SoylentNews is people
SoylentNews
A flaw buried deep in the hearts of all modern cars allows an attacker with local or even remote access to a vehicle to shut down various components, including safety systems such as airbags, brakes, parking sensors, and others.
The vulnerability affects the CAN (Controller Area Network) protocol that's deployed in modern cars and used to manage communications between a vehicle's internal components.
The flaw was discovered by a collaborative effort of Politecnico di Milano, Linklayer Labs, and Trend Micro's Forward-looking Threat Research (FTR) team.
Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable.
Patching the issue means changing how the CAN standard works at its lowest levels. Researchers say car manufacturers can only mitigate the vulnerability via specific network countermeasures, but cannot eliminate it entirely.
"To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented," researchers say. "Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade."
[...] The Department of Homeland Security's ICS-CERT has issued an alert regarding this flaw, albeit there is little to be done on the side of car makers.
"The only current recommendation for protecting against this exploit is to limit access to input ports (specifically OBD-II) on automobiles," said ICS-CERT experts in an alert released last month.
[...] The research was presented last month at the DIMVA conference in Bonn, Germany. The technical paper detailing the flaw in depth is available here and here. A YouTube video recorded by Trend Micro researcher Federico Maggi is available.
Source: Bleeping Computer
(Score: 2) by Grishnakh on Friday August 18 2017, @08:17PM (3 children)
The security was the impossibility to get AT the cable. That is no longer true. Then with IoT the bend it to be wide open on the internet.
What are you talking about? It still is true, at least on my '15 car. As I said before, if a car has exposed the CAN bus to the internet, that's a design fault, and IMO should result in a full recall. I've heard of some shitty Jeeps having this, but that's what you get for buying a Jeep. It's entirely possible to design a car so that the vehicle systems are not exposed to the network.
(Score: 3, Interesting) by fraxinus-tree on Friday August 18 2017, @09:13PM
The CAN bus is not, by design, open to the Internet, in a sense it doesn't have a dedicated interconnecting device. Then again, it happily connects in peer-to-peer manner both safety-critical systems (brakes, steering, engine, transmission, lights) and the utter bullshit the modern cars are full of - tracking/"security"/remote control (cell, rf and/or BT connected) system, all the infotainment crap (BT/wifi/3G enabled, too) and so on.
Rest assured, no one really cares about the car radio security right now.
(Score: 1, Informative) by Anonymous Coward on Saturday August 19 2017, @04:54AM
It's entirely possible to design a car so that the vehicle systems are not exposed to the network.
You missed my point and sailed on by it then waved as you went by.
It is entirely possible to keep them seperate. However in IoT many companies are building huge data gathering systems built upon the fact that these networks are open. The small handful that are closed are usually behind laughable 'security'. Such as a knock code or slightly randomized port tickling. With the old protocol sitting behind it. Dead easy to sniff.
Physical access is easy to get at in most cars. However, the whole network is insecure by default. With some systems you can jump a bit from usb->radio->controller->CAN. This is not a terribly hard exploit to pull off. Where if you have physical access you can just grab the can port under the dash. However, many of these infotainment systems have cell and wifi modems in them. I worked with sever of the large manufactures a few years ago in their system they were getting ready to launch. I bailed out but they are just hitting the market now. They are not secure by design. They are designed as feature points.
(Score: 2) by tangomargarine on Monday August 21 2017, @03:00PM
Nobody is saying it's impossible; it's just cheaper and lazier to not design it properly.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"