GameboyRMH
GameboyRMH MegaDork
9/10/15 8:48 a.m.

It was the '09 Impala, and because there was no public pressure to fix the problem, and apparently because until recently GM had as much programming talent as a tire shop, they took five goddamn years to get patches rolled out.

http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/

The exploit involved some old-school phone phreaking. Also, the researchers who found it told military and government agencies, including those with interest in offensive use, about the flaw, but kept the make and model of the car secret, which probably cost the NSA a good 2-3 days before they nailed down which car could be turned into a suicide booth. Assuming they understood the ethical implications, they should've known better than that.

T.J.
T.J. UltimaDork
9/10/15 9:19 a.m.

I grew up in a family that owned largely GM cars, but have grown to loathe them as a company.

PHeller
PHeller PowerDork
9/10/15 10:53 a.m.

They are like a utility or something, completely reactive.

Fueled by Caffeine
Fueled by Caffeine MegaDork
9/10/15 10:58 a.m.
PHeller wrote: They are like a utility or something, completely reactive.

In my line of work.. Every time I see this statement, I think.. Now that is a company that needs my services. Same with Comcast.

I do operations customer experience improvements...

HiTempguy
HiTempguy PowerDork
9/10/15 11:04 a.m.
Fueled by Caffeine wrote: I do operations customer experience improvements...

The company needs your services, but do they WANT your services?

failboat
failboat UberDork
9/10/15 11:13 a.m.

all this talk about cars able to be hacked....are there any accounts of it ACTUALLY happening?

Keith Tanner
Keith Tanner MegaDork
9/10/15 11:27 a.m.

The Jeep exploit was demonstrated quite effectively.

failboat
failboat UberDork
9/10/15 11:36 a.m.

I mean, is this happening in the real world to real people, not just as a demonstration to show that it's possible? I don't own a new Jeep but I do quite like the new Renegade as a possible replacement for my wife several years down the road.

Keith Tanner
Keith Tanner MegaDork
9/10/15 11:49 a.m.

Ah, the "head in the sand" approach to security. I'm sure if it were happening regularly Fox News would be on high alert.

It's like owning a car that can be started with a screwdriver. Chances are, you'll be fine. But it's still not a good idea.

Toyman01
Toyman01 MegaDork
9/10/15 11:50 a.m.
failboat wrote: all this talk about cars able to be hacked....are there any accounts of it ACTUALLY happening?

This is my question. How many cars have actually been hacked in the real world? How many crashes? Is this a case of a whole lot of noise about an issue that really isn't an issue?

Keith Tanner
Keith Tanner MegaDork
9/10/15 11:53 a.m.

So you're saying that we need to wait until some bored kid decides to screw around with a car driving down the interstate on the other side of the country before becoming concerned about this security hole?

Toyman01
Toyman01 MegaDork
9/10/15 11:58 a.m.

In reply to Keith Tanner:

No, I'm just wondering if this isn't a lot like cutting someone's brake lines. It's doable, but no one ever does it, so it's a non-issue.

GameboyRMH
GameboyRMH MegaDork
9/10/15 12:09 p.m.

Yes, it's a lot like cutting someone's brake lines, except a bored kid could do it untraceably from the other side of the planet, just for the lulz.

Swank Force One
Swank Force One MegaDork
9/10/15 12:21 p.m.

Bored kids don't know how to work shears, but they know how to work a computer.

pinchvalve
pinchvalve MegaDork
9/10/15 12:32 p.m.

It was less of an issue because NO ONE wanted to drive an Impala, even remotely.

Keith Tanner
Keith Tanner MegaDork
9/10/15 12:36 p.m.

Cutting brake lines is a pretty good analogy, actually.

There are only three reasons I can think of why someone would do this:
- personal animosity towards an individual
- bored kids who want to watch the world burn
- terrorism. Actual legitimate terrorism, with the intent to spread terror.

The second is the one that would scare me. Crawling under a random car to cut brake lines isn't fun and requires leaving the house and effort. But you could screw around with multiple cars across the country without even getting out of your chair with the Jeep exploit.

If you have a website, you may have seen just how often people - and by "people", I mean script kiddies - try to crack into the most mundane aspects just because it's fun to do. It's a constant attack, not an occasional one.

T.J.
T.J. UltimaDork
9/10/15 1:11 p.m.

As far as I know, any real world automobile hacking is more in the tin foil hat camp than anything actually verifiable. Michael Hastings is an example. Could it happen? Sure. Has it happened? No way for us to know.

mtn
mtn MegaDork
9/10/15 1:29 p.m.
Keith Tanner wrote: Cutting brake lines is a pretty good analogy, actually. There are only three reasons I can think of why someone would do this: - personal animosity towards an individual - bored kids who want to watch the world burn - terrorism. Actual legitimate terrorism, with the intent to spread terror. The second is the one that would scare me. Crawling under a random car to cut brake lines isn't fun and requires leaving the house and effort. But you could screw around with multiple cars across the country without even getting out of your chair with the Jeep exploit. If you have a website, you may have seen just how often people - and by "people", I mean script kiddies - try to crack into the most mundane aspects just because it's fun to do. It's a constant attack, not an occasional one.

More than that, there is MUCH LESS chance of getting caught. If someone sees you climbing out from underneath a car, they're going to yell out, and say what were you doing under my car and maybe call the police. There is zero chance of anybody catching the hacker until after the damage (meaning the crash) has been done.

novaderrik
novaderrik UltimaDork
9/10/15 1:30 p.m.

has anyone here ever tried to cut brake lines? they fight back..

Toyman01
Toyman01 MegaDork
9/10/15 2:08 p.m.

In reply to Keith Tanner:

If a kid wants to watch the world burn, there isn't much you can do to stop them.

I guess the next question is, why does a critical system like steering, engine management, throttle and brakes need web connectivity to start with? What purpose does it serve?

GameboyRMH
GameboyRMH MegaDork
9/10/15 2:19 p.m.
Toyman01 wrote: If a kid wants to watch the world burn, there isn't much you can do to stop them.

Sure there is, that's why you're looking at GRM's website right now instead of Goatse's butthole (common image placed on hacked websites, if you didn't know - don't search it!), and why your cell phone isn't ringing off the hook with foreign toll calls.

Toyman01 wrote: I guess the next question is, why does a critical system like steering, engine management, throttle and brakes need web connectivity to start with? What purpose does it serve?

Now there's a good question. Those systems weren't meant to be web-connected, but it was cheaper and easier to toss them all on the same CANbus network with the OnStar system than to safely firewall or ideally airgap the critical systems from the web-connected dashboard toy.

Toyman01
Toyman01 MegaDork
9/10/15 2:25 p.m.
GameboyRMH wrote:
Toyman01 wrote: If a kid wants to watch the world burn, there isn't much you can do to stop them.
Sure there is, that's why you're looking at GRM's website right now instead of Goatse's butthole (common image placed on hacked websites, if you didn't know - don't search it!), and why your cell phone isn't ringing off the hook with foreign toll calls.

I was thinking more of the physical world, but point taken.

Kenny_McCormic
Kenny_McCormic UltimaDork
9/10/15 3:16 p.m.
T.J. wrote: As far as I know, any real world automobile hacking is more in the tin foil hat camp than anything actually verifiable. Michael Hastings is an example. Could it happen? Sure. Has it happened? No way for us to know.

Hastings died far too suspicious a death to call it a tin foil hat conspiracy. We're talking about (as I understand it) a vocal critic of the surveillance state, who hours after calling his lawyer and telling his friends he was onto something big, crashed his new Benz into a tree at top speed on a city street, sober.

There is no way for us to know, which makes it a rather convenient way of shutting people up.

Curmudgeon
Curmudgeon MegaDork
9/10/15 4:39 p.m.
GameboyRMH wrote:
Toyman01 wrote: If a kid wants to watch the world burn, there isn't much you can do to stop them.
Sure there is, that's why you're looking at GRM's website right now instead of Goatse's butthole (common image placed on hacked websites, if you didn't know - don't search it!), and why your cell phone isn't ringing off the hook with foreign toll calls.
Toyman01 wrote: I guess the next question is, why does a critical system like steering, engine management, throttle and brakes need web connectivity to start with? What purpose does it serve?
Now there's a good question. Those systems weren't meant to be web-connected, but it was cheaper and easier to toss them all on the same CANbus network with the OnStar system than to safely firewall or ideally airgap the critical systems from the web-connected dashboard toy.

The first time I saw one of those super interconnected CAN-BUS systems in a classroom and its operation was described, all I could think of was 'any one module barfing can bring the whole thing down', later proven in real life by an iPod adapter making a radio croak which in turn shut down the entire BUS system in a Liberty. (Man, that girl was PISSED.) I never stopped to consider hackability but obviously it's possible.

Keith Tanner
Keith Tanner MegaDork
9/10/15 5:14 p.m.

I would have expected an air gap as well - but when you think about it, there are a number of parameters that need to be communicated from the vehicle systems to the infotainment/communication. For example, OnStar vehicles call for help if they've been in an accident. That could be triggered by the airbag or even massive acceleration spikes (which can be pretty funny). It can also disable the vehicle if it's stolen. These are considered good things for most people, but they do require that connection. I'm sure other onboard setups are similar.
