Vehicle hacking, it was inevitable.

[B C]

So, networking and computer folks: would this sort of vulnerability to hacking be avoided if automakers didn't use CAN bus networks for their electronics systems?

 

http://video.wired.com/watch/hackers-wireless-jeep-attack-stranded-me-on-a-highway

 

http://money.cnn.com/2015/07/21/technology/chrysler-hack/index.html

 

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/



Old cars ftw

[KaiserRolls]

These dudes can do that. But my laptop can't recognize my phone.

Neat

[brandonbio]

That's why I'll stick to older cars

[straight6pwr]

*crashes car while drifting* 

'sorry officer, someone hacked my car and I had no control.'

[i_love_cars]

every alternative to CAN bus uses some sort of messaging protocol to control devices in the car. CAN bus is 20+ years old so it still operates on some low level command processing, which is what these guys were using to control the vehicle. The only reason it hasn't been done until recently was due lack of networking into cars from satellites and wifi and shit. Now that there is a gateway in to the car, companies need to secure their messaging systems. Most technology today revolves around APIs that just provide an abstraction layer for accessing data and operations on the device. But that layer needs to be secured. Think of it simply like a car's basic operations as a web API would look like:

 

http://shittyGMproducts/ChevyVolt/drive/accelerate

http://shittyGMproducts/ChevyVolt/drive/brake

http://shittyGMproducts/ChevyVolt/power/startBatteryOnFire

 

This is how most software developers are going to interact with ECU systems because the code that actually runs the electronics in the car is all super low-level machine code. That's why re-flashing an ECU with a Cobb takes so long. 

 

I work with a guy who did some work at GM years ago and he took over control of an employee's Chevy Volt with his laptop in a matter of hours. 

 

Most of these systems are like "once you're in, you're in" so if you can get into the car, you can do anything. Car manufacturers need to up their game to secure things at a more granular level rather than making assumptions. It's no different than bush-league security on any other type of product. Except for the fact that potential ramifications are much more lethal. 

 

This is why information security people are getting paid, like, ridiculous amounts of money in 2015 if they are good. Ridiculous amounts of money.  

[B C]

Great info, Jordan! While I highly doubt it would ever happen, id like to see if a megasquirt powered car using the add-on GPS data unit could ever be compromised

[straight6pwr]

why can't they separate the wifi entertainment system stuff for the cars main ecu/control computer?

also any car that the computer has control over driver inputs like braking and steering should be avoided like the plague.

[YoungCR]

Yeah I was kind of shocked that the steering/braking could be affected. I don't understand why these aren't isolated systems from engine computers. The only data infotainment needs to get is if the car is moving or not to block some features while driving. I think digital climate control through infotainment should be banned for that reason too.

[i_love_cars]

it's difficult to separate all the channels in a car that way. ECUs require a good amount of protection from vibration, shock, heat, and cold. If you ever look at an ECU box it isn't exactly tiny. There's no getting around that. So simply installing more boxes isn't exactly an option. It's not like an iphone that you just carry around in your pocket so it won't get damaged unless you drop it like a bumbling baboon.

 

There's only so much wiring that can plug into an ECU, and it has to be able to interface with OBD-II on a hard connection for emissions testing still, although there are companies nowadays like BMW that have the ability to remotely connect to a car's ECU for diagnostics and coding and I'm sure one day soon emissions centers will have similar tech available for modern cars equipped with technology packages. But right now it's all proprietary. Either way, separating it all out is a lot of logistics, wiring, and circuitry. And at the end of the day, it can all still be hacked. Even if a manufacturer were to create (conceptually) separate "ports" for different channels of input, and locked certain ones down so only proprietary technology that the manufacturer owns could get in, someone will eventually be able to hack it. 

 

There is also a logistical challenge there of what exactly to separate. IF you separate out media/speakers connectivity, what happens when you crash and BMW emergency calls your car? Today you get a call instantly from BMW to provide assistance or 911 calls, etc. But how does the car know it's been in an impact like that? Is it tied to airbags going off somehow? And if it is, how do you bridge that gap if you've separated vehicle communication features from airbag communication? What about any emergency shutoff switches in the car? If my car has iDrive which has integrated systems in the navigation head unit, how do you separate the features that impact driving, safety notifications, safety controls, etc. from media and nav?  

 

These things aren't insurmountable but they require a lot of engineering. It's infinitely easier to have a single control unit that can tie everything together in the same spot, and then just secure it. Reliability/consistency of today's automated systems in cars is pretty critical and need rigorous testing. The quality assurance that has to be built into a process to develop that kind of isolation of features would be...staggering.