[acurafan]

Quote:

Originally Posted by Jeroen

Anybody any thoughts on how you can remotely disable a brake system on a car? If they were able to shut down the engine, you are most likely to quickly loose the vacuum and thus the boost, but you still have normal braking capabilities, you just need to push the brake pedal harder.

Jeroen

Most actuators in the car can be controlled through the System CAN bus. There are some protections to avoid running malicious code to access the safety CPU and thereby accessing the system bus but for a dedicated hacker it is fairly straight forward. Unfortunately it is not some thing that can/should be discussed in a public forum.
I have seen cars been hacked before, just not publicized. Actually one of the group just to prove to us that it is possible, hacked a rental car which they had rented the same day from the airport. Although they needed a access to the system through diagnostic port, as the car didn't have telematics.

[Jeroen]

Quote:

Originally Posted by acurafan

Most actuators in the car can be controlled through the System CAN bus. There are some protections to avoid running malicious code to access the safety CPU and thereby accessing the system bus but for a dedicated hacker it is fairly straight forward. Unfortunately it is not some thing that can/should be discussed in a public forum.
I have seen cars been hacked before, just not publicized. Actually one of the group just to prove to us that it is possible, hacked a rental car which they had rented the same day from the airport. Although they needed a access to the system through diagnostic port, as the car didn't have telematics.

Specifically on the brakes; there is (my understanding) a mechanical linkage between the brake pedal and the brake master cilinder and then a hydraulic linkage (via ABS pumps etc) to the actual brakes. So how can that be disabled remotely?

Anybody familiar with the brakes on this Jeep?
R jeroen

[DerAlte]

Quote:

Originally Posted by Jeroen

This journalist that apperently drove this car also reported that these hackers managed to completely disable the brakes and the car ended in a ditch. ...

Perhaps he didn't know / remember that with engine off there is no brake boost and one has to press harder.

Quote:

Originally Posted by Jeroen

... as far as I'm aware on any car the basic brake system is still hydraulics/mechanical. There is obviously a booster which usually works on vacuum and then there could be all sorts of electronics involved in functions such as ABS. Disabling the electronics, would/should never disable the actual brake function, which is still hydraulically/mechanically operated.

Anybody any thoughts on how you can remotely disable a brake system on a car? ...

You are right/ Lack of boost is the only plausible reason that one feels the brake is disabled. The only other way is to hack into the ABS ECU and flag all valves to Open state (the ECU will report this as error - watchdog loop which checks for anomalies). But, that is not a trivial task - considering the ABS ECU doesn't have any open interfaces to communicate over.

[apachelongbow]

Quote:

Originally Posted by Jeroen

This journalist that apperently drove this car also reported that these hackers managed to completely disable the brakes and the car ended in a ditch.

Jeroen

Just saying, imagine having the new fangled green car with hybrid technology, connected to the Internet via smart phone and all kinds of gizmos, having regenerative breaking capability where in the electric motor reverses to act like a brake. What if the hacker ensures that your electric motor free wheels or even accelerates when you brake????

[acurafan]

Quote:

Originally Posted by Jeroen

Specifically on the brakes; there is (my understanding) a mechanical linkage between the brake pedal and the brake master cilinder and then a hydraulic linkage (via ABS pumps etc) to the actual brakes. So how can that be disabled remotely?

Anybody familiar with the brakes on this Jeep?
R jeroen

You may want to read this
http://illmatics.com/car_hacking.pdf

In fig 6, page 19 you can see which ECUs can be accessed through HS-CAN and regular CAN.
The attack on braking system is discussed around page 54. Anti-locking Brake ECU can be accessed through HS-CAN bus. There is a diagnostic command to bleed brakes, the author is talking about Ford here but it will probably be the same for GM. When the command is issued, one cannot depress the brake pedal. Only catch is that the command can be issued only when the vehicle is moving at less than 5 mph. Therefore I can see why the vehicle didn't stop and end in the ditch.

[VeyronSuperSprt]

Audi is going to make it easier for folks to hack Into your car with their "self parking cars".

Hack and steal would be the new tag line:

[Jeroen]

Quote:

Originally Posted by acurafan

Most actuators in the car can be controlled through the System CAN bus. There are some protections to avoid running malicious code to access the safety CPU and thereby accessing the system bus but for a dedicated hacker it is fairly straight forward. Unfortunately it is not some thing that can/should be discussed in a public forum.
.

Actually, these discussions are very much on public forums already see the post from Acurafan. It is what Internet is all about. There is of course a downside to it, but in general I believe openness and transparency are good. I for one, would really like to understand and make up my own mind what is possible, how difficult is it etc.

I don't have any great confidence in either the hacker stories or the manufacturers counter claims to speak. Anybody that claims, trust me I know what I'm doing and doesn't provide in depth insights, raises suspicion, at least with me.

Jeroen

[rsidd]

Fiat-Chrysler has issued a recall for 1.4m vehicles, to update the software and (presumably) stop the hack. But the real problem is the lack of separation between the engine and the radio. Will they (and other manufacturers) take this more seriously in future cars?

[TMRT]

Considering the fact that US legislators are setting their eye on implementing secure car legislations, the analysis brought forward in some of the threats that warn of danger signs deserve some merits and kudos rather than just getting into the critic war.

A buyer must be aware about any glitches, vulnerabilities or bugs in the automobile he/she is investing (perhaps for the buyer's lifetime ) in. And I won't hesitate to say that manufacturers for that matter must offer to fix these issues free of costs if not recall the affected cars.

[acurafan]

Quote:

Originally Posted by Jeroen

I don't have any great confidence in either the hacker stories or the manufacturers counter claims to speak. Anybody that claims, trust me I know what I'm doing and doesn't provide in depth insights, raises suspicion, at least with me.
Jeroen

Some more details on the fiasco.
http://www.wired.com/2015/08/chrysle...int-jeep-hack/

[Jeroen]

Quote:

Originally Posted by acurafan

Some more details on the fiasco.
http://www.wired.com/2015/08/chrysle...int-jeep-hack/

Thanks for sharing. They are saying the exact same thing I mentioned in my first post on this topic. You need to have physical separation between the two systems. Whether this warrants a class action is not so much an automotive as more a cultural topic.


The fact that Chrysler recalled these vehicles for an software update doesn't prove much in terms of how vulnerable from a technical point of view the system really is/was. Companies are as much worried about Brand and PR damage as they are worried about technical facts.

We lived in the USA for three years and in many ways the original settler spirit and attitude is still very much present. You look after yourself and don't expect anything from anybody least the government. Against that mind set we never understood this also very American approach to sue first, sue hard, sue without facts approach to legislation.

If there is one thing all that live in the (self proclaimed) 'greatest nation in the world' agree upon is that going through formal legislation, i.e. Through court, doesn't necessarily bring the truth or attach blame or innocence in an appropriate, balanced matter. To much theatre, to much money, to many stakes involved etc. etc. really a shame for such a great nation.

Jeroen

[rusticnomad]

Here's a list of most hackable cars:

http://www.dailymail.co.uk/sciencete...-hijacked.html

[TMRT]

This month's InfoSec Magazine by ISC2.org has an interesting read on this topic which makes me believe there is a great momentum happening in this area.

Some direct quotes from the article:

"Over the coming years, information security professionals will have increased contact with connected vehicles of all classifications. Turning a car or truck into a data communications hub makes it more plausible that connected vehicles—executive fleets, freight carriers, utility trucks—
will, by degrees, fall under the supervision and oversight of chief security officers and their ICT management colleagues, who would bear some responsibility for protecting them from cyberattacks and ensuring data assurance."

"Connected vehicles of all kinds are increasingly using mainstream IT operating environments in preference over the proprietary software systems found on earlier generations"

What the second quote means is tech savvy mind of next generation will have to do less to exploit open systems in automobiles unless secured using strong counter measures. E.g. What I used as specialist tools few years back have become mainstream tools for troubleshooting connectivity problems that any user would use to solve internet connectivity issues from his home.

The article also alludes to SPY CAR ACT 2015 brewing in the States that I referenced in my earlier post.

With Honda introducing HondaConnect with the mission of "24x7 connectivity support for safety security and convenience" one wouldn't think that all automakers are passive indeed as cited in a whitepaper titled "Automakers Remain Passive as Government Take Action" in that article.


reference: January-February 2016 Infosecurity Professional Magazine

[hserus]

This "internet of things" fetish extending to cars means you have fully mobile, high speed botnets to go with the ones that merely stay in one place like infected PCs and laptops.

Here is a new example of just how right ISC2 is - http://www.zdnet.com/article/hackers...elong-to-them/ - break into the CAN bus of a Jeep Cherokee and gain control of the brakes. Right now, physical connectivity but the way things are going, it is likely to be quite possible over the internet.

[batman]

Yesterday, when I was reading about the recent ransomware attack 'WCry / Wannacry' on computers worldwide, I stumbled upon this 2 year old video, wherein the hackers (here reasearchers Charlie Miller and Chris Valasek) demonstrate remotely activating Air conditioning, Wipers, fans including stopping the engine in a car on highway.

https://www.youtube.com/watch?v=MK0SrxBC1xs

I further read Chrysler has patched the software for this particular bug but as cars are becoming more and more Automated / Controlled electronically and connected to Internet, soon it may be a reality when hackers can intrude into you car and demand ransom for it to move further.

In a follow-up article in wired.com they say “There will almost certainly continue to be remote vulnerabilities in the future”

The complete article is in the link below:
https://www.wired.com/2016/08/jeep-h...eration-hacks/

In the above link you can find the video below that hackers (researchers) controlling steering through a laptop, although while sitting inside the car and connected physically.

https://www.youtube.com/watch?v=ONDSAMfNGP0

Although the article says "A careful driver with two hands on the wheel could also overpower the steering attack". But as the cars becoming more and more Automated, it is natural that drivers will become lethargic over a period of time. They may not be 100% alert, like when they drive the car all through by themselves. Even the common, Internet-connected insurance insurance dongles plugged into vehicles’ dashboards could create the same remote hacking vulnerabilities, the article states.

Just imagine subscribing to 'Anti-virus' software for your car! Hope the Cars would not become as vulnerable as today's computers!