Team-BHP (https://www.team-bhp.com/forum/)

-   Technical Stuff (https://www.team-bhp.com/forum/technical-stuff/)

-   -   Hacking into a car's software to gain control of it (https://www.team-bhp.com/forum/technical-stuff/139469-hacking-into-cars-software-gain-control-3.html)

It will be a concern when a manufacturer is stupid enough to connect the engine control to the internet. Otherwise, it will be a concern only if a malicious person gets physical access to the car. In that case the malicious person can cause damage without hacking, but hacking can potentially enable subtle/"delayed" effects, maybe even enable remote controlling the car... [edit] reading the article, it looks like there was a vulnerability that let them communicate with the engine via the entertainment unit. Not sure how widespread such a "feature" is, or why Chrysler thinks the entertainment system should have any linkage with the engine. Their previous exploit involved wiring a PC to a car's onboard diagnostic port, but this one, they say, requires only knowledge of the car's IP address! One hopes manufacturers will take note and insulate the engine from other electronics.

A software can be robust but not impregnable. Look at Microsoft. They have been at it for years and still routinely we d/l patches. If it's a work in progress with them then the car companies are certainly not gonna be able to find this holy grail.
Carjacking is one thing but crippling a car in Delhi while sitting in Karachi is a whole new world. It is not about stealing but could create a whole new level of susceptibility.

Smart cars are upon us whether we like it or not and advances in technology will ensure that they will keep on getting smarter (http://youtu.be/7Pq-S557XQU). Cars will be connected to the net eventually.
http://in.norton.com/yoursecurityres...d=car_computer

Couple of hackers gaining control of a Jeep in motion over internet. Truly scary.

https://www.youtube.com/watch?v=MK0SrxBC1xs

I would like to respectfully disagree. Imagine upgrading your car by updating the firmware of your car. Already manufacturers like Tesla are discussing this feature. Connected cars will be the future.

The article and researchers are highlighting the lack of security on a car in production. All manufacturers should awake to this and incorporate security features. Its disheartening to see Chryslers response to the researchers inputs.

In future, car safety aspects should not be limited to only crash tests but also vulnerability tests. A simple option could be to give a control to the driver to override auto mode and switch to manual mode completely. (similar to aeroplanes)

Are we talking of something like this ?

http://gadgets.ndtv.com/internet/new...ome-editorpick

If they do this they deserve the security flak (and, in countries like America, lawsuits) that they will inevitably get. Firmware upgrades for the entertainment system are one thing, but firmware upgrades for the ECU should be done only at an authorised shop. Or, at most, by a knowledgeable customer who has downloaded the firmware image on a computer and know how to do the upgrade by connecting to the onboard port. Not via the internet! All software that controls the functioning of the car needs to be insulated from the internet.

Security experts used Fiat-Chrysler's telematics system Uconnect to hack into a moving Jeep.

Like with Smartphones, Fiat-Chrysler have come out with a security patch to plug this loophole. Where are we heading?!

Report from Reuters.

This is scary. Some points to note.
1. The head unit, touch screen or whatever it is called, must be connected to the public network/internet in some way. Wireless/3G/4G whatever and the hackers would require to first scourge the network to "search out" a suitable candidate i.e. the sacrificial lamb. Thankfully, it does not seem that one can hack this vehicle whenever it passes a doorstep/toll booth/restaurant. That would have been really freaky.

2. The OS/software on the head unit inherently has some vulnerability which has been exploited to "get access" into the head unit.

3. Once the OS access has been established, it is a question of putting in malicious piece of software which remotely accepts the commands and issues them on the vehicle's software/control bus. Frankly one need not know the exact bits and bytes of the protocol, all one needs to do is the ability capture and playback on demand the command sequences.

4. The question is how secure is the vehicular software bus and the head unit to these types of attacks.

I guess there would be many more points to chew on.

Interesting G+ thread here, particularly these comments from Michael Mol:

The solution is relatively simple in nature. Essential systems (e.g. steering, brakes etc) should be completely (physically) seperated from all the none essentials, e.g. radio.

Remarkebly, even on many modern airplanes that offer for instance WiFi access for passengers this is not the case.

Anything that cant be accessed (for lack of physical means) can't be hacked. Its that simple. Unfortunately, the IT crowd still believes that a logical separation is the same as a physical seperation, it is not.

Having said that, I'm not that concerned. I would like to understand a bit more in depth what it is they actually did. Especially the bit about how they issue commands to the engine and such. Here a lot of text on this little escape with remarkeble little technical information

http://www.wired.com/2015/07/hackers...-jeep-highway/

By the way, being able to remotely disable the engine is nothing new at all. In some countries (US States) it is considered a safety feature, so the cops can safely bring a vehicle to a full stop.

Jeroen

This is not possible since the same user interface needs to control both. E.g. :

1. Touch screen interface controls Audio as well as HVAC
2. Same interface Tunes suspension

An ECU update at an authorised outlet is no protection. The weakest link and all that....

These days smart phones get connected to headsets automatically. Soon these headsets will be employed to display ECU data and that is where the primary gateway into the vehicle appears -->smartphone --> headset --> ECU

What is the purpose of leaving redundant code interfacing entertainment system with steering, brakes or engine? Doesn't make much sense. Unless we are talking about a on the fly 4x4 control, suspension control and abs traction control possible using a touch screen. And that touch screen capable of being remotely controlled by a smart phone or such.

I don't know why these software developers run after enabling everything on a smart phone. It is such an insecure device, capable of beings hacked or stolen.

This journalist that apperently drove this car also reported that these hackers managed to completely disable the brakes and the car ended in a ditch.

I'm not familiar with these new Jeep Cherokees (only owned a 1998 Cherokke), but as far as I'm aware on any car the basic brake system is still hydraulics/mechanical. There is obviously a booster which usually works on vacuum and then there could be all sorts of electronics involved in functions such as ABS. Disabling the electronics, would/should never disable the actual brake function, which is still hydraulically/mechanically operated.

Anybody any thoughts on how you can remotely disable a brake system on a car? If they were able to shut down the engine, you are most likely to quickly loose the vacuum and thus the boost, but you still have normal braking capabilities, you just need to push the brake pedal harder.

Jeroen

And I thought this was stuff of the movies. I read the article of the car being controlled remotely and the first thing that came to mind was the chase sequence in Fast & Furious 6 where after hacking into Interpol HQ at London, when the bad guys were being given a chase by Toretto's people in BMWs they fire a remote transmitted and use it to jam the brakes on these cars.

But given that we are talking about the future of cars and Internet of Things, being able to control a car remotely will surely be one of the requirements.

Like they say, if its on the net, it can be hacked into. As the industry matures, I am sure loopholes or vulnerabilities will be plugged in - Fingers crossed