ON SECURITY By Susan Bradley Recently, I lamented having to get rid of an older automobile that had very little in the way of technology. As I mention
[See the full post at: Ready to patch your car?]
Susan Bradley Patch Lady
Thanks Susan, an interesting article.
Having got a new VW last year I can’t say I’m over-impressed with the new technology. For example, the concept of lane control is fine in principle, who wouldn’t want to be roused from drifting brought on by drowsiness, but it takes it too far and frequently tells me to get in the middle of the lane when it’s misreading the road markings and I’m already there. Moreover, having to access most things from the “Infotainment” screen is so much more distracting from the road ahead than the old way of flicking a switch or turning a knob etc.
Once all this car technology came in, I had a vivid imagination of being in the fast lane of the motorway and wondering if I had the confidence to take in my stride the message “Your car’s software is being updated, you can continue to drive as normal”! What if I got home and attempted to turn the engine off only to be told “The car’s software is being updated, do not turn the engine off”!
Those things were only in my imagination of course, but my biggest peeve is a very real one. All the computer power and technology, and they can’t include a CD player? Really?
Cheap, effective mitigation for the current highest risk on new cars with remote start key fobs: a faraday box.
I got one that actually works for about $20 . . . tested by putting keys inside and trying to open a car that uses the near field to unlock doors when I touch the handle.
~ Group "Weekend" ~
As a person who keeps his cars an average of 32 years, I would hate the very real possibility of having to buy a new car every 10 to 12 years just because the manufacturer stops sending out updates and patches. Think MS and Windows. Then think again how uneasy you feel after update plays its games with your computer.
Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.
We would be lucky to have a car OS go for 10 or 12 years. Wouldn’t surprise me to learn that “support” would last for 3 years like with phones, then the scolds would start jumping on drivers for running insecure systems.
Nice little racket that would be, steamrolling customers every few years into shelling out $15K or $30K that they could otherwise save for retirement or spend on other things.
That ‘racket’ is probably here and now, but not so ‘nice’ long-term.
Pay-per-patch coming to car dealerships near you?
No ESU patches required for our car, just the way we like it.
Susan Bradley wrote:
One cannot just walk up to a car, plug in a USB drive, run AutoRun, and install malware.
Um, I beg to differ:
Gone in 130 seconds: New Tesla hack gives thieves their own personal key
You may want to think twice before giving the parking attendant your Tesla-issued NFC card.
https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/
All that’s required is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas—the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.
Do you want to argue that this was just a “proof of concept”?
-- rc primak
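The attack quoted above works because, as described in the article, the car treats “an NFC card unlocked me less than 130 seconds ago” as sufficient authorization to enroll a new key from whatever BLE peer is nearby. The following is an added example (not Tesla’s code, not the researcher’s Teslakee app, and not a model of the VCSec protocol) that contrasts that recency-only policy with one that additionally binds enrollment to an owner-authenticated session. All names (`Vehicle`, `EnrollRequest`, `owner_token`) and the shared-secret token are hypothetical and constructed for illustration.

```python
"""Time-window key enrollment: weak (recency only) vs. hardened (recency plus
owner-session binding). Hypothetical model, not Tesla's or Teslakee's code."""

import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

ENROLL_WINDOW_SECONDS = 130.0  # window length quoted in the article


@dataclass
class EnrollRequest:
    peer_id: str                      # BLE peer sending the request (anyone in range)
    new_key_id: str                   # key the peer wants the car to trust
    t: float                          # time the request arrives (seconds)
    owner_token: Optional[str] = None  # proof of an owner-account session, if any


@dataclass
class Vehicle:
    keys: Set[str] = field(default_factory=set)
    last_nfc_unlock_t: Optional[float] = None
    # Constructed stand-in for whatever secret the owner's app would hold.
    owner_token: str = "owner-session-token"

    def nfc_unlock(self, t: float) -> None:
        """Owner taps the NFC card; the attacker can force this by jamming BLE."""
        self.last_nfc_unlock_t = t

    def _within_window(self, t: float) -> bool:
        return (self.last_nfc_unlock_t is not None
                and 0.0 <= t - self.last_nfc_unlock_t <= ENROLL_WINDOW_SECONDS)

    def enroll_vulnerable(self, req: EnrollRequest) -> bool:
        """Weak policy: a recent NFC unlock is the only check. Any BLE peer that
        watched the owner tap the card can enroll its own key in the window."""
        if not self._within_window(req.t):
            return False
        self.keys.add(req.new_key_id)
        return True

    def enroll_hardened(self, req: EnrollRequest) -> bool:
        """Hardened policy: keep the physical-presence window, but also require
        the request to carry the owner's session token, which a bystander with
        a radio cannot observe or forge. Constant-time compare avoids leaking
        the token through timing."""
        if not self._within_window(req.t):
            return False
        if req.owner_token is None or not hmac.compare_digest(
                req.owner_token, self.owner_token):
            return False
        self.keys.add(req.new_key_id)
        return True


def thief_scenario(policy):
    """Owner taps the card at t=0; a nearby attacker requests enrollment at t=30."""
    car = Vehicle()
    car.nfc_unlock(t=0.0)
    req = EnrollRequest(peer_id="thief-phone", new_key_id="thief-key", t=30.0)
    return policy(car, req), set(car.keys)


def owner_scenario(policy):
    """Owner taps the card and enrolls a key from the authenticated app."""
    car = Vehicle()
    car.nfc_unlock(t=0.0)
    req = EnrollRequest(peer_id="owner-phone", new_key_id="owner-key", t=30.0,
                        owner_token=car.owner_token)
    return policy(car, req), set(car.keys)


def late_scenario(policy):
    """Attacker misses the window: request arrives at t=200 (> 130 s)."""
    car = Vehicle()
    car.nfc_unlock(t=0.0)
    req = EnrollRequest(peer_id="thief-phone", new_key_id="thief-key", t=200.0)
    return policy(car, req), set(car.keys)


if __name__ == "__main__":
    print("vulnerable, thief:", thief_scenario(Vehicle.enroll_vulnerable))
    print("hardened,   thief:", thief_scenario(Vehicle.enroll_hardened))
    print("hardened,   owner:", owner_scenario(Vehicle.enroll_hardened))
```

The general lesson is not Tesla-specific: “something privileged happened recently” is an observable event, not a secret, so it cannot stand in for authentication of the party asking for the privilege.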
Do you want to argue that this was just a “proof of concept”?
Yes. And it doesn’t use USB, AutoRun or install malware.
But “need to be meticulously reverse-engineered” applied.
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
Yes. Read on
“The official Tesla phone app doesn’t permit keys to be enrolled unless it’s connected to the owner’s account, but despite this, Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars.”
Which is not out yet: “We are currently planning to release the TeslaKee app in Q3 2022.” And it has to get through the Apple store. He built an advertising gimmick to sell his app.
Susan Bradley Patch Lady
And between now and then that Tesla will probably be patched to subvert this. He’s going to play whack-a-mole with Elon. Good luck with that quest.
Until an ACTUAL theft has occurred – like all of the catalytic converters that keep being stolen – it’s still a proof of concept right now.
Susan Bradley Patch Lady
Do you want to argue that this was just a “proof of concept”?
Yes. And it doesn’t use USB, AutoRun or install malware.
But “need to be meticulously reverse-engineered” applied.
I believe Susan’s post was about car security.
IMO @rc-primak’s post was about successfully subverting car security.
I believe that your post was about semantics, not security.
At the end of the day, if my car was stolen as the result of poor security, semantics really wouldn’t matter a stuff to me.
IMO @rc-primak‘s post was about successfully subverting car security.
I believe that your post was about semantics, not security.
Then he really should not have chosen to “beg to differ” with a very specific quote from Trend Micro’s white paper “Cybersecurity for Connected Cars” about how cars are different from computers or phones and therefore much more difficult to attack:
3.4 Challenges of Deploying Malware in Cars
There is this common misconception that just because modern cars share many of the same hardware and software components with everyday IT systems, infecting a car with malware is a straightforward task. This is far from the truth. Here, we discuss the limitations that hackers attempting to infect cars will have to contend with.
• One cannot just walk up to a car, plug in a USB drive, run AutoRun, and install malware. Different car OEMs have vastly different system architecture and software environments that need to be meticulously reverse-engineered for an individual or group to learn how to access systems and execute a random binary.
Does this Tesla NFC proof of concept attack sound simple to develop, easy to implement or difficult to prevent?
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
https://www.motorbiscuit.com/hackers-targeting-ev-charging-stations/
https://www.autonews.com/mobility-report/ev-chargers-emerge-targets-hackers
https://www.motorbiscuit.com/hackers-targeting-ev-charging-stations/
Typically, cybercriminals hack electric cars to hold the vehicle, or the charging station, for ransom.
But:
Supposing that there was a successful ransomware infection for car brand X, for instance, the following points of contention must still be addressed:
• The attackers would need to ensure that the ransomware does not cause fatality as that will attract too much attention.
• The infection can be cleared just by reflashing the ECU(s) at the dealer.
• Ransomware payment cannot guarantee that the car will return to its normal operation; instead of paying, reflashing might be better.
• Ransomware is a best-effort malware versus a targeted attack, so it is logical to expect that no ransomware author will spend a huge amount of time and money developing complex malware that only works with a single car model in specific circumstances.
Cybersecurity for Connected Cars — Trend Micro Research white paper
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
They could but they won’t because it’s much too expensive, especially with unlikely return for investment.
They will.
Just like with phishing. Hackers send thousands of phishing mails. They need only a couple of hundred to gain profit.
The world is going forward to ‘all electric cars’ so the scope of available targets will expand.
I envision a “business model” akin to spear-phishing, where the average payoff is increased by the bad guys’ focusing on high-value targets.
And the goal need not even be money–it could be the elimination of people deemed inconvenient. (Hence I reject the putative need for the hackers to avoid causing fatalities.)
Thanks, Susan. That was reassuring, your bit near the end about the steps one would have to take to hack a car.
Still, I’m not eager to move to one of these bleeding edge machines that requires my cellphone, Internet connection and the chip in my head to operate. Just keep it simple.
To the point about accepting the EULA or whatever the car requires: you probably can’t go anywhere unless you do accept. We have to end that.
Tesla ready to add ‘Reverse Summon’ by the end of the year.
Reverse Summon or ‘Park Seek’ as Tesla appears to be calling it, is the opposite of Smart Summon. Whereas Smart Summon drives to you from a parking spot, users who activate Reverse Summon would have their Tesla drop them off at a location, perhaps closest to the entrance of a mall, and then find a parking spot. This feature was described by Musk on July 1, 2020, when he gave it a two- to four-month timeline.
Ashok Elluswamy, Tesla’s director of the Autopilot program, started the FSD portion of AI Day, saying, “FSD beta software is quite capable of driving the car. It should be able to navigate from parking lot to parking lot, city street driving, stopping for traffic lights and stop signs, negotiating with objects at intersections, making turns and so on.”...
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.