Thursday, August 7, 2014

"Once you add a web browser to a car, it's open"

"I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers."
Black Hat 2014 At last year’s Black Hat USA, Charlie Miller, security engineer at Twitter and Apple-cracker extraordinaire, and Chris Valasek, director of security intelligence at IOActive, showed delegates how to hack a car. This year they demoed a system that can stop any such hacks dead.

Over the past 12 months, the duo have been going through publicly available information about car systems and hacking their own vehicles. The result of their research is that while it is possible to remotely hack – and in some cases take limited control of a vehicle – it’s very difficult and will only work with certain models.

What's interesting is the method. The rush to "Internet-enable" the car means that they're web-enabling the car, which means - well, you know what that means. But the news isn't all bad - this looks to be pretty promising:

But, as it turns out, protecting against car hacking is a relatively simple matter, and the two have put together a cheap little board and software – dubbed the Can-no hackalator 3000 – which can be fitted to any car – or so we're told – and stop hacks using an old, and much maligned, piece of security software: an intrusion detection system.

"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller.

While IDS systems on big networks can fail to spot dodgy traffic, with cars the networks are so basic and the messages sent so simple that an IDS system is really effective. Furthermore the device is car agnostic and very easy to use, it was claimed.

Simplicity FTW. More security news tomorrow, because it's Black Hat season and there's a lot to talk about.
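The reasoning in the quoted passage (simple, repetitive bus traffic makes anomalies stand out) can be shown with a small sketch. This is an added example, not code from this post or from Miller and Valasek's device; the two detection rules, the function names and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict

def learn_baseline(frames):
    """frames: (timestamp_ms, arbitration_id) pairs from known-clean traffic.
    Returns {arbitration_id: mean interval in ms between frames}."""
    seen = defaultdict(list)
    for ts, can_id in frames:
        seen[can_id].append(ts)
    return {can_id: (stamps[-1] - stamps[0]) / (len(stamps) - 1)
            for can_id, stamps in seen.items() if len(stamps) >= 2}

def detect(frames, baseline, tolerance=0.5):
    """Assumed rules: alert on an ID absent from the baseline, and on a known
    ID arriving faster than tolerance * its learned interval."""
    alerts, last_seen = [], {}
    for ts, can_id in sorted(frames):
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        prev = last_seen.get(can_id)
        last_seen[can_id] = ts
        if prev is not None and ts - prev < baseline[can_id] * tolerance:
            alerts.append((ts, can_id, "rate-anomaly"))
    return alerts

# Constructed clean capture: one ID every 10 ms, another every 100 ms.
CLEAN = ([(t, 0x0C9) for t in range(0, 1000, 10)] +
         [(t, 0x1F1) for t in range(0, 1000, 100)])

# Constructed suspect capture: the normal 10 ms stream, extra copies of the
# same ID squeezed in at 42-46 ms, and one ID the baseline never saw.
SUSPECT = ([(t, 0x0C9) for t in range(0, 100, 10)] +
           [(42, 0x0C9), (44, 0x0C9), (46, 0x0C9), (55, 0x7A0)])

BASELINE = learn_baseline(CLEAN)

if __name__ == "__main__":
    for ts, can_id, reason in detect(SUSPECT, BASELINE):
        print(f"{ts:4d} ms  id=0x{can_id:03X}  {reason}")
```

The legitimate frame at 50 ms is flagged along with the extras: a rate rule sees that the bus is carrying too many copies of an ID, not which copy is the forged one.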

3 comments:

  1. "Car agnostic" as long as the car has a CAN bus, judging by the name of the widget. But I suppose cars without a CAN bus probably don't have browsers to hack.

    The more I learn about cars, the more I miss my old Pinto. At least I knew what the risks were when I drove it into town.

  2. Dave, probably all modern cars have a CAN bus.

  3. Modern cars are just too darn complicated. The only worry I have with my Jeepster is that my cassette player won't work....
