People love drama – and no, I don’t mean Vince’s brother on Entourage, but he’s a bud too. No, I mean that there always seems to be some problem that gets its fifteen minutes of fame in the media and keeps some people up at night. One of the latest is the news that a lot of new connected cars – whether via built-in connectivity or the added-on insurance company digital dongle – can be “hacked.”
Hacking is a word that has entered the general lexicon as part of the computer age. It goes way back; however, unlike the youthful hijinks of War Games, where an unknowing teen innocently sets the clock ticking toward nuclear armageddon, the threat today is someone turning your car off on the freeway, possibly setting off your airbag, or – for the love of god – changing your radio station pre-sets.
Yes, this is a first-world problem. But then, so is identity theft and that’s a real problem, don’t ask me how I know. The question is, as cars get more complicated and more connected, is the threat of hacking something that you take seriously? Can you imagine accidentally cutting someone off and instead of retaliating by simply flipping you the bird they grab their smart phone and lock your cruise control on wide open throttle? Is car hacking something that keeps you up at night?
Not really. My main car only has the OBD2 port for access. Given my CEL never came on until we tried the Snapshot thing (sent that garbage back to them, it is not built for NJ driving, also they said I couldn’t get a discount on the car that I never drove and instead their little device ran my battery dead).
The Chrysler has a hard drive in the stereo that I am certain is connected to all systems in the car, but again, you’d need a bluetooth, USB or OBD connection to get to it.
Most of the “Hacking” has to do with open ports of access. I mean, leave any network open and you run the risk of someone doing something nefarious with it.
So am I worried? No.
But I don’t have an alarm system on my house either, but I lock my doors when I go to bed.
A guy who graduated from my Master’s program last year works (or worked) for Big National Carrier’s connected car program with Big Car Company. Man was a security genius, had several papers published while a Master’s student. Pretty sure he’s going on to PhD.
Anyway, the point is that the guys working on the connected car aren’t numbskulls, but their hands are tied to a degree, as they have to meet strict price points, as with everything related to automotive supply. I recall him ranting about how he couldn’t make it as good as he wanted (important note: he didn’t say good in what way — must be careful about NDAs).
Given his love of security and frustration with the program in which he was involved, I’m betting that’s the “good” about which he was concerned.
How secure can you afford?
The interesting thing is security will most likely be a legislated thing by NHTSA. Which will mean it will never be very good. I mean, our government a) isn’t good at understanding technology and b) isn’t very fast to change things. Considering computer security is an ever-evolving field, the legislated level of security will be good for about 3 hours.
3 hours? You’re quite the optimist. I’m guessing that it will be obsolete before the paper describing the legislation is completed.
Unless, of course, they describe the need in terms that do not explicitly state the technology that must be used, only the resiliency in terms of an externally-referenced standard, which will itself evolve without the government’s intervention.
I’m fighting every attempt to purchase a car post-2002 with everything I’ve got.
http://bookriotcom.c.presscdn.com/wp-content/uploads/2014/08/nerd-fight-gif.gif
So, no.
But I am also honestly and deeply concerned about the privacy and potential political exploitation of big data collection. Combined with a regularly proven belief in humans’ incapability to understand what they’re doing (myself included) there’s a nice recipe for chaos.
There are plenty of post-2002 vehicles without an option for telematics. Without a satellite or cellular connection, the only way you’re going to get hacked is with a wired connection to the OBD-II port. Which, frankly, you can monitor access to fairly easily.
DAB, RDS, BT, TPMS…
https://www.nccgroup.trust/globalassets/resources/uk/presentations/2015/august/ncc-group-15-davis-broadcasting-your-attack-security-testing-dab-radio-in-cars.pdf
2005 Honda Odyssey — I think there might be a wireless connection between the key and the car’s CPU to prevent the car from being started with a screwdriver, but that’s about it. I adamantly refuse to get one of those OBD2 ding-a-lings for insurance purposes. Too much privacy invasion, and too much stress over following rigid rules like acceleration, braking, and turning rates, precise speed limits, and where I’m driving at what time. I’ll give a computer complete control of driving before I let a computer monitor how I drive.
1981 Merc 300SD — You’d have more effect on the car with a brick than a computer. But you still wouldn’t have much effect. Airbags, TC, ABS — all things that were available on the W126, but ain’t on mine!
Yes, I am deeply concerned about having to hack into a brand new thing I just bought when I should be able to do what I want with it. We were almost at a reverse-engineered API for remote controlling a vehicle, but I think that got squashed. It may still work if you point the car to your private DNS server so it can’t get OTA updates (maybe someone can write a patch and distribute it on flash drives), then you may get a fully remote controlled car, but not from the manufacturer. I like how fast people manage these things and how slow the companies respond, it provides endless amusement in the mornings.
Cars are a commodity product with a fan base that is largely focused on mechanical upgrades (and computer upgrades that affect mechanical performance), as they’ve had over 100 years to futz about with those things, while microcomputers only started worming their way into cars in the last 30 or so years, and wireless connectivity within the last 20 years (if you count OnStar as the progenitor).
In short, no one is going to sell you a white box that you can install your own hardware into — you’ll always need to be doing some hacking about when it comes to cars. At least, that’s the foreseeable future, I think.
So, don’t complain about car companies wanting these things to be secure just because it doesn’t fit with your personal automotive agenda. Do you want granny’s car to be easily hacked and driven into a bridge support by someone with your skill but not your ethical standards?
2 things, first: I haven’t exactly been forthcoming about my ethical standards. And second: secure does not mean limiting options for the user. I don’t need to go into the million-and-a-half things that can be done beneficially but are locked out because the companies either don’t want to deal with it, or want to sell you their own.
I’m thinking of getting a new car, it’ll either be a 2000-2006 Honda Insight, a Tesla (probably in a few years when the new Model 3 or whatever is out), or something pre-1980. The Honda is cheap and easy to work with (and doesn’t have the five-years-out-of-date-when-it-was-new Prius infotainment system, it has a regular DIN upgradeable one), the Tesla I’ve seen torn down and I respect their design and customer service, and anything else will be for style/ease of repairs.
I was giving you the benefit of the doubt about ethics, as you referred to hacking into something you just bought. I assumed you’re someone who wants to make the most of what they’ve purchased.
As far as limited options goes, for the purposes of liability, it benefits the car makers to keep users out of most things, or give them very limited control over certain aspects. They can ensure the vehicle isn’t pushed beyond its design limitations, which keeps the lawyers and bean counters happier. Money. Also, it costs development resources to give the end user more options. Money.
For example, say you want to take control of your adjustable suspension in your new, warrantied, luxury car. The computer just gives you three options: comfort, normal, sport. You don’t have any idea what’s actually being adjusted there, in terms of spring rates, damping, rebound, and so forth, and the manufacturer is not interested in telling you. So, because you’re a curious tinkerer, you find a backdoor into the car’s software and manually adjust the suspension parameters.
You inadvertently push something beyond its design limitations, which you weren’t privy to, and a suspension component breaks. At best, you’ve partially crippled your car, and are out a serious load of cash, as the dealership will find logs on the car’s computer (if it hasn’t already phoned home, as a Tesla will) that will indicate what you’ve been up to (unless, of course, you can also find and delete those logs, but their absence could be damning, in which case you had better edit the logs, but they might be encrypted, so you’ve got to break the encryption before you can even do that). They won’t honor a warranty, as you’ve broken the seal, so to speak.
At worst, something breaks while you’re moving and you have an accident, potentially harming yourself and others. Insurance companies get involved. Lawsuits. Money.
This is interesting because there’s a push by some automakers right now to have car computers included under the DMCA so that modification by the owners of these cars is now a federal offense. The manufacturers say they are doing it for safety purposes (the case you cite in the last paragraph), but that’s crap. They are worried about the liability on themselves.
If I were in charge, automakers would be shielded from litigation due to the modifications done by consumers. This gets them off the hook. Additionally, anyone who modifies a car and those mods cause an accident do not have to be covered by their insurance company. For example, you drop a Ford GT engine in a V6 Mustang but don’t bother upgrading the brakes and suspension then wind up smearing yourself all over PCH you (or your family) get nothing.
Liability, and thus money, was the overall theme of my comment. We agree here.
I somewhat understand the concern of the Car Makers about keeping amateurs out of their systems. On my 2014 for example, the electric release for the trunk won’t open if the car is moving. This is an easy example of the interconnectedness of the sensors and systems. I don’t know how many other systems are interconnected but there are plenty of computer controlled systems from which to choose.
The fans, windows, locks, and lights can all be controlled by an app on my phone. The car notifies the dealer if it requires immediate service. Of course the engine is fly by wire, and the transmission is too as is the computer controlled electric steering.
The nav and entertainment systems -seem- to be isolated from the car control systems though, so that avenue of attack is isolated (I hope).
“If I were in charge, automakers would be shielded from litigation due to the modifications done by consumers. Additionally, anyone who modifies a car and those mods cause an accident do not have to be covered by their insurance company.”
The trouble with that idea is that now accountability for under-engineered faulty parts gets more fuzzy. Let’s say Walmart starts importing front suspension parts for a Ford Mustang, made from the cheapest Chinese castings. Part breaks on the freeway, and puts an innocent guy in his newly-restored Isetta in a coma. Was that breakage due to the cheap part, or due to the consumer abusing/mis-installing said part? If the company can get away with tying the case up in courts for years they will, to avoid paying the Isetta-guy’s medical bills.
Whereas the current “if it’s possible to mis-install/abuse the part, then it’s the company’s fault” doctrine leads to stupid customers, but at least Isetta-guy gets paid quickly.
Yes. I am always astounded to buy a car and later discover a previous owner did a hack repair job, including the clutch that burned out after a year because the wrong clutch fork was used.
My oldest vehicle was made in 1966; my newest vehicle was made in 2004. The 2004 is so basic, it has a tape deck.
I’ve heard survivalists remark that having deep pantries has the added side-benefit of never having to worry about problem food from the factory. By the time you’d eat your recalled canned goods, the recall’s been out for a month of Sundays.
No, because the Kizashi’s only connectivity is Bluetooth. True, that is still digital and wireless, so I guess theoretically I should be worried more than I am. I just don’t foresee a passenger in a car next to me wanting that desperately to shuffle my playlist or call Ho Chi Minh City on my cell phone. And if they did, they’d probably just hack my phone directly.
It’s the long-range telematics (cell net, satellite) that I do fear. Fortunately, not something any of our cars are equipped with at this point.
Did you read that 50 Cent owns a Kizashi too?
Yeah, we hang some.
Lyrical late nights on the Kizashi forums?
They eat their Kashi while they talk Kisashi.
Only if saws are involved.
I ain’t worried, I have a Mac.
You funny.
It’s usually the case that Apple products are a bit more difficult to hack, but once inside, the bounty is remarkably bigger due to, on average, more affluent and well connected owners. We’ll have to hope you took the Galactica approach and didn’t network your entire fleet…
GMT400 for lyfe! I keep toying with the idea of replacing my tired Silverado. It sits unused for long periods, and I no longer trust it for long distances. Yesterday, I had to get gas for the lawn mower, and if I’m filling gas cans, I might as well fill them all, so I loaded them in the truck. Aside from being a bit down on power and having a slight vibration at highway speeds, it really drives nicely. Now I’m thinking about fixing her up.
I live in constant fear that someone will connect to the Bluetooth in the XJ Cherokee and blast Ke$ha or One Direction through my stereo.
If someone hacks the Bluetooth on the stereo in my ’71 Corvette, the worst that can happen is maybe they change to a country station. While certainly painful, I could deal with this until I find a safe place to pull over. None of my other cars are hackable. Until I buy a new car, this doesn’t concern me.
Both of my cars are too old to have digital anything except the upgraded stereo with CD player.
No. Although the technique for hacking and stealing my aging OBD-0 cars was once widely known, there are fewer and fewer thieves who know how to drive them.
I would be if my wife’s Mazda 2 had some sort of cellular connectivity. It just has a USB port and we don’t even plug a phone into that for charging. Really it’s only once the car has some sort of connection to the outside world that it becomes a major issue and CAN-BUS starts to look really stupid. There’s talk of moving from CAN-BUS to Ethernet for a lot of car systems. That still has its share of issues, but it’d probably be easier to create an in-car DMZ to isolate the entertainment bits from the rest of the car. Of course one argument would be that there should be no physical connection between infotainment and the rest of the car’s driveline/safety systems, but seeing as a lot of cars let you adjust damper settings and stuff through these systems these days, I’m not sure how you’d do that and keep that functionality. Maybe just get a car’s damper and throttle settings right first time chaps rather than a million and one comfort/sport/sport plus settings? I’m looking at you BMW.