The good news is that this particular bug has been addressed, but that does not make the vulnerability any less terrifying. A mere 18 seconds of playtime on a compromised audio CD in your car is enough to insert the attack code and gain complete control over your car's computer-controlled systems. This particular vulnerability was discovered in 2010, long before the more recent vulnerabilities you would have seen all over various media. You could shut off the engines, forcibly unlock the doors, interfere with steering and many other functions that could well cause serious damage at highway speeds or in other scenarios.
When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies, as it is the software providers who are the source of the problem. Thanks to various corporate policies, no car company has access to all of the source code running in their products, so a security audit will not help. Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your car's system, which you should not touch as simply plugging into it would be a crime in the USA. There is some good news: this vulnerability resulted in Fiat Chrysler recalling 1.4 million cars at a cost of about a quarter of a billion dollars … an expensive mistake that may convince them to change their software implementation processes.
"The modern car's operating system is such a mess that researchers were once able to get complete control of a vehicle by playing a song laced with malicious code. Malware encoded in the track was executed after the file was loaded from a CD and processed by a buggy parser."
Here is some more Tech News from around the web:
- AMD emits fresh open-source GPU tools for HPC, game devs @ The Register
- Augmented Reality Becomes Useful, Real @ Hack a Day
- honor 5X, honor 7 Enhanced & honor Band Z1 Revealed @ Tech ARP
- Western Digital, IBM enter patently cosy deal @ The Register
- Mozilla launches Firefox 44 with pop-up notifications @ The Inquirer
- Google Chrome had an unchecked extension that can spy on you @ The Inquirer
- Increasing adoption of Ultra HD panels for notebooks may push down prices @ DigiTimes
- Raspberry Pi Zero Cluster Packs a Punch @ Hack a Day
- N1 Email Client — A User-Friendly Option @ Linux.com
- Guide: Block Google DNS per device @ MissingRemote
Worst title ever.
Oh please, I've done much worse.
Worst ever? When Disney released “Cooking with Pooh” as a book title?
Well I think the title is brilliant! 🙂
“When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies as it is the software providers who are the source of the problem.”
We can indeed blame the car manufacturer. They handle the software that controls the engine, drivetrain, and other bits that make the car go. If their software is accepting spurious commands from other devices on the CANbus (e.g. not using signed commands) it’s 100% on them.
Not sure that is right, it sounds more like they received the software package from the parts manufacturer and have no access to it to review the code, they just have to stick it in.
“Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your car's system; which you should not touch as simply plugging into it would be a crime in the USA.”
Then how come I can walk into any Walmart or auto parts store and buy an OBDII scanner which plugs into said port? I think you might want to research that part. Tampering with it I can totally see but just plugging into it? No.
The past three cars I’ve owned I have plugged into said port and done everything to change fuel/air ratios, gear shift points, you name it. It’s not illegal. It can void your warranty, but that’s about it.
The DMCA down there is a little ridiculous so I figured better safe than sorry. I think you should be able to do whatever you want with that port as long as you own the vehicle but that isn't going to hold up in court.
The insanity about tractor repair right now for instance.
I ran into a similar situation when hacking (changing a hex value) the navigation DVD of my Chrysler a few years ago in order to bypass the in-motion menu lockout and mess with the CAN bus a little bit. I hosted the bootleg DVD on one of my servers for some others to download and got a notice from Comcast. I took it down right away and nothing ever came of it.
I don’t recall the name of the man or the venue, but about 25 years ago I was at a conference with my dad and an auto industry guy was talking about vehicles as a service. This was still the DOS/Windows 3.1 era, VHS rentals were still a thing, and Internet speed still went by “baud rate”. Anyway, he was talking about how GM, Ford, etc. were all working out long term plans to essentially make all vehicles leased, non-stop-continuous payments that included the maintenance cycle. At a high level, this is probably a liberty vs. security argument.
They might as well be. Modern cars will never have near the life span of their older relatives. Machines last lifetimes, computers… well they work for a while.