pcmhacking.net

As we all know, CAN is the protocol in pretty much all modern cars.
How scary is the thought of someone being able to patch in.. and just start steering the car, apply brake, disable vehicle or even deploy airbags
The 'black hat' possibilities in modern features is endless due to such poor security measures.

Just watch this vid.. anyone with an ELM could do the same..
[youtube]https://www.youtube.com/watch?v=3jstaBeXgAs[/youtube]

thats pretty freaky! But it was inevitable.

yeah your not wrong!

Well its not really new or only canbus. If there is an ALDL command to deploy airbags (rather than just for diags) you could implement such a thing on a car from 1993. 'Just' break in to the car and install your hardware which connects it to the mobile network. However to keep it real, if we count that as a vulnerability then so is tampering with the brakes which has been possible since brakes were first installed on cars. If you wanted to do nasty things you dont even need a data bus - you can stick gps based devices with mobile connectivity and use them as some kind of triger to any car. Just because they are now can bus changes the possibilities and makes more complex attacks quicker to install but overall its not as significant as the media makes it sound, and not necessarily more dangerous than what was possible before.

Having said that, I dont think there is much point baking in extra security. Once physical access to your cars electronics or mechanics has been gained all bets are off. Any generic security will be implemented also by 3rd partys similar to tuning tools now. Consider hacking game consoles to run homebrew apps. It happens too despite the security which attempts to prevent it. Rather physical security needs to be considered. Run data bus wires in places where they can not be externally tampered with. This is probably mostly the case now by default, but it might not be a design concern and should be.

I would think that this does create an argument for mechanical switches. The key switch on the ignition and mechanical hand brake cables to the rear brakes should remain physical. Im not a fan of cars where neither of these things are physical. They need to work when the data bus is broken, intentionally or not.

I do expect military and aircraft designers to keep publicly accessible wifi or radio comms channels isolated from critical vehicle/aircraft systems. This is a design criteria of those systems. Suggesting otherwise at the end of the article is just scaremongering for the sake of the story.

I like the 'our cars are connected to the internet' animation... no they are not... cars dont come with sim cards yet... someone can correct me if im wrong, or if ive been hiding under a rock, but the only thing ive sen with back to base access to the data bus is earthmoving equipment. if any cars have it first thing to do is snip that bloody wire.

cars dont come with sim cards yet...

Holden assist - remember the mirrors in VX-VZ with the tracking in them, dealer option I thought, gave ability to unlock remotely and shut down engine.

'Onstar' in the states was/is the same thing?

bit too big brother for my tastes... first thing I would do with any car with any sort of remote access to its functions is to disable them !

If they can demonstrate hacking an onstar system and taking over the rest of the car without installing anything custom then that is an entirely different thing.

Come to think of it saying you can hack the car remotely via the cellular network when you installed a device with cellular comms on the bus yourself, is kinda like saying all bbqs are dangerous because of the turbo. https://www.youtube.com/watch?v=QxpHJipB67g

antus wrote:Come to think of it saying you can hack the car remotely via the cellular network when you installed a device with cellular comms on the bus yourself, is kinda like saying all bbqs are dangerous because of the turbo. https://www.youtube.com/watch?v=QxpHJipB67g

TURBAQUE!! hahahahahaha. Love it

Yeah, I did think that was kinda stupid saying they had to custom install a cellular device into it all. Thats a bit stupid. And thats right, a car could be tampered in the physical sense from the day cars were made. I just wonder.. if we will be able to access the CANbus through the onboard bluetooth in these systems. Accessing the VE SS was as simple as entering 1234! And I havent even investigated into what I can actually inject yet or control using that, Id assume nothing interesting and it will be isolated to only 'LCD' stuff.

Apart from isolating the bus significantly, I figured at least they would make it so that the modules had "constant" changing seeds and require a key (Just like ECUs for tuning) to perform any "manual" requests such as shutting down the engine, or manually manipulating the car. I know it doesnt stop a true hacker... shit a few ELMs and custom programming and you can simulate any response for reverse engineering. But it makes it alot harder to tamper at least.