https://www.schneier.com/blog/archiv....html#c1271436
Recent Auto Recalls Result of Multi-national Cyber Attack
Detroit – Six major automakers today held an unprecedented joint press conference to announce the result of investigations into the spate of recent recalls. GM, Ford, Fiat/Chrysler, Honda, Toyota, and Nissan met with their major electronic module suppliers Delco, Bosch, and Mitsubishi. All recently issued major recall campaigns to address rough idling, high gas consumption, and PCM (powertrain control module) failures.
Albert Darrow, chief counsel for GM, released the following:
“This week the major automakers worked diligently to understand what we now know was a cyber attack on our industry. A multi-national group, funded by oil producing and electronics manufacturing countries, engineered a virus that attacks our PCMs, causing them to overwork their output drivers until the drivers fail. What begins as poor mileage causes complete engine failure within about 4 weeks.
When we asked how this was possible, we found three critical factors. In 2012 a group of thoughtless computer science researchers in Washington and California reported that automotive systems were not protected against hackers. These results alone were irrelevant; the automobile is a closed system not connected to anything. The US Department of Transportation and international counterparts in the 1980s required that all cars include an OnBoard Diagnostics port (called OBD-II in the US and EOBD elsewhere) connected to the PCM to facilitate emissions maintenance. Several insurance companies made devices, devices not sanctioned by the auto manufacturers, which plug into the OBD-II and connect to the Internet.
Insurance companies failed to warn customers that these devices were dangerous. In fact the insurers, in the form of lower premiums, paid customers to install the devices. The government mandate for OBD-II made all cars vulnerable, creating what security researchers termed a monoculture. Government was aware of the risks caused by mandating a monoculture, but since it was only discussed in obscure security blogs the industry was unaware of it. Under the recent cyber-security regulations, the Department of Homeland Security took responsibility for protecting automobile infrastructure from cyber-attack, and they did nothing to prevent this.
We have identified over 150 million autos in the US that are vulnerable to this virus. It has spread to every dealership and emissions inspection station in the country, and there is no means to eliminate it. Any car that has been to the dealer in the last 6 months should be considered infected. All infected cars will fail in the next 3-4 months. Estimates to replace these cars begin at $3 trillion. We call upon the government, in light of their substantial fault in the matter, to institute an immediate program to compensate victims. We expect to have new cars, without the vulnerabilities, on the market within 6 months. The PCMs will be designed and built by a consortium of defense contractors, knowledgeable of the techniques needed to make computers invulnerable to such attack. Unfortunately, old PCMs cannot be retrofitted. Thank God we had an American cyber-industry available to help when this war on cars was started.”
....
You done been punked?