Hacking Data

  • Comments posted to this topic are about the item Hacking Data

  • Steve,

    In your editorial you say: "I saw a note recently that researchers had successfully hacked a car using only an MP3 file on a CD. They were able to lock the doors and kill the engine in a car."

    But in the article it says (emphasis mine):

    "they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.

    In that experiment, they had to plug a laptop into the car's internal diagnostic system in order to install their malicious code."

    Though I don't doubt the systems will one day be interconnected enough for us to be concerned about a malicious MP3, I don't think we're quite there yet.

    Are you gunning for a job on Fox news? 🙂

  • In the late 1970's I had a professor who said:

    You have to accept that as long as there are technical "advances" made, there will be those who try to break, or turn to their own sometimes evil will, any technology man can invent.

    If you wrap your life up with technology and think you are safe because the manufacturer "tested" their product, you are kidding yourself. In today's marketplace the idea is to get product to market as fast as possible, and in that dynamic, clearly stuff is not being tested and designed as well as if time were available to assess and manage risk. In the end, you (Mr. Consumer) are only a revenue source for that given company, so don't kid yourself that they took the time to ensure you are safe.

    Worse still, there is the ignorance of the very consumer buying the stuff! Do you know that every cell phone ever made recommends that when in use, the device be held an average of 9mm from your head? Hey, who reads manuals, right? Did you know that most countries print warnings right on the cell phones, with one major exception - the United States - where the cell phone lobby ensured we would not do that?

    Is that the action of a company looking out for your safety? No, they are looking out for revenue.

    If you look at the reality, many people are now slaves to their technology - and worse, they simply presume it's all safe and unhackable. We thought the same thing about asbestos, thalidomide, bloodletting, and well - history is replete with examples where our own ignorance blew up in our faces. So in the end, the onus is on you - the user - no one else is going to be looking out for you, because throughout history as well, "their" motivation is revenue - not you.

    There's no such thing as dumb questions, only poorly thought-out answers...
  • It's crazy to think that the audio system in some cars can be wired to the ignition system in such a way that a hacked MP3 file could kill the engine. I guess it's exploiting a hole in some high tech "smart" feature that the owner paid a few hundred extra bucks for at the auto dealership. Personally, I still drive my '99 Corolla, because it gets me where I need to go.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Chris-354050,

    Look a little closer at the article. The laptop connection study was a separate study from the one where they tested Bluetooth and music files.

    As far as the Fox News comment, have a little respect for the other members of this forum and leave politics out of the discussion.

    Thanks.

  • I suggest we all go back to listening to AM radio. No more tapes or CDs or XMSirius radio that no one knows anything about or that requires you to insert some unknown media into a "reader" in your car.

    Bluetooth? Who needs it? If the auto manufacturers can unlock your doors for you, or know when your car has impacted some other object in a destructive way and can call the local cops, we are already in big trouble.:w00t:

  • Craig,

    You're correct about it being separate studies, that's the point I was making i.e. that the editorial had conflated them.

    FYI: the comment about Fox was intended humorously and referred to the quality of their reporting, no mention was made of politics. My apologies to all those who were offended.

    Chris.

  • nelsonj-902869 (3/23/2011)


    I suggest we all go back to listening to AM radio. No more tapes or CDs or XMSirius radio that no one knows anything about or that requires you to insert some unknown media into a "reader" in your car.

    Bluetooth? Who needs it? If the auto manufacturers can unlock your doors for you, or know when your car has impacted some other object in a destructive way and can call the local cops, we are already in big trouble.:w00t:

    The only thing I listen to on FM is NPR. I'll also listen to MP3 podcasts on my car stereo using one of those $12 Jupiter Jack devices designed for cell phones.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • It isn't just the hackers you have to worry about... the car manufacturers are up to no good with their own car software.

    Peugeot in Europe were found to be incrementing the odometer with an algorithm based on length of journey, engine starts and stops etc, in order to "more accurately reflect the wear and tear on the car".

    It was noticed by an eagle-eyed owner who spotted that his odometer had jumped 2 miles after he had done nothing more than open and shut the door.

    Of course, it had nothing to do with increasing service frequency or car replacement or making the MPG figures look good. 😉

  • Ian Scarlett (3/23/2011)


    It isn't just the hackers you have to worry about... the car manufacturers are up to no good with their own car software.

    Peugeot in Europe were found to be incrementing the odometer with an algorithm based on length of journey, engine starts and stops etc, in order to "more accurately reflect the wear and tear on the car".

    It was noticed by an eagle-eyed owner who spotted that his odometer had jumped 2 miles after he had done nothing more than open and shut the door.

    Of course, it had nothing to do with increasing service frequency or car replacement or making the MPG figures look good. 😉

    Those exaggerated odometer readings are costing people money, when they rent a car or pay for auto insurance per mile driven.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • The injection of code did happen with a CD, which also distracts from the issue. There is the ability for someone to inject code anywhere a decode happens, whether by CD, over the airwaves, Bluetooth, etc. I assume the laptop experiment was to determine what code was needed to inject, which someone could do on the same model of car.

    Bruce Schneier doesn't necessarily see this as a wide issue as the code is model and year specific, but as car manufacturers look to develop standards, or get a significant portion of their code from somewhere like the Microsoft Sync platform, this could be an issue. Note I'm not bashing sync. Android for cars would have the same issue.

    No worries on the Fox News comment. I hope I'm not in the running for a job there.

  • Chris-354050 (3/23/2011)


    Steve,

    In your editorial you say: "I saw a note recently that researchers had successfully hacked a car using only an MP3 file on a CD. They were able to lock the doors and kill the engine in a car."

    But in the article it says (emphasis mine):

    "they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.

    In that experiment, they had to plug a laptop into the car's internal diagnostic system in order to install their malicious code."

    Though I don't doubt the systems will one day be interconnected enough for us to be concerned about a malicious MP3, I don't think we're quite there yet.

    Are you gunning for a job on Fox news? 🙂

    You are correct that the editorial conflated two separate attacks. It's worth noting, however, that the MP3 Trojan was able to alter the firmware on the stereo, providing entry to other systems. I'd like to have a better understanding of exactly what was accomplished, but we may already need to be concerned about malicious MP3s.

    Of greater concern to me is that the researchers themselves really downplay the risk by referring to the level of skill required and the variety of systems out there. We should already know that script kiddies don't invent attacks, they just use software created by those with the skills to do so, and not all script kiddies limit themselves to merely annoying kinds of behaviour. As to the variety of systems out there, let's not forget that the car manufacturers are already using a lot of off-the-shelf components in their cars, to the point where competitors might be buying key components from the same manufacturer. If nothing else, Windows CE/embedded and Android are already finding their way into cars.

  • Ron Porter (3/23/2011)


    Chris-354050 (3/23/2011)


    Steve,

    In your editorial you say: "I saw a note recently that researchers had successfully hacked a car using only an MP3 file on a CD. They were able to lock the doors and kill the engine in a car."

    But in the article it says (emphasis mine):

    "they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.

    In that experiment, they had to plug a laptop into the car's internal diagnostic system in order to install their malicious code."

    Though I don't doubt the systems will one day be interconnected enough for us to be concerned about a malicious MP3, I don't think we're quite there yet.

    Are you gunning for a job on Fox news? 🙂

    You are correct that the editorial conflated two separate attacks. It's worth noting, however, that the MP3 Trojan was able to alter the firmware on the stereo, providing entry to other systems. I'd like to have a better understanding of exactly what was accomplished, but we may already need to be concerned about malicious MP3s.

    Of greater concern to me is that the researchers themselves really downplay the risk by referring to the level of skill required and the variety of systems out there. We should already know that script kiddies don't invent attacks, they just use software created by those with the skills to do so, and not all script kiddies limit themselves to merely annoying kinds of behaviour. As to the variety of systems out there, let's not forget that the car manufacturers are already using a lot of off-the-shelf components in their cars, to the point where competitors might be buying key components from the same manufacturer. If nothing else, Windows CE/embedded and Android are already finding their way into cars.

    My thoughts exactly, once somebody figures this stuff out, they just publish and others plug n play, they don't have to do the work to re-discover.

    "stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • An MP3 player and an automobile engine are two unrelated systems that should not be tightly coupled.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Once you understand that the car runs a CAN network system between all major systems, it's no different from a network hack on the internet, other than that it's a CAN network, not an Ethernet network.
