illumined

As an experiment the author of this article had two hackers use a software exploit to hack into his Jeep while he was on the highway to see what they could do, and as it turns they can do almost anything. Not necessarily because the car is heavily computerized but because they're all networked together.

I mean I get wanting to provide features like internet connectivity, wifi, etc. But does that really need to be directly linked to key systems like the transmission? The only truly secure connection is no connection at all and I would hate for there to be a tragedy to make auto makers realize this.

70cutty

I would like to see them try to hack my Cutlass

joe_padavano

The only thing that surprises me is that people were surprised by this.

In L.A. last week I was talking to a Tesla owner who was bragging about how he went out to his car one morning and there was a notification on the touch screen that the manufacturer had downloaded a software update. One of the updates was the addition of a hill-holder feature that sensed when the car was on a hill and engaged the brakes so it wouldn't roll backwards.

I'll state that a little differently:

Without the owner's knowledge or consent, an outside party remotely altered the software that controls the car's brakes.

What could POSSIBLY go wrong?

Of course, the government is pushing for connected car communications. Yeah, that will end well...

I rest easy knowing that I'll never own a car with a touch screen, throttle-by-wire, wifi, or other connectivity.

MDchanic

I used to say that. Then I got my 2001 BMW, which has no throttle cable.

I have to say, it works fine (well, more than "fine," really).

The car has no screens, no navigation, and no OnStar / internet / cellular connections at all, though, and I plan to avoid those in any car I get in the future.

I'm 99% certain it has an event recorder, though, which does not make me happy.

- Eric

oldcutlass

Late model cars connectivity have concerned me for years. Why in the world do you want a rolling computer on the road that can be connected to any mobile phone. I foresee something really bad happening in the future and just hope I'm not in the way.

Why do I love my Olds, the simplicity, cars were never intended to be rolling information centers that are as complicated as the space shuttle. I think all the gadgets in cars contribute to more accidents than anyone is willing to admit.

kitfoxdave

Yeah, I am thinking instead of a new truck, maybe an older one with a kick but engine and transmission would be a better way to go...

joe_padavano

It has airbags, so it has a data recorder. Be sure to smash it if you're ever in an accident that deploys an airbag.

The shuttle was designed in the 1970s and pretty much used the same computer technology as a CCC 307 or early TBI system. This is one of the reasons why it WAS so complex (along with two-fault tolerance on critical systems, which often added new and novel failure modes). There was a big computer upgrade towards the end of the program, but that was more driven by parts obsolescence.

When you're searching ebay for 8086 chips, it's time to upgrade.

MDchanic

You mean, like, if you had the right programming skills, you could crash 20 planes into buildings using 4 guys, instead of crashing 4 planes into buildings (or the ground) using 20 guys?

So, what if the planes are all well secured, but the cars are not?

How about if you crash 200 cars? 2,000? 20,000?

My bet is, you'd get noticed.

- Eric

MDchanic

But it's such an upgrade from the 8080.


"Several" years ago, when the Pentium chip was ubiquitous, a buddy of mine was in Intel in the Navy.
His ship needed to replace and upgrade some of their equipment, and he was involved.
He told me that since the approval and specification process took several years to complete, he was limited to procuring equipment with xx286 and xx386 chips, which meant that they had to search high and low for obsolete equipment to use to replace the obsolete equipment that they had (some of which still used vacuum tubes).
And this was so that they could protect the Free World.

- Eric

oldcutlass

I took courses back in the 70's that were called electronics classes. They were still teaching tube theory. Pinball machines were still relay and score motor controlled. Pong was just released as a video game, yawn. Juke boxes were xy plotters with electromechanical stops. The first computer I worked on had core memory and took up a room that had to remain at 68 degrees cause the thing would overheat.

I still believe there is a place for technology and entertainment, just not in a car.

Destructor

My audio gear is all tube. People fall for gimmicks, society is convinced we need all this garbage. As Rev Wright would say, The chickens have come home to roost.

oldcutlass

I love tube amps and vinyl, its the best sound in the world.

Destructor

And if we ever get hit with EMP my tube gear will still operate and I'll still be able to drive around in my Cutlass.

Professur

Fiat has announced that Canuck Jeeps are immune to this ... until 2017 when they finally get similar connectivity.

Personally ... I fix computers and cell phones for a living. Have done for the last 20 years. Trust one with my life? I don't think so.

joe_padavano

So long as you have a point-style distributor and an external, mechanical voltage regulator.

Destructor

I do have a points distributor and an electro mechanical regulator, the only thing I'm not sure about are the diodes in the alternator, are they sufficiently heavy duty enough not to short out. Otherwise the only other semiconductors in my Cutlass are in the stock radio which no longer works. No one will be transmitting anyway.

cherokeepeople

exactly.i have foster kids and one we have now just turned 14.i got out the old 66 pontiac catalina and she wanted to go for a ride.so off we go and she went to roll the window down and couldn't find the button.i had to tell her thats what that crank is for.she said"thats so cool"then she says"whoa thats a skinny steering wheel".then "damn" this things bigger inside then my bedroom.i was just laughing.then she says "when i turn 16 you are giving me this car"to which i had to reply"YEAH RIGHT"

Professur

Transistor level electronics aren't adversely affected by EMP folks. Traces are too big to burn out over that short a period. It's when you get down to fractions of a hair that they fail

Fun71

This has been discussed on the local Jeep forum here in Phoenix:

Don't buy into the "hackers disable Jeep" article you're going to see

Key points of the discussion are the "hacker" did it to his own vehicle so he had all the time in the world to accomplish the task, which would not be the same for a "random" vehicle out in the world.

BlackGold

Having all of the time in the world is pretty much the definition of a malicious hacker.

While this one experiment may have been staged, security of computer-operated control systems is a big issue that has not received enough attention. It is now, but it'll take a few years for all this stuff to get into the field. And then there's still all the old, non-secure equipment out there.

joe_padavano

You assume that a hacker would be trying to target a specific vehicle. The reality is that a hacker just needs to know the serial number format for the device, then starts trying alphanumeric combinations until one gets in. This is how China hacks into government and commercial systems. If you have access to thousands of students, you have all the time in the world to brute force your way in. As for the connectivity being off unless you're using it, the trend it to more and more usage. As cars use music streaming instead of radios, and as V2V communication is mandated by the government, hacking will only become easier and more prevalent.

MDchanic

+1 with Joe.

Key point: Nothing on the car was modified to allow this to happen.

These guys (only two of them) took their time and figured out the "key" to the "lock" that would let them into the car's computer.
Now that the format of the key and the way to use it are known, any of these cars can be targeted.

Note that they also gave Fiat several months' notice before releasing the information, so that they would have time to patch the hole.

The cat is out of the bag, though, and these sorts of hacks will become more common.
Remember that any part of your car that is controlled by the computer, instead of a hard switch, is potentially open to exploitation.
Even if your car doesn't have brake and steering control that can be modulated by the computer, if it has one of those "cool" red "Start" buttons, and it's got a cellular internet connection, someone can probably figure out a way to turn it off while you're driving it.

- Eric

Professur

It's worth noting that the jeep belonging to a teacher sitting in the parking lot is regularly accessible by L'il Johnny at lunch time every day, while he's sitting playing with his DS or PSP .. both wifi ready.

I attended many seminars on computing in the past. One was hosted by Cisco to show off their new Wifi security options. I recall vividly the speaker's first words. You can encrypt wifi with as many keys as you like ... it's still wide open to anyone that is willing to put the time into taking it. Your security starts on the other side of your DMZ (same as mil-speak). They're going to crack your encryption, and they're going to get your DMZ server. And that's where they stop. They're not going to get any further. This is how. Then went on for another 3 hours. Somehow, I don't see an automaker managing to harden up their infosystem to anything like those levels. Even with the best security ... if you have one device talking to another over an open media (wifi), it's going to be seen, scanned, recorded, decrypted, and used.

joe_padavano

Given that pretty much all of my cars have turned themselves off while I was driving at one time or another (), this alone does not worry me. The problem is that most drivers have never driven a car without PS/PB or with those systems failed, and just assumes the steering and/or brakes don't work anymore. I've had this argument with people on more than one occasion.

Of course, on cars with a mechanical shift linkage, the system is designed so that you cannot lock the steering unless the shifter is in PARK or NEUTRAL. I don't know if or how this interlock works on newer cars where everything is solenoid actuated as opposed to a hard linkage.

And don't get me started about the stupid START buttons...

I had a VW Jetta rental in L.A. last week that had that. I STILL had to carry the massive key fob in my pocket (since I KNEW I'd leave it in the car otherwise) and the way the VW is configured, you need to get the fob out and press the buttons to lock and unlock the doors anyway (yeah, some cars use RF instead, but this one doesn't). Tell me why, since I already have the fob in my hand (and it already has a metal flip-out key built in to unlock the doors if the battery is dead), why I need the START button also.

And since I'm in Andy Rooney mode already (NOW you've done it...), I'll never get an OnStar or similar system either. Keep in mind that those systems can remotely unlock the car and disable it while driving (the latter capability was well publicized a few years ago in a carjacking case). If OnStar can access the car remotely, others can also.

Koda

From what I understand of it, the ECU communicates on something called the CANbus typically in the industry. These communications include things like 02 sensor readings, timing signals, ABS sensors, the Hall Effect sensor on your fly by wire throttle, and things like that. These have progressed in over the past 30 years or so starting with the GM e-quadrajets and the computer controlled distributor and such like we see on 80s Olds's.

In the recent past, like ten years, much development has occurred on media platforms. Media's big thing is connectivity, and the problem with that is that you have to patch the system often. It's not enough that it works, it has to not not work, if you get my logic, because dicks exist that just like to **** things up, just like in your desktop PC and Windows. So, patches, and a way to download them, exist, to keep the car updated as a price of connectivity and the wifi and the streaming and the XM and the like.

Now the REAL problem is, somehow, sometime, SOME of these things got into the CANbus, and the mission critical network of the car is exploitable. I'm Toyota employed, as most here know, so I looked at the Prius today with a coworker, and the verdict on it is that, yes, you can hack into it via the same methods used, but the amount of stuff you can control is limited to the radio microphone and such. So there's a question of both, is it able to be hacked, and, what can you do with it?

While Fun, Joe, Eric, and the Prof have good points, and I agree with them, I think the drive here is going to be to create a DMZ firewall between the media devices, and the mission critical car devices. The hard part will be then patching the ECU, since it won't talk remotely anymore, and also doing the current Master Display which shows both radio stuff, and hybrid drive stuff, for instance.

Glad my daily driver is only about 50% or less done.

joe_padavano

Car hacking was the top-of-the-front-page story in today's Washington Post. Over three full pages devoted to the issue. They actually bring up some very good points, one of which is the vulnerability of aftermarket bluetooth devices that plug into the OBD II port.

The reality is that Microsoft sends out an update every Thursday with patches for vulnerabilities, and hackers still walk all over their products. The automotive world is much less well protected. The only saving grace so far has been the limited functions that can be accessed. Just wait for V2V technology.

What could POSSIBLY go wrong...

Of course, one could ask, why do you NEED to have software that controls your steering? Do you really suck that much as a driver that you can't parallel park or keep the car in a lane? If so, maybe you should be using Uber instead. People who want all this connectivity get what they deserve. I can't wait for this to trickle down to Google cars.

joe_padavano

Oh, one other item in that Wash Post article was that the two Jeep hackers, once they were able to hack their own vehicle, found that they could also now access hundreds of other Jeeps with the same protocol. At least, that's what they claim.

MDchanic

And, for those who are not aware, if you have a car with the OnStar equipment installed (pretty much every GM made in the last 15 years or so, I believe), but you do not have the service activated, and you press the button, a friendly voice will immediately appear and offer to activate your system in exchange for your credit card number.

What this means is that even if you do not use the system, if the hardware is present in your car (and it was installed in all of them, I believe), then it can be used to gain access, even if you don't "have" OnStar.

- Eric

Professur

The wife's 2005 Malibu doesn't have Onstar. Remarkably, it doesn't have ABS either.

Fun71

Disconnecting the system's RF antenna will prevent any remote access.

MDchanic

Agreed. But this is beyond the average person's ability to do.

- Eric

toymobile

I can't believe no one has brought up TOYOTA CARPET ON THE THROTTLE PEDAL, One belonging to a patrol officer and his family trained to drive in unusual conditions.
And Toyota got away with it???

Koda

Well, I guess why no one has brought it up is that it is as relevant as other non-related recalls. I mean, we could talk about GM ignition switches, but it's not relevant either. I've got a post somewhere about the details of that recall, the problems, and the fixes, if you want to know more.

Joe, here's what I'm worried about. I drive an 07 Tacoma standard cab for my daily driver; it was the cheap model. What I am concerned about is that many companies, mine included, are eliminating the lower selling options in exchange for more capacity to make the higher selling ones. Plus, the assembly cost to make the stripper model is the same to make the El Pimperino Deluxe model, yet the sticker is often double. So, it makes financial sense to make more expensively optioned cars, and they can force you into buying one by artificially placing a glass floor on the cars available. You can't buy a 15k car if the cheapest available is 25k.

What I mean is that we may be forced into cars with this crap, or drive used until they or we die out.

toymobile

Quote:
Originally Posted by toymobile View Post
I can't believe no one has brought up TOYOTA CARPET ON THE THROTTLE PEDAL, One belonging to a patrol officer and his family trained to drive in unusual conditions.
And Toyota got away with it???
Well, I guess why no one has brought it up is that it is as relevant as other non-related recalls. I mean, we could talk about GM ignition switches, but it's not relevant either. I've got a post somewhere about the details of that recall, the problems, and the fixes, if you want to know more.


My point was that the DRIVE BY WIRE was NEW at the time, I didn't go for the CARPET ON THROTTLE then and this only enforces my thoughts OF the time.

Johnny

joe_padavano

No one brought it up because is it completely unrelated to the topic of this thread. I can't believe you DID bring it up. And since you did, I still fail to see how that was Toyota's fault. Training or not, the driver was an idiot. Shift into neutral and turn the car off, don't keep accelerating while you make a cell phone call. I lost all respect for CHP driver training after that.

Sorry for the disruption, we now return to our regularly scheduled thread.

Professur

I wonder if anyone remembers when people discovered that the teflon bushings of their gas pedal linkage didn't like WD-40. A quick spray as part of the usual maintenance suddenly led to gas pedals that didn't return when you lifted your foot.

joe_padavano

Drive-by-wire was about a decade old when this happened, and the problem had NOTHING to do with the electronics. It was a MECHANICAL problem of the pedal binding on the carpet. How is that remotely related to car hacking?

By the way, I've had this happen in an Olds with a cable throttle, where the floor mat got bunched up under the pedal. I also didn't run off the road at 90 MPH.

joe_padavano

You SHOULD be worried about that, as that's EXACTLY what's happening. As you are well aware, profits are MUCH higher on the high-end, loaded vehicles. The feds are compounding the problem by mandating all these integrated electronics (V2V, stability control, backup cameras, ABS, TPMS, adaptive cruise, auto-braking, etc, etc.). With luck I'll be driving for another 30 years or so. I'll just have to keep my old cars running that long. After that, it won't be my problem (assuming the Feds don't legislate un-connected cars from the roads ).

MDchanic

As much as I wish to, I just can't bring myself to fully ASSume that.

These people (in the "Gummint") are capable of anything.

This morning I listened to a radio show on which a congresswoman from Long Island in NY was talking about her bill to mandate alcohol interlocks for all new cars sold in the US.

- Eric

oldcutlass

They are moving all this tech to houses also, can't wait to see how that goes over.