Hacking a Jeep's electronic control systems

[freebeard]

Jack Rickard puts the whole Jeep thing down to an attack on your right to repair your own vehicle:

Quote:

In the month when the copyright office is expected to issue a waiver of the Digital Millineum Copyright Act for those seeking to learn about and repair their own automobiles, would you believe that two notorious “hackers” have successfully hacked into a Jeep Cherokee in St. Louis and posed a grave threat to life and limb of the driver by completely taking over control of the vehicle. And two congressmen, also supported by Chrysler, are introducing legislation to address this severe threat to the cyber security of our nation of people hacking into cars? The article appeared in Wired Magazine and they didn’t even bother to hide the fact that the genius hackers had direct access to the vehicle for months and indeed had installed different firmware in the vehicle? Or that they were paid by Chrysler? And that Chrysler had issued a recall just hours before the event assuring all owners they could be secured from the security breach at no cost? There is so much wrong with this story that I scarce know where to begin, but due to the George Carlin effect no doubt a sufficient number of innocents will buy into this manufactured pap as to pose a real problem.

http://evtv.me/2015/07/weve-gone-plaid/

He was amused by the Tesla hack because they went in through an Ethernet port in the infotainment subsystem to get to the CANbus and then couldn't do much; while two feet away is a port with CAN high and low and he sells the tool to read and inject any CAN messaging you choose.

Right now he's working on smoothing out the regen at differing speeds.

[freebeard]

Replying to myself to bump the thread.

Highway to hack: Why we’re just at the beginning of the auto-hacking era

Ars Technica on the institutional impediments to good security in moving vehicles. It highlights how Tesla's outsider status allows it to re-imagine how security works.

Quote:

These are just the attack approaches that are being tried now. Corman said he believes, as In-Q-Tel Chief Information Security Officer Dan Geer has suggested, that "bugs are dense"—meaning there are sure to be a given number of potentially exploitable defects in every thousand lines of code. "The total number of bugs will go up as the total number of lines of code goes up," he said. "The total number of access points to the exploitable codes go up as the number of devices on the network go up. And the total number of adversaries go up because now we've taken car hacks from theoretical to demonstrable." Car companies, Corman said, have to be prepared for software failures, because it's not a question of if they will happen, but when. The more important question becomes how car makers will respond.

Running the article through Mac OSX Summarize:

Quote:

This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.


...No one at Ford, GM, and Chrysler would talk with Ars about their strategy for uncovering potential security issues in software that could be used for "cyber-physical" attacks—hacks that could have an impact in the physical world by interfering with the operation of cars.

...The “attack surfaces” of cars that get the most attention are the ones designed to keep people from driving away with cars they don’t own—electronic keyless entry systems or locks and vehicle immobilizers that use low-power radio to detect the presence of a valid car key before allowing a car to start for example.

...But connected car services such as GM’s OnStar, Fiat Chrysler’s Uconnect, Ford’s Sync, and add-on services such as those based on Mobile Devices’ C4 OBD2 “dongle” greatly extend the range of a potential attack—especially if the attacker’s goal is to do damage by interfering with the driver’s ability to operate the vehicle.