The CAN bus, the network interface vehicle components use to communicate was, at least as of a few years ago, the source of basically infinite vulnerabilities.
Add in over the air updates or worse, updated bluetooth or radio firmware and you find things like stopping a vehicle remotely at highway speeds[1]
A good starter would have been running the keyfob data on a different CAN line than the one going into the headlights... you know, the one you can reach with your hand from the outside.
Then we could also talk about encryption, but at least making it a tad more difficult to have physical access.
Not that toyota is the only one. If you ever notice a car that has a reinforced grill protecting the front RADAR, or the rear lights... now you know why.
That's great, but the writing is still on the wall if Toyota doesn't get serious about electric cars.
With their current trajectory Toyota is headed at 1000mph directly towards being the next Blackberry, Kodak, Nokia or Blockbuster.
I say this as someone who owned a Prius for 10 years and loved it, and have also driven their hydrogen car. The BZ4X is badly named overpriced garbage, not enough and not good enough. The clock is ticking and they have to act yesterday to avert disaster and they're sitting their twiddling their thumbs.
Currently Tesla is the iPhone to Toyota's Nokia and they're going to have to work very hard very soon to turn that around or their company will die.
Car companies would benefit from hiring thieves in the dark web. There were always toolkits on sale as well. So they could just investigate what is being done to steal the cars and patch it. I suppose a good bounty program would help as well as the tech savvy thieves would have a choice to get a bug bounty instead of ganging up with other criminals. Sort of divide and conquer.
The legacy automakers have been cramming ever more ECUs into their cars, at a considerable cost expense. Tesla did something different with the big screen and one 'big computer' rather than a bevvy of ECUs. This appears to be the design pattern going forward, as evidenced by VW's investment in Rivian, where they also go for the 'big computer' approach.
It seems to me that the security of Tesla cars is pretty good, compared to that of the legacy automakers. You can't hotwire a Tesla.
Securing one computer is relatively easy when compared to the challenge of securing a veritable forest of hardware, as made by numerous suppliers.
Regarding the way that general attacks on car security systems happen, something has gone wrong with how all of it has been implemented. RFID works fine in many other applications, but they are doing it 'back to front' with automotive and it is just too easy to hack. I am not even sure it has been for features people really want. Remotely opening the car before you get in it has convenience value but we got in trouble with that.
Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.
Also, companies are not responsible (liable) for their own poor security. If they do something like leak the private data of half the nation--shrug--what can you do?
How convenient for companies. It's literally a matter of national security; our national security is made worse by this status-quo, but at least companies aren't bothered by unwanted security researchers.
We need to pick a lane.
If companies want to be solely responsible for their own security, then they should also be solely reliable for any damages done by their own poor security.
Or, we can recognize that security is really hard and make it a team effort and setup laws to protect security researchers, and then special "events" wouldn't be needed for security research; anyone could test the security systems at any time, and especially people would be able to test the security of devices they own.
Tangent but I have a 2016 Toyota 4Runner. Great car and fits my family and needs perfectly. The key fob broke so I needed to get a replacement, I got a blank and had a locksmith cut and program the blank. He must have not done it right because it worked and then I got stranded cause it must have lost its pair to the car or something. Nothing wrong with the vehicle, the engine wouldn’t start because of the key. I do road trips through the desert SW and other remote places, if I have the key I need the car to start no matter what. I really don’t want my keys to require a battery either. I wish there was a way to bypass the rfid/BLE or whatever it is.
Or we could make Toyotas tunable like many other brands. I would love to tune my Tundra like I could tune my GTI. The mid 2010s after market super charged Tundras were so cool!
14 comments
[ 2.7 ms ] story [ 40.0 ms ] threadAdd in over the air updates or worse, updated bluetooth or radio firmware and you find things like stopping a vehicle remotely at highway speeds[1]
[1] https://fractionalciso.com/the-groundbreaking-2015-jeep-hack...
Then we could also talk about encryption, but at least making it a tad more difficult to have physical access.
Not that toyota is the only one. If you ever notice a car that has a reinforced grill protecting the front RADAR, or the rear lights... now you know why.
With their current trajectory Toyota is headed at 1000mph directly towards being the next Blackberry, Kodak, Nokia or Blockbuster.
I say this as someone who owned a Prius for 10 years and loved it, and have also driven their hydrogen car. The BZ4X is badly named overpriced garbage, not enough and not good enough. The clock is ticking and they have to act yesterday to avert disaster and they're sitting their twiddling their thumbs.
Currently Tesla is the iPhone to Toyota's Nokia and they're going to have to work very hard very soon to turn that around or their company will die.
Are current electronics (the consumer ones) good enough at scale to limit the time the round-trip car-key-car takes?
It seems to me that the security of Tesla cars is pretty good, compared to that of the legacy automakers. You can't hotwire a Tesla.
Securing one computer is relatively easy when compared to the challenge of securing a veritable forest of hardware, as made by numerous suppliers.
Regarding the way that general attacks on car security systems happen, something has gone wrong with how all of it has been implemented. RFID works fine in many other applications, but they are doing it 'back to front' with automotive and it is just too easy to hack. I am not even sure it has been for features people really want. Remotely opening the car before you get in it has convenience value but we got in trouble with that.
Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.
Also, companies are not responsible (liable) for their own poor security. If they do something like leak the private data of half the nation--shrug--what can you do?
How convenient for companies. It's literally a matter of national security; our national security is made worse by this status-quo, but at least companies aren't bothered by unwanted security researchers.
We need to pick a lane.
If companies want to be solely responsible for their own security, then they should also be solely reliable for any damages done by their own poor security.
Or, we can recognize that security is really hard and make it a team effort and setup laws to protect security researchers, and then special "events" wouldn't be needed for security research; anyone could test the security systems at any time, and especially people would be able to test the security of devices they own.