PDA

View Full Version : Cars are getting hacked now



MR2 Fan
July 21st, 2015, 05:16 PM
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/?mbid=social_fb

All of this great big beautiful connected tomorrow :|

thesameguy
July 21st, 2015, 09:18 PM
I think we have a piece of this technology on the Fiat, and it's pretty terrifying from a user perspective. Hacks aside, security is WEAK. Thank God the Fiat 500e is different than all the cars electronically. Half the "things" that dealer tools can do with regular cars don't work at all on the e version.

It's absolutely crazy that amidst all the other widely-publicized hacks of things nobody at Chrysler said, "Hey, maybe some security here."

Godson
July 21st, 2015, 10:18 PM
Fucking yikes.

samoht
July 24th, 2015, 11:15 AM
Fiat Chrysler recalls 1.4 million cars after Jeep hack (http://www.bbc.co.uk/news/technology-33650491)

MR2 Fan
July 24th, 2015, 11:38 AM
the big question for me is....is this something where only individual cars can be hacked, or is it possible for all cars of a certain make be hacked at once? (which is VERY scary)

The359
July 24th, 2015, 11:47 AM
From what they mentioned in the video, they're going through the car's onboard cellular system, which requires them to know the number for that specific car, which they easily were able to get because it's their own Jeep. The only way to get into random guy's Jeep is if they know that car's number. So no, they couldn't just hack into all Jeeps at once and control them all at once. It'd have to be a single vehicle only. And I'd think commands would vary from vehicle to vehicle.

This is similar to the hacks before where people managed to get through the car's onboard Bluetooth systems.

thesameguy
July 24th, 2015, 12:56 PM
You do have to know the car's IP, but it doesn't take long to scan a whole mess of them. Since IPs are tracked by carrier, it wouldn't take long to find out what block is assigned to whomever carries Chrysler and then scan all of those. Since IPs on connecting systems don't typically change very often, it would not be difficult to spend a month scanning a block of IPs, find the Chryslers, and then hack them all at once. All good hacks take time and patience, this one would be no different.

That assumes you don't just set up a fake cell tower and do it that way. For example, an IMSI catcher. https://en.wikipedia.org/wiki/IMSI-catcher. Plop one of those down on a limited access, high-traffic roadway (like a bridge) and make all the Jeeps plow into each other. Not had to imagine, not all that hard to do (apparently).

Kchrpm
July 24th, 2015, 12:59 PM
The article disagrees with the video, then, or is at least unclear.


Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.

thesameguy
July 24th, 2015, 01:01 PM
The article disagrees with the video, then, or is at least unclear.

That sounds exactly like I'd expect the attack to work. This attack against cell phones has been demonstrated numerous times - a car is no different.

MR2 Fan
July 24th, 2015, 02:27 PM
You do have to know the car's IP, but it doesn't take long to scan a whole mess of them. Since IPs are tracked by carrier, it wouldn't take long to find out what block is assigned to whomever carries Chrysler and then scan all of those. Since IPs on connecting systems don't typically change very often, it would not be difficult to spend a month scanning a block of IPs, find the Chryslers, and then hack them all at once. All good hacks take time and patience, this one would be no different.

That assumes you don't just set up a fake cell tower and do it that way. For example, an IMSI catcher. https://en.wikipedia.org/wiki/IMSI-catcher. Plop one of those down on a limited access, high-traffic roadway (like a bridge) and make all the Jeeps plow into each other. Not had to imagine, not all that hard to do (apparently).

And this is where, IMO, it comes down to the idea of need. Do we need our cars to be remotely connected like this all the time? I know Teslas have been great for getting upgrades and updates to their interface and more efficiency IIRC, but the potential bad side to this is pretty scary.

The359
July 24th, 2015, 03:13 PM
To be fair, I think the better question is why something like UConnect would have any control over vehicle functions. I can understand the AC being connected, but not the brakes. It should be a one-way connect of data to UConnect, not both ways.

thesameguy
July 24th, 2015, 03:17 PM
CAN. :)

Sad, little man
July 24th, 2015, 05:13 PM
Yeah, the CAN protocol pretty much allows any module to address any other module on the network. So, as long as you are sending the right commands to the right module, the receiving module doesn't really care what module it comes from, AFAIK.

That said, this is the area of auto technology that I've been working with for the past three and a half years, so here's my opinion... First, even after this article, I'm not very worried about hacking of cars in the near term. I think the really key piece here is that it took these very intelligent hackers years of work to be able to pull this off on just one model of vehicle. I'm immensely impressed they were able to do it. The procedures for controlling items in a car like this are not publicly available. And it would be very very hard to just figure it out on your own. Hell, at work we have all the necessary info at our fingertips, and it's still hard for us to get things to work properly sometimes. Imagine trying to speak a foreign language without any real guide as to how to speak it aside from listening to others speaking it. Oh, and since it's a computer network, you have to speak it flawlessly, or the computer on the other end won't understand you.

However, putting a cellular connected module into a vehicle is crossing a really sacred line I think. The previous hacks shown on cars were extremely unrealistic and alarmist since they required a hardwired connection to the car. This is a different ball game. However difficult, once you put cell connectivity into a vehicle, hacking like this does become a legitimate possibility. So, ultimately it is really stupid of automakers to cross that line without putting necessary security measures in place.

Rikadyn
July 27th, 2015, 01:31 AM
https://youtu.be/NT4yhrKLPcc?t=3m46s

IMOA
July 27th, 2015, 03:58 AM
After reading this a little more closely I do have 2 clear lines of thinking

1 - At what point do standards address this sort of thing requiring say and entertainment canbus and a control canbus so only the entertainment one can access internet

2 - The current Porsche ecu has not been successfully hacked so tuning is a major pita. What the fuck are these two guys wasting their time with hacking Jeeps for, they need to be getting us access to the porsche ecu for some sweet sweet tunes!

Rikadyn
July 27th, 2015, 07:37 AM
They're not car guys, they're hackers who hunt vulnerabilities to alert companies to them. Most likely with hopes of being hired to fix it, usually though they just get criminal charges laid against them.

There is a good possibility that this isn't new and has been around for awhile and might not be limited to just one brand or one make, as people and communities that do this sort of thing are quite good at keeping their mouths shut to outsiders.

thesameguy
July 27th, 2015, 09:27 AM
There is a good possibility that this isn't new and has been around for awhile and might not be limited to just one brand or one make, as people and communities that do this sort of thing are quite good at keeping their mouths shut to outsiders.

For reals.

Crazed_Insanity
July 27th, 2015, 01:22 PM
Hyundai's blue link claims that they can not only track but also slow down moving vehicles once it's reported stolen.

I can also lock/unlock doors and start engine with an app... I can only presume that my car is hackable if someone were determined enough to hack it.