Remotely hacking cars on highways
#41
At least in that case it's only idiot homeowners and not something mandated by the feds.
#42
The best firewall is to be unplugged. I am fine with AM/FM, CD, and a USB port for my phone to charge and play music. Currently have AM FM CD and cigarette lighter. Hell, I'm fine with AM/FM and I'll plug in a phono splicer input.
This is going to spool up to be Terminator Judgment Day.
#45
The best firewall is to be unplugged. I am fine with AM/FM, CD, and a USB port for my phone to charge and play music. Currently have AM FM CD and cigarette lighter. Hell, I'm fine with AM/FM and I'll plug in a phono splicer input.
This is going to spool up to be Terminator Judgment Day.
#47
This has been discussed on the local Jeep forum here in Phoenix:
Don't buy into the "hackers disable Jeep" article you're going to see
Key points of the discussion are the "hacker" did it to his own vehicle so he had all the time in the world to accomplish the task, which would not be the same for a "random" vehicle out in the world.
Originally Posted by aroundincircles
So to be able to hack into this car, you have to know 1) the serial number of the device in the car, which would require hacking on the car system itself by plugging a computer directly into it, or pulling it from the dash, and getting the serial directly from the unit. 2) you would also have to know its IP address. Again this would require you to hack directly into the unit itself by plugging in directly, and 3) the device would have to have an active connection to the network (most mobile devices turn off data while it is not actively being used, not sure if this applies to a device in the car) and 4) you would have to know the cell tower the device is roaming on.
To obtain the first two pieces of information would require a significant amount of time with the vehicle. The last two would be a lot of guesswork and knowing the driver's habits.
This article is about 10% fact and about 90% hype and fear mongering. Simply the amount of effort alone is enough to make it so unlikely to be a possibility.
3.) I've actually never seen a mobile device that automatically turns off data or wifi when not in use because technically it's always in use, if not for any other reason than to tell the other computer "hi, i'm still connected to you".
4.) Again, someone with the technical skill to do all of what I've said before can realistically locate the cell tower without too much trouble. In fact here's an article from the Electronic Frontier Foundation about mobile phone security and how even things like setting up fake cell towers is possible. I'm not a hacker so I don't really know the specifics, just that it can be done.
Originally Posted by Destructor
My audio gear is all tube. People fall for gimmicks, society is convinced we need all this garbage. As Rev Wright would say, The chickens have come home to roost.
#48
The issue, as I mentioned in my original post, is that the computing system that handles the entertainment system is the same one as what handles mission critical car functions like the brakes and transmission. There is absolutely no good reason for this, it should have its own, physically separate computer system.
BTW, I noticed on the news tonight that Fiat-Chrysler is doing a recall on this system.
#49
BTW, I noticed on the news tonight that Fiat-Chrysler is doing a recall on this system.
#50
I'd pay money to that KickStarter campaign.
- Eric
#51
Ha ha ha. Picture of Dr. Evil comes up on Nav monitor, along with maniacal laughter on stereo system, and power door locks locking, as car accelerates, and nav screen switches to showing credit card accounts linked to entertainment systems being drained.
I'd pay money to that KickStarter campaign.
- Eric
#52
I'm not going to attempt to argue the definition of "real problem."
I will say that targeting a specific vehicle requires access to the vehicle first, or getting the owner to give you specific info (which also changes randomly over a short time).
Many things in the article are simply outright BS. Source: Been a network engineer for over 30 years. Know a lot of people in cellular ops, and asked them to confirm, they did.
Therefore, until they present some evidence, the entire article should be considered hype.
agreed,
I worked in the cell business for a while (it's been a few years, but not a lot has changed) and have had a lot of experience with wireless security. These run off a cellular network, Sprint if I remember correctly, which is a CDMA network and not a GSM network.
It's not BS as much as lacking information. And of course you're not going to just give all that information out online.
They mention right in the article, you have to know the vehicle's IP address. With most cell devices, your IP address can change very frequently, it often changes when you hop from tower to tower, or if your phone is inactive for a while or if you power it off and power it back on again. How would you get that IP address and make the changes before it changes again? Then you have to have an uninterrupted amount of time to rewrite the code. How long does that take? 15 minutes, an hour, 4? So that's another issue to consider, if you have all your ducks lined up, you pulled the IP, now you are ready to write the code, the person drives to the store, and all you need is 15 minutes, but their drive lasts 7, and your code is only partially updated. Now they shut off the car, and when they start again, they have a new IP address, and a half piece of code...
I agree that this is an issue, but not anything anybody should get their panties in a bunch over.
That's still not very realistic overall. My bet is that we will find these guys had access to the vehicle in order to get info from it and/or modify it first. Just attacking a vehicle over the cell network is a very remote/unlikely possibility.
Many of the "OMG vulnerability" articles you read in mainstream media have ZERO impact on us because they require such ridiculous steps to execute. Like you could walk up to some of my servers and with some software and specialized knowledge, take over them. But they are in a locked cabinet, with alarms, inside a huge facility with armed guards and crazy access controls. So it's a potential problem, but not a realistic problem. It's not a lie that they are "vulnerable," but the lie comes in actually being something people could do.
Same could be said about being able to find and attack a car over the cell network.
Last edited by Fun71; July 25th, 2015 at 01:45 PM.
#53
Well if it's such BS then how come this has triggered a recall of 1.4 million cars? Did Chrysler just do that for the heck of it? Some of these other things that he mentioned can be resolved by setting up fake towers to trick the car into thinking it's connected to the same tower when it isn't, and there's no way to know it either. According to his explanation, it shouldn't be possible to do things like intercept cell phone conversations, but it is. There's a device law enforcement uses to do this very thing called Stingray. Is it really so inconceivable that someone couldn't use something like this to hijack a car's wireless network signal and hack into its systems using software exploits?
#54
From the link you posted - not so much a recall as a software patch the owners can load themselves.
Originally Posted by
Customers participating in the recall will receive a USB flash drive, which they can insert into their cars and upgrade their vehicles' software.
Last edited by Fun71; July 26th, 2015 at 11:23 PM.
#55
I cannot believe the authorities did not charge the journalist with traffic and other violations for knowingly allowing hackers to interfere with his Jeep's operating systems while on a public highway. You would think the journalist would have had the common sense to conduct his "experiment" on a closed or private roadway, so as not to place other unknowing motorists in possible harm's way.
#56
Here's some more info from the local Jeep club web site:
Notice the dash completely removed in one part of the video. So it wasn't a remote hack, you have to gain physical access to it and do a lot of work. Dumb. All cars can be "hacked" via their OBD ports or with a simple off the shelf $50 interface to the CAN bus. So this is just as stupid as I originally thought.
https://www.evernote.com/l/AALFa0UXY...r7IB/image.png
#57
The Jeep club is in denial and FCA will never issue a press release that could possibly be interpreted to say there was a vulnerability - their lawyers won't let them make the lawsuits easy.
The fact remains that any computer that has an IP address or other wireless connectivity can be hacked. As more and more cars get this capability, more and more will be compromised. It's only a matter of time. As I noted previously in this thread, Tesla has the ability to download software patches that affect the brakes (and presumably other systems). How long before this link gets exploited?
Do you really think that automakers have better software security in place than, say, Microsoft?
#59
I wouldn't say the Jeep club is in denial; it is the opinion of a network systems engineer with 30 years' experience in high security government installations that the probability that this could be done to a random Chrysler/Jeep vehicle on the roadway is extremely small.
#60
Assuming what they say about their experience is true (and that is a really big if, anyone on the internet can say anything) that still doesn't address that the technology does exist to get into cellphones at will. Wikipedia has an entire article on cell phone surveillance, including general descriptions on techniques and technologies like Stingray. Furthermore, there have been documented cases of the NSA getting into several foreign heads of state's cellphones and spying on them. In addition, what's this network systems engineer's explanation for the News of the World phone hacking scandal? According to what he said that should have been nearly impossible, but not only was it possible it was surprisingly widespread.
#61
The N.O.W. phone hacking scandal is of significance, but not for technological reasons.
That scandal used the most basic of hacking skills, and relied, as all good hacking does, on the weaknesses of human beings.
Specifically, the reporters figured out that every phone account includes a way to phone in for your voicemail on any regular telephone line, by typing in your phone number and a 4-digit PIN. Of course, most cell phones these days check voicemail through a separate internal digital channel, and you never have to type in any PIN to get it (how many of you even remember dialing a 7-digit phone number, then typing in your phone number and your PIN in order to get your voicemail?). What this meant was that there were millions of cell phones out there whose PINs were set to the system-default 0000 or 9999 or 1111 or whatever, and their owners didn't even know it, so it was a simple matter of dialing a phone-owner's network's access number, dialing their phone number, and then dialing 0000 to get their voicemail.
This is not high-tech hacking, but it is the type of hacking that is the most real and the most effective, and the thing that these companies have a very hard time protecting against.
- Eric
#62
that still doesn't address that the technology does exist to get into cellphones at will. Wikipedia has an entire article on cell phone surveillance, including general descriptions on techniques and technologies like Stingray. Furthermore, there have been documented cases of the NSA getting into several foreign heads of state's cellphones and spying on them. In addition, what's this network systems engineer's explanation for the News of the World phone hacking scandal? According to what he said that should have been nearly impossible, but not only was it possible it was surprisingly widespread.
#63
The feds are pushing for connected vehicles (V2V technology) that is supposed to make cars "safer" by allowing them to communicate with each other and with traffic signals. These "features" open up all sorts of new potential hacking entry points.
#64
If a trained police officer is driving a car and the throttle hangs to the floor and he or somebody in car has time to make a phone call about it, well.........
#65
#66
#67
I agree and as I said, hopefully the attention over the Jeep "hacking" will prompt auto manufacturers to actually think about security when designing these systems.
#68
Keep in mind that the hacker doesn't have to be malicious to cause a safety problem.
Picture this: Company XYZ distributes an innocent virus into vehicle computers for the purpose of spying on the drivers so that XYZ can market to them later. (It could be your local dealership or service station doing this.) Only problem is, XYZ has no experience in control-system design. They may know their virus eats up an additional 2% of the processor throughput, and they think that's insignificant. But they have no idea that the 2% amounts to a 90-degree phase shift in the system response at some critical frequency. Later, cars start crashing mysteriously when subjected to just the right input parameters, and no one can figure out why.
It's important that the hardware -- or at least the operating system -- knows whether or not the software that's about to execute is legit. There's too much at stake.
#69
Given that pretty much all of my cars have turned themselves off while I was driving at one time or another, this alone does not worry me. The problem is that most drivers have never driven a car without PS/PB or with those systems failed, and just assume the steering and/or brakes don't work anymore. I've had this argument with people on more than one occasion.
Of course, on cars with a mechanical shift linkage, the system is designed so that you cannot lock the steering unless the shifter is in PARK or NEUTRAL. I don't know if or how this interlock works on newer cars where everything is solenoid actuated as opposed to a hard linkage.
And don't get me started about the stupid START buttons...
I had a VW Jetta rental in L.A. last week that had that. I STILL had to carry the massive key fob in my pocket (since I KNEW I'd leave it in the car otherwise) and the way the VW is configured, you need to get the fob out and press the buttons to lock and unlock the doors anyway (yeah, some cars use RF instead, but this one doesn't). Tell me why, since I already have the fob in my hand (and it already has a metal flip-out key built in to unlock the doors if the battery is dead), why I need the START button also.
And since I'm in Andy Rooney mode already (NOW you've done it...), I'll never get an OnStar or similar system either. Keep in mind that those systems can remotely unlock the car and disable it while driving (the latter capability was well publicized a few years ago in a carjacking case). If OnStar can access the car remotely, others can also.
#70
While it may be possible to hack, who would actually do it? The fellas in the current debate targeted the Jeep/Chrysler U-Connect system on the Sprint network. Very specific set of parameters there.
#71
Well, there's more news about automobile hacking, this time with OnStar and even a mention of BMW:
http://www.foxnews.com/leisure/2015/.../?intcmp=hpbt2
#72
Yes, I would say that the NSA, CIA, FBI, DEA, or any number of federal acronym agencies are fully capable of hacking into your vehicle that has wireless access. Are you really afraid that those federal agencies are going to hack into your vehicle and disable the brakes while you're speeding down the highway? Note the post that said while these things are technically possible it is UNLIKELY for this to be perpetrated by the random individual out in society and therefore is not a concern (at this point, anyway. Maybe this will prompt auto manufacturers to actually think about security when designing infotainment systems).
While it may be possible to hack, who would actually do it? The fellas in the current debate targeted the Jeep/Chrysler U-Connect system on the Sprint network. Very specific set of parameters there.
1.) They want to get into your system to implant malware, most likely ransomware that would lock you out of your car and demand payment. I had one of these end up on my desktop and believe me they are really nasty and a total pain to get rid of, I would hate for something like this to get into a car.
2.) This kind of car problem is a kidnapper's and possibly even an assassin's best friend. With the former scenario they wouldn't have to come up with elaborate grab plans, instead they could simply "guide" your car to a remote area and conduct the kidnapping with complete privacy. For an assassin, all they would need to do is cause a massive fatal accident of some kind that would be a virtually untraceable way of killing someone.
If this stuff sounds far-fetched consider that hacking in general moved beyond some kids having fun in their parents' basement; organized crime has moved in in a big way.
Last edited by illumined; July 30th, 2015 at 07:22 PM.
#73
This is already being done by some lien holders in lieu of physical repossession. Of course, the deadbeats who missed a payment are outraged that they can't drive their car.
#74
Actually for now, the electronics that lien holders use are independent of the car's operating system. I've removed a bunch of them on cars that were taken in on trade. There are also stand-alone systems used on commercial vehicles.