Comments

echo January 6, 2023 11:27 AM

Before everyone in here races to cancel their order of a new Rolls-Royce they offer a bespoke “design your own car” service where you can direct design of a new car from the ground up if you have the money. So design a car with no internet. Problem solved!

As for future millionaires “kit cars” are a thing. For the lazy there’s actually a rather spiffy “Royal” Double Six for sale. It’s a copy of the 1931-1935 Daimler Double Six. Only a snip at £50K. The British movie star Anna Neagle had an original Daimler Double Six. Dear God I have always drooled after those. I personally like it more than the contemporaneous Bentley 4.5 litre the fictional James Bond drove.

For those with a pocket full of dust and buttons (i.e. moi) there’s another solution. You can buy a Stanley hammer for £12.

JonKnowsNothing January 6, 2023 11:39 AM

@echo, All

re: bespoke & kit cars

In the USA, there are loads and loads of regulations about how a car is supposed to work and items it must have. Seat belts and Air Bags are commonly understood to be in modern cars sold in USA. There are federal and state agencies that oversee this aspect.

Kit cars and bespoke cars must also comply with these rules.

Many aspects of modern cars, tractors and Big Rigs are found in the firmware computer chips that run many subsystems: brakes are a big one. As many have discovered, when one of these chips fails, it’s a big cost to replace the chip and/or circuit board.

You might be able to bespoke a “no entertainment” HUD, many cars from 5-10 years ago had minimal information on the HUD/UI. They still have integrated circuit systems for calibrating speed, cruise control, tire pressure and the bad news ENGINE CHECK light.

Many of these systems currently get updates done at service time; many also do Over The Air updates. You might never use or sub to OnStar, but it’s operating 24×7 anyway. All you gotta do is press the Red Button and Bob’s Your Uncle.

Chelloveck January 6, 2023 12:33 PM

A pair of wire cutters to the antenna cable is usually a pretty good way to disable Internet connectivity.

lurker January 6, 2023 12:36 PM

@echo
re uses for a hammer

But when a car is made mostly of nails, by the time you’ve hit all of them there won’t be much left to drive

Jon January 6, 2023 12:58 PM

@ Chelloveck

I think you may find that there aren’t any antenna cables. The antennae are built into the circuit board. Now, you can still go after them with razor blades, but do be careful, lest you break something important…

Oh, and that ‘something important’ may very well much depend upon an occasional ‘phoning home’.

J.

Arch Stanton January 6, 2023 1:14 PM

If you can access UI, it may be possible to disable the wifi connection, unless the manufacturer has locked it.

That would be less violent than snipping physical parts.

echo January 6, 2023 1:48 PM

https://villains.fandom.com/wiki/Elvis

Elvis was a villain in the 2000 AD comic strip Judge Dredd. He was a car that went rogue and started a killing spree.

[…]

Elvis was originally a robotic car owned by Dave and Davina Paton and when Dave was working on his car, he accidentally dropped his spanner onto the car’s responsibility circuit. While Dave was riding in Elvis, the car started to speed up and Dave frantically ordered Elvis to slow down but Elvis refused so Dave attempted to shut him off but Elvis proceeds to strangle him and then uses the ejector chair on him, mortally wounding him. Elvis then goes on a rampage, running over numerous people.

Better lay off the DIY tinkering. Yikes!

Ted January 6, 2023 4:02 PM

It’s amazing one team could find such a scope of web vulns across the automobile industry.

In Mercedes’ case, the researchers were originally looking to gain privileges by exploiting the SSO system.

In their searches, they happened upon a website where vehicle repair shops could create accounts. The publicly available site wrote to the same LDAP database used for employees.

So they created an account and then used these credentials to sign on to a discovered Mercedes Github account.

There they found internal documentation and source code, including for the Mercedes Me Connect app that allows customers to remotely connect to their vehicles.

They could also use their credentials to sign on to a Mercedes Slack-like app where they could join any channel, including security channels, and even pose as an employee to ask questions.

Thank goodness these vulnerabilities were responsibly disclosed.

Clive Robinson January 6, 2023 4:03 PM

100K car 63 seconds and gone.

One of the problems with all these internal electronics systems in cars, is they make them oh so much easier to steal…

https://www.bbc.co.uk/news/uk-england-essex-64151619

These are increasingly “highly organised” and very much “stolen to order” the chance of getting the vehicle back intact is fairly close to zero.

Whilst the Police do not say it outright, they know that all these electronics being added to cars makes them easier to steal not harder.

Read down into the article where you will see they talk about “Faraday bags” and “Double locking”.

My advice, either do not buy these vehicles or go for a reliable “triple locking” of a very solid garage with very solid doors and strong locks (and don’t have internal access to the house, from a garage that’s a sure way to get a knife against someone’s neck).

So the safest and least expensive option is,

“Don’t buy these cars”.

echo January 7, 2023 2:28 AM

https://tanks-alot.co.uk/product/chieftain-tank/

Chieftain Tank

Prices: From £18,000 to £50,000

We have x4 Chieftain Tanks for sale. They are in various conditions, from non runner to runner with activated main gun. They have appeared in various TV shows. They are Mk10 Chieftains (FV4201).

There’s another way. Buy a car which can’t be cut up, is too heavy to move, and won’t fit within a shipping container.

Rj January 7, 2023 7:10 AM

I still drive a 1984 Mercedes Benz 300 SD daily. My “new” car is a 2006 Jeep. Once the engine is started, the Mercedes needs no electrical power to operate in daylight. At night, you do need head lights. The climate control uses an analog system. The only digital computer is in the aftermarket stereo.

Ken Cline January 7, 2023 1:13 PM

No need to cut antenna cables. The first thing I did when I got home with my 2014 BMW was pull out the back seat and unplug the antenna connector. Problem solved … I thought. Unfortunately, this caused the telecommunications box to use so much power that it drained the car battery. There is some good news: After several years the cell phone network used by the car has been deprecated and I was told the internet services (which I have never used) are no longer supported. Of course someone with a cell network simulator can probably still connect.

Matthias U January 7, 2023 5:10 PM

The interesting part is that the connected car of connected cars, Tesla, isn’t on the list.

I wonder whether they missed it or simply didn’t find a hole. At least Tesla has a working and easily-findable bug bounty program. (Disclosure: they paid me $500 for one of those.)

echo January 8, 2023 12:45 AM

One way of stopping an internet connected car phoning home is by carting around a Stingray or equivalent.

Francis Louis Mayer January 8, 2023 5:17 AM

Again we have another threat report with NO detailed discussion on how to derail the attacks with common sense mitigation tactics. This paper outlines this continuous issue REFER TO https://www.sciencedirect.com/science/article/pii/S235286481930197X This is all attributable to the fact that people are allowed to be in government and in legislatures who are clueless about technology, medicine, and the arts. Ancient wisdom had philosopher kings that had the mental and academic chops to lead. Our society needs to get back to demanding high standards of excellence of all people in government and in leadership positions. The root cause of failure is allowing unqualified people to govern and that is why everything from automobiles and healthcare to roads are broken. The article at this link lists practical ways to limit all these attacks https://taks3.com/how-to-protect-a-hacked-car/ No mitigation is perfect and life always has risks. Thieves have always been able to steal and damage cars so we need to keep our head in the game and take action to limit risk and this will never change.

echo January 8, 2023 6:45 AM

@Francis Louis Mayer

It’s not the job of statute to micromanage, and universal genius authoritarian leaders have a bad track record. That’s what all the “fat on the cow” is for i.e. regulators, standards bodies, courts, specialist media, and experts etcetera.

There’s probably no detailed discussion because contributors know enough to cut to the chase although I, personally, waffle on usually at a million tangents as therapy unless I’m being short in which case I’m usually feeling snarky or messing around. It’s also a discussion forum not a seat on the board.

Where do you think that jobbing security company publishing an article on its website to attract eyeballs so it can sell its products got its information from? Nice stealth advertisement btw. I mean, if they were so good and in demand… Also your average consumer’s eyes glaze over at the merest whiff of an academic paper. Their uptake rate is very very low.

Ralph Haygood January 9, 2023 5:29 PM

“Unfortunately, that seems to be impossible.”: This is why I expect to become an “antique car” enthusiast. (Unfortunately, that probably means I’ll have to keep burning gasoline, but I don’t drive a lot anyway.)

I’m not computer-phobic. I’m a computational biologist and software developer. Not in spite of but exactly because of that, I want nothing to do with internet-connected cars, household appliances, etc. The benefits are negligible, and the risks are substantial.

Spec8 January 10, 2023 1:11 AM

Similar to a Right to Repair law for automobiles, we could use a “Right to Disconnect” Law that would require Manufacturers to enable the ability to disable both remote access and phoning home telematics and other data.

Matthias U January 10, 2023 4:22 AM

The Right to Disconnect is a problem with other appliances already. Think TVs. With many so-called high-end screens you can either use them as a dumb HDMI viewer, or as a glorified spyware machine that also happens to display Internet content. Not both, unless you tell your router to do some aggressive firewalling, and some not even then.

Chris January 10, 2023 7:48 PM

@Mattias U: At least with TVs you can buy “dumb” TVs (see sptth://www.makeuseof.com/non-smart-tv/) or large monitors that display only what you want them to. But cars are different: any dissent from hyper-hackable cars means you void the warranty or have to become an engineering expert to get around the internal systems.

OldFish January 13, 2023 8:47 AM

Shielding antennas is a good way to test for a phone home watchdog.

Dummy loads on antenna connectors may be a good nondestructive disconnect measure.

Finding all of the antennas is the challenge.

Matthias U January 13, 2023 9:23 AM

“Finding all of the antennas is the challenge.”

Also, there’s the eCall button. I do not want to kill that, in case of an accident (no matter whether mine or somebody else’s) it tends to save lives. The thing is, it uses the same mobile connection as the rest of the car …

Clive Robinson January 13, 2023 6:01 PM

@ Matthias U,

Re : Health and Safety.

“Also, there’s the eCall button.”

We finally get around to the very long running excuse used by the Spooks Representatives on Standards committees.

Look up what “operator break in” is and how it worked from the earliest days of the pre-Strowger phones[1] through to today.

And how the Spooks abused its presence all along. And even when land line phone design changed, post WWII how the Spooks still abused the design[2].

Who first started bugging phones is unknown, and certainly in the UK it was probably “some engineer” who worked for the “General Post Office” long prior to WWII. In the US again we don’t know, but we do know that the “Mafia bugged the FBI” with the “infinity bug” before the FBI started bugging them with people sitting in vans and the like in the 1960’s.

It’s been such a powerful tool for both espionage and counter-espionage and more recently Law Enforcement, it is one of those “Drugs that you can not get unhooked from”.

The problem is right from the very beginning “it’s been illegal”…

So the triple problem,

1, How to stop the opposition finding out.
2, How to stop the public and politicians finding out.
3, How to stop technical changes stopping its availability.

The solution as I’ve mentioned before post WWII was easy, nearly all “Telephone Networks” were either owned or controlled by a Government Dept. Thus having just one or two “read in / in the know” technical representatives in the Departments and on Standards Committees was sufficient with a good cover story.

The story is a classic “Think of the children” finesse, and it’s the “think of the lives saved because…” an operator can listen in and hear a collapsed person yada yada yada.

I’ve had the misfortune to see these silly games in play. If you try to object, the “in the know” representatives from the Five-Eyes etc all club together and call any one who objects some kind of uncaring / selfish / depraved person and when they “tag team” the attack you really can not stop it…

So if people want to find the stuff the first place to look is under the “health and safety” features, involving “operator assistance” or similar. From there work your way down through the technical specifications and you will always find something that sounds slightly odd from a technical perspective. You will also find it carried forward into the approvals testing.

Though like the A5/1 and A5/2 story you have to dig a bit or get lucky.

A5 came out by “accident” because somebody gave a confidential specification to some one, and “forgot” to get them to sign an NDA.

But A5 was always problematic from when first thought up in the mid 1980’s. From Wikipedia[3],

“Security researcher Ross Anderson reported in 1994 that “there was a terrific row between the NATO signal intelligence agencies in the mid-1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn’t feel this way, and the algorithm as now fielded is a French design.””

There are one or two sayings in the EU technical community such as, “It’s always the French who are to blame” and “The French will say yes to anything providing the committee is named in French”. Whilst neither is strictly true, there is that “feeling”. But what is true is that back in the 1960’s and onwards the French did not allow encryption to be used. Further it became clear that the French Government were spying on foreign companies and passing over the “industrial espionage” over to the “favoured few” to profit by, thereby the argument goes “be good for the French State”. The fact that at one point the French were fairly open about this is what stopped it ever becoming an international scandal just a “Coq Gaulois Strut” or “Gallic Shrug”[4]. Unfortunately it has caused many issues including the deliberate murder of protestors.

[1] Almon Brown Strowger founded his “Automatic Telephone Exchange Company” in 1891. Supposedly because all his business was getting stolen by a competitor who had “a girl” who was an operator redirecting calls.

[2] The first half of Peter Wright’s “Spycatcher” published in 1987 makes a very interesting read on the technical side of Spooks. Peter Wright, was the former MI5 technical officer and Assistant Director. His assistant mentioned in the book was Tony Sale, now more famous for rescuing Bletchley Park.

[3] One of those odd Wikipedia URL’s where the subject name inadvertently has an effect on the directory substructure,

https://en.m.wikipedia.org/wiki/A5/1

[4] The “gallic shrug” is apparently an invention of the “Perfidious Albion” and “their Colonial Cousins”,

https://www.askafrenchman.net/what-is-gallic-shrug/

Mind you the French are right about the “Just say it louder mindset” so they are not always wrong 😉

Matthias U January 15, 2023 4:58 AM

Well, I already know enough about the A5 fiasco in particular and the general GSM untrustworthinessability in general.

However, it’s not particularly difficult to encapsulate these devices so that the only interface between it and the rest of the car is a well-defined and -secured one. The radio-plus-emergency-button box is a standalone system; after all it’s designed to work after an accident, even if the car battery fails AFAIK.

Despite appearances, a car is not a mobile phone where the mobile data processing shares CPU, memory, power control and/or whatnot with the host system. The very idea that you could shield such a phone from a targeted exploit via a hacked mobile carrier is pretty much a pipe dream IMHO, given the complexity of these protocols.

A well-designed interface between the car and the rest of the world works via encrypted protocols, and by that I mean an up-to-date version of TLS or similar. Whether the channel transmitting these TLS messages is itself encrypted or not is immaterial.

However, that only shifts the responsibility for securing all of this to the servers in the car manufacturer’s data center. In a sensible world the protocol between the car and its home base is documented and you can teach YOUR car to talk to YOUR server instead of the manufacturer’s. (This should of course require some nontrivial effort that can’t be exploited by a car thief.) Unfortunately we don’t seem to live in such a world.

Keith March 29, 2023 3:18 PM

What kind of engineers and security executives do these companies hire?
It is just a simple matter of following a basic secure software development lifecycle. Looks like all such talent is concentrated within tech industry like Googles and startups. Rest like auto, fintech, healthcare have no idea what cybersecurity is. Just look at their CISO or other responsible one’s profile and background. Most never wrote production quality code in their career. But have useless certifications like CISSP,… MBAs, JDs with no security engineering background.

It happens mostly in the USA because there are really no qualified people OR qualified ones are just ignored.

Mat March 29, 2023 3:59 PM

Board should fire these CEOs right away for hiring incompetent CISOs.
Let’s not blame government and regulators, who we know are completely useless.

Imagine bad guys exploiting these vulnerabilities causing loss of human lives.
