Debate on speeding, with a side order of "For $60, you can hack a connected car (original topic)"



  • This is typical of networked systems deployed to market these days. Get it to work, get it shipped to beat your competitors, and then patch the security holes later. Maybe. If anyone besides professional hackers discovers them and holds the selling company accountable.

    Excerpt: Evenchick also told Forbes that he wants to make it for people to probe connected car systems for weaknesses, largely because car manufacturers tend to keep their systems closed to the outside security community. By designing a tool that can search for these vulnerabilities, Evenchick is enabling hackers to see what kinds of weaknesses made it to the market.


  • sockdevs

    No surprise to see that attacks the CAN bus; they have more security holes than unpatched Windows XP…



  • @RaceProUK said:

    more security holes than unpatched Windows XP…

    O_o


  • area_deu



  • @redwizard said:

    Evenchick is enabling hackers to see what kinds of weaknesses made it to the market.

    The performance aftermarket has reverse engineered the entire computer of many cars. CAN bus vulnerabilities don't reduce the already shoddy security in these systems.

    Securing them is pretty much infeasible. It took the satellite TV industry many years to make their stuff good enough to keep hacking under control and they have over-the-air updates. There is much less incentive for car manufacturers to have good security and their update model is laughable.



  • @Jaime said:

    Securing them is pretty much infeasible. It took the satellite TV industry many years to make their stuff good enough to keep hacking under control and they have over-the-air updates. There is much less incentive for car manufacturers to have good security and their update model is laughable.

    I would argue that industry has already learned these lessons. Why are the car manufacturers reinventing the wheel?

    @Jaime said:

    There is much less incentive for car manufacturers to have good security and their update model is laughable.

    Oh. Yeah. Right.


  • area_deu

    @redwizard said:

    car manufacturers reinventing the wheel

    I see what you did there :eyes:



  • I don't really see a problem, unless I missed something you'd already have to have physical access to the car's electronics to do this, and anyone with nefarious intent would do a dozen other things before tapping into the car's electronics.

    Avionics is pretty similar, for many of the standard protocols anyone[1] can plug a bus monitor in and see what's happening.

    [1] That is, anyone with specialized and very expensive hardware and software, physical access to the airplane, and the ninja skills required to sneak into military hangars and tamper with jets without getting shot by the MPs.



  • @mott555 said:

    I don't really see a problem, unless I missed something you'd already have to have physical access to the car's electronics to do this, and anyone with nefarious intent would do a dozen other things before tapping into the car's electronics.

    My concern is many cars connect via wireless these days...maybe I'm making a buttumption?



  • If the car's electronics are exposed via wireless, then yes there's definitely a problem. I made a buttumption that they aren't, because why would you need that?



  • @redwizard said:

    I would argue that industry has already learned these lessons. Why are the car manufacturers reinventing the wheel?

    I have a 2014 Mazda 3 which has an infotainment system built with OpenCar. In theory, this should be the most update friendly system since it's really just embedded Linux. In order to update the system myself, I have to find an unauthorized download of the firmware and use a bunch of hidden commands in the UI to start the update. If I want the dealership to do it for me, I have to either prove I have an issue that needs to be fixed or pay for the labor for them to watch the little blue bar go across the screen.

    So, they not only don't make it easy for their systems to be updated, they go out of their way to make it hard. However, they do enable SSH by default and the root password is "jci".


  • sockdevs

    @Jaime said:

    So, they not only don't make it easy for their systems to be updated, they go out of their way to make it hard enough for the average driver so they can justify charging insane labour rates and make a buttload of cash.

    <purple monkey dishwasher



  • @Jaime said:

    In theory, this should be the most update friendly system since it's really just embedded Linux.

    This is a theory which can only be held by a person who has literally never owned ANYTHING run on embedded Linux.



  • Fake News

    These days, it's generally extremely difficult - if not impossible - to rip that integrated infotainment shit out and put in whatever the fuck you want. And I Just! Can't! Wait! for nanny-state bullshit like Ford's Intelligent Speed Limiter to come into widespread use. You'll be doing the speed limit soon enough, no matter how ludicrously low it is, slave. :stuck_out_tongue:



  • @lolwhat said:

    And I Just! Can't! Wait! for nanny-state bullshit like Ford's Intelligent Speed Limiter to come into widespread use. You'll be doing the speed limit soon enough, no matter how ludicrously low it is, slave.

    You know, you can just turn the feature off if you don't like it.


  • sockdevs

    @blakeyrat said:

    You know, you can just turn the feature off if you don't like it.

    Given how nannying some governments can be, there may be a law passed that makes that illegal…


  • Winner of the 2016 Presidential Election

    @blakeyrat said:

    This is a theory which can only be held by a person who has literally never owned ANYTHING run on embedded Linux.

    mmm... false.



  • I've seen 5mph speed limit signs posted on roadways leading into parking lots, post offices...that'll be SO much fun...


  • sockdevs

    5mph is a right pain in the arse to maintain in a manual car; at least with a 10mph limit, you can let the car idle in second, and it'll do about 8-9mph naturally.


  • Fake News

    @blakeyrat said:

    You know, you can just turn the feature off if you don't like it.

    Right, just like air bags. :fa_thumbs_o_up: And OK, yes, initially, you can turn it off... until the gummint mandates it as a standard "safety" feature.



  • @RaceProUK said:

    Given how nannying some governments can be, there may be a law passed that makes that illegal…

    Case Study: DEF (diesel exhaust fluid).

    Some doofus at the EPA decided squirting piss into your exhaust pipe is A Good Thing, and now it's mandatory on road diesels. It is absolutely NOT required for your vehicle to operate normally, however it's mandated that if and when the DEF tank goes empty your vehicle needs to go into limp mode which limits you to 15 mph or something and if you turn it off it won't start again until the DEF tank is re-filled.


  • I survived the hour long Uno hand

    TIL enforcing the laws of a country is considered "nannying". :rolleyes:

    Speed limits are almost always stupid, for sure, but this feels like the wrong complaint to be making :laughing:


  • Discourse touched me in a no-no place

    @lolwhat said:

    Ford's Intelligent Speed Limiter

    Read about that in The Times yesterday.

    When they tried it, it got confused between the road limit signs at the side of the road, and the 'maximum speed this truck will go at. In kmh' stickers on the backs of some lorries.


  • sockdevs

    @mott555 said:

    Case Study: DEF (diesel exhaust fluid).

    *Googles*
    Ah, so that's what AdBlue is then… I assume there's a reason diesels use that instead of a catalytic converter, like petrol cars do?


  • Fake News

    @Yamikuronue said:

    enforcing the laws of a country is considered "nannying"

    If a given law proscribes something other than actual or extremely likely threats to life, liberty or property, then the law's shitty and quite possibly nannying.

    @Yamikuronue said:

    this feels like the wrong complaint to be making

    So, what's the right one? :stuck_out_tongue:
    https://www.youtube.com/watch?v=2BKdbxX1pDw


  • sockdevs

    @Yamikuronue said:

    TIL enforcing the laws of a country is considered "nannying".

    Enforcing laws is fine; it's how that can be nannying. I'd rather not be enslaved to an electronic overlord, thank you very much :stuck_out_tongue:



  • It catalyzes something or other. Knowing the mess the EPA has made of diesels, it probably catalyzes something that is produced as a by-product of one of their other emission schemes. Kinda like the sick guy who takes a drug for his condition and then needs 12 other drugs to manage all the side effects.


  • BINNED

    @PJH said:

    When they tried it, it got confused between the road limit signs at the side of the road, and the 'maximum speed this truck will go at. In kmh' stickers on the backs of some lorries

    It could be fun to buy a UK spec one then take it to a country with speed limits in km/h

    "Sorry Officer, I was relying on my automatic speed limiter. I don't see how I could go 100mph like that"


  • Winner of the 2016 Presidential Election

    @mott555 said:

    It catalyzes something or other. Knowing the mess the EPA has made of diesels, it probably catalyzes something that is produced as a by-product of one of their other emission schemes. Kinda like the sick guy who takes a drug for his condition and then needs 12 other drugs to manage all the side effects.

    <empty this

    @Wikipedia said:

    DEF is used as a consumable in selective catalytic reduction (SCR) in order to lower NOx concentration in the diesel exhaust emissions from diesel engines.


  • sockdevs

    The thing is, a standard three-way cat does the same job, and doesn't need you to refill the car's piss-tank, because there won't be one.


  • Winner of the 2016 Presidential Election

    Eh I can't attest to the good/badness of the system. I'm just saying what it does :)


  • I survived the hour long Uno hand

    @lolwhat said:

    So, what's the right one?

    The law (in this case, the speed limit) is terrible, feel free to complain about that. But saying "We're going to enforce our existing laws in a new way due to technological advances making it possible" is hardly nannying.

    "Waah, the big bad government is making me obey the laws!"



  • @Yamikuronue said:

    "Waah, the big bad government is making me obey the laws!"

    In my opinion, laws are there to punish, not prevent, crime.


  • sockdevs

    @Yamikuronue said:

    "Waah, the big bad government is making me obey the laws!"

    It's not so much that, but more the fact that electronic governance cannot possibly take into account emergency situations; it's rare, but sometimes you have to go faster to avoid an accident.


  • Fake News

    @PJH, while that's true, it doesn't mean it won't be "improved." In just one minute of pondering this crap, I can easily picture the eventual use of a combination of GPS, mobile phone tower triangulation, highly-localized radio beacons, signs with special QR codes, and so on, to pinpoint your exact location. Then, a quick download of a "speed limit map" will tell the onboard computer that the limit is, say, 40mph. It's merely one in a series of baby steps, just like any other control mechanism. Oh, and if the country's maximum speed limit is 70mph, then guess what, 70mph is the fastest you'll ever go - no need for fancier tech.


  • I survived the hour long Uno hand

    Then bitch about that rather than "nanny states".

    Apparently I'm in a Blakey mood today :/


  • Fake News

    @mott555 said:

    laws are supposed to be there to punish, not prevent, crime, in a perfect world that doesn't have nannies and power-trippers

    FTFY.


  • sockdevs

    @Yamikuronue said:

    Then bitch about that rather than "nanny states".

    The two often go together ;)

    @Yamikuronue said:

    Apparently I'm in a Blakey mood today :/

    You're not very good at it; you haven't called me an idiot yet :stuck_out_tongue:


  • BINNED

    @RaceProUK said:

    it's rare, but sometimes you have to go faster to avoid an accident.

    ISTR this Ford one has a way to override the limit by doing a double click type movement on the accelerator.


  • sockdevs

    @Jaloopa said:

    ISTR this Ford one has a way to override the limit by doing a double click type movement on the accelerator.

    Good luck remembering to do that in a moment of terrified panic ;)



  • @blakeyrat said:

    This is a theory which can only be held by a person who has literally never owned ANYTHING run on embedded Linux.

    Windows has pretty much no penetration into the vehicle market. We're comparing Linux to QNX here, so Linux actually comes out pretty good.


  • Grade A Premium Asshole

    @blakeyrat said:

    You know, you can just turn the feature off if you don't like it.

    Like you can turn off the stupid fucking dialog that nags you every time you pair a Bluetooth phone to a Ford vehicle? Meaning, you have to turn it off every time you start the fucking car?

    No thank you. I would rather my car just mind its own fucking business. This also seems like a damned good way for your car to testify against you in traffic court. This is a solution to a problem that no one has. I don't appreciate it when my electronics nag me.



  • @mott555 said:

    ...you'd already have to have physical access to the car's electronics to do this...

    When I was in grad school, we had a faculty candidate talk by someone who did his dissertation on attacks against cars. He found several attack vectors, some of which did not require physical access. For example, the telematics unit (like OnStar) connects via a cellular signal; on some cars, you can attack via that. They also had attacks via Bluetooth and seemingly-harmless physical access like putting a CD into the CD player.


  • sockdevs

    @EvanED said:

    For example, the telematics unit (like OnStar) connects via a cellular signal; on some cars, you can attack via that

    Exactly; they usually have a direct connection to the CANbus, and the security of a ruptured sieve.


  • Winner of the 2016 Presidential Election

    @Polygeekery said:

    No thank you. I would rather my car just mind its own fucking business. This also seems like a damned good way for your car to testify against you in traffic court. This is a solution to a problem that no one has. I don't appreciate it when my electronics nag me.

    +1

    Adaptive cruise control: Good idea. I can turn it on when I need it and it is a useful feature
    This: Bad Idea, feels like Dennis Nedry "nah nah nah, can't go that fast"



  • @redwizard said:

    By designing a tool that can search for these vulnerabilities, Evenchick is enabling hackers to see what kinds of weaknesses made it to the market.

    So it is with every tool that can be a weapon.


  • sockdevs

    @xaade said:

    every tool that can be a weapon

    ;)

    You can weaponise anything if you're creative enough…



  • @RaceProUK said:

    You can weaponise anything if you're creative enough…

    Yes you can.



  • I have half a mind to buy this and carry it on me.

    I mean, how are they going to ban you from carrying shovels?

