Imagine what would happen if a hostile government, organized crime, someone who hated you, or a bored teenager controlled your car. And also your oven, your air conditioner, and your garage door. Welcome to the Internet of Things, folks!
Wow. I'm really skeptical of this kind of accusation, since it looks a lot like a loony conspiracy theory, but the Internet of Things turns it into an everyday hack instead of a super-secret state-level one.
"As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method."
Right. This may be the beginning of the end of remote software updates for "security fixes". The backdoor implicit in remote software updates may be a bigger risk than the existing hole. If anybody ever gets (or already has) Microsoft's or Apple's signing key, there's going to be big trouble.
What's riskier? Systems that are never patched with still plenty of potential surface attack area, or systems that have a way to obtain fixes, including fixes to the patching system?
If a system has an options for untrusted I/O (radios, network, unmonitored physical access), I would take the later over the former every time.
Granted not all companies are created equal in how they handle security, but that doesn't change in either scenario. The same team developing a fix are also typically working on the original implementation, so it's unlikely that the system code/design quality would be drastically different.
What's riskier? Systems that are never patched with still plenty of potential surface attack area, or systems that are uncontrollably patched with still plenty of potential remote and MITM attack area? I can't decide, but in both cases, removing remote access removes the problem. My car and toaster wouldn't be much more useful with Internet.
Making car software updates available via the manufacturer's web site (downloaded to a usb like they mention in the article) and making it the standard practice during normal car maintenance (by dealership, mechanic, or owner) to update the software might be better than remote updates.
Not that this is "old news", but I thought Rule #1 was that when something is more complicated (or here, "smarter") there's more opportunity for things to go wrong, or for things to get abused.
I feel like we knew this was going to happen, but kind of shrugged it off as irrational.
Right after cell phones with blue tooth were made public, we added "blue snarfing" into our vocabulary.
I mean, I don't put a sticky-note over my webcam; I'm just not surprised at all that hackers are keeping up with tech.
So why do any of the things mentioned in an article need any form of network connection? All the monitoring could be done at a standard mechanic like how cars are already checked over, the unlock system doesn't need to work over more than a few metres (what's the chance anyone is going to want to legitimately unlock a car from miles away?) and stuff like the entertainment system could be kept self contained.
Then it wouldn't be an issue how 'insecure' the OS is, since a thief would have to be physically near the vehicle to do anything.
But hey, thanks to the obsession with 'smart' devices and the internet of things and all that stuff, everything seems to have an internet connection chucked in for no real reason.
The crime is the NTSB not taking these unsafe vehicles off the road. Drivetrains should be air gapped. Period. You want a multimedia display it should be read only off the CAN bus.
12 comments
[ 5.1 ms ] story [ 17.8 ms ] threadLook up "Xbox turn off trolling" on Youtube.
Or imagine a voice-controlled self-driving car, and a radio commercial loudly saying "Siri, drive me to New York".
https://en.wikipedia.org/wiki/Michael_Hastings_(journalist)#...
Right. This may be the beginning of the end of remote software updates for "security fixes". The backdoor implicit in remote software updates may be a bigger risk than the existing hole. If anybody ever gets (or already has) Microsoft's or Apple's signing key, there's going to be big trouble.
If a system has an options for untrusted I/O (radios, network, unmonitored physical access), I would take the later over the former every time.
Granted not all companies are created equal in how they handle security, but that doesn't change in either scenario. The same team developing a fix are also typically working on the original implementation, so it's unlikely that the system code/design quality would be drastically different.
They're coming to car/refrigerator/toaster near you.
Not that this is "old news", but I thought Rule #1 was that when something is more complicated (or here, "smarter") there's more opportunity for things to go wrong, or for things to get abused.
I feel like we knew this was going to happen, but kind of shrugged it off as irrational.
Right after cell phones with blue tooth were made public, we added "blue snarfing" into our vocabulary.
I mean, I don't put a sticky-note over my webcam; I'm just not surprised at all that hackers are keeping up with tech.
Then it wouldn't be an issue how 'insecure' the OS is, since a thief would have to be physically near the vehicle to do anything.
But hey, thanks to the obsession with 'smart' devices and the internet of things and all that stuff, everything seems to have an internet connection chucked in for no real reason.