Hacker News
Thieves Break Into Cars Using Mysterious 'Black Box' (cbslocal.com)
30 points by BrandonMarc on Feb 28, 2014 | 49 comments


I'm assuming automakers don't publish their specs for keyless entry for review? I'm sure they are relatively insecure, and they almost surely have backdoor codes known to thousands of individuals in each company and likely to several law enforcement agencies as well. Such info will inevitably be leaked. I'm honestly surprised we haven't already seen widespread hacking of keyless entry. Now that many cars do all their user authentication to wireless keyfobs, hotwiring's not even necessary if you can crack the protocol.


It's RF so all you would need is a little know-how and a spectrum analyzer...


They could use an interactive zero knowledge proof, or some such crypto.


They could, but most people only test that something works, not that it doesn't work ("goto fail"), and so probably didn't do that.

"UNLOCK" "OK"


Not exactly a new story: https://www.google.com/search?q=automatic+door+unlocker&ie=u...

That said, it's annoying. I've gotten in the habit of pulling the fuse to the car locks in my car when I park it in the long term airport lot.


My anti-theft device is a gearshift. Nobody knows how to drive them anymore.


I believe these thieves are looking for valuables left in the car, as opposed to the vehicle itself. The "black box" unlocks the doors, but doesn't necessarily start the car.


Except everyone who didn't learn to drive in the USA.


In the USA, the vast majority of drivers, and probably an even larger majority of would-be car thieves, learned to drive in the USA.


I love how some people believe that this is a USA-only phenomenon.


Well, I can't say for South American countries or Asia, but in Europe it is quite unusual for people to _not_ be able to drive stick :)


I live in the UK and everyone I know who's ever passed a driving test drives a manual/stick.


Fortunately, I never take my car to the UK!


This is only the tip of the iceberg as far as this kind of thing is concerned (this kind of thing being people relying on software to keep them and their belongings safe).

With people's lives at risk and with cars representing huge investments for many people, it's probably about time to get regulation that requires the software systems that are interacting with vehicles to be open to experts at large.

The same goes for things like in-home security software.

The competition should not be in the critical software. That much needs to be standard. The competition should be around fluff, construction quality, body design, brand, perks, horsepower, etc.

How is this kind of thing handled in the medical and aviation industries? How about NASA? Life-critical and safety-critical software isn't something you should hire the lowest bidder to create, nor is it something that should be hidden away in the belief that "obscurity is (the best, and the only) security."


While I agree with your general point of making car security openly auditable, I think the best short-term approach to fix this is via insurance companies. They have a direct financial loss from badly designed car locks, and probably sufficient power to issue direct pressure to the car makers as well as indirect pressure to car owners through astronomical insurance rates.


> How is this kind of thing handled in the medical and aviation industries?

Since you ask, I'll draw on what I've learned from my childhood best friend (an electrical engineer who worked first in the aviation industry and now in the medical device industry) and my son (who was a summer intern for a medical device company). Simply put, safety-critical devices are heavily regulated in those industries, and everything new is assumed to be safety-critical by default. My son's summer work designing the doctor-facing user interface of a new bedside patient monitor was subject to a line-by-line code review by programmers on the FDA staff. He estimated that the product he worked on would take six years to get to market, even though it was just version 2 of a device that already worked and had clinical usefulness. Federal government regulators try to be extra careful in review of new software that protects human lives in those industries.


> How is this kind of thing handled in the medical and aviation industries?

You need government approval (FDA or FAA respectively) to bring a product to market. Are you sure you want that kind of bureaucratic overhead (and the associated politics) in your car and home alarm?


I don't think "government" means "good engineering", I think that it should be thoroughly vetted by sufficient expertise.

I'm not sure if the FDA or FAA are capable of doing that, given how the government is really, really bad at building or contracting software (in general).

If only we could have some kind of standardized software to power these devices that is built by the community at large and thoroughly reviewed for correctness. Even at the cost of limiting hardware, I think that's an option.


It'd be neat if they could come to some sort of a standard on this so that it's an open, reviewable piece of software that handles the crypto side of things and then passes that off and they (the Automakers) can "customize" the rest of the software all they want.

Somewhat (but also not at all) like a more advanced OBD-II [0]

[0] http://en.wikipedia.org/wiki/On-board_diagnostics#OBD-II


> The competition should not be in the critical software. That much needs to be standard. The competition should be around fluff, construction quality, body design, brand, perks, horsepower, etc.

Could you explain your reasoning for this claim? Does competition lead to better/more efficient products, or doesn't it? Why do you desire to leave non-critical parts to competitive forces, but not the critical parts?


It doesn't because 99% of people are entirely and completely ignorant of these systems and their importance. And no amount of discussion or even car theft is going to put it in terms that they understand. Here the news item is "with a black box that nobody understands." That wording is HORRIBLE for HN. Because it makes it sound like it's black magic and this group has found some genie that opens cars. Instead, it's more likely a simple exploit of a very vulnerable system. But that wording gives you a glimpse into how most people see technology. It's just magic. Their cares about how software works are nonexistent enough. There's no reference for "good" vs "bad" crypto, insecure design, etc.

Until we have a car that kills 500 people because of faulty software, it's just not that important to people, which means there's no pressure in industry to get it right. People understand "my car will kill me if X isn't good." That's why people understand getting their tires rotated and replaced. That's why they understand to get checkups and to replace belts, filters, oil, etc. That's why they understand you need to replace your brake pads and other such hardware, even if it feels a little expensive. But when you point out that very few people have ever even been injured by bad software in a car, they think "well it can't be that bad." And "good enough", especially in a market like the US where mediocre is what sells the most, is where the market stops innovating.

I hope a company like Tesla is a little more concerned with the quality, though. Maybe we can get a decent example of how to do things.


> Until we have a car that kills 500 people because of faulty software, it's just not that important to people, which means there's no pressure in industry to get it right.

I agree with that. But what is your alternate proposal, and where does the pressure to get it right come from in your proposal?


I don't think there's any other way to apply pressure to these companies other than regulation, unfortunately. They don't care much about what we think, and their customers don't care, so outside of forcing them to use a secure system (or else not be allowed to sell their products), it'll never happen.


But what I meant is: where does the "pressure to get it right" come from when government decides to regulate something? If the aggregation of actors' choices in a competitive market doesn't provide pressure to get it right, why would the aggregation of actors' choices in a government provide pressure to get it right?


I'm not saying it would. But the point is that it should, and it's stupid that it doesn't.

It's 2014.

"Someone stole my car by using a packaged exploit that is easier to find and abuse than breaking anything on DVL"

This is just unacceptable.

I think most of us (here) care about the software our cars are running. It's also absurd that we can't access the computers and put our own software on them. It may be difficult to get legislators to realize just how bad this software is and how important it is to get right, but it's their job to listen. An alternative is to push for openness of these computing devices. Having access to put your own software on any computer you own may enable the existence of open source implementations that are better than the defaults, and sensationalist headlines might get enough attention of the right people to make something happen. "These hackers can keep your car from being stolen, for free."

Alternatively, headlines about this kind of issue need to be more specific. 'Mysterious "black box"' seems like the headline created by someone in the pocket of the industry. Instead, how about a headline like "a black box created by low-tech criminals exploiting massive security holes that car manufacturers know about allows anyone to unlock and start any car". Maybe it's a bit wordy, but it's somewhere to start. And it shines a light on the real problem. It doesn't paint it as a mystery with only the thieves at fault.


I'm surprised that it's taking so long for these kinds of stories to hit the news. Here's a paper from three years ago describing some disturbing attack vectors on a modern automobile: http://www.autosec.org/pubs/cars-usenixsec2011.pdf


This is nothing new. I saw a similar report with a different video over a year ago (couldn't find the link).



Glad I'm not the only one that thought that. Got a serious case of deja vu, almost exactly the same article text, including Texas having confiscated one of them.


There was a pretty good talk at 29C3 about side-channel analysis and how it can break secret keys of wireless devices and smartcards. [1]

With knowledge of cryptanalysis and lots of free time I think it's conceivable that someone could have cracked the system. I wonder if car companies test their crypto very rigorously?

1. https://www.youtube.com/watch?v=Y1o2ST03O8I



Read somewhere that this is possible by replaying Bluetooth (or similar) keyless entry signals. The suspect doesn't actually know what car he or she is going to unlock. So they brute force walk by any car that opens and drive off.


Anyone know how this is done? Maybe brute forcing the keyless entry? Maybe damaging the antenna/preamp with something high-powered would work if there's a fail safe feature to unlock the car in that event?


I've recently seen a presentation about attacks on a widely used system used in current cars.

There are a couple of different ways that are significantly better than brute force (as in: works against real cars in seconds to a few minutes). (Though since key length is only 48 bit, even brute forcing might be practical.)

This might interest you:

https://www.usenix.org/system/files/conference/usenixsecurit...


I post this whenever this subject surfaces. Great paper.


I'm pretty sure I've had this happen to me [1]: both my Chevy and Jeep were broken into on the same night without damage.

Knowing nothing about how it was done, I'd just assume the security was really bad [2] and the box simply emitted all possible combinations. Has any industry ever taken security seriously before the first major breach?

Our solution is to never store anything of value in the car.

[1] Pretty sure because I almost never leave a car unlocked. Two cars unlocked is even more unlikely.

[2] By way of example, unlocking my Chevy with its fob routinely set off a car alarm for a different car. That tells you right there that the car alarm receiver has zero security.


The typical attack in the past involves two devices, one by the car and one by the key. But that attack only works on proximity fobs for obvious reasons.


I read last year the (Texas?) police had some similar devices in their possession. The ones the article talked about listened to lock frequencies and could then work out the unlock frequency from it. So the criminals would scan car parks waiting for people to lock cars that were brought in, wait for the person to leave, then approach the car and unlock it with the captured frequency.

I have no idea if that's what all these devices are, or how legit the article was, but seems legit to me.
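
Added example (not part of the original thread, and not any automaker's code): the capture-and-replay scenario described in the comment above, seen from the receiver's side, comparing a fixed unlock code with the interactive proof suggested earlier in the thread. It uses an HMAC challenge-response as a simpler stand-in for a zero-knowledge proof; the class names, the code value and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

FIXED_CODE = b"UNLOCK-0001"  # constructed sample value, not a real fob code


class FixedCodeReceiver:
    """Accepts the same static frame every time."""

    def __init__(self, code: bytes):
        self.code = code

    def verify(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class ChallengeResponseReceiver:
    """Issues a fresh random challenge; each challenge is valid for one attempt."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:          # no outstanding challenge: reject
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None               # consume the challenge
        return hmac.compare_digest(response, expected)


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """Key fob side: prove knowledge of the shared key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def replay_outcomes():
    """Return (fixed_replay_ok, fresh_response_ok, replayed_response_ok)."""
    fixed = FixedCodeReceiver(FIXED_CODE)
    fixed_replay_ok = fixed.verify(FIXED_CODE)   # a recorded frame stays valid

    key = secrets.token_bytes(32)
    car = ChallengeResponseReceiver(key)
    recorded = fob_respond(key, car.challenge())
    fresh_ok = car.verify(recorded)              # legitimate unlock
    car.challenge()                              # later attempt, new challenge
    replayed_ok = car.verify(recorded)           # old response no longer matches
    return fixed_replay_ok, fresh_ok, replayed_ok
```

A fresh challenge stops replay of a recorded frame, but not the two-device relay on proximity fobs mentioned earlier in the thread, because a relayed response is computed over the current challenge.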


I suspect it will be necessary soon to start putting a keypad on the keyfob or door handle to enter a PIN code in order to unlock the door.


Too bad there isn't a market for modern vehicles with minimalist, open-source embedded systems. That would be cool.


Writing real time serial DAQ applications that will run for 20-30 years on end on custom 20 year old microprocessor isn't exactly for the faint of heart.

Source: this is part of my job, I work in fuel systems.


I meant more in the sense that it would make all the subsystems of the vehicle subject to review by security researchers and hobbyists.

Things like backdoors in key/locking mechanisms or even gross incompetence would be difficult to hide when the underlying hardware and software was open source.


(sorry long weekend)

The issue becomes when open sourcing engine components it becomes very easy to damage engines in ways that could injure the driver/other people on the road, as well as maintain EPA standards for emission and fuel consumption.

Not every mechanic is a Fuel System Engineer, it's relatively easy to hydrolock an engine. If you screw up the internal mechanics then just a hop-skip-and-a-jump to a VERY rapid dis-assembly.

It's a lot like overclocking, but instead of a 500CPU you have a 5,000 6 chamber bomb.


There are many options, my favorite: https://www.factoryfive.com/kits/project-818/ Go ahead and put whatever you like in there from there if you like. In person I've seen custom instruments built on Tegra and QNX in someone's project even. Sky's the limit!


Except when you have to download security updates before you drive off, and it leaves you bricked with dependency conflicts.


  Gee, you guize! Oh noes, scarey people is 
  doing bad, bad tings, and let's all worry now!
  Police no can help! Meesuh gonna die now???
Is there a particular reason why the 5 o'clock news is dumbed down to non-verbal pre-schooler degrees of retardation? I mean this is like Barney The Purple Dinosaur "2 + 2 is 4" level informative.

  "...AND NO ONE KNOWS WHAT IT IS!"
Bullshit. That is a fucking lie. What's the next segment going to be? Strange lights in the sky, and maybe they're space aliens? Thanks for nothing, "journalists."

Someone knows exactly what it is, and where it came from, and they're just not permitted to explain on public channels, because classified. This is just an all-points-bulletin to make sure an otherwise disinformed citizenry starts reporting on a type of crime that they might've been previously unfamiliar with.


> Is there a particular reason why the 5 o'clock news is dumbed down to non-verbal pre-schooler degrees of retardation?

Yes, getting eyeballs and selling ads. The simple model of appeals with high emotional resonance and low rational content that generates among a large segment of the population a feeling that the world is a scary, scary place and if they don't keep tabs on the latest danger by watching the news it will be even more dangerous for them is a very effective way of doing that.


Often, there's simply no benefit to putting more than the minimum amount of effort into a story. Staff may be untrained, overworked, underpaid, crunched for time or (apparently in this case) just serving up whatever shit the mothership gives them to fill some space.

Just look at how many times that particular 'story' mentions 'CNN reported' and 'CNN says.' And the whole thing is like ten sentences. I bet someone didn't even have to put down their coffee for this one.


I've worked at a local NBC station that was exactly like this. Nice people, but there's absolutely no incentive at all for anything in depth. Local stations sometimes redeem themselves when shitty weather hits the fan though.



