"Once you add a web browser to a car, it's open"

"I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers."

Black Hat 2014 At last year’s Black Hat USA, Charlie Miller, security engineer at Twitter and Apple-cracker extraordinaire, and Chris Valasek, director of security intelligence at IOActive, showed delegates how to hack a car. This year they demoed a system that can stop any such hacks dead.

Over the past 12 months, the duo have been going through publicly available information about car systems and hacking their own vehicles. The results of their research is that while it is possible to remotely hack – and in some cases take limited control of a vehicle – it’s very difficult and will only work with certain models.

What's interesting is the method.  The rush to "Internet-enable" the car means that they're web-enabling the car, which means - well, you know what that means.  But the news isn't all bad - this looks to be pretty promising:

But, as it turns out, protecting against car hacking is a relatively simple matter, and the two have put together a cheap little board and software – dubbed the Can-no hackalator 3000 – which can be fitted to any car – or so we're told – and stop hacks using a old, and much maligned, piece of security software: an intrusion detection system.

"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller.

While IDS systems on big networks can fail to spot dodgy traffic, with cars the networks are so basic and the messages sent so simple that an IDS system is really effective. Furthermore the device is car agnostic and very easy to use, it was claimed.

Simplicity FTW.  More security news tomorrow, because it's Black Hat season and there's a lot to talk about.