In-brief:Caught between nifty new wireless features and ossified attitudes, automakers are just beginning to wake up to the security problems in vehicles. Strap on your seatbelt.
Sean Gallagher over at the web site Ars Technica has an excellent write-up of the state of play in the arena of automobile hacking that also got noticed by Cory Doctorow over at Boing Boing (always a sign that you’ve written something interesting).
There’s not much new information in Sean’s piece, but it is an excellent summary and analysis of recent events that have really pushed the discussion of hacking as a danger for connected vehicles from ‘hypothetical’ to ‘actual’ threat. Among other things, Sean does a good job of sketching out the various features of modern day connected cars that form the “attack surface” that hackers are finding ways to compromise. Caught between nifty new wireless features and ossified attitudes, automakers are just beginning to wake up to the security problems in vehicles, Gallagher concludes.
From the article:
The “attack surfaces” of cars that get the most attention are the ones designed to keep people from driving away with cars they don’t own—electronic keyless entry systems or locks and vehicle immobilizers that use low-power radio to detect the presence of a valid car key before allowing a car to start for example. Both of those types of systems, which use cryptographic keys transmitted by radio from a key or key fob, have been targeted by researchers. Engine immobilizers for a number of luxury brands were successfully attacked as part of a study by researchers at Radboud University (that was suppressed by Volkswagen’s lawyers for two years). Remote keyless entry systems have also been targeted in a number of ways, including signal amplification attacks and brute-force crypto breaking (as detailed in research by Qualys’ Silvio Cesare).There are still areas of potential radio hacking that haven’t been fully explored. For example, tire pressure monitoring systems use radio communications to alert low tire pressure. Some commercial vehicles use remote automatic tire inflation systems, activated by pressure sensors, that communicate wirelessly. These systems could be targeted by hijackers to potentially fool a driver into pulling off the road or to blow out the tires on a trailer if an attacker successfully fooled them. (Though because of the design of some of these systems, a blow-out seems unlikely.)
Sean also talks about the very different responses from automakers. Tesla represents the more enlightened approach: embracing both researchers and their work, and lauding discoveries of previously unknown security holes. Chrysler Fiat and other Detroit mainstays, on the other hand, are more typical of entrenched, old-school manufacturers: skeptical of the work of security researchers and resistant to engaging with them in any way – especially in the wake of ‘in-your-face’ demonstrations like those carried out by Charlie Miller and Chris Valasek with Forbes reporter Andy Greenberg and at the recent Black Hat conference.
[Listen to our podcast interview with Chris Valasek about his work on the Chrysler Jeep Cherokee here.]
Josh Corman of the group IAmTheCavalry talks with Sean about how demonstrations by Miller and Valasek may have set back efforts to bring those companies to the table on issues around vulnerability disclosure and cooperation with the security community.
Read more over at Ars Techica: Highway to hack: hy we’re just at the beginning of the auto-hacking era | Ars Technica
