Some examples of security violations that I know happened under controlled testing environments.
1) Anti-lock brake system disabled
2) Spoofing vehicle speed sensors while on cruise control, causing vehicle to accelerate well beyond set point.
3) Changing power steering boost and making steering inputs unstable.
Most people already share too much information with the vehicle, using when pairing phones to head units, but those will not lead to injury or death. Messing with SW and data on vehicle connected buses can lead to injury or death.
I don't use those, by and large, but when I have, at least I know that they are present and how to set their controls. And delete anything they "heard". (If you can actually believe that anymore.)
I am opining on the possibility of being eavesdropped on in the vehicle without knowledge. Playing devil's advocate. I really don't know much about OnStar or any of these communications options other than I can link my phone via Bluetooth to speak hands free.
There's nothing civil about this war.
But Siri doesn’t come permanently installed in all houses yet, and isn’t necessary for a house to do house stuff.
Auto emergency braking: carjacker’s paradise. I might have a need to run something over or smash something with a vehicle one day.
Constant connectivity. I can leave my cell phone at the house or turn it off and put it in a Faraday.
There was a Terminator novel where Skynet re-routes all of the autonomous cars back to major population centers before nuking the cities.
Imagine the possibilities if enemies of the country foreign or domestic have the ability to gain control of operable vehicles while simply sitting behind a computer.
Hey, we don’t need cops because your car will never again exceed posted speed limits or perform other illegal maneuvers. Or insurance companies will demand access to that data for all drivers rather than it being an opt in program.
im strong, i can run faster than train
Bricked is a huge concern. Ever hear about all the Nest thermostats that got turned off by a faulty update?
In terms of ongoing support, look at Microsoft not supporting Windows 7, or various smartphone companies stopping security updates after 2 years.
Security isn't stable. It requires ongoing support to eliminate newly discovered vulnerabilities. That's not a problem when you have controlled hard wire access, but it is huge when you connect it to the rest of the world.
I won't be buying connected appliances for similar reasons. I have zero confidence these companies will maintain security for as long as I'd like to keep a fridge, oven, washer, etc.
I like my 2006 Tundra. It's pretty analog for a modern car. Toyota gets a lot of flak for not updating the Tundra, Tacoma, 4Runner, etc., but in my mind it makes them more appealing.
Reading this thread, I suppose that the new definition of "Luddite" will be anyone who wants to have control and make decisions for themselves.
Here be dragons.
There's nothing civil about this war.
Did you read the article I linked above? It documented an actual attack leveraging a real vulnerability in the target vehicle. Now add on top of that an ability to deliver updates OTA resulting in an open path being available on each and every vehicle. Now add on top of that the inherently poor security in most consumer products (think IoT devices like smart appliances, thermostats, etc.). Do you *really* want to risk that in a vehicle you could be hurtling along at 60+ mph?
If you consider car systems to be "operational technology" and not "information technology", then experience shows that security is not a core concept of those systems. Mainly because until recently, most OT was not connected. The control and access was locally significant. Adding remote management, internet connectivity, and now OTA to OT without appropriate controls and a security-focused development cycle is a recipe for disaster. Even in IT systems where the general risks have been known for decades, we're still routinely uncovering new threats and vulnerabilities that require ongoing development. This is why when a company like MS finally stops support of an OS, you're advised to dump it ASAP or why you should keep your phones updated with a current version of iOS or Android that is receiving regular updates.
At the moment, the risk of an attacker taking over your car and driving you into a wall is slim, but as cars add more self-driving capabilities, that risk will grow. However, an attacker could turn off critical systems, force the car to do things that would damage itself (shift into low gear at high speeds, turn off cooling systems, tinker with engine controls, etc.), or just turn the car off at inconvenient or dangerous times (crossing a train track maybe).
Just so you know where I'm coming from on this...
24 years in IT, 20 of that in security (FedGov and private industry).
I managed a global SOC for a large international telecom.
I've designed and launched multiple commercial security services.
I've consulted on security monitoring projects specifically related to connected car concepts (this is an example of "connected car").
I hold two security-oriented industry certifications (Certified Information Security Manager and Certified Information Systems Security Professional) and one privacy-oriented certification (Certified Data Privacy Solutions Engineer).
Chris
@mtnbkr
I’m not terribly knowledgeable about your magical electron world so I have a question.
Let’s assume that some of the car’s electronic components are produced in China. How difficult would it be for that company to hide a bit of code that acts as a back door for the CCCP to brick every car produced with said component if they decided an infrastructure hit on the US was a good thing?
im strong, i can run faster than train
Not @mtnbkr. But, trivial. Supply chain security is a huge deal.