4 comments

[ 4.8 ms ] story [ 21.2 ms ] thread
Wow, pretty serious implications on this one. Really surprised there's no discussion about this yet.
Like with IoT devices, this seems to be a place where there is a massive lack of care or understanding in how to build a secure product. The repercussions of which, however, are potentially much more severe. Perhaps this will get the ball rolling on some much needed regulations for the security of internet-connected products (especially cars).
It's a fundamental flaw in the design. Everything important communicates over a shared bus with read/write privileges. The infotainment center has a not-understandable-by-a-fucking-army amount of code in particularly unsafe languages. It's connected to that bus to provide features like tire pressure and parking brake status. The infotainment will almost certainly be pwned, and a breach in that system propagates to a breach of the rest of the car. The only reason we don't see more of it is that it's a wee bit difficult to pull off the full attack and not super easy to exploit for personal gain.
Another factor is that cost of screwing up is far worse than any other setup. I'm always happy to tinker with computer software, since, if I mess it up, I can just delete it and start over (or just never re-download it). I even sideloaded some lightweight emulators onto my $600 TV.

However, if I mess up my car by poking around, I've just borked a five-figure "device" and the warranty won't cover it. Oops!