Schneier on Security
A blog covering security and security technology.
March 20, 2007
Control Your Car from the Internet
Really. Or, for more fun, hack into the system and control someone else's car from the Internet.
Posted on March 20, 2007 at 2:00 PM
• 17 Comments
I like the possibility of controlling an explosive device with the "Set Motion Notification [Stop]" option. Wonder where I've seen -that- before? Brilliant.
Byline: "Bringing movie plot threats closer to reality."
Someone been watching Knight Rider reruns? Where are the turbo boost and ejection seat buttons?
> control someone else's car from the Internet.
Car bombs no longer need suicide drivers. Oooh! You can now take over a car *driven by an innocent* and turn it into a weapon of terror!
Wasn't this done in "Batman Returns"?
Wasn't this done in a James Bond movie?
(which is actually becoming reality - VW have created the research Golf [I guess a beetle would be corny] that can 'drive itself' - they call it the '53+1' after the famous car)
This is not a problem. It's an opportunity. Combustion engines are old hat. What a good motor industry executive wants is to develop a new market.
Vehicle firewalls anybody?
Try as I might, I can't come up with a Windows/Linux joke that hasn't been said already.
hmm.. you can start the engine via the web. This could lead to interesting results if you leave the first gear in while parked (as I usually do).
Who is responsible when you get hit by a car without driver in it? The police may be able to track the web control usage back to one IP, but who was on that PC at that time? Oooh, I can smell funny lawsuits coming up :)
I like it but it's lacking a few features:
"Excuse me sir but your car's been stolen"
"Has it? Hang on ..."
Logs in ...
Perhaps it could automatically notify the insurance company as well.
I think I'll wait for the open source alternative then I can code my own features ( but I promise to use my 1337 coding skills for good not evil )
Car bombs have never needed suicide drivers. Well not for a long time anyway.
Wiring up a car to a remote control is pretty easy. It's done frequently in Hollywood and would not be difficult for many electronic hobbyists....
That's the irony in all this.
Remote start makes a nice denial-of-service technique if you can run the car out of gas. Also a nice potential murder weapon when employed in an attached garage when occupants of the house are asleep.
And of course there will be a CALEA-style back door in the system so that law enforcement can track or stop any attached vehicle...
Combine this with Volvo's in-car heart rate sensor and you have a good monitoring system for race car drivers. Other than that, it seems pretty dangerous.
I'm still waiting for the first automotive virus that will now have the ability to control your car. Maybe then lawmakers will do something real and useful about stopping hackers, spam, viruses and identity theft. Or maybe we'll just have multiple types of cars, the less expensive adware ones, and the "pro" unlocked version that only gets spam.
Should make carjacking a little easier... ...as well as heists of armoured vehicles (shades of "After the Sunset").
Will present an interesting dilemma for international law (similar to the issues of hacking and computer crimes) if the person who takes control over the internet is in another country... where did the actual crime occur?
From the website comments and because I don't wish to create an account there....
3. This solution better has a two factor authentication like RSA or Entrust tokens, otherwise this idea will fail due to a weak security implementation.
So long hackers and giggles indeed.
Posted at 12:15PM on Mar 17th 2007 by PaulM
4. Yea but what happens when somebody hacks into their server and decides to start or stop everyone's cars? Or what happens when there's a glitch that won't allow you to turn the car off after you've started it?
Posted at 3:27PM on Mar 17th 2007 by Ford Mustang
5. Two factor authentication must be implemented for both: users and admins and you can protect entire server or particular page where all start/stop/lock controls are... it's easy to do... so, even when somebody breaks in to the server - won't be able to access this page without PIN+token code...
Posted at 11:29PM on Mar 17th 2007 by PaulM
Anyone who thinks two-factor auth is any more of a silver bullet than encryption is (sadly....these people still do exist)....well...I'd hate to have them work security for my organization....unfortunately I think they do. People get a hold of buzz words and technology and have no idea what risks these technologies mitigate or how they mitigate them. The problem partly belongs to the industry...we don't have enough security engineers/researchers..but far too many practitioners who are not adequately trained to understand what they are practicing or how it helps.
The problem worsens itself when such people are given titles or promote themselves as "experts" =\
Just my $.02
From a more pedestrian perspective, I'm really getting tired of the saving-the-kids justifications like:
"Aside from providing a bit more convenience and protection, the major draw for some users, namely parents, is the ability to not only track the movements of the vehicle, but also be alerted via text message or email if the kiddies stray from set boundaries or operate the vehicle during certain times of the day or night (no more ditching school or sneaking into the love interest's window at 3 AM)."
For Pete's sake, why not just throw your kid in a room and not let them out until they're 21 if everyone is so damn concerned about tracking their every movement. Between that tracking everything they see, everyone they talk to...heck with this sort of logic for child rearing our country is doomed ;) Giving up all of our privacy rights in exchange for our kids being safe seems like the framing for a non-existent dichotomy.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.