Jump to content
Sign In to follow this  
A Nonny Moose

Your Computerized Jitney can be Hacked.

13 posts in this topic Last Reply

Highlighted Posts

Posted:
Last Online:  
 

http://www.cbc.ca/news/technology/hacking-cars-what-can-consumers-do-to-stay-safe-1.3165698

Demonstrated.  If you can't password your car as a minimum, then the automobile industry are members of the Pollyanna Club.  Any computer that is on the Internet can be hacked.  Some auto makers are including WiFi modems in their cars.  Everyone should password these routers, and car systems need to be protected as well.

Someday, some security-unconscious outfit will kill us all.


Beware: Emancipated user.  No Windoze for me.
The teacher opens the door but the student must enter himself. - Ancient Chinese Saying

Every minute of hate in which one indulges oneself is sixty seconds of happiness lost.
Music expresses that which cannot be put into words and that which cannot remain silent. -- Victor Hugo
If you always do what you've always done, you'll mostly get what you've always got.
JohnNewSig.gif
"We have met the enemy, and he is us" - Walt Kelly

Come join us at the Moose Factory

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

Passwords and whatnot are lovely but are also not uncrackable.

The thing that has me headdesking here is that someone thought it was okay to hook the car's critical control systems up to the same computer as the car's cell/wifi gizmos. Presumably this is done to save costs, and of course because automakers are predominantly mechanical experts more than computer experts so they're not good at getting digital things right. But, to anyone paying attention who knows what's up, this is a glaring hardware design flaw.

Two words: "air gap". If a car is going to have gizmos capable of communicating with exterior sources, this needs to be a completely separate system, disconnected from anything that controls how the car moves. If automakers would take this basic step, then it would be 100% impossible to remotely hack the car's critical systems, since they would have no connection to the outside world. Hackers could still potentially access the wifi, phone, and all that, but any comprimization would be contained to those non-critical systems.


If you always take the same road, you will never see anything new.
If you can read this, you deserve a cookie.

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

Two words: "air gap". If a car is going to have gizmos capable of communicating with exterior sources, this needs to be a completely separate system, disconnected from anything that controls how the car moves. If automakers would take this basic step, then it would be 100% impossible to remotely hack the car's critical systems, since they would have no connection to the outside world. 

Not really.  As hackers demonstrated against Dell several years ago, it is possible to infect microprocessors that are never connected to any form of communication system.  You attack the factory machines assembling the chips and reprogram the machine to physically etch the malicious code into the processor.

Second, the NSA has been researching how to attack systems protected against intrusion via an air gap.  While it is extremely difficult to do, it is technically possible to use electromagnetic induction to attack an air gap protected system, even when it is metal clad.  The NSA has had some success using it to remotely attack disabled communication systems.


General Rules|Chat Rules

"Adherence to one's principles should not prevent satisfaction of those same principles."

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

Scary stuff really, it's bad enough that cars have computers running the show, but connecting them up to vital systems is just plain dumb. The industry can whine all they like about not being computer people, enough experts have been warning them for years, they just choose to ignore common sense. Imagine a high speed car suddenly having the brakes applied on full with no manual override, now imagine just doing that for one wheel, that's a fine accident there. Given how BMW's I-series cars were hacked you'd think the automotive industry would wise up to this.

Then we are talking about the same industry that thinks touchscreens are a good idea in a vehicle, I always liked VW cars because all the controls just feel so perfectly placed - can't say I like their reliability - but when I've had one on loan/hire you just feel very quickly in-sync with the car. I can never find buttons on a touch screen without looking at it, when driving at motorway speeds, bear in mind here in Germany that can mean 200kph+ for many, you really shouldn't be looking anywhere except the road.


Head over to my Lot and Mod Shack to keep abreast of my latest developments.

Do you like custom textures, but don't like all the work involved creating them?, take a look at the Texture Automation options here. Change the look and feel of your transit networks, with the minimum of effort, for example customised versions of my Sidewalk NAM (SWN) and Terrain Grass NAM (TGN) mods, and much more besides.

New to the NAM? Check out my tutorials on YouTube. Latest upload: How to: RHW - MHO Roundabout Interchanges. (Nov 25).

p.s. - I'm MGB over on SC4D and a member of the NAM team.

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

Another brilliant idea . Everybody get in line . You really need these options . How can you drive without them ?

Old news actually . http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/


Residing in West Virginia , Product Of Maryland , Viewer Discretion Advised . 

When I'm not on Simtropolis or playing SC4 HERE you can see what else I'm into . 

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

Not really.  As hackers demonstrated against Dell several years ago, it is possible to infect microprocessors that are never connected to any form of communication system.  You attack the factory machines assembling the chips and reprogram the machine to physically etch the malicious code into the processor.

Second, the NSA has been researching how to attack systems protected against intrusion via an air gap.  While it is extremely difficult to do, it is technically possible to use electromagnetic induction to attack an air gap protected system, even when it is metal clad.  The NSA has had some success using it to remotely attack disabled communication systems.

Okay, but consider the application. Yes, hackers could get into the Chrysler factory and inject some code into the car's hardware and... then what? The computer it's on still has no internet connection, so the hacker's can't remotely control the car. They could only make it follow a preset list of instructions. This means this methodology is useful for vandalism for jolliies, but it cannot effectively be used to target a specific individual, nor can it readily be used for profit. So this is likely not a large practical threat, since it's not useful for the motives of most hackers... and Chrysler really should be taking security measures on their factory equipment as well.

As for induction, now we're getting into James Bond level stuff. Could the military pull something like that off if they really wanted to? Perhaps. Could a gang of criminals do it? I doubt it. For one thing... what is the source of the induction? One would need equipment capable of targeting a delicately controlled magnetic field at the car, and would need to be able to get it into position to do so.

An air gap would be very effective since it would remove any practical means of compromising the system.


If you always take the same road, you will never see anything new.
If you can read this, you deserve a cookie.

Share this post


Link to post
Share on other sites
Posted:
Last Online:  
 

 Okay, but consider the application. Yes, hackers could get into the Chrysler factory and inject some code into the car's hardware and... then what? The computer it's on still has no internet connection, so the hacker's can't remotely control the car. They could only make it follow a preset list of instructions. This means this methodology is useful for vandalism for jolliies, but it cannot effectively be used to target a specific individual, nor can it readily be used for profit. So this is likely not a large practical threat, since it's not useful for the motives of most hackers... 

One does not need internet access to remotely attack a car.  Most, if not all, modern vehicles contain a black box data recorder similar to airplanes.  Many of these systems contain wireless communication equipment to enable the system to maintain GPS tracking.  GPS spoofing is a real thing and can be used as a means to hijack a navigation system to remotely steer the vehicle in question.  Additionally, most modern vehicles contain additional wireless sensor systems that are vulnerable to attack.  Any ultrasonic range finding systems are vulnerable (especially if the computer management system is already compromised).  There have even been proof of concept attacks against the Tire Pressure Monitoring System to directly control the vehicle's engine management computer.

and Chrysler really should be taking security measures on their factory equipment as well.

That's nice in theory, but a lot harder in practice.  The problem is that no one really knows how vulnerable said systems are.  Prior to the Dell attack, no one had seriously considered the idea that chip fab equipment could be used to physically burn a virus into brand new PCB that had never been connected to the internet or any other form of communication system.

People have been talking about the dangers of using default passwords and weak network security on industrial control systems for years, but until Stuxnet was discovered, no one considered the idea that a worm could be so advanced that it could identify industrial processes by the type of installed equipment it found, migrate into the critical portions of the hardware's firmware, embed itself below the firmware, maintain real-time look out for security programs, self-sanitize when a security scan was detected, and then reinstall itself once the scan was complete.

Hacking industrial control systems is a relatively new field of cyber-security.  It's new enough, and the existing attacks sophisticated enough, that no one really knows if there is a practical limit to what a dedicated hacker can achieve.


General Rules|Chat Rules

"Adherence to one's principles should not prevent satisfaction of those same principles."

Share this post


Link to post
Share on other sites
  • Original Poster
  • Posted:
    Last Online:  
     

    A word about passwords.  A password that is long enough is such a pain to crack that many except the most dedicated hackers with powerful systems give up.  Mine, on average, tend to be 10 characters or more.  Some sites foolishly limit the length of passwords for "programming convenience" and as a result make their sites vulnerable.

    A password should be memorable, not necessarily made up of personal data, but something you can remember.  It could reference some issue in your past life that you consider not generally known, or some foreign word or phrase.  For example, in North America if your password is a foreign phrase such as 'gomen nasai' (11 characters) and was in mixed case such as 'g0Men Nasa1' good luck to the hackers.  [This example has never been used by me, BTW.]  And yes, Jimmy, passwords should be allowed to include spaces and even punctuation characters.  There is a lot of BS out there surrounding what a password can or should be.  It is all BS.  My rule: 10 characters or more, any characters, any case, any language.

    At the service end, passwords should be passed through a one-way encryption algorithm and only the result stored.  Never store passwords as plain text.  The only way a password can match is by passing it through the encryption and comparing it to the stored result.  Not perfect, there can be synonyms, but better than plain text by a thousand rows of Christmas trees.

    EDIT: This may have already been posted, but when I opened the reply box, it was there which I took as an indicator that it had not been accepted by the system.  It may have been an error in that the reply box was not cleared after the post.

    ----------------------------------------------------------------------------------------------------------------------

    That being said, looking at the immediate preceding post, my comment is basically one I've seen around for many years.  I attribute it to Sylavanus P. Thompson who was the author of a Calculus text I once had from the public library.  The quote is:

    What one fool can do, another fool can undo.

    This pretty much says it as long as embedded systems in appliances and automobiles are written in non-protected languages.  What ever happened to Ada?  DOD wanted it for systems embedded in cruise missiles.

    The Wiki article says it is alive and well.  However, I suspect the number of programmers around who know this well enough to use it in an application who are not in uniform are very likely to be few, far between and sworn to secrecy.

    GNU Ada compiler
     
    GNAT is a full-featured Ada 2012 compiler.  A quote from
    http://www.adaic.org says: "Easily reused and maintained, readable and
    user friendly, Ada code facilitates such massive software projects as the
    Space Station and the Paris Metro. It has proven to be extraordinarily
    robust in decades' worth of daily field tests under the most rigorous
    conditions in which millions of lives have been at stake."  Ada is the
    language for real-world, mission-critical programming.

    At the same time, Ada's radical type safety helps novice programmers avoid
    many common mistakes and deliver their software on time (see
    http://www.adaic.org/atwork/trains.html).

    This empty package depends on the default version of the Ada compiler for
    Debian, which is part of the GNU Compiler Collection. Its enforces the
    same version for all Ada compilations, as described in the Debian Ada
    Policy.

    The above is from the description supplied by the Ubuntu Synaptic Package Manager.  If the automotive companies are not aware of this language, they are really stupid, indeed.  One wonders what kind of IT people they hire.


      Edited by A Nonny Moose  

    Beware: Emancipated user.  No Windoze for me.
    The teacher opens the door but the student must enter himself. - Ancient Chinese Saying

    Every minute of hate in which one indulges oneself is sixty seconds of happiness lost.
    Music expresses that which cannot be put into words and that which cannot remain silent. -- Victor Hugo
    If you always do what you've always done, you'll mostly get what you've always got.
    JohnNewSig.gif
    "We have met the enemy, and he is us" - Walt Kelly

    Come join us at the Moose Factory

    Share this post


    Link to post
    Share on other sites
    Posted:
    Last Online:  
     

    Fiat-Chrysler decided to take a big hit at once. This and the Gas Tank/Axel location problem on some older model JEEPs are being bought back in a settlement.

    Great after years of driving beaters and saving up to one day buy myself a JEEP again, I bought a brand new one in March, and this is the kind of problem I have.

    Of course the company has a solution to the problem within hours/days of the report coming out. Makes you wonder how long before Wired  exposed it they already knew about it.


    I thought about this, and am still thinking about it because though I've thought about this, I still have more thinking to do as to stop thinking about it would mean not to think.

     

    Share this post


    Link to post
    Share on other sites
  • Original Poster
  • Posted:
    Last Online:  
     

    Fiat bought Chrysler.  Then instead of shutting it down, as they should have, they continued operating it with the same old bunch of bad boys.  "Fiat voluntas recallis".

    EDIT:  A thought that occurred to me this evening after dinner:  AFAIK no one has ever hacked a horse.


      Edited by A Nonny Moose  

    Beware: Emancipated user.  No Windoze for me.
    The teacher opens the door but the student must enter himself. - Ancient Chinese Saying

    Every minute of hate in which one indulges oneself is sixty seconds of happiness lost.
    Music expresses that which cannot be put into words and that which cannot remain silent. -- Victor Hugo
    If you always do what you've always done, you'll mostly get what you've always got.
    JohnNewSig.gif
    "We have met the enemy, and he is us" - Walt Kelly

    Come join us at the Moose Factory

    Share this post


    Link to post
    Share on other sites
    Posted:
    Last Online:  
     

    wait does this count as hacking a horse? I'm sure it happened in real life too.

    I mean the part where the horse is in heat and used to throw the other horse off with pheromones, not the Mountain's chop.


      Edited by philforhockey51  

    to clarify the hacking

    I thought about this, and am still thinking about it because though I've thought about this, I still have more thinking to do as to stop thinking about it would mean not to think.

     

    Share this post


    Link to post
    Share on other sites
  • Original Poster
  • Posted:
    Last Online:  
     

    You don't have to go that far back in history.  Horses were in use in WW I.  However, in the modern use of the work hacking, I don't think butchery is included.  You'd have a hard time taking over what little mind a horse might have.


    Beware: Emancipated user.  No Windoze for me.
    The teacher opens the door but the student must enter himself. - Ancient Chinese Saying

    Every minute of hate in which one indulges oneself is sixty seconds of happiness lost.
    Music expresses that which cannot be put into words and that which cannot remain silent. -- Victor Hugo
    If you always do what you've always done, you'll mostly get what you've always got.
    JohnNewSig.gif
    "We have met the enemy, and he is us" - Walt Kelly

    Come join us at the Moose Factory

    Share this post


    Link to post
    Share on other sites

    Sign In or register to comment...

    To comment in reply, you must be a community member

    Sign In  

    Already have an account? Sign in here.

    Sign In Now

    Create an Account  

    Sign up to join our friendly community. It's easy!  

    Register a New Account

    Sign In to follow this  

    ×

    Thank You for the Continued Support!

    Simtropolis depends on donations to fund site maintenance costs.
    Without your support, we just would not be in our 24th year online!  You really help make this a great community. *:thumb:

    But we still need your support to stay online. If you're able to, please consider a donation to help us stay up and running. This helps sustain a platform where we can share our community creations for years to come.

    Make a Donation, Get a Gift!

    Expand your city with the best from the Simtropolis Exchange.
    Make a Donation and get one or all three discs today!

    STEX Collections

    By way of a "Thank You" gift, we'd like to send you our STEX Collector's DVD. It's some of the best buildings, lots, maps and mods collected for you over the years. Check out the STEX Collections for more info.

    Each donation helps keep Simtropolis online, open and free!

    Thank you for reading and enjoy the site!

    More About STEX Collections