It might be worth checking that your vehicle has been updated, it's a scary thought that systems can be hacked and the consequences
https://samcurry.net/web-hackers-vs-the-auto-industry/
That's a quality read. Thanks for sharing.
A great deal of this is about vulnerabilities in the corporate networks rather than the vehicle itself. It's possible to hack into an actual vehicle to take over some of the systems via malicious code but it's more likely that someone would want to try and steal the unlock code so they can then steal the car which is actually worth something, as opposed to data which probably isn't (unless you want to try and hold a company to ransom).
Hack vulnerabilities for safety systems would be interesting, eg, turn off the brakes, but actually very difficult to do (the systems are silo'd from the outside) and frankly, why would anyone bother unless they're trying to do some large scale corporate or state level blackmail or want to go after someone specific.
TBH, keyless entry (ie. not using a plipper but where the car detects that you are nearby and unlocks itself automatically) is the biggest issue at the moment as cars can be stolen using scanner systems to remote access and activate the keys if they are kept close enough to the car, but this is far more likely if you have something like a Range Rover or Merc than a Kia Ceed...
TL;DR, unless you have a nice expensive car with keyless entry, in which case, keep your keys in a RFID faraday bag 🙂 and for everyone else, FFS don't leave your car keys in a bowl on a table next to the front door that can be seen from the letterbox...
In South Africa, there is a major problem with criminals using radio interference to block you locking your car in parking lots, then just opening the door and boot and stealing all the stuff in your car. Insurance doesn't pay out as you did not lock your car.
And it doesn't even need to be high-tech for car companies to mess up: https://www.thedrive.com/news/how-thieves-are-stealing-hyundais-and-kias-with-just-a-usb-cable
for everyone else, FFS don’t leave your carkeys in a bowl on a table next to the front door that can be seen from the letterbox…
Honestly, if someone were to break into my house to get my car keys, I'd much rather the keys were in a bowl next to the door than having car thieves standing in my bedroom with a knife asking where they were.
Visible from the letterbox is silly though, they could be fished out with a coat hanger.
if someone were to break into my house to get my car keys, I’d much rather the keys were in a bowl next to the door than having car thieves standing in my bedroom with a knife asking where they were.
LOL. I think that might be a direct quote from the last post I made on the same point. 😂
A great deal of this is about vulnerabilities in the corporate networks rather than the vehicle itself.
Doesn’t really matter which attack vector they use after they’ve driven off in your shiny new car 😂
The cyber & indeed regular security from most of the major vehicle manufacturers is absolutely pathetic. Even the head of the AA keeps his keys in his microwave because of how easy cars are to steal 🙄😂 https://www.theguardian.com/technology/2022/aug/05/aa-chief-reveals-his-microwave-tip-to-foil-tech-savvy-car-thieves
My Ford (as stock) can be stolen within seconds by using a lockpick easily purchased off the net then plugging a laptop into the OBD2 port & running some software. (Obviously I have taken steps to prevent this so don’t try it 😀)
The fact the manufacturers spent close to zero effort on security is inexcusable, but I guess most car buyers don’t consider it so it doesn’t help sell vehicles?
Fascinating Timba, bookmarked
The fact the manufacturers spent close to zero effort on security is inexcusable, but I guess most car buyers don’t consider it so it doesn’t help sell vehicles?
Like most car crime, it'd be easily preventable but that goes against the whole "freedom!" and "convenience!" sales angle.
It'd be easy to implement fingerprint or face ID before you can start it, easy to have an inbuilt breathalyser, black box, dashcam, speed limiter and so on.
You could remove a lot of car crime very quickly through some proper security measures (and through better roads policing and sentencing which is a different topic) but it's not a selling point. 🤷🏻‍♂️
The fact the manufacturers spent close to zero effort on security is inexcusable, but I guess most car buyers don’t consider it so it doesn’t help sell vehicles?
"Some" manufacturers spend a significant amount of cash. A lot are playing catch up, and even more are diligently gazing at their navels and leaving it to the suppliers and insurance companies to deal with...
Car security is utter crap, people blame the folk selling bump keys, leishy picks, OBD plugs and such but if these easily fixed exploits weren't there then people wouldn't be able to take advantage of them.
Some of the info in that article is pretty shocking but at the same time not overly surprising. There's not really an excuse for having vulnerable publicly-accessible APIs but it's easy to understand how it happens if a company doesn't have IT security at the core of its policies and resource it as such.
The client I work for has various classified systems and even there (although thankfully they're not publicly accessible) there's gaps in knowledge between the infrastructure and development side of IT, we do have a security team but they are more audit and assurance rather than technical security. So securing things like APIs mostly comes down to following vendor documentation (if it exists) and hoping any gaps will get picked up via penetration testing (although I know that won't be as comprehensive as much of the hacking documented in this article).
On the automotive side I can imagine similar gaps being there and add into the mix pressure to roll out new systems and features to maximise revenue etc. and unless you have a very good technical security team that's empowered to prevent systems going live until issues are addressed etc. (and having the time to thoroughly review them) you're going to end up with the sort of issues documented in the article.
A lot of people assume securing systems is relatively straight-forward, it isn't. Securing them 99% of the way is straight-forward, it's that last bit that's difficult (and in many cases impossible) - not that most of the issues identified in the article fall into that 1%...
Securing them 99% of the way is straight-forward, it’s that last bit that’s difficult (and in many cases impossible) – not that most of the issues identified in the article fall into that 1%…
It's the "not that most" that is the problem. There are many years of hard learned lessons about security in the software industry as a whole. The car industry seems to have gone "nahhhh. let's start from scratch".
When I was a lad I remember the krooklocks and similar slowly disappearing from the shelves because the standard car locks had got good enough not to need them.
Now though with the magic of computers they are back again.
That's leaving aside the ones which actually allow direct interference with cars. Just imagine the "fun" someone could have hitting the engine off button for a certain type of car during rush hour.
Scary that they could track and disable fleets of Cop cars and Ambulances..
Sounds like something from a Hollywood Heist movie!
Just imagine the chaos if all the BMWs and Mercedes were disabled on the same day..
Also, runs off to check the Ferraris are still in the garage..
Also, how good is the Tesla driverless system locked up?
Bring back keys and a short range transponder chip. No such issues with our cars, can't be robbed without the key (or very difficult to rob). BIL always puts his keys in a special pouch when in the house - what a faff, just for push button start ! It was one of the reasons we bought the slightly older version of MrsF's car - the older one wasn't keyless.
I've avoided keyless systems deliberately, I wouldn't have one if it was offered.
Same with the house; a few years ago we bought a front door lock for my MiL that was operated by a fob or a PIN. They're not available now, only smart locks that you open with your phone. Obviously I'm a boomer dinosaur but I wouldn't have one of those.
Often the biggest problem with 'smart' door locks is they also have a manual key which is trivially easy to open.
The problem with locks is they are attached to doors, which have windows which can be smashed.
On a slightly different tack a mate of mine is a big wig at EURO NCAP, he says as cars are now so software driven it's actually cheaper for say BMW etc to make all of their cars exactly the same system wise and then simply charge you to turn on your electric seats, driver assist pack etc, he says unfortunately the inevitable conclusion of this will be a monthly subscription to BMW service pack or whatever you want to call it, don't pay and they'll simply turn your car back in to a base model, it's the future.
Nothing new there, car manufacturers have been doing that for 15-20 years, making multiple models with the same build list, then changing performance and functionality with software.
@catfood yeah that’s very much a thing, I can enable add ons with my Audi for one off payment or subscription.
Thought BMW were already doing that? Or at least announced it? Think Merc do it too (although with them it’s performance/acceleration I think). Just shows what mugs the people who buy that kind of car are 😂
only smart locks that you open with your phone. Obviously I’m a boomer dinosaur but I wouldn’t have one of those.
Smart locks (for your front door) aren’t any less secure than mechanical ones, really. But they are way more secure than your average remote/keyless locking system used on a car (which amusingly plenty of people are happy to have who wouldn’t entertain a smart front-door lock!) Just don’t understand how those are so far behind in terms of tech/security.
Just don’t understand how those are so far behind in terms of tech/security.
Convenience of the user. All that effort of clicking a button to open the door when it could just open as you walk up to it... 😉
And besides, if the car gets nicked, the insurance pay up and the customer goes off to buy another car.
Can I just ask something here, ELI5 style?
I've never had or used one of these things.
I understand you can just "walk away" and presumably it senses how far you are, and remotely locks itself, and vice versa.
Can you walk away from the car and actually choose to lock or deadlock the car? Like plip it?
That's a really interesting read.
My Ford (as stock) can be stolen within seconds by using a lockpick easily purchased off the net then plugging a laptop into the OBD2 port & running some software.
Good to see they are maintaining the tradition of poor security. It used to be any key would fit any car from Ford.
Yes, we used to move a mate's Fiesta round the 6th form car park with the keys from another mate's Fiesta, then he'd do the same back. Got really out of hand when we found that the same keys would unlock the maths teacher's Escort.
That's the point where they banned us from being in the car park unless we were starting or finishing lessons.
You could unlock a mate's Nova with the blade from a pair of scissors. Needed the key to start it though. Or you'd stab yourself in the leg every time you moved from brake to accelerator, or vice versa.
It used to be any key would fit any car from Ford.
My granddad once left work in his Austin Allegro. The only reason he realised he was halfway home in his boss's Allegro was because he'd reached for his sunglasses and they weren't there.
I almost miss those days. Mid-90s, a lass at work locked herself out of her car. Before I could say anything a colleague jumped up, proclaimed to be an ex police officer and that he knew how to open cars. Off they went. Maybe 20 minutes had gone by, I moseyed on down. He was there with a makeshift slim jim down the side of the window or something. A small crowd had developed. I asked "can I have a go?" and raked the lock in about five seconds.
I understand you can just “walk away” and presumably it senses how far you are, and remotely locks itself, and vice versa.
Yes
Can you walk away from the car and actually choose to lock or deadlock the car? Like plip it?
Yes, at least on my Megane you can.