Hackers Remotely Kill Jeep on the Highway

Forums › Transport (cars, bikes and boats) › Hackers Remotely Kill Jeep on the Highway

1 | 2 | 3

2096 posts

Uber Geek

#1349867 22-Jul-2015 15:42

frankv:
wasabi2k:
pdath: This is nothing new. Still could be worse, you could own a Ford or a Toyota. There vulnerabilities are bad enough that a hacker could kill you.

http://www.independent.co.uk/life-style/gadgets-and-tech/researchers-hack-cars-to-remotely-control-steering-and-brakes-8733723.html

via OBD port IN the car - so significantly less of a risk. Same guy if I read correctly?

But if you have access to the car, you could add a device to connect the OBD port to the Internet via cellphone.

But that is a barrier orders of magnitude greater than a hack over the air.

I can put my car in a locked garage, install an alarm etc and provide physical security, I could notice a dongle sitting in an OBD port.

If you have this online system (uConnect) you're open to attack always, everywhere with NO evidence until your car explodes.

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1349946 22-Jul-2015 17:17

surfisup1000: My personal opinion is that punishments for hackers need to be exponentially increased.

The USA has the right idea.

Make the very idea of hacking so scary it is just not worth going there.;

USA has exactly wrong idea. They have virtually no law that requires manufacturers to actually address the issues.

+plenty of law to attack users that demonstrate reported issues have not been resolved.

It is way way way out of balance.

robjg63

4098 posts

Uber Geek

Subscriber

#1349962 22-Jul-2015 17:30

While punishing hackers should always be done when they can be caught, it is simply unacceptable to have a car that can be hacked to the point where brakes,steering and handling can be got at.

It's just p!ss poor design.

Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler

Beccara

1469 posts

Uber Geek

ID Verified

#1350008 22-Jul-2015 19:08

nakedmolerat:
frankv:
wasabi2k:
pdath: This is nothing new. Still could be worse, you could own a Ford or a Toyota. There vulnerabilities are bad enough that a hacker could kill you.

http://www.independent.co.uk/life-style/gadgets-and-tech/researchers-hack-cars-to-remotely-control-steering-and-brakes-8733723.html

via OBD port IN the car - so significantly less of a risk. Same guy if I read correctly?

But if you have access to the car, you could add a device to connect the OBD port to the Internet via cellphone.

For Ford & Hyundai, if you were to attach anything, it will be super obvious as there is a cap over it (it will need to be left open).

I think alot of people are getting fussed over the port location, The loction is often just a plug + extension from the ECU wiring harness. There would be nothing stopping anyone popping a module into the can bus at many,many points in the car. The use of such a module could allow for a deliberate murder to be masked as a mechanical failure at worst or simply spying at best.

I would certainly expect more security in fly by wire and associate critical systems

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

Aredwood

3885 posts

Uber Geek

#1350133 23-Jul-2015 00:15

Haven't bothered reading that article. But presume you were driving that car. You crash into someone and kill them. You get charged with murder.

You would then be able to argue that the reason for the crash is due to your car being hacked. As if you are driving a known insecure car. How would the prosecution prove in court that the car was not hacked?

1eStar

1604 posts

Uber Geek

#1350167 23-Jul-2015 08:24

The use of the word 'hacker' is the anomaly in the story. Hacking implies access without consent. These 'researchers' simply obtained remote access to the automobile controls, with full consent of the driver. Allegedly. Any photographic evidence? The term 'Hacker' is just clickbait these days.

frankv

5680 posts

Uber Geek

Lifetime subscriber

#1350183 23-Jul-2015 08:51

Whilst the major part of the story is about a vehicle that was 'attacked' with the driver's consent & knowledge, it was also done without his intervention, and *could* have been done without his consent or knowledge. The paragraph below suggests to me that they (or any actual hacker possessed of their tools, skills, and knowledge) could have done exactly the same things to at least the Jeep Cherokee in California.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

RUKI

1402 posts

Uber Geek

#1350354 23-Jul-2015 12:41

Somebody is just making a media noise.

Remote hacking of cars via internet makes no sense as anything and everything over the Internet is tracked and traced and stored for future reference.

If somebody were in need to damage the car remotely they could've done it "old-fashioned" way "007" style without fiddling with the car electronics.

Re: CAN Port - is of no difference from LAN in a sense, that you do not need to plug anything into the physical port. CAN is running all over the car and there were reported incidents of getting access to that network in Mercedes or BMW (do not remember which one of those) via "natural holes" e.g. rear lights in the car body.

The really scary part in modern cars is electronically operated brakes and steering - these two critical car functions are delegated to electronics leaving you without control in case of the electronic malfunction. Introduction of ROHS made electronic devices even less reliable.

So, you are afraid of hackers but trust electronic brakes and explosive airbags?

Good car is the car without any electronics at all :-)
https://imgur.com/cug082O

DeepBlueSky

547 posts

Ultimate Geek

#1350390 23-Jul-2015 13:19

RUKI: Somebody is just making a media noise.

Remote hacking of cars via internet makes no sense as anything and everything over the Internet is tracked and traced and stored for future reference.

If somebody were in need to damage the car remotely they could've done it "old-fashioned" way "007" style without fiddling with the car electronics.

I doubt its noise more an FYI and I doubt it needs to make sense, these guys may in the end create a GUI interface where you choose the vehicle (Jeep, Merc etc.) what disability you want to afflict the car have the vehicle show up on Google maps (maybe live video coming soon with the new micro satellites that are planned to provide live real time video), and have it blamed on a car accident. Its not an if more a when so its imperative the security is properly sorted from the ground up in a car design.

So, you are afraid of hackers but trust electronic brakes and explosive airbags?

Good car is the car without any electronics at all :-)
https://imgur.com/cug082O

I have to agree when it comes to electronic parking brakes pushing a button makes me nervous, what happens if the car looses the electrics through a surge or failure etc. are the parking brakes on an isolated circuit?. It seems from this article the standard brakes have been isolated also from the hydraulics hence the lose in brakes and going into a ditch. At least with the good old fashioned pull hand brake you have a physical cable you can STOP the car with, one the security has been sorted I'll be much happier to try this.

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1350408 23-Jul-2015 13:42

Would you put your factory production PLCs on the same network as your office WiFi? Not in your right mind. Now you is can design car controlz.

RUKI

1402 posts

Uber Geek

#1350440 23-Jul-2015 14:44

Vintage cars will be more and more expensive then for those who are paranoid.
It is happening with the old flip mobile phones already. Those are rare and sellig for a prime price. Who needs a smartphone on wheels (e.g. Tesla)?

Mark

1653 posts

Uber Geek

#1350784 23-Jul-2015 20:54

I don't mind that they did the hack, it's a good example of how automakers suck at software and security which should be shown up.

But I do detest the way they showed off their exploit to the press by messing with the car on a public road, and also that they think it's smart to release parts of how they did it out into the wild without giving Chrylser a chance to patch ALL the affected vehicles and come up with a better solution in future ... to me their words of :

"The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review"

is utter stupidity .. they just want nerd glory at the risk of someone using their code to harm, and if someone does get hurt I bet they'll try to avoid all blame!

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1350857 23-Jul-2015 22:34

Jeep responds. Software update available:

http://www.forbes.com/sites/thomasbrewster/2015/07/21/jeep-vulnerability-fixed/

The researchers believe the issue affects any Chrysler Fiat with Uconnect manufactured late 2013 thru 2014 to early 2015.

gzt

17122 posts

Uber Geek

Lifetime subscriber

#1350859 23-Jul-2015 22:35

Mark: I don't mind that they did the hack, it's a good example of how automakers suck at software and security which should be shown up.

But I do detest the way they showed off their exploit to the press by messing with the car on a public road, and also that they think it's smart to release parts of how they did it out into the wild without giving Chrylser a chance to patch ALL the affected vehicles and come up with a better solution in future ... to me their words of :

"The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review"

is utter stupidity .. they just want nerd glory at the risk of someone using their code to harm, and if someone does get hurt I bet they'll try to avoid all blame!

I agree this does not look exactly like responsible disclosure.

On the other hand it took a long time for PC O/S makers to come to a kind of consensus of responsible disclosure, and even now some researchers release after a period frustrated at no action. So I think the auto industry will have to study that history and understand the environment.

Jeep have responded very well to this challenge and have not dug a deeper hole or tried to bury the reseachers, so I think Jeep has done very well and are looking pretty good. Based on the response time to a resolution it is very good support for their customers.

Batman

Mad Scientist
29763 posts

Uber Geek

Trusted

Lifetime subscriber

#1351757 25-Jul-2015 22:45

surfisup1000: My personal opinion is that punishments for hackers need to be exponentially increased.

The USA has the right idea.

Make the very idea of hacking so scary it is just not worth going there.

Problem is the russians / chinese / middle eastern countries are only too happy to hack western countries and cause damage.

these are hacked from the interweb. you cannot control the interweb.

plus, you make something to be bad, the more curiosity it causes, making every 14 year old want to try it.

you live in an online world, there are side effects, consequences.

i'd like my car to talk to nobody thank you very much. same with my airbus 380.

1 | 2 | 3