Entries Tagged "cars"

Page 12 of 18

Hacking Cars Through Wireless Tire-Pressure Sensors

Still minor, but this kind of thing is only going to get worse:

The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they’re wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.

The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.

More:

Now, Ishtiaq Rouf at the USC and other researchers have found a vulnerability in the data transfer mechanisms between CANbus controllers and wireless tyre pressure monitoring sensors which allows misleading data to be injected into a vehicle’s system and allows remote recording of the movement profiles of a specific vehicle. The sensors, which are compulsory for new cars in the US (and probably soon in the EU), each communicate individually with the vehicle’s on-board electronics. Although a loss of pressure can also be detected via differences in the rotational speed of fully inflated and partially inflated tyres on the same axle, such indirect methods are now prohibited in the US.

Paper here. This is a previous paper on automobile computer security.

EDITED TO ADD (8/25): This is a better article.

Posted on August 17, 2010 at 6:42 AMView Comments

Protecting Cars with The Club

From the Freakonomics blog:

At some point, the Club was mentioned. The professional thieves laughed and exchanged knowing glances. What we knew was that the Club is a hardened steel device that attaches to the steering wheel and the brake pedal to prevent steering and/or braking. What we found out was that a pro thief would carry a short piece of a hacksaw blade to cut through the plastic steering wheel in a couple seconds. They were then able to release The Club and use it to apply a huge amount of torque to the steering wheel and break the lock on the steering column (which most cars were already equipped with). The pro thieves actually sought out cars with The Club on them because they didn’t want to carry a long pry bar that was too hard to conceal.

Posted on June 14, 2010 at 1:46 PMView Comments

Mainstream Cost-Benefit Security Analysis

This essay in The New York Times is refreshingly cogent:

You’ve seen it over and over. At a certain intersection in a certain town, there’ll be an unfortunate accident. A child is hit by a car.

So the public cries out, the town politicians band together, and the next thing you know, they’ve spent $60,000 to install speed bumps, guardrails and a stoplight at that intersection—even if it was clearly a accident, say, a drunk driver, that had nothing to do with the design of the intersection.

I understand the concept; people want to DO something to channel their grief. But rationally, turning that single intersection into a teeming jungle of safety features, while doing nothing for all the other intersections in town, in the state, across the country, doesn’t make a lot of sense.

Another essay from the BBC website:

That poses a difficult ethical dilemma: should government decisions about risk reflect the often irrational foibles of the populace or the rational calculations of sober risk assessment? Should our politicians opt for informed paternalism or respect for irrational preferences?

The volcanic ash cloud is a classic case study. Were the government to allow flights to go ahead when the risks were equal to those of road travel, it is almost certain that, over the course of the year, hundreds of people would die in resulting air accidents, since around 2,500 die on the roads each year.

This is politically unimaginable, not for good, rational reasons, but because people are much more risk averse when it comes to plane travel than they are to driving their own cars.

So, in practice, governments do not make fully rational risk assessments. Their calculations are based partly on cost-benefit analyses, and partly on what the public will tolerate.

Posted on June 11, 2010 at 12:08 PMView Comments

Voluntary Security Inspections

What could possibly be the point of this?

Cars heading to Austin-Bergstrom International Airport will see random, voluntary inspections Monday.

The searches are part of an increase in security at the airport.

It’s a joint operation between the U.S. Department of Homeland Security, Austin Police, and airport security.

The enhancements are not a response to specific threats, and the security level has not changed.

Officials say the searches are voluntary and drivers can opt out if they want.

Training? Reassuring a jittery public? Looking busy? This can’t possibly be done for security reasons.

Posted on June 1, 2010 at 1:00 PMView Comments

Automobile Security Analysis

Experimental Security Analysis of a Modern Automobile,” by a whole mess of authors:

Abstract: Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

Posted on May 21, 2010 at 6:56 AMView Comments

Seat Belt Use and Lessons for Security Awareness

From Lance Spitzner:

In January of this year the National Highway Traffic Safety Administration released a report called “Analyzing the First Years Of the Ticket or Click It Mobilizations“… While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 – 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal of the campaign was to change behaviors, specifically to get people to wear their seat belts when driving… The campaigns were very successful, resulting in a 20-23% increase in seat belt use regardless of which statistics they used. The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage.

[..]

I feel the key lesson here is not only must an awareness program effectively communicate, but to truly change behaviors what you communicate has to be enforced. An information security awareness campaign communicates what is enforced (your policies) and in addition it should communicate why. Then, follow-up that campaign with strong, visible enforcement.

Posted on April 28, 2010 at 7:39 AMView Comments

Disabling Cars by Remote Control

Who didn’t see this coming?

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

[…]

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

Posted on March 18, 2010 at 7:41 AMView Comments

Car-Key Copier

This is neat:

The Impressioner consists of a sensor that goes into the lock and sends information back to a computer via USB about the location of the lock’s tumblers—a corresponding computer program comes up with the code, depending on the make of car you’ve entered beforehand. Once you know the code, a key-cutting machine can use it to carve up a key.

Right now, it’s a prototype that only works on Ford car locks. The article points out that both locksmiths and thieves can use this device.

Another article.

EDITED TO ADD (2/16): How it likely works.

Posted on February 12, 2010 at 6:23 AMView Comments

1 10 11 12 13 14 18

Sidebar photo of Bruce Schneier by Joe MacInnis.