Ready to patch your car?

Topic

New Reply

ON SECURITY By Susan Bradley Recently, I lamented having to get rid of an older automobile that had very little in the way of technology. As I mention
[See the full post at: Ready to patch your car?]

Susan Bradley Patch Lady

5 users thanked author for this post.

rc primak, Charlie, Alex5723, Seff, geekdom

Reply | Quote

Replies

Thanks Susan, an interesting article.

Having got a new VW last year I can’t say I’m over-impressed with the new technology. For example, the concept of lane control is fine in principle, who wouldn’t want to be roused from drifting brought on by drowsiness, but it takes it too far and frequently tells me to get in the middle of the lane when it’s misreading the road markings and I’m already there. Moreover, having to access most things from the “Infotainment” screen is so much more distracting from the road ahead than the old way of flicking a switch or turning a knob etc.

Once all this car technology came in, I had a vivid imagination of being in the fast lane of the motorway and wondering if I had the confidence to take in my stride the message “Your car’s software is being updated, you can continue to drive as normal”! What if I got home and attempted to turn the engine off only to be told “The car’s software is being updated, do not turn the engine off”!

Those things were only in my imagination of course, but my biggest peeve is a very real one. All the computer power and technology, and they can’t include a CD player? Really?

3 users thanked author for this post.

rc primak, Cybertooth, Charlie

Reply | Quote

Just as I patch my lattop, nu smartphone, tablet, watch. I patch my car. After all it is running as OS with bugs, security bugs, new features… just like any other OS.

1 user thanked author for this post.

rc primak

Reply | Quote

Cheap, effective mitigation for the current highest risk on new cars with remote start key fobs:  a faraday box.

I got one that actually works for about $20 . . .  tested by putting keys inside and trying to open a car that uses the near field to unlock doors when I touch the handle.

~ Group "Weekend" ~

3 users thanked author for this post.

rc primak, Cybertooth, Charlie

Reply | Quote

As a person who keeps his cars an average of 32 years, I would hate the very real possibility of having to buy a new car every 10 to 12 years just because the manufacturer stops sending out updates and patches.  Think MS and Windows.  Then think again how uneasy you feel after update plays its games with your computer.

Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

3 users thanked author for this post.

rc primak, Microfix, Cybertooth

Reply | Quote

We would be lucky to have a car OS go for 10 or 12 years. Wouldn’t surprise me to learn that “support” would last for 3 years like with phones, then the scolds would start jumping on drivers for running insecure systems.

Nice little racket that would be, steamrolling customers every few years into shelling out $15K or $30K that they could otherwise save for retirement or spend on other things.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

Charlie, Microfix

Reply | Quote

That ‘racket’ is probably here and now..but not so ‘nice’ long-term.
Pay-per-patch coming to car dealerships near you?
No ESU patches required for our car, just the way we like it.

Keeping IT Lean, Clean and Mean!

3 users thanked author for this post.

Cybertooth, Charlie, rc primak

Reply | Quote

Susan Bradley wrote:

One cannot just walk up to a car, plug in a USB drive, run AutoRun, and install malware.

Um, I beg to differ:

Gone in 130 seconds: New Tesla hack gives thieves their own personal key
You may want to think twice before giving the parking attendant your Tesla-issued NFC card.
https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/

All that’s required is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas—the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.

Do you want to argue that this was just a “proof of concept”?

-- rc primak

2 users thanked author for this post.

Cybertooth, Alex5723

Reply | Quote

rc primak wrote:

Do you want to argue that this was just a “proof of concept”?

Yes. And it doesn’t use USB, AutoRun or install malware.

But “need to be meticulously reverse-engineered” applied.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

Yes.  Read on

“The official Tesla phone app doesn’t permit keys to be enrolled unless it’s connected to the owner’s account, but despite this, Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars.”

Which is not out yet ” We are currently planning to release the TeslaKee app in Q3 2022.” and has to get through the Apple store.  He built an advertising gimmick to sell his app.

Susan Bradley Patch Lady

Reply | Quote

And between now and then that Tesla will probably be patched to subvert this.  He’s going to play wack-a-mole with Elon.  Good luck with that quest.

Until an ACTUAL theft has occurred – like all of the catalytic converters that keep being stolen – it’s still a proof of concept right now.

Susan Bradley Patch Lady

1 user thanked author for this post.

rc primak

Reply | Quote

b wrote:

rc primak wrote:

Do you want to argue that this was just a “proof of concept”?

Yes. And it doesn’t use USB, AutoRun or install malware.

But “need to be meticulously reverse-engineered” applied.

I believe Susan’s post was about car security.

IMO @rc-primak’s post was about successfully subverting car security.

I believe that your post was about semantics, not security.

At the end of the day, if my car was stolen as the result of poor security, semantics really wouldn’t matter a stuff to me.

2 users thanked author for this post.

rc primak, satrow

Reply | Quote

Rick Corbett wrote:

IMO @rc-primak‘s post was about successfully subverting car security.

I believe that your post was about semantics, not security.

Then he really should not have chosen to “beg to differ” with a very specific quote from Trend Micro’s white paper “Cybersecurity for Connected Cars” about how cars are different from computers or phones and therefore much more difficult to attack:

3.4 Challenges of Deploying Malware in Cars

There is this common misconception that just because modern cars share many of the same hardware and software components with everyday IT systems, infecting a car with malware is a straightforward task. This is far from the truth. Here, we discuss the limitations that hackers attempting to infect cars will have to contend with.

• One cannot just walk up to a car, plug in a USB drive, run AutoRun, and install malware. Different car OEMs have vastly different system architecture and software environments that need to be meticulously reverse-engineered for an individual or group to learn how to access systems and execute a random binary.

Does this Tesla NFC proof of concept attack sound simple to develop, easy to implement or difficult to prevent?

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

https://www.motorbiscuit.com/hackers-targeting-ev-charging-stations/

https://www.autonews.com/mobility-report/ev-chargers-emerge-targets-hackers

Error posting: Error: Your reply cannot be created at this time.

1 user thanked author for this post.

rc primak

Reply | Quote

Alex5723 wrote:

https://www.motorbiscuit.com/hackers-targeting-ev-charging-stations/

Typically, cybercriminals hack electric cars to hold the vehicle, or the charging station, for ransom.

But:

Supposing that there was a successful ransomware infection for car brand X, for instance, the following points of contention must still be addressed:

• The attackers would need to ensure that the ransomware does not cause fatality as that will attract too much attention.

• The infection can be cleared just by reflashing the ECU(s) at the dealer.

• Ransomware payment cannot guarantee that the car will return to its normal operation; instead of paying, reflashing might be better.

• Ransomware is a best-effort malware versus a targeted attack, so it is logical to expect that no ransomware author will spend a huge amount of time and money developing complex malware that only works with a single car model in specific circumstances.

Cybersecurity for Connected Cars — Trend Micro Research white paper

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

1 user thanked author for this post.

Alex5723

Reply | Quote

no ransomware author will spend a huge amount of time and money developing complex malware that only works with a single car model in specific circumstances.

Microsoft issues CUs for billion different PC configurations, so can hackers.

1 user thanked author for this post.

rc primak

Reply | Quote

They could but they won’t because it’s much too expensive, especially with unlikely return for investment.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

b wrote:

They could but they won’t because it’s much too expensive, especially with unlikely return for investment.

They will.

Just like with phishing. Hackers send thousand of phishing mails. They need only a couple of hundreds to gain profit.

The world is going forward to ‘all electric cars’ so the scope of available targets will expand.

1 user thanked author for this post.

rc primak

Reply | Quote

Phishing emails cost next-to-nothing. Practically zero for research and development. But a very likely small result.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

Reply | Quote

I envision a “business model” akin to spear-phishing, where the average payoff is increased by the bad guys’ focusing on high-value targets.

And the goal need not even be money–it could be the elimination of people deemed inconvenient. (Hence I reject the putative need for the hackers to avoid causing fatalities.)

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

rc primak

Reply | Quote

FYI: 1960 VWs did NOT have seatbelts…Not even as an option 🙂

1 user thanked author for this post.

Cybertooth

Reply | Quote

Thanks, Susan. That was reassuring, your bit near the end about the steps one would have to take to hack a car.

Still, I’m not eager to move to one of these bleeding edge machines that requires my cellphone, Internet connection and the chip in my head to operate. Just keep it simple.

To the point about accepting the EULA or whatever the car requires: you probably can’t go anyhere unless you do accept. We have to end that.

Reply | Quote

Tesla ready to add ‘Reverse Summon’ by the end of the year.

Reverse Summon or ‘Park Seek’ as Tesla appears to be calling it, is the opposite of Smart Summon. Whereas Smart Summon drives to you from a parking spot, users who activate Reverse Summon would have their Tesla drop them off at a location, perhaps closest to the entrance of a mall, and then find a parking spot. This feature was described by Musk on July 1, 2020, when he gave it a two to a four-month timeline.

Ashok Elluswamy, Tesla’s director of the Autopilot program, started the FSD portion of AI Day, saying, “FSD beta software is quite capable of driving the car. It should be able to navigate from parking lot to parking lot, city street driving, stopping for traffic lights and stops signs, negotiating with objects at intersections, making turns and so on.”..

Reply | Quote