All your cars are belong to us

jack_christie

Forum Addict
Joined
Aug 1, 2006
Messages
9,620
Scientist banned from revealing codes used to start luxury cars

A British-based computer scientist has been banned from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis as it could lead to the theft of millions of vehicles, a judge has ruled.
http://www.guardian.co.uk/technology/2013/jul/26/scientist-banned-revealing-codes-cars


Hackers Reveal Nasty New Car Attacks
http://www.forbes.com/sites/andygre...w-car-attacks-with-me-behind-the-wheel-video/
 
Yeah, automakers need to tighten their security methods drastically.
 
Yeah I had a very good conversation with a computer scientist friend of mine about the problems of mobile Internet/infotainment systems in cars and the dangers without keeping the infotainment and ECU systems separate...
 
So bascially all of VW this time ...

It is a curious read this, rather than VW asking for time to fix the problem - they try to limit acess to the information. I don?t see how that is helping anyone ...

[...]They [the scientists] argued that "the public have a right to see weaknesses in security on which they rely exposed". Otherwise, the "industry and criminals know security is weak but the public do not".
solid argument. Trying to keep the lid on this is not helping. Fix the bloddy problem VW, not try to make it seem like there was none.
 
Any more info on that? The article was disappointingly light on details. "five minutes" to connect to a car, but do they mean from the outside? Inside the car? The capabilities of the device also don't seem serious enough for the automakers to care, although I imagine they're saving the juiciest bits for the conference.
I think the article means access to the car is necessary once to connect the device. From there, it's not complicated at all - hook up a controller (maybe raspberry pi-based to keep costs down), combine with wireless LAN, have fun.
 
Last edited:
Silly scientist, when you discover something like this you don't write a paper, you sell your invention to the mafia and get rewarded for your hard work. The mafia in turn makes VW improve their security.
 
I'm a computer engineering student and I did some research last semester on the lack of security when it comes to automotive computers. Some are better than others, but they're all pretty poor. If I remember right, Toyota's system (for the same model years as those in the "unintended acceleration" scandal) was particularly awful.
 
And what was wrong with keys anyway?
 

But is it possible to open up stranger's beamer from afar? Perhaps so. You'd need is the iOS app, the username, and the obtained or guessed password ? there's no way to limit the car to one mobe.

That's the digital equivalent of "all you'd need to steal someone's car is to break into their house and steal their car keys!" They mentioned brute-forcing the password, but the system disallows logins after five failed attempts, requiring a phone call to reset, so not exactly something you can just throw a rainbow table at, and repeated account locks would very quickly tell the real owner that something was up.
 
Having worked extensively with CAN at my previous place of employment, I agree that it's not the most secure network protocol. However, 'hacking' it and assuming control is a little bit more involved than as described in the above articles. One needs the CAN database before being able to do anything and that varies between manufactures and can even vary between platform. Of course it is possible to snoop the bus and figure out which message does what but that is incredibly time consuming (I know because I've done it when trying to decipher the CAN messages on competing products) and requires some basic knowledge about bit addressing.

Bosch has already been hard at work to bridge these security gaps in their next standard release.
 
Top