightning to add the Internet and computer control.  Mission accomplished!


Ruth said...

I want my '91 civic back dammit....

Dave H said...

Somebody needs to attack the car belonging to Toyota's CEO and have it play pop-up ads for porn sites on the GPS while his wife is in the car.

Old NFO said...

Yep, quicker than you think... Just sayin...

kx59 said...

Only perfect hack protection is the off switch.
Lovely. I can see the Norton or Maceff-me annual subscription for my car coming in short order.

bluesun said...

kx, correction, the perfect hack protection is to not include those features in the first place. As my uncle the mechanic (who drives a Studebaker Champ or an old International Travelall) says: "If it doesn't have it, it can't break."

Anonymous said...

A true para-noid would say this is deliberate and the gubmn't wanted it so. So that people it found inconvenient could be removed from the game we call life whenever they felt like it. As validation for this para-noia the Gubmn't would institute a program to get older vehicles off the road with a financial incentive.
Just as well I'm not para-noid.