I've worked on autonomous driving / ADAS, and have read a few university lectures on related software engineering subjects. On one occasion, my presentation was followed by that of a military researcher whose job is basically to study new threats enabled by digital technology.
To my surprise, the military researcher wasn't particularly concerned about software vulnerabilities in cars and similar vectors. We discussed some specific instances of remote car software exploits. His point was, in essence, that all cars with advanced software can potentially be exploited, but that it's not a real threat because all such exploits require special knowledge, equipment and money. For someone looking to assassinate a specific individual, there are far cheaper and simpler methods that are also more reliable, including several methods that involve physically tampering with a car. For someone who wants to cause mass chaos, such as attacking many vehicles in an area, the researcher estimates it requires the capabilities of a state actor or at least a large organization, and they also have cheaper and simpler ways to plunge a city into chaos.
> For someone looking to assassinate a specific individual, there are far cheaper and simpler methods that are also more reliable, including several methods that involve physically tampering with a car. For someone who wants to cause mass chaos…
Most of us tech people are good at imagining ways technology might be abused, but we’re not as good at thinking like actual criminals.
It’s a similar story with smart home gear: Tech people go to great lengths to imagine how their smart locks might be compromised by hackers who will break into their homes, but real burglars will just break a window and go around it. Tech people imagine how their wireless security cameras might be vulnerable to WiFi jamming, but criminals will just wear a face covering and park around the corner.
I’m sure high value targets have specialized vehicles where these systems are removed, replaced, or disconnected. For the rest of us, the biggest concern would be if a hack enabled vehicle theft, as that would be more likely to be abused than a movie-style assassination where someone locks up our brakes from a drone or something equally complicated.
Same for car thefts. People imagine it happens in the dead of night at their house and that they'll be around to hear their alarm, but chances are high it'll be in a carpark while you're at work and no-one will think twice about an alarm in a carpark.
It is trivial to secure windows with plastic foil, glass will literally become bullet proof.
The real problem is if attackers would activate ALL alarms in an entire city, night after night. Or your "smart doors" would tip off attackers that the owner is away from home.
I guess it depends on who is trying to break in and why.
I remember reading a reddit AMA from a former burglar and he said that these windows did stop him, because he would be looking to get in and out as quickly and inconspicuously as possible and these would slow him down enough that he would try elsewhere instead.
So, for a random opportunistic burglar, they may work quite well, but for somebody determined or someone with more time (e.g. if you live in a secluded area and they know you're away for long enough), there's always a way in. I've watched enough lockpicking videos to know it's not that hard and enough DEF CON talks to know that lockpicking is rarely necessary. If someone determined wants to get into your home, they will.
> It is trivial to secure windows with plastic foil, glass will literally become bullet proof.
Here's some $50k windows that Nordstrom in Seattle was using that used that film. The windows couldn't stand up to Antifa with hammers, which makes me question the bulletproofness claim. It might not be the same exact stuff that you're claiming, but I'm guessing it is due to the description ("due to their thickness and a protective film that internally self-adheres after strikes or damage"), and that this has happened numerous times to them in the last year and I'm sure they're tired of replacing them and went for the best, strongest windows they could. $50k-70k EACH seems quite expensive for a single display window.
Having worked on those very windows: they are also expensive because of other films and treatments to that glass that filter certain light that damages the items displayed behind it. Also they are just really big pieces of thick glass.
> I've worked on autonomous driving / ADAS, and have read a few university lectures on related software engineering subjects.
For clarity: this exploit isn't to the autonomy or vehicle control system, it's to the infotainment system. It can command auxiliary systems like wipers and doors, and in theory it could do somewhat nefarious stuff like present incorrect data to the user or provide faked waypoints to the navigation system. But it can't actually drive the car.
Really the security model here is fairly reasonable: car control over the motion and autonomy systems is handled by distinct hardware that talks only to one system over a specified protocol, with audited capabilities. And that system then runs the bluetooth and wifi and USB and user interface where the attack surfaces lie.
> this exploit isn't to the autonomy or vehicle control system, it's to the infotainment system. It can command auxiliary systems like wipers and doors, and in theory it could do somewhat nefarious stuff like present incorrect data to the user or provide faked waypoints to the navigation system. But it can't actually drive the car.
Doesn't sound that reassuring, though. For a self-driving car it wouldn't matter, but as long as a human driver is in control, the infotainment system does affect motion of the car, by proxy of the driver. Could the infotainment system, or the wipers, make a driver crash their car? I find it highly likely. Imagine speeding down the highway - suddenly, your in-car speakers start blasting your ears with 80dB music, while the wipers start to dance and the car keeps spraying the cleaning fluid all over your windshield.
Obviously security bugs are bad and need to be fixed. But the point is that the security architecture seems to have made the right choices here. It's the same defense in depth strategy that puts reverse proxies in front of our web applications, or runs a database server behind a managed protocol such that SQL commands can never come from the front end boxes.
Or, for a glib answer: if you need to stop the car safely, engage autopilot and unbuckle your seatbelt. The car will turn the hazards on and pull over on its own.
Does anyone know if the glib answer works? Does the steering column selector stalk go through the ui (and therefore is interceptable by the supposedly compromised interface) or is it directly connected to the 'backend' below?
Calling the critical UI interface the 'infotainment' system for a Tesla is slightly misleading.
> Does the steering column selector stalk go through the ui (and therefore is interceptable by the supposedly compromised interface) or is it directly connected to the 'backend' below?
It is directly connected to the 'backend' below and doesn't go through the infotainment system/UI.
You can manually kick off a reboot of the infotainment system on a Tesla while you are waiting at a traffic light, and still drive like usual just fine if the light goes green a second after. The only non-functional stuff will be the visuals on the screen and anything infotainment related (like playing music). All driving aspects are preserved even with the infotainment system being broken/in the middle of a reboot.
Imagine said drone hovering in front of your windshield and igniting a dozen flashbulbs in short succession STASI-style.
Apparently they are still available for about a dozen bucks per dozen. I remember having much fun with them in my youth. Single use, blinding white light, small 9-volt battery sufficient to light them up.
Exactly! Because in the Jeep case there was an architectural failure where the attack surface (the radio controller) was connected directly to the vehicle control system via a CAN bus, speaking bare unauthenticated protocols that were designed before the idea of internet-accessible cars was conceived. So once your initial attack surface was compromised, the game was up.
What I'm saying is that Tesla seems to have learned from that experience and gone with a very different architecture where vehicle commands simply aren't accessible to the public-facing computer, from which motor/brake/steering control systems only get general direction (e.g. waypoints).
That's not saying it can't have a hole. But they don't seem to have made the kind of mess-up that would permit an attack like the Jeep hack.
> What I'm saying is that Tesla seems to have learned from that experience
Maybe. From a few decades in the industry in and around security, I have no faith in assuming that a serious vulnerability triggers any kind of change in the culture that led to it.
"state actor or at least a large organization, and they also have cheaper and simpler ways to plunge a city into chaos."
I'm not sure that's true. If I were China or the US, I would totally be interested in an exploit that would allow me to hack even a single model across the entire country and set the accelerator to be unconditionally floored and the car no longer able to turn off. Heck, that second one is even optional, given how many people are going to panic. Getting multiple models would be an even bigger bonus.
As others in the thread point out, we have publicly-known instances of companies that collect vulnerabilities. It's hardly a stretch to imagine that state actors already have the vulnerabilities, or even already have this capability essentially turnkey for whenever they need it. I mean, fund a decent hacker group of ~10 people for a year and they could probably build "the button to crash every Tesla, Ford truck between 2018 and 2020, and all Volvos after 2015 on the road in the US"... our impression of how hard security work is is colored by civilian researchers who are incredibly poorly funded. How many of our reports of deeply broken things come from people working in their spare time? I wouldn't underestimate what someone systematically collecting vulnerabilities could do with not much funding, relatively speaking.
The problem is, it's not even that you can turn a whole city into chaos... you can turn a whole country into chaos for cheap enough that it's worth adding to your portfolio.
In my opinion, the only reason to be unworried about that is precisely that there are so many other things that can be done that this somehow doesn't even rate as "interesting" and that is far from good news!
Some may find 'unconditionally floored' unrealistic, but hackers have already been able to activate the parallel parking feature while a car is travelling forwards - jerking the steering wheel rapidly to the side.
If the hacker could detect speed and make the cars swerve when they've been at highway speed for X seconds, it would be pretty horrific.
I'm sure you're right and it is being added to a portfolio somewhere - it's also a valid point that for a state level actor, there are some inexpensive and effective ways to cause mass chaos that they've already got.
For instance, the aqueducts that feed water to the city of LA go through some deserts north of there that are remote - and the giant pipes are exposed. There are no guards, nothing.
For a state level actor, a small explosive charge on one of those is probably trivial to do and would lock up LA in fear and panic for a long time - and essentially untraceable. Every major metropolis has some equivalent to this (contamination in a specific water supply, or damage to a specific bridge).
Being able to do similar things to vehicles of different types is also interesting, but the space is rapidly changing, and exploits would lose 'potency' rapidly compared to that small block of C4 and knowing someone who would place it for you. So more an R&D type interest than a practical operational capability one.
It's also easy for us to look at the trajectory, know the tech, and say 'this will change the world and we need to be prepared' - but most militaries and intelligence agencies tend to focus on what they already have experience with, or what happened last time. The old quote 'Generals always fight the last war' is very applicable. Part of the reason why is because until it has happened, you don't have any real data - just endless speculative paths, all of which are too divergent from each other to prepare for all at once, and too theoretical to justify funding because the projected costs of it happening are too divergent.
You saw it with COVID - we suspected something like this would happen soonish, we'd even had some scares recently like H1N1/swine flu - but even if you'd asked the most prepper types of us if they'd be willing to spend 100 billion to stop what happened - they'd go 'yeah right, that's not going to happen', or 'that would be a waste of money'
Now, I'm sure you'd get 75% or more of the popular vote on such a measure nation wide and everyone would consider it dirt cheap. Even if the odds of a repeat surprise event are quite low now.
"For instance, the aqueducts that feed water to the city of LA go through some deserts north of there that are remote - and the giant pipes are exposed. There are no guards, nothing."
Which is still a body on the ground in one place. These hacks can go country-wide pretty easily. It still seems like something that would be worth digging into because that digital scale can't be replicated by any physical action.
Plus attack-in-depth is a thing. If you can cheaply add "mess up all civilian automotives", you might want to do it, even if you are also blowing up aqueducts and such.
100% agreed on all points. The cyberwar (hate the term, but it’s what’s used) equivalent of chemical warfare or a nuke is going to be... incredibly nasty.
For sure - what I was referring to is a state level actor can (and almost certainly does) afford to have thousands of those 'couple guys' already identified and in an action plan somewhere in their top secret list of dirty tricks, against pretty much anyone they think likely (or even not likely) to want that kind of ability against some day.
Someone COULD go to the store, grab a hammer, and smash my computer. It's a different type of situation however when someone has figured out what model of hammer they would want, from which store (and if it is in stock or not), how they would pay for it, and who they would call to do all these things in a way that I couldn't figure out who ordered or paid for it, to smash my particular workstation at my home on a specific desk tomorrow at 6am - if they wanted to.
It's important to keep in mind capabilities, inclinations, and consequences - when that person with that plan is playing against me in competitive gaming the next day, I need that workstation to win, and I just bet them $10k I could beat them in front of all of my friends.
Thankfully most of us don't have to deal with this in our daily lives, but we can still be collateral damage when someone else is playing these kinds of games. And nation states do on the regular.
This sounds like an extremely naive and optimistic outlook. Large scale command and control situations are getting increasingly close to reality. Anyone who has followed US foreign policy and the like won’t be too surprised that this guy worked for the military (which is sad, really).
That's not the US military by the way - despite persistent rumors to the contrary, other countries do exist.
I also find the outlook a bit optimistic admittedly, but there are definitely plenty of better targets than cars for a sophisticated actor. Car software is very different from model to model, and there's a large variety of models on the road - even if you can cause all cars of model X in an area to accelerate to dangerous speeds (something far beyond the capability of current exploits), that will only affect a small proportion of all cars in the area. It will undoubtedly cause chaos, but nothing on the scale you can get by attacking some weaker systems.
Even a coordinated attack against traffic lights is easier to pull off and has no less potential damage.
But it only takes one car (or truck) to cause chaos on a freeway.
As to versions, you may be familiar with Cellebrite? Their stock in trade is having a huge database of exploits for every popular phone. And cars frequently have common software and computing components. It's just a matter of time before script kiddies can pop an unpatched car -- as soon as there is an external WiFi / 3G connection. At the moment most only have Bluetooth to the stereo.
I'm curious as to what weaker systems they were thinking about. Obviously the OT at various plants, but that can be air-gapped. Most traffic light systems have in-built low-level safeguards to prevent conflicting states, and the high-level system is centrally managed and patched. Attacking requires a multi-stage attack, maintaining access requires continual maintenance, so it just doesn't have the impact an unpatchable vuln in embedded devices does.
> But it only takes one car (or truck) to cause chaos on a freeway.
And that's back to the original point, if you are looking for such small scale problems, make a spike strip and deploy it on the highway. Same scale of destruction as taking one car over, orders of magnitude less skill and money required.
Cars have standard components, but even for cars that don't take digital security seriously (Tesla has that reputation), no driving functions should be on the same network as the external 3G/4G. Yeah you have the infotainment or door opener there, but any ECU running an ASIL-qualified function should be on a separate network, and treat anything connected to the external world as untrusted. That was definitely one of the core architecture assumptions in all car software I've seen. The infotainment system is considered to be compromised and possibly sending malicious data. All the important communication happens on a different network, where internal signing and authentication mechanisms are also used.
And at that level, the internals are too different for the same exploit to work everywhere. What you need to send on the network to make the car brake, or what data format represents the gearbox position, those are different.
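The architecture sketched in the two comments above (and in the earlier "distinct hardware that talks only to one system over a specified protocol" remark) can be made concrete. The following is an added illustration, not code from the thread, from Tesla, or from any vehicle supplier: a gateway between the untrusted infotainment domain and a hypothetical chassis ECU that (a) relays only a whitelisted set of commands from infotainment and (b) authenticates every frame it does relay with a keyed MAC and a monotonically increasing freshness counter, so that a compromised infotainment unit can neither ask for braking through the gateway nor forge or replay frames on the internal network. Command IDs, the shared key, the truncated 8-byte tag length and the frame layout are all constructed for the example; real signal databases and security protocols differ per make and model.

```python
import hashlib
import hmac
import struct

# Hypothetical command IDs; real vehicle signal databases differ per make and model.
CMD_IDS = {"WIPER_ON": 0x10, "DOOR_UNLOCK": 0x11, "HVAC_SET": 0x12,
           "BRAKE_APPLY": 0x80, "STEER_TORQUE": 0x81}
# The only commands the gateway will relay on behalf of the infotainment domain.
INFOTAINMENT_ALLOWED = {"WIPER_ON", "DOOR_UNLOCK", "HVAC_SET"}
MAC_LEN = 8  # truncated tag length, a constructed choice for this example

# Constructed key: provisioned to the gateway and the chassis ECU, never to infotainment.
CHASSIS_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac(key: bytes, body: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the frame body (counter || cmd_id || payload)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, counter: int, cmd_id: int, payload: bytes) -> bytes:
    """Frame layout (constructed): counter(4, big-endian) || cmd_id(1) || payload || tag."""
    body = struct.pack(">IB", counter, cmd_id) + payload
    return body + mac(key, body)


class ChassisEcu:
    """Accepts only frames with a valid tag and a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.applied = []  # command IDs that were actually acted on

    def receive(self, frame: bytes) -> str:
        if len(frame) < 5 + MAC_LEN:
            return "reject:short"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        # Constant-time comparison; verify before parsing anything else.
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return "reject:bad_mac"
        counter, cmd_id = struct.unpack(">IB", body[:5])
        if counter <= self.last_counter:
            return "reject:replay"  # a captured frame is never valid twice
        self.last_counter = counter
        self.applied.append(cmd_id)
        return "accept"


class Gateway:
    """Policy enforcement point between the untrusted and the safety domain."""

    def __init__(self, key: bytes, ecu: ChassisEcu):
        self.key = key
        self.ecu = ecu
        self.counter = 0

    def relay(self, source: str, cmd: str, payload: bytes = b"") -> str:
        # Infotainment is treated as compromised: only its whitelisted requests are relayed.
        if source == "infotainment" and cmd not in INFOTAINMENT_ALLOWED:
            return "dropped:policy"
        self.counter += 1
        frame = build_frame(self.key, self.counter, CMD_IDS[cmd], payload)
        return self.ecu.receive(frame)


def scenario() -> dict:
    """Constructed walk-through of what a compromised infotainment unit can and cannot do."""
    ecu = ChassisEcu(CHASSIS_KEY)
    gw = Gateway(CHASSIS_KEY, ecu)
    results = {}
    # Legitimate infotainment request: relayed, signed by the gateway, accepted.
    results["wiper"] = gw.relay("infotainment", "WIPER_ON", b"\x01")
    # Compromised infotainment asks for braking: the gateway never forwards it.
    results["brake_via_gateway"] = gw.relay("infotainment", "BRAKE_APPLY", b"\xff")
    # Attacker forges a frame with a guessed key: the tag fails on the ECU.
    forged = build_frame(b"\x00" * 16, 99, CMD_IDS["BRAKE_APPLY"], b"\xff")
    results["forged"] = ecu.receive(forged)
    # Attacker replays the earlier legitimate frame: valid tag, stale counter.
    captured = build_frame(CHASSIS_KEY, 1, CMD_IDS["WIPER_ON"], b"\x01")
    results["replay"] = ecu.receive(captured)
    results["applied"] = list(ecu.applied)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The two layers are independent on purpose: the whitelist stops a compromised infotainment unit from asking for anything safety-relevant, and the MAC plus counter stop it from bypassing the gateway by writing to the internal bus directly, which is exactly the path the Jeep attack used.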
I think the major overlooked point is that the modern digital world provides a means for people to commit crimes they otherwise would not have done, simply because they can and because they feel there is low risk of getting caught.
A spike strip, you have to be in the area. A remote attack, you don't have to particularly care about any specific area enough to physically travel to it.. someone can cause chaos simply because they are bored.
And immediately after, they can go do something else.
Tech vulnerabilities aren't yet accessible enough to these types of people, but soon enough they will be and it is not like security is in a temporary poor state. A lot of these systems will remain unchanged for a long time because they are part of an already working business model
Police are quite practiced in finding armed robbers and other people who might use a spike strip (which is pretty tricky to deploy IRL if you want to hit a specific car). But organised crime car theft (with access to key cutting/duplication, remote unlock repeaters, engine immobilizer bypass codes, etc) is a significant problem. I don't see any reason why OCGs wouldn't be enthusiastic users of hacks, the same way that card skimmer gangs operate.
A centralised and timed attack against a tech stack that has significant dominance in the market in the future has one of the biggest potential ceilings out there. Cars are effectively kinetic weapons and if you could, say, get 30% of vehicles to turn into oncoming traffic on a Friday afternoon the outcome could be seriously ugly.
I guess targeting their phones works better. Phones can provide a lot more data, and with iOS and Android you have just two platforms that cover the vast majority of phones. If you're a state-level actor, you have the NSA, GCHQ or equivalent with full-time teams working on compromising both platforms, so probably have quite a few options available.
There's probably not a single new car that doesn't come with at least one microphone in the cabin. You need at least one for Bluetooth handsfree and for voice commands.
Cars sold in Europe since 2018 need to have a system to automatically call emergency services in the event of an accident. So, there's that microphone.
European airbag regulations also allow for smaller airbags that explode with less force since US regulations require automotive manufacturers to assume an unbelted driver. ECE specifications are based on people wearing seatbelts.
That's great. But mandating an embedded cell phone? Hopefully it is a fully independent system that only turns on after a collision, but it still has a spooky big brother aspect to it.
I don't know what your point is about airbags. Some sort of weird defence of European safety standards?
I looked at the insurance plans that give a safe driving / low km bonus; they use a device that plugs into the car diagnostics port. But it's actually a sham -- you get a discount on the next year, not the past year, so it's just a trick to get you to renew.
I thought the seatbelt thing was a dig at Americans, who I never mentioned, and blatant whataboutism, but whatever.
For the countries with the highest death rates (~80/million), which are poorer former Eastern Bloc countries, they predominantly occur in urban areas. Making cars 0.1% safer for Germans/French/Swedish, who have >50% of fatalities in the countryside, makes cars more expensive for the whole bloc, delaying the changeover to cars with massive safety features, like monocoque passenger safety cells, ABS/ESC and airbags.
Incidentally, 10% of US fatalities occurred where no seat belt was worn.[1] In the UK this was 30%, but with a quarter of the fatality rate. All you can say is that people without seat belts on die.
I have to admit I don't know if you're sarcastic or not, but it certainly exists in Europe. You can have reduced rates (by quite a bit) if you install some special hardware to record how you drive.
I had no idea, I don't use any of those features. I just checked my car and it does have phone features. I'm honestly shocked. I want to get rid of the microphone.
The newest car that I've had without Bluetooth hands-free was actually a 2005 BMW. But it was basically the last year facelift model based on a 90s design. I think the completely new model came out in 2006 and had Bluetooth handsfree.
It's probably way later than 2005 when pretty much every car included Bluetooth handsfree.
In general the likelihood an exploit will be exploited can be thought of as a relationship between its ease and payoff. Just because something is exploitable doesn't mean it's likely to be exploited unless it's easy to do so or there is a good reason to put in the effort required.
I guess if it was possible to remotely take over or disable the brakes on an entire fleet of self-driving cars then we could have problems. Likewise, if it was possible for school kids to "prank" their teacher by downloading some exploit software from the internet we could have problems. But in both cases you would hope security would at least be good enough that these types of events could not happen.
Remember someone with a bit of knowledge could easily tamper with your mechanical car today if they wanted to. Digital tech provides new attack vectors for someone seeking to do damage, but if designed correctly any new digital attack vector shouldn't present any greater risk than the existing mechanical attack vectors.
It's actually quite difficult to tamper with a car. You have to find the car in an unattended and out of sight place. That opportunity isn't available for high value targets, and doesn't scale to 100k cars.
Just a DoS attack would require every car to be taken by tow truck to the garage or visited by a tech to patch it, and the resulting reputational damage would be huge. I'm sure Ford/Toyota/etc would pay a ransom to avoid that.
Everyone is focusing on the assassination angle but I stopped when it said that it could unlock the doors and trunks. Sure we exist in a world where people break into cars a lot, but generally it's at least somewhat destructive. No-one is 'picking' locks (because picking increases the time they are 'on target' and could get caught), they are smashing windows or are forcing locks with leverage. These actions look to an observer like what they are.
In this new scenario, someone could have a remote rootkit loaded on their phone. Trigger it from across a parking lot or approaching the target and then simply walk up to the car and pull anything valuable out of it. They would look like the owner to most observers.
In some parts of Europe, digital attacks on proximity unlock systems are becoming a common way to break into cars. Especially for a system based on Bluetooth, it's difficult to defend against an amplification attack.
The key here is that one person can make a tool and sell it to many common criminals, and even if the auto manufacturer notices that they are doing this, there isn't an easy way to patch the issue. For something like a Tesla, it's difficult to imagine a software vulnerability that cannot be fixed with an OTA update, but for a manufacturer that doesn't have OTA update capabilities, I could definitely see cyber hacking tools being distributed and used in a similar way.
Right, but direct physical access is a bit different from "can mess with your car from 100 m away". A security camera will effectively deter one but not the other.
Yes, but isn't it more about the message? "We can get anyone, anywhere, and get away with it?" If nobody knows it was them, does it then work for making an example out of someone?
Yes, though your assets may end up on camera tampering with the car and their physical modifications may be found. If you can do it from a drone or from the internet all digital evidence may be destroyed in the fire if you did not remotely wipe it already.
One thing that might change this is if V2V, where cars communicate to each other on the road, becomes more relevant. Then you'd only need to compromise one particular make and/or model of a car to start sending false information to a whole bunch of cars.
V2V and V2X serve as additional ways for a car to get data, to complement the car's own sensors. They're not command protocols. V2V shouldn't make your car do anything dangerous, as all the usual software logic still applies. E.g. your car may get info over V2V that an ambulance with sirens is coming up behind you, so your car slows down to make room, but that's an internal decision of the car, it's not a "slow down" command over V2V channels.
In that vein, rogue traffic signs or other objects designed to confuse a car's inputs are probably more of a threat.
False V2V inputs could cause a car satnav to divert to an alternative route. If the data fusion is done wrong, or if external visibility is very poor, it could rely on single source data (V2V without confirmation from an on-board sensor) and swerve or engage emergency braking. If an attacker has access to disable/deceive, e.g., the microwave sensors (via software attacks, or by jamming) then it becomes quite possible.
There is lots of research in the topic though, so I'm fairly confident most V2V systems will be robust, but it depends on regulation. If they froze capability at a specific 'approved' version then attacks could become serious. Especially for systems using lots of ML, at higher levels of autonomy. At the moment it seems like Looney Tunes attacks (draw a picture of a tunnel with the word TUNNEL on it, paint the road markers towards it) work amazingly well.
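The distinction drawn above (V2V as one more sensor input that the car's own logic weighs, never a command) and the failure mode raised in the reply before it (falling back to single-source V2V data when an on-board sensor is missing or jammed) can be shown as a small decision routine. This is an added example, not code from any V2V standard or vehicle project: the message types, radar model, range thresholds and actions are all constructed. The point it demonstrates is the fusion rule: on-board sensing alone is allowed to trigger emergency braking; a V2V alert on its own can only produce an advisory and a log entry; and when the corroborating sensor is unavailable, the system degrades conservatively and hands attention to the driver rather than promoting the unverified alert to a command.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed thresholds; a real system calibrates these per vehicle and speed.
EMERGENCY_BRAKE_RANGE_M = 40.0
ADVISORY_RANGE_M = 150.0


@dataclass
class V2VAlert:
    kind: str            # "OBSTACLE" or "EMERGENCY_VEHICLE" (hypothetical message types)
    distance_m: float    # distance claimed by the sender; unverified, possibly false
    sender_id: str       # constructed identifier of the transmitting vehicle


@dataclass
class RadarReading:
    available: bool                    # False when the sensor is faulted or jammed
    nearest_object_m: Optional[float]  # None when nothing is detected


@dataclass
class Decision:
    brake: str          # "none" | "advisory" | "emergency"
    hmi: List[str]      # messages shown to the driver
    log: List[str]      # audit entries kept for later analysis


def decide(alert: Optional[V2VAlert], radar: RadarReading) -> Decision:
    """Fuse an optional V2V alert with the car's own radar reading into one action."""
    d = Decision(brake="none", hmi=[], log=[])

    # Rule 1: the car's own sensors are authoritative for safety-critical actuation.
    onboard_threat = (radar.available and radar.nearest_object_m is not None
                      and radar.nearest_object_m <= EMERGENCY_BRAKE_RANGE_M)
    if onboard_threat:
        d.brake = "emergency"
        d.log.append(f"emergency brake: radar object at {radar.nearest_object_m} m")
        return d

    if alert is None:
        return d

    # Rule 2: V2V is advisory input, not a command. It may raise driver attention,
    # request a gentle slowdown and be logged, but never triggers emergency braking alone.
    if alert.kind == "EMERGENCY_VEHICLE":
        d.hmi.append("emergency vehicle approaching: prepare to make room")
        d.log.append(f"v2v advisory from {alert.sender_id}")
    elif alert.kind == "OBSTACLE" and alert.distance_m <= ADVISORY_RANGE_M:
        d.brake = "advisory"
        d.hmi.append("obstacle reported ahead: reducing speed")
        if not radar.available:
            # Rule 3: losing the corroborating sensor degrades conservatively and hands
            # attention to the driver instead of promoting the single-source alert.
            d.hmi.append("sensor unavailable: driver takeover requested")
            d.log.append(f"unconfirmed v2v obstacle from {alert.sender_id}, radar unavailable")
        else:
            d.log.append(f"unconfirmed v2v obstacle from {alert.sender_id}, "
                         f"radar nearest={radar.nearest_object_m}")
    else:
        d.log.append(f"ignored v2v message kind={alert.kind} from {alert.sender_id}")
    return d


if __name__ == "__main__":
    # Constructed situations: the same false "obstacle 30 m ahead" alert under three sensor states.
    claim = V2VAlert("OBSTACLE", 30.0, "veh-A")
    print(decide(claim, RadarReading(True, 25.0)))    # radar confirms: emergency brake
    print(decide(claim, RadarReading(True, None)))    # radar clear: advisory only
    print(decide(claim, RadarReading(False, None)))   # radar jammed: advisory + takeover
```

Read the three printed cases together: the attacker who can only inject V2V messages gets, at most, an advisory slowdown and a logged discrepancy, while the combination the earlier reply warns about (deceived or jammed on-board sensor plus a false alert) is handled by degrading to driver control rather than by trusting the single remaining source.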
> but that it's not a real threat because all such exploits require special knowledge, equipment and money
In other words they (that military research lab) have the resources and you don't. Sounds like the ideal vulnerability from their perspective.
In any case, that overstates the difficulty. Plenty of examples of low budget research teams finding remote vulnerabilities in newer cars.
Also, remember that a vulnerability is laborious to find, once. After it's out every script kiddie can do it.
> physically tampering with a car
That doesn't scale. If you're after one single specific person it's done, but if you want widespread ability to cause mayhem, you'll take the remote vulnerability.
This is a descendent of a 1990 Usenet post. "Problem #2: is that white noise, or is it a one-time pad ? I dunno. Awfully hard to prove, isn't it ? Unless, of course, I left my radioactive source and oscillators lying around. Big deal, you zap me for a misdemeanor. You still don't get The Master Plan, unless you resort to the rubber-hose technique of cryptanalysis. (in which a rubber hose is applied forcefully and frequently to the soles of the feet until the key to the cryptosystem is discovered, a process that can take a surprisingly short time and is quite computationally inexpensive)"
I find this attitude VERY disturbing. Cars are a target comparable to industrial infrastructure, but with weak security. The USA has many enemies; there is constantly some sort of hacking scandal.
Next time there is a mass scale hack: a few dozen people die, grid lock for couple of days, hardware worth of billions bricked.
And US government can bomb any country it marks as an attacker....
> A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. However, the researchers explained, “This attack does not yield drive control of the car though.”
Two things.
I feel the title of the article should have included this information, e.g. "Tesla Car's Infotainment System Hacked Remotely..." to make the headline a little less scary.
Secondly, though, can someone explain how "modifying steering and acceleration modes" does not "yield drive control"? This sounds like it does affect the driving of the car.
> Secondly, though, can someone explain how "modifying steering and acceleration modes" does not "yield drive control"? This sounds like it does affect the driving of the car.
I have a car (2019 Seat Leon) with Dynamic Chassis Control. Modes are Eco, Normal, Comfort and Sport. Of these, only Eco really has any special characteristics like reduced acceleration. So while it may indeed affect how the car drives and steers, it’s nothing dramatic. I’m sure it’s relatively similar in a Tesla. But maybe I’m just numb. :-)
It might have some effect. On a car with electronic steering the drive mode changes how "heavy" the steering wheel feels, same for electronic suspensions (google drive-by-wire). My non-expert assumption is that the wheels are controlled by some electronic system and the feedback provided through the steering wheel actuator.
Someone already mentioned it, but I wanted to say it is surprising that there's essentially no real drive-by-wire car in production. And really there doesn't need to be. It's just added complexity and liability. Eventually they'll migrate that way as they work towards getting rid of the steering wheel, but as long as that's around, the wheel will be directly connected to the power steering systems.
This becomes obvious in a Tesla when you play that racing game on the MCU with the steering wheel as input. It moves the wheels. If the car was drive-by-wire they wouldn't move, as that's just causing excess wear for no reason.
The same way lane assist worked before: using the actuator that is already present in virtually all modern cars for the power steering system. You can easily fight against it by holding the steering wheel.
But if I were asleep at the wheel or distracted at the wheel it could certainly drift me into the oncoming traffic lane, which I might or might not notice.
Those modes are calibration settings. "Sport" mode allows a stiffer feel to the steering wheel, "Chill" acceleration prevents access to the top end of motor power, etc. You cannot command the car to turn or accelerate with them, they just change how it responds to command input from the user.
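To make the "calibration setting, not a command" distinction concrete, here is an added toy model (not Tesla's code, not from the article, and not from any commenter in this thread). It assumes a hypothetical vehicle controller where the only torque *command* input is the driver's pedal sensor, and the less-trusted infotainment domain may only select a mode from a fixed allow-list; the `MODES` table, `MAX_TORQUE_NM` and the message format are all constructed for illustration. The point it shows is that the boundary handler rejects anything other than a valid mode selection, so a compromised infotainment unit can change the pedal-to-torque map but cannot produce torque with the pedal released.

```python
"""Constructed model of a drive-mode calibration path (added example; not
any manufacturer's code). A mode message from the infotainment domain
changes *how* the vehicle responds to the driver's pedal, but cannot by
itself produce a torque request."""

from dataclasses import dataclass

# Hypothetical calibration table: mode -> (torque gain, torque ceiling as a
# fraction of motor capability). Values are constructed for illustration.
MODES = {
    "chill":    (0.6, 0.5),
    "standard": (1.0, 1.0),
}
MAX_TORQUE_NM = 400.0  # constructed motor limit, in newton-metres


@dataclass
class DriveState:
    mode: str = "standard"


def torque_request(pedal_fraction: float, state: DriveState) -> float:
    """Torque commanded to the motor (Nm). The only command input is the
    pedal position from the driver-facing sensor; the selected mode only
    scales and caps it, so a released pedal yields zero in every mode."""
    if not 0.0 <= pedal_fraction <= 1.0:
        # An implausible sensor value is a fault, never a command.
        raise ValueError("pedal sensor out of range")
    gain, ceiling = MODES[state.mode]
    return min(pedal_fraction * gain, ceiling) * MAX_TORQUE_NM


def apply_infotainment_message(msg: dict, state: DriveState) -> bool:
    """Handle one message from the less-trusted infotainment domain.

    Only a mode selection from the fixed allow-list is honoured. A message
    carrying any other key (for example a direct torque or steering value)
    is dropped as a whole rather than partially applied. Returns whether
    the message was accepted."""
    if set(msg) != {"mode"}:
        return False          # unexpected or extra fields: reject outright
    if msg["mode"] not in MODES:
        return False          # mode outside the allow-list
    state.mode = msg["mode"]
    return True


def released_pedal_torque_by_mode() -> dict:
    """Torque produced with the pedal released, for every mode: all zero."""
    return {m: torque_request(0.0, DriveState(mode=m)) for m in MODES}


if __name__ == "__main__":
    state = DriveState()
    # Constructed messages as a compromised infotainment unit might send them.
    print(apply_infotainment_message({"torque_nm": 400.0}, state))          # False
    print(apply_infotainment_message({"mode": "chill", "torque_nm": 1}, state))  # False
    print(apply_infotainment_message({"mode": "chill"}, state))             # True
    print(torque_request(1.0, state))           # capped by the chill ceiling
    print(released_pedal_torque_by_mode())      # zero torque in every mode
```

The design choice worth noting is the strict whole-message check (`set(msg) != {"mode"}`): validating only the field you expect and silently ignoring the rest is how an extra "torque" field from a compromised domain ends up reaching a less careful handler downstream.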
There's been at least one car[1] where hackers gained access to the car electronics through the infotainment system.
Not sure about the Tesla, but several other cars[2] have their infotainment connected to the rest of the control systems. So in general, it's not "just" the infotainment system.
I also remember a fairly recent (within the last couple of years) case where a hacker remotely killed a journalist's Jeep while he was on the freeway. It was part of the story he was working on, so thankfully it wasn't unexpected. But I think they should have been in a parking lot and not on a freeway screwing around like that.
Fascinating as the exploit itself is, it makes me wonder how long manufacturers will "support" these newer connected vehicles. Having an outdated smartphone is one thing, you risk your personal data being targeted if the manufacturer decides to no longer support it after a few years - but the risk seems much larger if you've got, say, Teslas (though I'm sure it applies to most other vehicles these days), with unpatched, well documented vulnerabilities which could endanger the life of the occupants if exploited.
The one saving grace here is perhaps "This attack does not yield drive control of the car"... I'd be fascinated to know what the separation of systems looks like in a modern connected vehicle. I'm assuming it's not likely to be physically possible to gain drive control of the vehicle through its infotainment system?
The future will be interesting. Imagine what havoc you could wreak with a worm that is able to control a car (this worm was not).
Let the worm spread for a while through the fleet and activate a malicious piece of code at a set moment that accelerates and steers the cars into an object. There's not enough medical personnel to tend to all these accidents. Total chaos.
Am I wrong in thinking that with the passing of time the probability of such an event tends to 1?
> Am I wrong in thinking that with the passing of time the probability of such an event tends to 1?
You're forgetting to factor in the human element. Technology doesn't progress independently. There are dampening effects when the "real world" decides technological possibilities don't fit the world they want (for example, copyright applies artificial limits to the infinite copying potential of digital assets, or the recent EU politics around AI).
So I suspect relatively isolated cases like this will eventually lead to a push for legislation on automotive digital security. Cynically, I suspect in a way that raises barriers to entry to the market after the incumbents have secured their market share, but that's still probably better than the alternative.
I certainly think we'll have a new cause of death "computer - AI", whether malicious or not it's something we need to start tracking and keeping tabs on.
I wonder if, as we do at the moment with human piloted cars, we'll just shrug it off and offer a passing "poor human" (in the case of injury/death) and continue with our day.
Death is around us 24/7 and I am not convinced even if cars were hacked and told to drive into objects we'd care very much, we'd probably fix the bug and move on.
Yes but when you can sue for wrongful death... problems get taken care of. Insurance companies will learn that their bottom lines are deeply connected to car computer security and then either the network or the vulnerabilities will be gone. A $10 insurance surcharge can move mountains.
Agreed, and there are other viable attack vectors too. Instead of a worm, an unfriendly state or other bad actor with deep enough pockets could hack the update servers that cars get their over-the-air updates from. Employees of the car manufacturer could be compromised to make that easier.
Tesla is a software company and probably has a lower chance of getting hit due to expertise and funds being poured into security (even though not infallible, as this post shows), but there's a race to the bottom and soon enough car companies that couldn't pull off decent navigation will have some form of computer-controlled steering as stockholders are looking at Tesla stock price and breathing down their necks.
I have been worrying about this for some time, even though I am also a tech lover and Tesla driver. I was thinking of writing a blog post about this, but seeing this comment, maybe it isn't a new thought and everybody is already aware of this risk.
I think you are right about medical personnel. But also: if you make everyone crash around rush hour, you take out a significant share of the working population. And how do you clean up the infrastructure to let trucks and ambulances through again? Not to mention the catastrophe of cars crashing into stores and pedestrians in city centers.
Terrorists would probably have an easier time exploiting this button, which isn’t exactly safe either, than update servers. Or not, but it does introduce yet another attack vector, or technology that could have a bug that makes it trigger by accident.
On a general aviation aircraft this would be the power switch for the ECM. Super easy to add a kill switch, if the car manufacturer chose to do so. No idea what a self driving car would do if it lost its ECM and related controllers.
I think it should be possible to have two mandatory requirements for all car designs: the steering wheel and the brake pedal override everything else, and that has to be hard-wired in a way impossible to bypass without modifying the hardware.
You're wrong. Computer "worms" as people think of them are not the problem here. They're actually well understood. And while propagation seems like it could be so fast it's overwhelming, I think there are a lot of reasons to consider that exceedingly unlikely. These "worms" are the equivalent of catching a communicable illness that is *physically manipulating* the car (even if it's just software).
What's the bigger issue?
Adversarial manipulation of the sensor inputs. This can be equated to verbal or visual manipulation in humans, something that becomes much harder to detect. While most of these attacks would be against a local target, I could also see a widespread deployment that goes unnoticed and slowly degrades many neural networks, and those being erroneously propagated.
The latter is a much bigger problem than "worms" because it's effectively invisible. We can audit and identify malicious code, there's an entire industry built around that. But, neural networks are for the most part still a black box solution. How does one detect and solve manipulation in a black box solution?
Well, maybe my Tesla will meet your Tesla in therapy and they can talk about it.
The code-based manipulations are relatively well understood by cyber security professionals, which Tesla undoubtedly has on staff. There are existing solutions to at least slow the spread of these, even if it's as rudimentary as an emergency shutoff as soon as Tesla recognizes an anomaly.
Don't forget that the "Move fast and break things" motto was born out of the software world. So claiming something is a software company works both for and against them in this case. Think of Heartbleed to understand why having software engineers and literally millions of eyes on a problem might still mean nothing in the grand scheme of things. And understanding a problem only takes you one step closer to solving it. How you solve it, and how you keep doing this day after day going forward makes a lot of difference either way.
The truth is the moment it's technically possible to hack a car remotely, cars will be hacked remotely. We've had computers of all kinds for decades and couldn't manage to make them "hack-proof". Consoles are as close as it gets and I'm sure if they were as critical as a car they would have been thoroughly hacked by now.
Having any kind of "self driving" feature means safety critical systems (acceleration, braking, steering) can be controlled entirely by the car's computer. And having OTA updates means there is some link between that critical computer and the outside world. And in that outside world people managed to hack airgapped computers in a military nuclear facility. If only that facility was "a software company"... they could have CI/CDed the malware in their infrastructure.
Iran has cyber security professionals - and physical controls over the hardware - but thus far that doesn't seem to be perfect protection against stuff like Stuxnet. The idea that cars can't be effectively and rapidly hacked seems overconfident.
Am I alone in thinking that in case of a war between advanced countries every single one will come to a halt because of no power, no gas, no water, no anything? No bombs required.
Contingency plan: go back to the technology of 50+ years ago. Remember the old unwired unhackable Battlestar Galactica vs the newer ships hacked by Cylons.
I think the scary scenario is advanced countries thinking a sneak attack will succeed and/or be deniable.
Something like https://www.wired.com/story/how-30-lines-of-code-blew-up-27-... applied on wide scale to a developed nation's power infrastructure has the potential for enormous numbers of deaths without the "well obviously the rest of the world will hate us" consequences of nuking someone.
But, private corporations can be wound up. Nobody is ultimately obligated to maintain this kind of work.
If shit hits the fan, then it's not obvious that "Tesla, Inc." will stick around to deal with the consequences. (If it becomes medium-term unprofitable, then it seems to me obvious that it won't.)
>(If it becomes medium-term unprofitable, then it seems to me obvious that it won't.)
I'll add that while I think it's unlikely ANY incorporated publicly traded business would stick it out to deal with the consequences... TESLA seems to have treated medium-term unprofitability as a consequence of failing to meet quality and production goals without heavy divergence from long-term profitability plans.
In short: Google still hasn't figured out how to stop black people from showing up in Photos searches for "gorillas" (hence, such searches return no results; go ahead, try it). The irrevocable "poisoning" of computer vision systems is a real threat.
The real fun will begin when some new technology comes along that appears similar but operates differently from what it's replacing, leading to complications with the vision systems. We already had a traffic-related version of this happen: when LEDs began replacing incandescent bulbs in streetlights, engineers had to add heaters to make up for the fact that LEDs didn't melt the snow that accumulated on the housing.
I dunno - you don’t need much more control than killing the engine, which can be done remotely on many vehicles today.
Yeah, if you have visions of the Joker hacking control of the Batmobile turning into a large RC car then we are safe from that. But that’s far from saying that remote control isn’t an issue.
This is why I intend to keep my 2009 car for decades. The only thing it does for me is a bit of traction control and the only radio it has in it plays music and jesus stations.
My biggest fear with these scenarios is not really the hacking but law-enforcement agencies undermining civil rights by forcing Tesla or other self-driving car-makers to redirect cars against a customer's will. I feel like an episode of Westworld alluded to this scenario at some point. I come from a country where minorities have historically had a bad time at the hands of authorities, and I can see said authorities salivating at this prospect.
Cars can already be stopped when stolen, it has been available for many years I think, it's not about Tesla or self-driving.
The new thing with some current and most future cars is that everything will be controlled by a computer that has software that is connected to internet and even Wi-Fi, which makes it prone to "computer hacks" we know so well.
From that point, the problems being faced come from both worlds: car world (stealing, accident, ...) and computer world (access to location or cameras, ransomware, ...).
Car chases are dangerous, seems like it would be good to put a stop to them permanently. Cops can already mess up your day pretty badly if they decide you're a threat; if anything, taking over the steering of my car would be the most non violent option.
(I actually don't know, and too lazy to research. Just going off stuff I've heard here.)
If I had a big enough faraday cage, a flat bed, and winch, it might be an appealing target though? Oh yeah, a lot of motorcycles are stolen by two guys lifting the bike onto a pickup--locks and all.
You document and report a vulnerability to Walmart, Northrop, some random BigCo that nobody thinks much about and you get nothing. You document and report an equivalent vulnerability to a tech BigCo and you make the front page of HN.
It's not about having a working exploit you can monetize. These hackers aren't gonna steal cars. They're showcasing their skills and picking their targets for that purpose.
Had they hacked a Daewoo wearing Chevy clothes or an FCA product nobody would blink twice. The comments would all be people saying you get what you pay for or repeating the typical Reddit tropes about the big 3 being crap.
They picked one of the brands that starts with T, ends with A because those brands are sacred cows of the upper middle class and have rabid online fan-bases who will greatly amplify and publicize these hackers' work.
A lot of the big safety wins (seat belts, airbags, side airbags, backup cams, crumple zones) came before the start of the electronics takeover. You can easily find a decently safe car that doesn't spy on you. And for a few hundred bucks you can easily install a new stereo in them that'll work with Carplay and Android Auto.
This. The safety improvement from successive features is logarithmic or close to it. Seatbelts win you the overwhelming majority of the safety. Bucket seats with headrests get you most of what's left. Stiff passenger cabin (i.e. the difference between a car from 1981 and 2001) gets you most of the remainder.
Airbags, crumple zones, belt pre-tensioners and all the other high tech stuff that the internet worships are basically a rounding error compared to "a strong cabin and some basic stuff to keep the occupants in the right place inside it".
I don't know, small overlap crashes (which include impact on only about one fifth of the bumper on the driver-side) have only recently been prioritized (circa 2014) and that's when all of the technology seeped into every car model, even on the low end of the new car market.
Sure, you can do with no electronics but with electronics you can do that and more.
These days, even the cheapo cars have stuff like ESP, Crash Prevention, Blind Spot monitoring, Lane assist and more systems that compensate greatly for driver skills and human errors.
The electronics are good at crash prevention, and in the pre-electronics cars, crash prevention is non-existent besides lighting, markings and the horn.
Safety, against remote vulnerabilities, is literally the topic that favors older cars.
Also, you don't need to get a 60s car. Any car up to early 2000s (and many models even into earlier 2010s) is still safe from remote exploits while having all the benefits.
That's a beautiful car. My favourite vintage car is the Renault Alpine A110. But these cars are not very safe if you get into an accident in comparison to modern cars.
> Intel was also informed since the company was the original developer of ConnMan, but the researchers said the chipmaker believed it was not its responsibility.
...
Very strange position when Intel sinks 7 digit sums into salaries of top tier computer programmers working on it.
Does it do it for nothing then?
It's these situations, when people can't tell what the heck they are doing what they do for $200k a year for, which signal a company's dysfunction.
That's not fair. ConnMan was written primarily by Marcel Holtmann while paid by Intel to work on Moblin and Meego back when they were a thing. But it is, was, has been and was always intended to be a 100% open source effort provided to the community (including Tesla!) under the GPLv2 free of charge and with a warranty disclaimer included in the license.
Demanding that employers be somehow magically responsible for the community contributions of their employees in perpetuity is the easiest way to make sure employers never let their employees contribute to the community.
Whether ConnMan, which is semi-abandonware now, was a good choice for Tesla to have integrated is sort of a different question. Personally I was never a fan. But that's the magic of free software, we all get to choose what works for us.
Seriously, the warranty disclaimer is really clear in the GPL. They even put it in caps:
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Hm. While I usually avoid WiFi where- and whenever I can, recently I couldn't. Booted some live distro into RAM, fiddled with settings (because not used to WiFi, got it?), almost had screaming fits, until I discovered I could switch from that NetworkManager crap to ConnMan and everything worked. The GUI which enabled that was this https://github.com/andrew-bibb/cmst
Where the use-case was a simple connect to that fucking T-Offline hotspot at the edge of reception and automagically point some browser tab to the captive portal, FAST!
Also RECONNECT fast!
It has always upset me that development of vehicle software hasn't been approached with the same care and unyielding professionalism as that of the space shuttle.
> It has always upset me that development of vehicle software hasn't been approached with the same care and unyielding professionalism as that of the space shuttle.
Maybe it has. Could it be that you could remotely hack the current space crafts, but nobody is allowed close enough for bluetooth to work?
Maybe one day car manufacturers will be required to tell you how to disconnect your car from wireless networks. Or even better, it will be illegal to opt you into them. (but I don't see any of those happening with the current government)
I have heard of some people that would just disable the antenna and haven't heard of starting issues.... but I have doubts about it being 100% effective. I.e.: once I wrapped a wireless device in aluminum foil and it could still transmit... I think that to be 100% effective as a Faraday cage, it needs to be grounded too, but of course it is a different story for an antenna but...
Is navigation not part of the infotainment system?
I'm imagining a hack that puts the empty parked car into self-driving mode and makes it drive away, effectively stealing itself.
I would design a "kill switch" in the car that makes it a "dumb" car as in 1990s. In the event of a detected compromise, flip the switch and enjoy the drive!
Does it matter? All these cars are still vulnerable, and state actors can probably kill you right now with a byte sequence -- investigators will find that you weren't using Autopilot properly. It's a sad state of things with no foreseeable solution.
Killing with a byte sequence is as effortless as it gets. And it's one of the more plausibly deniable ways to do it. Why create additional ways for state actors to kill people? They could at least add a "Power off all modems" option to all cars, and stop relying on over-the-air updates.
> Why create additional ways for state actors to kill people?
State actors can destroy buildings, so I guess we shouldn't make buildings /s.
Or less sarcastically, state actors can compromise laptops, so I guess we should stop allowing "over the air" security patches to laptops? Should we just stop using computers?
The reality is that state actors murdering people is an incredibly low risk threat. If state actor really want to kill someone, that is, assassinate someone, they can do it with a gun or a poison or whatever. If state actors casually want to kill one person, finding novel exploits is a pretty expensive way of doing it. If state actors want to kill a lot of people, you're basically at war, so we can use actual weapons.
Laptops and buildings are a necessity, while cars with wireless modems and always-on internet connections are not. All the use cases are solvable with Apple/Android/Car with infotainment serving as a dumb terminal, without any connection to anything important in a car. Since we already always have government surveillance devices on us (mobile phones), why add additional ones, which have the ability to crush us into oncoming traffic? Cars also had perfectly functional navigation with SD cards.
>"over the air" security patches to laptops?
Yes. Over the air security patches are a very very bad thing. The fact that this issue still hasn't been solved is a disgrace, with all the formal verification advances. Still laptops are a necessity, and can't kill us directly.
>State actors can destroy buildings,
That's not very plausibly deniable method. Buildings don't collapse or blow up by themselves. It leaves lots of material evidence of foul play.
>with a gun or a poison or whatever.
Not if they want to avoid suspicions and make it look like it was something natural, which is almost all the time.
>murdering people is an incredibly low risk threat.
Not if you are an activist and are up against an authoritarian regime, which can even follow you abroad. There is also surveillance you can't turn off like you can with a phone -- i.e. you can't talk with people in a car about anything important.
“Laptops and buildings are a necessity, while cars with wireless modems and always on internet connections are not.”
Hear hear and well worth repeating.
I’m waiting for the (probably not too distant) day when insurance companies demand access to car telemetry in order to obtain reasonable insurance rates.
What more effective ways? Send goons with chemical warfare agents? Nothing would happen with the exploit if it's done with a fake base station or through other low-range wireless thing.
There's a low upper bound on efficacy. You can only kill someone once. Realistically both methods leave evidence.
To do a code exploit you need to find something, sit on it hoping it's unpatched, and then hope nobody can figure out that you did it when they do their extensive analysis of why a car suddenly did something extremely rare and dangerous, else you lose the exploit.
Exactly, and the real risk is if you fail. Brakes can overpower motors on these cars. Even if you can exploit the system well enough to trigger full power (you can't) you'd then have a high risk that the person would notice, hit the brakes, and stop in time.
If they didn't stop in time, you'd have the risk that the accident wouldn't be fatal. This can easily lead to an investigation and a failed assassination.
The lowest risk option is the one that works every time, despite how fun the movie plot scenarios are to think about.
>car suddenly did something extremely rare and dang
In absence of anything else, and cleaned up dram + fake logs is really an absence, it's always ascribed to driver oversight, distraction, loss of control.
>Realistically both methods leave evidence.
Yes, computing leaves "evidence" in form of heat(entropy).
I'm not a security expert but I find this idea to be unlikely.
That someone could hack into a car, force it to drive into a guaranteed lethal accident, and successfully remove all traces, and manage to fool the telemetry analysts into thinking that it was just a fluke when things like this never happen is extremely improbable to me.
Sure - they can't turn your car into the equivalent of an RC car, but they don't have to. Simply killing the engine while you are in the middle of traffic is more than enough to cause chaos, sow distrust in our infrastructure, etc.
General purpose computers do general things. As much as people say things like 'safety first' or 'security first' (do people even say security first?) it is quite clear that getting products to market is the priority. If you don't get to market, then security doesn't matter.
As you add components to a computer enabled product, you add surface area vulnerable to attacks. This would indicate that you should have a small number of well designed and tested components, but remember your product does not exist in a vacuum, a competitor will release a product with more capabilities; customers cannot easily compare security, but they can easily compare a feature list and a price point.
"Tesla patched the vulnerabilities with an update pushed out in October 2020." Begs the question, how or when did this hack take place, given the article is from this month? Unpatched Tesla?