Schneier on Security
A blog covering security and security technology.
« Casino Hack |
| Security Trade-Offs and Sacred Values »
March 18, 2010
Disabling Cars by Remote Control
Who didn't see this coming?
More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
Posted on March 18, 2010 at 7:41 AM
• 60 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I might have to call my dealership and see if my recently purchased used car has the same device (and tell them to remove it).
Better to go to a trusted local mechanic.
Free Software car operating system anyone?
I've got a great idea. It's obviously a particular danger to the public if people steal police cars, so let's install this immobilization system on all of them.
I wonder how secure the pager update system is. Are the pager messages signed and such?
No, I didn't see this coming. I didn't think anybody would be stupid enough to do this in the first place.
It's different from opening the car with OnStar, say, in that random unlocking is unlikely to cause harm.
I obviously need to work on my cynicism.
Who's to say some clever individual couldn't ... oh ... program a Toyota to suddenly accelerate?
I'm just sayin' ...
Never mind breaking into the web-based system, how are the pager messages to the cars authenticated? With a USRP, I imagine it would be fairly easy to send a forged pager message without ever touching the web-based interface.
If something is physically possible, someone will do it. Irrespective of how stupid it will be to do.
If you do not believe that, read up on the Darwin Awards:
Well, from my meager experience working at an auto supplier...
The pager messages to the car can be authenticated in one of several ways.
(1) Secret key on car electronics that needs to match pager message. Probably not used, unless it's a public-key/private-key pair. But generating a distinct public/private pair for each of a million units might be too hard.
However, at least one auto company that I have seen has an electronic key-set for doing updates of car-electronics over the on-car CAN bus. The electronic key is a small USB dangle for laptops, and is somehow embedded into the factory programming-tools.
If the data can be sniffed from the transmission channel, the secret key had better be part of a public/private pair. If not, the secret is as secure as the employees of every company that gets to work with the system.
(2) Car will only accept a message from a particular source phone-number. Can pager-style messages be limited this way? How hard is it to spoof?
(3) Car will accept any message sent, with a combination of VIN, Remote-System-ID, and Special Key. This gets around the issue of public/private key pairs shown above, but is still subject to inside saboteurs.
I might think of another couple of ways, given enough time. But I keep running into the fact that insiders would know how to generate the message, and that the companies involved have to trust their employees and contractors.
I'll go back to driving my 10-year-old vehicle which has no remote electronics of any kind on it...
Immobilise whilst in motion.... then you've issues...
"Who didn't see this coming?"
Well I didn't, but then I was not aware that such a "dumb 455" system existed.
What has amazed me though is this is the first time in 10 years it's been used incorrectly...
The second thing was the comment,
“Omar was pretty good with computers,”
Made by Martin Garcia, Texas Auto Center's manager. Does he realise how dumb that makes him look?
After all Omar was not bright enough to go and do his mischief away from his home Internet Connection...
@ Bruce / Clive
Totally agree, that the main thing that prevented anticpating this was not realising the crazy system existed.
If this is genuinely the first time in 10 years that a malicious person has mounted an attack like this I am surprised.
Omar strikes me as being a bit of a simpleton, sadly this just shows how much more of a simpleton Garcia (and I presume his other staff) is.
Are we now reliant on the stupidity of employees to prevent attacks. That seems like such a good risk mitigation measure I have to insert it into my next project report....
Personally, I love this quote: "He had retained a password, and what happened was he went in and created a little bit of havoc.”
Emphasis on little, then havoc...
If ever a system should have strong authentication, where password authentication is not enough, this would fit the category. And let's not forget application control! (Who placed the command and who autorized it !?)
And the real cruncher, to me, comes from: "traced the saboteur’s IP address"
This means the Pay-tech guys offer a service, as in ASP model. The access should be limited to the client's network, using a VPN, not open on the Internet...
How can such a system be placed openly on the net, without controlling the source IP, is a marvel in security economics.
Since this is a repo alternative, it probably disables the cars by preventing them from starting. It probably doesn't disable them while in operation (like OnStar can do).
To paraphrase an old quip, "The nice thing about security, is that everyone needs some"...
We all know password security is important, but here's where the rubber meets the road!
Thanks, I'll be here all week.
> It's different from opening the car with OnStar, say, in that random unlocking is unlikely to cause harm.
Well, as a matter of fact, OnStar has an ability to send an arbitrary pass-through message to the vehicle bus. So, in most cars, it has total control of door locks, lights and infotainment system; in some car models, it can also lie to the instrument cluster, stop the engine, or deploy airbags.
A little off-topic perhaps, but is it possible to disable OnStar entirely?
And when you ask a company (government, utility, etc) how a system or your information will be used and they reply, "This will only be used by authorized employees for legal purposes"... I hope we pause and think about this story. Oh, Trust... why do you plague us so?! :)
My first thought when I read about these systems was the potential for abuse. There have been other cases of mismanagement and malfeasance. They just weren't on this scale.
Regarding the computer security literacy or lack thereof:
Have you met any of the people that run this kind of business? Have you met the kind of people who are gullible enough to buy from them?
So much becomes clear...
I wonder if Texas Auto Center informed its customers it had installed non-oem remote control software in the cars bought from them... if they didn't I suspect they could be facing an expensive time - especially having failed to secure the control of such software.
@uk visa: Even if they did inform the customers (no doubt in a vaguely-worded clause burried in the fine print) I'd expect a class-action suit from the people whose cars were affected by their failure to secure the system.
Wow, the OnStar comment blows my mind. The potential for damage in that system, if it really can remotely deploy airbags in moving cars, is amazing. What does it look like, the day 10,000 cars spread out across urban/suburban highways in the US have their airbags deploy as they're heading down the road at 70 MPH? (And if you can get finer control, you could do much worse stuff. Max out the accelerator signal for 30 seconds, then trigger the stability control or ABS in some pattern calculated to roll the car.)
This is one of the many places where we're building up huge systems with complex failure modes and vulnerabilities we don't even begin to understand. One day, someone may teach us a lot more than we want to know about them.
@an alex: Thank you for the enlightenment. I now see I have to avoid cars with OnStar at any cost, and really should ask about remote control whenever I buy a car.
I *really* need to work on my cynicism.
Now that people know about these devices, how long till people figure out how to yank them out?
Its only a matter of time before they will be disabling humans by remote control :-)
It is like any security issue if their is a motive or grievance then someone will exploit the flaws.
"And if you can get finer control, you could do much worse stuff. Max out the accelerator signal for 30 seconds, then trigger the stability control or ABS in some pattern calculated to roll the car."
Sounds like a movie-plot threat. Drive Free or Die Hard-er-est
@all " not realising the crazy system existed"
Yeah. How 'bout that? at first I laughed and now I'm pissed.
I'd sue. But then Weird Al wrote this song for me http://www.youtube.com/watch?v=MeXQBHLIPcw
@TimH "disable OnStar"
Gotta be a fuse for it maybe? cut the green wire or deploy a faraday cage around the xmiter and ant?
"We all know password security is important, but here's where the rubber meets the road!
Thanks, I'll be here all week."
This sort of thing clearly violates the rules of the road on the information highway. I mean someone had better get behind the wheel on this issue, put the pedal to metal, and bring this demolition derby to a screeching halt before we're all road kill.
The interesting comment about the horns only honking from 9AM to 9PM. Sounds pretty bogus. Most people would be working for most of that time and the effect won't be readily heard (unless someone calls you up to stop the horn). It seems that using the horn at any point at night is exactly what this company wanted: to annoy their customers into paying. Lying about what the system can/can't do might get them in trouble, especially since the customer might have signed up for this and they violated the conditions. Even more troubling is the fact that this is done to people who are financially risky and perhaps should even be considered.
"I smell a lawsuit"
- someone might just throw millions of messages at my car (eg from their own portable cell phone minitower closeby) and unlock/start/disable it
- thru a brute-force-prevention lock my car permanent which results in a denial-of-service for me (eg 10 times the wrong code makes you wait 10 min)
bad either way
@ John Kelsey
"...you could do much worse stuff. Max out the accelerator signal for 30 seconds, then trigger the stability control or ABS in some pattern calculated to roll the car."
And then, for like, even greater worseness, you could do this when the GPS tells the OnStar the vehicle is on a bridge...or entering a tunnel...or southbound on Highway 1 south of Stinson Beach. Dude, it would be totally messed up!
A valuable public service vulnerability advertisement
brought to you by a non-government-sworn-to-secrecy hacker.
When I saw this article, I was immediately reminded of the recent "laptop spy cam" news and went right to Schneier's site to see that... yes, indeed, it had already been posted. Drat! :D
First off, to remove something like this, I would definitely start by tracing the electrical system. All of these kind of gadgets, including OnStar, most consumer-grade "Private Investigator GPS spy units", third party alarms and yes, even LoJack, will have to plug in somewhere.
Most accessories are connected by the fuse box, conveniently located under your dashboard (yours may vary). After supplying the car's internal components, the electrical system will supply a line to this box and then branches out from there to your radio, A/C, and other accessories.
Looking at the fusebox and the wires that are connected to it will usually allow you to trace the connected components; to selectively disconnect a portion, just pull on the fuse until it pops out.
Your car will have a service manual that details all the components in a part blowup. Reviewing this manual can help you determine which components are supposed to be there.
In the case of the module described here, which can prevent the engine from starting, it may sit at a junction between some other components, like the onboard computer (ECM). In case the now-unplugged module does not have a fail-safe pass through, a rerouting of the wires may be needed.
But in fact, most newer cars have even more functionality that the owners aren't aware of. Other features may be installed by the manufacturer, dealer, or authorized or unauthorized third parties. I did a bit of web research and found that fortunately, there are ways to disable these "value added features".
TECHNOLOGY: OnStar - the use of OnStar to stop stolen vehicles in high-speed chases has been considered before; use of various GPS systems have been abused for stalking before and I would not be surprised if OnStar has or will be used to locate fugitives.
SOLUTION: Disable the antenna or disconnect the box, usually in back.
TECHNOLOGY: EDR - In addition, most consumers don't realize that most cars built in the last 5 years have a black box or "Event Data Recorder" that records driving-related data, such as brake deployment, if the crash sensors are activated. This data can be potentially incriminating or embarrasing in the case of a disputed collision accident.
SOLUTION: Most of the new ones are Bosch units integrated with the airbag controller. Please note the warnings about accidental airbag deployment. In the case of a recalled Toyota though I would leave it alone - the data will be more damning for Toyota than you in the event of "sudden acceleration"...
TECHNOLOGY: Toll transponders - This should be obvious to anyone here, but most toll transponders work using RFID technology. A word of warning: aside from the use of toll payment data for domestic dispute litigation, spying on spouses and stalking, the module may pose other privacy risks as well. Boxes such as the EZ-Pass use an active signal to broadcast to high overhead antennas. By broadcasting the "activation" frequency in a parking lot identification of all EZ-Pass-type customers in a 200-ft radius as well as possible cloning of the devices is a possible result.
SOLUTION: Remove toll transponder from dashboard. Request refund from EZ-Pass operator. Go to bank and get coins.
TECHNOLOGY: A company has come out with high voltage devices called "Road Patriot" and "Road Sentry" that uses a high voltage zap to fry the electronics of cars, presumably to end high speed chases. This brings up the questions of 1) how much voltage is really needed to fry a car 2) will this work on new Volkswagen cars and other cars with plate shielding of the undercarriage and 3) how can this be abused?
SOLUTION?: Cars with undercarriage protection may be immune. Older vehicles without electronics will not have vulnerable ECM (Electronic/Engine Control Modules) or spy features.
I just checked the manufacturer's site:
For those of you who are worrying about car dealerships putting this in without your knowledge: don't worry.
It's apparently paid for by the customer, and "offered" to clients who would otherwise be unable to afford a car. They sign an agreement not to tamper with the device and the system has a 24-hour emergency override feature. The device is supposed to be removed after the final payment.
The security implications are still concerning, but my initial fears (and from what I read on Wired, shared by many others) of surreptitious installation by shady car dealers appears to be unfounded.
Having heard a few comments about OnStar over time, and not being sure what to believe, and what to dismiss as tinfoil-hat fantasy, I looked it up and was amazed to find http://www.onstar.com/us_english/jsp/explore/... - why on earth would anybody agree to buy a car with that level of privacy invasion?
If all manufacturers (including imports) mandated such a system, it would be almost unavoidable for the average consumer. But if it is possible to buy a car without this "feature", why would one buy a car with it? I am genuinely perplexed. It's not as if GM make such desirable cars that (like iPhone for example) people may put other factors to one side to own the product... why would anybody buy a spyware-infested car?
This is a genuine question from someone in the UK who drives a German car which does not involve itself in any kind of pro- or anti-owner espionage...
This guy knew some co-workers password... how many people know your password.. shoulder-surf in i bet. He did not accomplish this through some sophisticated attach. once again a break down in security led to this. lots of questions I would ask about security procedures. my first is why is this system that disables cars only requiring a password. sounds like something that 2-factor should be used on.
"Its only a matter of time before they will be disabling humans by remote control :-)"
Shock Bracelet Considered For Airline Passengers, Border Control
"Don't worry about it Dr. Jones, we have top men working on it now.
My brother (well, really his wife) brought a fancy car with one of these gadgets in it. I asked them why they needed one and I got a dirty look, the same look I got when I asked him why he wanted a real Rolex.
I think its a status symbol.
I mean, I know he can use a map!
Being in the UK n' all, you know, vehicle-borne spyware would be the least of my concerns.
First you add in all in the 500,000 CCTV cameras, congestion charge cameras that store your information in a database (perfect for domestic disputes) and "safety" cameras. With a national ID registry may be coming soon, you'll realize exactly how much the wonderful Home Office cares about British privacy - EU data protection mandates be damned.
That's just the surveillance part. Other UK innovations in ineffective yet pervasive "crime fighting" innovations include the "anti-social behaviour order", the knife/sword ban, proposed curfews, and libel laws so popular litigants go the the UK just to use them.
I would personally have no object to driving an OnStar-equipped vehicle in the UK. After all, this is the same country where Top Secret MI5 intel about al-Qaida in Iraq was the exposed tube twice. Maybe three times. So no worries about OnStar... even if it /is/ supplied by a wholly owned subsidiary of the U.S. Government.
God Save the Queen. :)
"why is this system that disables cars only requiring a password. sounds like something that 2-factor should be used on."
First you have to define what you mean as "2-factor"...
As has been mentioned on this blog a couple of times in the past few days "2-factor" means whatever the marketing department thinks will get it past the SabOx auditor...
Thus one definition was "to have possesion of the 'secur' memory stick and it's password".
And another was "to know both paswords"...
Oh and somebody mentioned something about a US state putting PCI DSS into state law (this one I'm going to have to follow up because PCI requirment is well... let's just say if you think this system is bad... )
Having no allegiance to either country (though having lived in both, last century) let me offer to mediate between Steve Parker and Seiran.
IMHO, neither the US nor the UK government cares a fig for the privacy of its citizens. If you choose to live in one of those countries, get used to that. From time to time, one of them gets ahead of the other in some aspect of privacy invasion, but they learn from each other. Any major difference will be temporary.
OnStar, however, is easy to avoid wherever you live. I think the main reason people buy cars with it is that they don't bother to inform themselves in detail about what it can do.
I've located the Nevada Senate Bill No. 227 sponsored bySenator Wiener,
It's an update to existing legislation, and having had a brief read through it I'm less than impressed (there appears to be no prescribed penalties for non compliance...).
However outside of (1) PCI DSS requirments, there are requirments on "data collectors" of some PII type information, which appears to be a step in the right direction.
However SB-227 differentiates between data in "electronic" form going outside of an organisations "secure system" (whatever that may be...). And in a tangable "data storage device", which appears to be constrained to "the logical or physical controls of the data collector or its data storage contractor".
Sadly it is badly worded but it appears encryption is not required for voice or ITU group 3/4 fax communications (stand alone and computer/modem) or paper records (that concevably might be in computer readable form).
From the above link,
"2. A data collector doing business in this State to whom subsection 1 does not apply shall not:
(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission;
(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information."
Oh and this little goodie, which is effectivly a get out of jail free card, if you use the right legal "spin",
"3. A data collector shall not be liable for damages for a breach of the security of the system data if:
(a) The data collector is in compliance with this section; and
(b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents."
So no requirment to keep data in a secure format within the organisation, and if it is lost due to "a breach of the security of the system data" provided they are not on the payrole that makes it no liability. As proving "gross negligence or intentional misconduct" in such an internal system is not going to be easy...
Mind you there is one wry smile raiser,
"(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology."
Do they perchance mean "provably secure" encryption (such as OTP or it's equivalent) by "which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption".
And as for "Appropriate management and safeguards of cryptographic keys to protect the integrity" surely not "PKI"...
"Do they perchance mean "provably secure" encryption (such as OTP or it's equivalent) by "which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption"."
OTP is "unconditionally secure" (assuming, of course, a perfectly random OTP), which means that no computational assumptions are made. "Provably secure" means something else: that you can prove that the security of the cryptographic primitive is equivalent to a hard problem. An example is to prove that the cryptographic primitive is as difficult to break as the RSA problem or the DH problem. The proof is constructed by reducing an attack on the primitive to a solver for the corresponding problem. In other words, if you can break the primitive in P, then you can solve the problem in P. "Provably secure" involves computational complexity assumptions (e.g. that factoring large semiprimes or solving discrete logarithms is "hard").
And no, I don't think either of those is what they mean in the preceding paragraphs. :)
Perhaps a little bit off topic: I've just got my copy of Cryptography Engineering. Thanks a lot for a great book, but I have a question: why didn't you mention CFB in block cipher modes discussion ? Is there something wrong with CFB ?
Thank you for the correction,
The moral is don't tipy tapy as a way to occupie the mind not having any sleep.
I actualy ment both as in,
Do they perchance mean "provably secure" encryption or "unconditionaly secure" (such as OTP or it's equivalent) by "which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption".
As you say they probably did not intend either but, the use of "absence" and "necessary" in
"which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption"
Is a very high standard to set, as it excludes all forms of attack...
Oh and the use of "perchance" blaim Will Shakespeare's (Hamlet "To be or not to be") with the immortal words,
perchance to dream,
aye, there's the rub."
Is appropriate for one who cannot sleep but is deathly tired.
The whole speach in many ways is close to our notions of security within society and our place there in...
Watching the OnStar commercials, I've noticed that these things have microphones in them so the driver can talk to the OnStar operator.
I wonder if Government Motors can activate a microphone remotely and monitor conversations without the driver's knowledge?
It could be a powerful weapon in the war on terror as long as it's not abused. (They wouldn't abuse it, would they?)
@ Hard Times,
"It could be a powerful weapon in the war on terror as long as it's not abused. (They wouldn't abuse it, would they?)
First define what you mean by "abuse".
Second have a look at US Gov behavior for the past 8-12 years.
Third ask yourself if there is any common ground between 1&2.
If the answer to 3 is No the welcome to the world as the "outsiders" see it and I'll pass you a tin foil hat and a copy of "catcher in the rye" 8)
The answer is "of course they will" they trim their sails as they see fit.
As for the rest of us we have to delude ourselves that we are not of interest to such evesdropping, therefore it only happens to bad people...
By which logic we arive at the conclusion the US Gov considers all the people that it can evesdrop on by whatever method "bad" ;)
@Hard Times: Yes it can be reversed without the operator's knowledge. Back in the 90's before "terrorist" became the root password to bypass the US Constitution, The FBI had OnStar (without a warrant) put OnStar into reverse to monitor suspected mafiosi conversing in cars.
I have 2 problems with this - 1) it is a form of wiretap and therefore should have due process (ie a judge's approval - cant be THAT hard to get).
2) The other problem is this: When I pay Onstar (hypthetical only - I would NEVER have a car with this @#$! on it - even if I have to cut the antenna line, pull the fuse or build my own engine control computer to avoid it) for a monitoring service, I expect it to call an ambulance if I have a wreck. HOWEVER when OnStar does this unconstitutional "reverse" the link and transfer feed to FBI stunt, it disables the automatic safety features that I am paying for. If I have an accident when the FBI has the link, nothing happens (well, the FBI guys probably have a laugh, but no ambulance gets called).
As far as the subject of the article, this has to be a "buy here pay here" type of used car facility, a new car manufacturer would have screaming shit fits if they found dealers putting these electronics on their new cars without prior approval. I think its a good idea, lets people buy cars who might not be able to otherwise. Kind of like check-cashing places let people in hard times borrow money that they would otherwise have to go to a loan shark for.
The crazy thing here is that the only reason these devices would be put on a vehicle is to track a car via GPS. Why they would have it on 100 cars baffles me. It's generally used for people who are using "In House" Financing options. It would be interesting to see how this plays out, because the customer must be aware of such devices being present and must sign a consent form...or at least thats the case in CA. This could be a lawsuit.
What encryption are these people using? Not Keeloq (still or again) I hope.
@Used Cars Los Angeles: You're correct about the financing options, as far as I've learned: these were cars being financed by the seller, presumably to people with very bad credit. I suspect the contract signed was very favorable to the seller, as many people who are large credit risks aren't all that good at avoiding bad contracts. The legal issue likely comes down to something like: there were no guarantees about the behavior of the box, everything was the buyer's responsibility, and all disputes were supposed to go to binding arbitration by arbiters who will almost always rule in favor of the seller.
Hmmm, I recently got a 2010 Camaro SS with OnStar. Sure would be nice to have a toggle switch on that, all the sites that talk about this only show how to take it all the way out. I don't think they have throttle control, but in this car, just turning that wide open for *much* less than 30 seconds is enough to get going WAY over 150mph....no other fancy dance needed. Probably wouldn't kill me -- but whoever is in the way when I ditch deliberately (inverse pit maneuver) before it gets going that fast. I know this as I had some nice cops help me test the new car they were drooling over themselves -- amazing how nice they *can* be if you let them have a little fun too.
I don't care if they listen in -- I don't talk trash in my new cars anyway, or anywhere else, they'd die of boredom or get sick of the music I play in there.
But imagine this scenario as it's somewhat probable. I live in the far boonies, where it can actually be pretty safe to "stretch out my legs" and go very fast -- it's a real event to see another car some days in a 20 mile round trip. As soon as I get near "civilization", I slow down, of course. Now someone blows a stopsign and hits me -- nothing even a very good defensive driver can do about that one sometimes.
They pull the black box, see the 100 mph plus speeds and now it's all my fault! Wonder what the time resolution on this data aq is?
Want that toggle switch badly. I want the phone etc to work when I want what I pay for, but not this other junk. Feeping creaturism?
To say you won't buy a car with this stuff in it -- then you'd better get used to antique cars that aren't otherwise as safe (handling etc have really gotten better over the recent years, especially stopping power which is the first thing I check in a test drive -- no point going if you can't stop -- air bags, crush zones, all that stuff)....while you can still find them at all (cash for clunkers). It doesn't seem all that realistic to keep maintaining a '70's Oldsmobile that gets ~9 mpg (the 422 hp Camaro gets better than 21 around town -- my 6 cyl Honda mini truck gets less!).
OK, the device that started this thread, no problems with that and I understand how that can be a good deal for all involved. This is much more insidious as it's just on the cars, not an option to not get it.
@DC: Its more insidious than that. You can't just remove it. These things are all integrated systems and if you disable just the "bad" parts, the engine wont work anymore. Its the creeping computerisation at fault. Before computers, this would have been a removable module whose absence had no measurable effect (like a gallbladder or appendix).
However now that every aspect of operation is controlled by computers (for example in my Silverado the VENTILATION CONTROLS have a CPU which second guesses me on whether I deserve to turn the A/C faster or blow more heat to my feet - and at least once a year it locks up and I have to pull off the road and "reboot" by shutting the ignition off - another benefit of overcomputerisation; I hope this Toyota thing reverses this trend, but I imagine its just like government taking control of everything; once you lose control over an aspect of your life you never get it back) you wont be able to remove the "talk to big brother" unit because it is the same one which makes the spark plugs fire, so instead of an appendix its more like removing a brain or heart.
Right now it is "fail-safe" where if it loses contact with OS it still will run normally so you can safely terminate the antenna connection, but eventually it will be "fail-death" where if it cant get a response from the satellite it wont start.
But as far as "black-box" technology, these engine control computers remember like an hour's worth of stuff (now) and are ever more frequently showing up in court - and these are in your car, nothing to do with OS.
The only solution is to put your own stand-alone engine control system in for induction, fuel & ignition control. And of course if you have mandatory emissions testing, you'll need to put in a computer to pretend it is an OBD-II system when interrogated to have it say "all's well".
How is this different from disabling your cell phone, home phone, cable TV, etc. for non payment? All of those can be remotely disabled by a hacker who breaks into the respective systems. I can imagine fraudulently shutting down electricity and water service by generating truck-roll tickets.
For that matter, what's to prevent a fraudulent repossession contract from being issued?
To be honest, I saw it coming, but anyone I suggested to that this might happen, typically called me "paranoid". :)P
well its texas, what do you expect? haha just kidding. but in all seriousness, this kinda stuff is gonna happen more and more and it'll keep happening until we pretty much lose our privacy. Someone here said that if its physically possible, someone will do it, no matter how stupid. That is absolutely true. If there's ever a question "We can do this, but should we?" someone will for sure answer it "yes".
Sidelobe asked, "How is this different from disabling your cell phone, home phone, cable TV, etc. for non payment?" It's similar to that. However, that doesn't happen. Those devices are not remotely disabled; the service with which they are used is. The analogous operation would be to disable a car's access to roads or to fueling stations in the event of non-payment for use of those services.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.