[Playbookjoe]

If only there was a company that specializes in security and car systems..

Article:
Carmakers ignore hacking risk, security expert says

Features like collision avoidance systems make cars attractive targets for hackers

As high-tech features like adaptive cruise control, automatic braking and automatic parallel parking systems make cars smarter, it's also making them more vulnerable to hackers ? a risk that an automotive security researcher says carmakers appear to be ignoring.

"There's no culture of security," said Chris Valasek, director of vehicle security research at the computer security consulting firm IOActive, in a keynote speech at the SecTor IT security conference in Toronto this week.

That's a concern, he said, because of the potential damage that can be caused by a remotely hijacked car.

"Unlike regular PCs, if your car is breached, there?s a chance for physical loss and not just financial loss," he said. "Smashing your car into a pole or braking and starting a traffic jam are things that aren't easily fixed."

'Right now, security seems like an afterthought' for car manufacturers, said Chris Valasek, director of vehicle security research at the IT security consulting firm IOActive. (Emily Chung/CBC)
In recent years, security researchers at the University of Washington showed they could hack a car and start it either via the systems used for emissions testing or remotely using things like Bluetooth wireless connectivity or cellular radio to start the car.

Others showed they could hack a car remotely via a cellular-based car alarm system to unlock the doors and start the engine.

Valasek himself and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after demonstrating that a laptop inside the car can be used to disable brakes and power steering and confuse GPS and speedometers.

He said that while there have been no attacks on the public so far, he expects that to change as the growing popularity of high-tech features in cars drastically increase the number of potential targets available to would-be car hackers.

"Technology is driving auto sales," he said, pointing out that GM commercials in the U.S. Toutes their cars' WiFi capabilities.

Just Thursday, Ford announced new technology available starting 2015 that will detect pedestrians using radar and camera technology and automatically apply the brakes.

Already, automatic braking systems and adaptive cruise control that speeds up or slows down the car in response to the car in front of you are installed in "way more cars than you think," Valasek said in an interview following his talk.

He suggests that it's not too early for national leaders and others who might face targeted attacks to think about the security risks of their car's technological features.

"The average consumer doesn't have much to worry about, but as these become more and more ubiquitous within all vehicles, we do potentially see public attacks."

Insecure technology built into cars, required by law

In his talk, Valasek showed how the design of in-car networks makes them vulnerable to hacking. The communication between software and braking and steering systems is designed so that if the system receives a message that it understands, telling it to apply the brakes, for example, it will comply.

"It doesn't ask where it came from and doesn't ask who sent it."

Researchers have shown that such messages can be sent via other systems in the car that don't directly control the car, such as its Bluetooth connections, remote keyless entry or infotainment systems. Those could, in turn, be used to indirectly hijack the car's control systems.

The challenge is that the insecure messaging systems found in cars are generally standardized and required by law for purposes such as emissions testing, Valasek said.

Chris Valasek and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after previously demonstrating that a laptop inside the car can be used to disable brakes and power steering and confuse GPS and speedometers.
Meanwhile, he added, car manufacturers generally say little about what they are doing to mitigate the risks of systems like that.

As far as he knows, they haven't developed any means to detect attacks.

Toyota has said it protects its cars with a firewall, but Valasek said similar simple solutions have proven ineffective at protecting PCs.

He's also concerned that car manufacturers lack a system for distributing security patches or upgrades to cars, other than sending customers a letter by mail and asking them to drive to a shop for service. He suggested that asking customers to do that "after a 10-hour work day and picking up the kids and walking the dog" isn't going to work.

Valise likened car manufacturers to throwbacks from a previous era in information technology who haven't learned from the past mistakes of software makers.

"Right now," he?said, "security seems like an afterthought." Part of that may be simply a lack of transparency and a reluctance of carmakers to talk about security, he acknowledged.

Things could be finally be changing, he added, noting that in September, GM appointed its first cybersecurity chief.

In the meantime, he said, car buyers shouldn't worry too much before choosing a car with automatic braking or other collision avoidance systems.

"The odds of these things saving your *** as opposed to being used against you in an attack are two separate ends. These things will definitely make you safer, not more safe."

Carmakers ignore hacking risk, security expert says - Technology & Science - CBC News

Posted via CB10

[BACK-2-BLACK]

If only there was a company that specializes in security and car systems..

Article:
Carmakers ignore hacking risk, security expert says
for hackers
.......

Others showed they could hack a car remotely via a cellular-based car alarm system to unlock the doors and start the engine.

Valasek himself and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after demonstrating that a laptop inside the car can be used to disable brakes and power steering and confuse GPS and speedometers.

Thanks for posting. Great article..... scary.

Can you imagine what this will do to the whole Driveless Car movement !!!!?!


BB and QNX to the rescue !!!

[Zirak]

THIS.. is the stuff BB/QNX should be a leader in. The connected car is here, if not coming. Hopefully they are deep into working on this behind the scenes.

Sent while driving from my Crackberry.

[zephyr613]

+1^

[Troy Tiscareno]

In many cases, QNX is already the OS being used. But it wouldn't matter if it was Linux or something else - the problem here isn't the OS, it's the implementation by the developers. The OS may have the equivalent of an un-pickable, un-breakable lock, but if the developers write the code to leave the door standing open, then the lock that's on the door is meaningless. That's what's going on here: the developers are assuming that the only source of commands for the system have to be coming from their code - they've created nothing to authorize those command messages, so if someone else gets their own commands into the system, they'll be accepted as genuine and will be implemented.

Security is not as simple as buying the right brand of something. Implementation is a huge factor, and so is the procedures used on a daily basis. If people do stupid things, such as "leaving a key under the mat", then even if they lock up the house and use that awesome lock to secure the front door, they have no more real security than if they left that door open.

That's why the article talks about "not having a culture of security." QNX won't save you from some developer's poor implementation.

[BACK-2-BLACK]

Interesting to know Troy.

So if this "lock" was compromised, would this result in an update/fix of some sort from the vehicle manufacturer? A recall? The car would not be safe to drive until the patch/fix came out. This would cause chaos....

I thought vehicle makers were concerned about safe end-to-end points so that when cars were programmed there wouldn't be any issue....sort of like how it is now with BYOD, and BlackBerry is there with their BES..

[MmmHmm]

This seems like the kind of thing you read about in scary sounding articles, but never happens in real life. Hackers can have many different goals, like stealing money, stealing private pictures, just causing trouble to know they can, etc. But they are not typically cold blooded serial killers trying to disable someone's brakes on the road to cause potentially fatal accidents.

[Aljean Thein]

I feel like I read this before months ago. It's not new news

Posted via CB10

[Prem WatsApp]

Scary stuff 8-o

Looks like he's working on it:

http://edition.cnn.com/video/data/2....urity.cnn.html

Posted elsewhere, worth watching.

***PPosted by PPrem WatsaPP***

[BeautyEh]

This seems like the kind of thing you read about in scary sounding articles, but never happens in real life. Hackers can have many different goals, like stealing money, stealing private pictures, just causing trouble to know they can, etc. But they are not typically cold blooded serial killers trying to disable someone's brakes on the road to cause potentially fatal accidents.

Agreed but it's probably easy to imagine some attractive scenarios with this technology in cars, and hacker's ability to get at them. How many politicians (not just high level - what about state level, or prominent ones in smaller cities or demographic areas) will be driven around by beefy security guards in nice new cars? How many of these cars will have this tech, and thus be vulnerable? How about in various countries around the world, maybe poorer nations? What about their leaders? You could easily see situations where cars would be attractive targets for assassinations.

Posted via CB10

[early2bed]

It's one thing to pitch that security is in your DNA to consumers and other users but it's another thing to make that claim to a large IT organization. Are car makers really going to believe that only Blackberry can make a secure OS? Perhaps the ones that believe that Volvos are safer than other cars or that Hummers are the best off-road vehicles.

[Prem WatsApp]

It's one thing to pitch that security is in your DNA to consumers and other users but it's another thing to make that claim to a large IT organization. Are car makers really going to believe that only Blackberry can make a secure OS? Perhaps the ones that believe that Volvos are safer than other cars or that Hummers are the best off-road vehicles.

Or iPhones the best, most functional phones... ? :-)

I read in another post yesterday that someone's VW has a bluetooth authentication that does pairing automatically every single time the car is started... no code apparently and all it takes is to press the accept button on the phone. No way to change this behavior... OUCH!

If that's really the case (as reported by the person posting), it's screaming for cars to get infiltrated and manipulated that way.

http://appleinsider.com/articles/14/...ly-compromised

Only BlackBerry make a secure OS... probably, at least not Google with this attitude :

"...
Earlier this year, Pichai outlined Google's a very different approach to security in Android, staying, "we do not guarantee that Android is designed to be safe; its format was designed to give more freedom. When they talk about 90% of malicious programs for Android, they must of course take into account the fact that it is the most used operating system in the world. If I had a company dedicated to malware, I would also send my attacks to Android."
..."



? ? ? Passposted via CB Chen ? ? ?

[Carrtman]

I would never buy a car with forced connectivity in it it's just too dangerous. I also don't think hackers are serial killers but the thought alone of having a 2.000 + lbs vehicle controlled by someone else without being able to do anything about it, is just downright scary to me.

I applaud Ford for going back to physical buttons and less connectivity inside their cars. If I want to be connected while driving I'll stop, look at my phone and then continue driving.