Your car can be hacked

[txchamps]

In a recent post, the subject of privacy was discussed vis-a-vis data in our black box. What about security as well? This is frightening, and another good reason to stay lo-tech:

http://www.washingtonpost.com/news/morn ... ?tid=sm_fb

[SoundEfx]

That's a scary thought.
There are other noted events where an angry employed bricked numerous ecu's over the internet.

[szh]

Yeah - this one is very unusual and quite scary.

The systems that I know about (on my company's data network) are more secure than this, as far as I know. But we are going to lok into the fine details about how this specific case was done.

If physical access to the car was required (perhaps to install a gadget onto the CAN bus!) or a hack into the Chrysler servers, then I am less surprised, because that would allow all sorts of possibilities (and be less of a general and arbitrary threat vector), but we need to know more to determine the exact mechanism of the failure.

Z

[MinisterofDOOM]

The big question I have is: why are critical operational systems not airgapped? This is uber-basic network security stuff. Yes, cars now have incoming network ports and yes, cars also have electronic control systems. The question we shouldn't have to ask is why in earth these systems can talk to each other in the first place.

[darylzero]

The big question I have is: why are critical operational systems not airgapped? This is uber-basic network security stuff. Yes, cars now have incoming network ports and yes, cars also have electronic control systems. The question we shouldn't have to ask is why in earth these systems can talk to each other in the first place.

They should be air gapped, and if they are, are they doing via a VLAN or or some software way that can be exploited?

OnStar need to do things remotely so that is probably why some of these systems talk to each other.

We need to know how the hack was done. Did the driver already have his phone bluetooth paired with the car? A lot of new cars will use your phone to communicate over the internet and phone home. For example reading how many miles the car has gone and sending an email to the owner to remember to get an oil change.
So did the hacker have to hack the wireless carrier and then into his phone or through Jeep's internal network? Lots of questions.

[BusyBadger]

Here's a writeup on the same thing from Wired.

[Dattebayo]

"Hacked"

I hate it when people misuse this term. Just like everyone thinks they have a virus on their computer when it acts up, it's just not so. I am not comparing some kind of malware to this kind of attack, though...

This seems more like a permissions thing, where someone knew the passwords and protocols to entirely re-write code to do what they wanted. Not at all the same thing, IMO.

[txchamps]

"Hacked"

I hate it when people misuse this term. Just like everyone thinks they have a virus on their computer when it acts up, it's just not so. I am not comparing some kind of malware to this kind of attack, though...

This seems more like a permissions thing, where someone knew the passwords and protocols to entirely re-write code to do what they wanted. Not at all the same thing, IMO.

I'm not a tecchie, so I'm not sure I grasp the distinction between hacking and a "permissions thing". Are you saying that this is much ado about nothing, or do we still have something to be concerned about?

[txchamps]

Welp, this was quick:

http://www.vox.com/2015/7/24/9034325/ch ... ll-hackers

I guess they decided take some pre-emptive action....

[Dattebayo]

Without getting too complicated, I'm saying it sounds like you'd have to know exactly what you were doing and have all the "keys" to get that kind of access to a vehicle's computer like that...

Hacking would be more like someone actually going though the code via custom written programs and scripts and exploiting security holes in the software... if you have the passwords, then it's not a hack. You have access already. This is what I mean.

[numbnuts240]

http://www.thecarconnection.com/news/10 ... t-messages

[youtube]http://www.youtube.com/watch?v=-CH9BvFl ... l=mrlanrat[/youtube]

[OriginalWheelman]

Without getting too complicated, I'm saying it sounds like you'd have to know exactly what you were doing and have all the "keys" to get that kind of access to a vehicle's computer like that...

Hacking would be more like someone actually going though the code via custom written programs and scripts and exploiting security holes in the software... if you have the passwords, then it's not a hack. You have access already. This is what I mean.

Hack vs Exploit. Exploit is using the system as it is engineered but not as it was intended to operate. Hacking is changing the program or hijacking.

[Dattebayo]

Okay, if I give you the password to my Facebook and you get in, you are uber 1337 cause you hacked my system, y0.

That pretty much what they're describing.

That's what happens when you use an off-the-shelf product in a mass-produced vehicle.

[OriginalWheelman]

Maybe I didn't explain clearly. You're right Dattebayo.

Hacking is picking the lock on your front door. Using an exploit is like taking the doorknob apart by pulling out a poorly placed pin.

[Fezzik]

They got into the JEEP pretty easy. They had to have physical access to a tesla (and having to take apart the car a lot) to do it and now that was patched over the air before even the anouncement.

[szh]

More information available now that the Black Hat conference is done.

Here are the details of the Chrysler car exploitation - not as easy as it was made out to be, but of concern nevertheless: http://illmatics.com/Remote%20Car%20Hacking.pdf

In our implementations (for cars and other devices), we block the specific mechanism that Sprint had apparently left open (and has locked down now) for general access.

Z

[Dattebayo]

Maybe I didn't explain clearly. You're right Dattebayo.

Hacking is picking the lock on your front door. Using an exploit is like taking the doorknob apart by pulling out a poorly placed pin.

I apologize, I wasn't trying to come off as being "elitest" or whatever, but labelling things as an "exploit" doesn't mean much to me either. I should have elaborated in my original post.
It seems very simple that making something a system was programmed to do to happen in a abnormal way isn't either, it's just a security hole.

Maybe I just don't fully get how they use said terms these days, it's possible...