Journalist Michael Hastings is dead at 33

Moderators: Elvis, DrVolin, Jeff

Re: Journalist Michael Hastings is dead at 33

Postby Nordic » Tue May 26, 2015 5:21 pm

More on remote control hacking of modern cars. They can actually hack the car through the music you play. No shit.

"He who wounds the ecosphere literally wounds God" -- Philip K. Dick
Nordic
 
Posts: 14230
Joined: Fri Nov 10, 2006 3:36 am
Location: California USA
Blog: View Blog (6)

Re: Journalist Michael Hastings is dead at 33

Postby MinM » Sat May 30, 2015 12:06 am

GM says you don't own your car, you just license it

GM has joined with John Deere in asking the government to confirm that you literally cannot own your car because of the software in its engine.

Like Deere, GM wants to stop the Copyright Office from granting an exemption to the Digital Millennium Copyright Act that would allow you to jailbreak the code in your car's engine so that you can take it to a non-GM mechanic for service, or fix it yourself. By controlling who can service your car, GM can force you to buy only official, expensive parts, protecting its bottom line.

As Consumerist quips, GM wants you to know that the car in the driveway is "literally not your father's Oldsmobile."

GM’s claim is all about copyright and software code, and it’s the same claim John Deere is making about their tractors. The TL;DR version of the argument goes something like this:

* Cars work because software tells all the parts how to operate

* The software that tells all the parts to operate is customized code

* That code is subject to copyright

* GM owns the copyright on that code and that software

* A modern car cannot run without that software; it is integral to all systems

* Therefore, the purchase or use of that car is a licensing agreement

* And since it is subject to a licensing agreement, GM is the owner and can allow/disallow certain uses or access.

GM: That Car You Bought? We’re Really The Ones Who Own It. [Kate Cox/Consumerist]

http://boingboing.net/2015/05/21/gm-say ... ur-ca.html
Earth-704509
User avatar
MinM
 
Posts: 3286
Joined: Wed Jun 04, 2008 2:16 pm
Location: Mont Saint-Michel
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Pele'sDaughter » Mon Jun 01, 2015 10:38 am

Simple. Don't buy GM. Of course, how long will it be before they're all on board. :wallhead:
Don't believe anything they say.
And at the same time,
Don't believe that they say anything without a reason.
---Immanuel Kant
User avatar
Pele'sDaughter
 
Posts: 1917
Joined: Thu Sep 13, 2007 11:45 am
Location: Texas
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby NeonLX » Mon Jun 01, 2015 2:46 pm

I'll continue to by used cars that I can both afford and fix until they make THAT illegal too.

At that point, I'll walk, ride my bike or take transit--all 3 of which I normally do anyway.
America is a fucked society because there is no room for essential human dignity. Its all about what you have, not who you are.--Joe Hillshoist
User avatar
NeonLX
 
Posts: 2293
Joined: Sat Aug 11, 2007 9:11 am
Location: Enemy Occupied Territory
Blog: View Blog (1)

Re: Journalist Michael Hastings is dead at 33

Postby Twyla LaSarc » Mon Jun 01, 2015 5:32 pm

I guess that the 91 silverado I currently own is going to be my last car ever, unless I can find another pre-computer automobile.
“The Radium Water Worked Fine until His Jaw Came Off”
User avatar
Twyla LaSarc
 
Posts: 1040
Joined: Mon Jun 07, 2010 2:50 pm
Location: On the 8th hole
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Sounder » Mon Jun 01, 2015 7:12 pm

It's all good, Merica's gonna be pretty much like Cuba in a few years anyway.
All these things will continue as long as coercion remains a central element of our mentality.
Sounder
 
Posts: 4054
Joined: Thu Nov 09, 2006 8:49 am
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby 82_28 » Mon Jun 01, 2015 8:24 pm

Twyla LaSarc » Mon Jun 01, 2015 1:32 pm wrote:I guess that the 91 silverado I currently own is going to be my last car ever, unless I can find another pre-computer automobile.


I don't drive anymore, but that is my rule of thumb anything pre 1980 is the way to go. You and Mr. LaSarc stayed in my VW a few years ago. I would love to give it to you, but I think that I can make several thousand on it and sadly I could actually use several thousand -- people give me random offers to take it off my hands all the time. Not to mention as well that the saying is your knees are "the crumple zone" in a bus. Find a good mid 70s Dodge Van for that matter. You'll always find a Mopar (Dodge) part. But yeah, if it starts, runs and has an 8 track player -- take it!
There is no me. There is no you. There is all. There is no you. There is no me. And that is all. A profound acceptance of an enormous pageantry. A haunting certainty that the unifying principle of this universe is love. -- Propagandhi
User avatar
82_28
 
Posts: 11194
Joined: Fri Nov 30, 2007 4:34 am
Location: North of Queen Anne
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Luther Blissett » Mon Jun 01, 2015 11:28 pm

"Vanning" is coming back in style. Paint a mural on the side of your van depicting a wizard casting a spell on some badass dinosaurs out in the desert.
The Rich and the Corporate remain in their hundred-year fever visions of Bolsheviks taking their stuff - JackRiddler
User avatar
Luther Blissett
 
Posts: 4990
Joined: Fri Jan 02, 2009 1:31 pm
Location: Philadelphia
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby slomo » Tue Jun 02, 2015 12:57 am

2025:
Microsquish wants you to know that the smart home on your lot is "literally not your father's home."

It's all about copyright and software code. The TL;DR version of the argument goes something like this:

* Smart homes work because software tells all the devices how to operate

* The software that tells all the devices to operate is customized code

* That code is subject to copyright

* Microsquish owns the copyright on that code and that software

* A modern home cannot run without that software; it is integral to all systems

* Therefore, the purchase or use of that home is a licensing agreement

* And since it is subject to a licensing agreement, Microsquish is the owner and can allow/disallow certain uses or access.

Microsquish: That Home You Bought? We’re Really The Ones Who Own It.
User avatar
slomo
 
Posts: 1781
Joined: Tue Dec 06, 2005 8:42 pm
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Twyla LaSarc » Tue Jun 02, 2015 2:48 am

82_28 » Mon Jun 01, 2015 5:24 pm wrote:
Twyla LaSarc » Mon Jun 01, 2015 1:32 pm wrote:I guess that the 91 silverado I currently own is going to be my last car ever, unless I can find another pre-computer automobile.


I don't drive anymore, but that is my rule of thumb anything pre 1980 is the way to go. You and Mr. LaSarc stayed in my VW a few years ago. I would love to give it to you, but I think that I can make several thousand on it and sadly I could actually use several thousand -- people give me random offers to take it off my hands all the time. Not to mention as well that the saying is your knees are "the crumple zone" in a bus. Find a good mid 70s Dodge Van for that matter. You'll always find a Mopar (Dodge) part. But yeah, if it starts, runs and has an 8 track player -- take it!


I love your bus. My first car was a 66 VW bus. My dad let me have it because the lights would drain the battery, thus I could not drive it at night. We often had to push it to start it...good times. If I knew more about keeping VW engines running (indeed any engine, for that matter) I would have likely given you an offer too.

However, my fave van of all time was my 1970 Dodge camper van with the slant six between the seats and three on the tree. I cannot imagine how much that might cost me now to replace.

I was just given a schwinn 10 speed tonight. I need to do some work on it but it is going to open my traveling circumferece big time.
“The Radium Water Worked Fine until His Jaw Came Off”
User avatar
Twyla LaSarc
 
Posts: 1040
Joined: Mon Jun 07, 2010 2:50 pm
Location: On the 8th hole
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby 82_28 » Tue Jun 02, 2015 3:49 am

Oh yeah. The drainage of battery in a bus. I couldn't figure that out either. Since there's no "hood to get under" I tried to inspect what the problem was, took a look at the wires and said fuck this shit. Then my favorite VW mechanic joint closed up shop. I would always joke since that DUI I got and having to put that breathalizer whatever it is in your car would be impossible for an old VW because you could start it from the engine itself and hop in. I don't even know how you would even put a breathing mechanism to test for alcohol in a bus to prevent you from starting it. You'd have to rebuild the whole thing. VWs are impervious.
There is no me. There is no you. There is all. There is no you. There is no me. And that is all. A profound acceptance of an enormous pageantry. A haunting certainty that the unifying principle of this universe is love. -- Propagandhi
User avatar
82_28
 
Posts: 11194
Joined: Fri Nov 30, 2007 4:34 am
Location: North of Queen Anne
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Twyla LaSarc » Tue Jun 02, 2015 3:53 pm

And the whole knee crumple zone? Not an issue when/if all the other cars are chugging away at barely 50 MPH or so.

To reusume the thread, even if they could rig an old VW to repond to remote commands, there ain't no way they can make it go fast enough to kill you (although granted, you could be taken out by a heavier, faster vehicle that leaves the scene but that is not vehicle tampering and generally leaves more traces).

On edit, I am pining for my old cars that could only go just so fast. The illusion of performance is a danger. If the car can do over 100 MPH, and you have no practical use for that horsepower, there is now real danger that the horsepower might be used against you.
“The Radium Water Worked Fine until His Jaw Came Off”
User avatar
Twyla LaSarc
 
Posts: 1040
Joined: Mon Jun 07, 2010 2:50 pm
Location: On the 8th hole
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Luther Blissett » Tue Jul 21, 2015 3:33 pm

These smug assholes. Wired, naturally.

Hackers Remotely Kill a Jeep on the Highway—With Me in It

ANDY GREENBERG SECURITY 07.21.15 6:00 AM.

I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”1

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.

Wireless Carjackers
This wasn’t the first time Miller and Valasek had put me behind the wheel of a compromised car. In the summer of 2013, I drove a Ford Escape and a Toyota Prius around a South Bend, Indiana, parking lot while they sat in the backseat with their laptops, cackling as they disabled my brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel. “When you lose faith that a car will do what you tell it to do,” Miller observed at the time, “it really changes your whole view of how the thing works.” Back then, however, their hacks had a comforting limitation: The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems.

A mere two years later, that carjacking has gone wireless. Miller and Valasek plan to publish a portion of their exploit on the Internet, timed to a talk they’re giving at the Black Hat security conference in Las Vegas next month. It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek’s work in 2013.

As an auto-hacking antidote, the bill couldn’t be timelier. The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I-64; After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip’s firmware; hackers following in their footsteps will have to reverse-engineer that element, a process that took Miller and Valasek months. But the code they publish will enable many of the dashboard hijinks they demonstrated on me as well as GPS tracking.

Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”

Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. (Download the update here.) That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.

Chrysler stated in a response to questions from WIRED that it “appreciates” Miller and Valasek’s work. But the company also seemed leery of their decision to publish part of their exploit. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company’s statement reads. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”

The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles’ digital security. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says. “This might be the kind of software bug most likely to kill someone.”

In fact, Miller and Valasek aren’t the first to hack a car over the Internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego showed that they could wirelessly disable the locks and brakes on a sedan. But those academics took a more discreet approach, keeping the identity of the hacked car secret and sharing the details of the exploit only with carmakers.

Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. Earlier this month, in fact, Range Rover issued a recall to fix a software security flaw that could be used to unlock vehicles’ doors. “Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California,” Savage says.

For the auto industry and its watchdogs, in other words, Miller and Valasek’s release may be the last warning before they see a full-blown zero-day attack. “The regulators and the industry can no longer count on the idea that exploit code won’t be in the wild,” Savage says. “They’ve been thinking it wasn’t an imminent danger you needed to deal with. That implicit assumption is now dead.”

471,000 Hackable Automobiles
Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.

When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect’s cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn’t the limit. “When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek says. “I was frightened. It was like, holy fuck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”

That moment was the culmination of almost three years of work. In the fall of 2012, Miller, a security researcher for Twitter and a former NSA hacker, and Valasek, the director of vehicle security research at the consultancy IOActive, were inspired by the UCSD and University of Washington study to apply for a car-hacking research grant from Darpa. With the resulting $80,000, they bought a Toyota Prius and a Ford Escape. They spent the next year tearing the vehicles apart digitally and physically, mapping out their electronic control units, or ECUs—the computers that run practically every component of a modern car—and learning to speak the CAN network protocol that controls them.

When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks. “We didn’t have the impact with the manufacturers that we wanted,” Miller says. To get their attention, they’d need to find a way to hack a vehicle remotely.

So the next year, they signed up for mechanic’s accounts on the websites of every major automaker and downloaded dozens of vehicles’ technical manuals and wiring diagrams. Using those specs, they rated 24 cars, SUVs, and trucks on three factors they thought might determine their vulnerability to hackers: How many and what types of radios connected the vehicle’s systems to the Internet; whether the Internet-connected computers were properly isolated from critical driving systems, and whether those critical systems had “cyberphysical” components—whether digital commands could trigger physical actions like turning the wheel or activating brakes.

Based on that study, they rated Jeep Cherokee the most hackable model. Cadillac’s Escalade and Infiniti’s Q50 didn’t fare much better; Miller and Valasek ranked them second- and third-most vulnerable. When WIRED told Infiniti that at least one of Miller and Valasek’s warnings had been borne out, the company responded in a statement that its engineers “look forward to the findings of this [new] study” and will “continue to integrate security features into our vehicles to protect against cyberattacks.” Cadillac emphasized in a written statement that the company has released a new Escalade since Miller and Valasek’s last study, but that cybersecurity is “an emerging area in which we are devoting more resources and tools,” including the recent hire of a chief product cybersecurity officer.

After Miller and Valasek decided to focus on the Jeep Cherokee in 2014, it took them another year of hunting for hackable bugs and reverse-engineering to prove their educated guess. It wasn’t until June that Valasek issued a command from his laptop in Pittsburgh and turned on the windshield wipers of the Jeep in Miller’s St. Louis driveway.

Since then, Miller has scanned Sprint’s network multiple times for vulnerable vehicles and recorded their vehicle identification numbers. Plugging that data into an algorithm sometimes used for tagging and tracking wild animals to estimate their population size, he estimated that there are as many as 471,000 vehicles with vulnerable Uconnect systems on the road.

Pinpointing a vehicle belonging to a specific person isn’t easy. Miller and Valasek’s scans reveal random VINs, IP addresses, and GPS coordinates. Finding a particular victim’s vehicle out of thousands is unlikely through the slow and random probing of one Sprint-enabled phone. But enough phones scanning together, Miller says, could allow an individual to be found and targeted. Worse, he suggests, a skilled hacker could take over a group of Uconnect head units and use them to perform more scans—as with any collection of hijacked computers—worming from one dashboard to the next over Sprint’s network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

“For all the critics in 2013 who said our work didn’t count because we were plugged into the dashboard,” Valasek says, “well, now what?”

Congress Takes on Car Hacking
Now the auto industry needs to do the unglamorous, ongoing work of actually protecting cars from hackers. And Washington may be about to force the issue.

Later today, senators Markey and Blumenthal intend to reveal new legislation designed to tighten cars’ protections against hackers. The bill (which a Markey spokesperson insists wasn’t timed to this story) will call on the National Highway Traffic Safety Administration and the Federal Trade Commission to set new security standards and create a privacy and security rating system for consumers. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car,” Markey wrote in a statement to WIRED. “Drivers shouldn’t have to choose between being connected and being protected…We need clear rules of the road that protect cars from hackers and American families from data trackers.”

Markey has keenly followed Miller and Valasek’s research for years. Citing their 2013 Darpa-funded research and hacking demo, he sent a letter to 20 automakers, asking them to answer a series of questions about their security practices. The answers, released in February, show what Markey describes as “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle.” Of the 16 automakers who responded, all confirmed that virtually every vehicle they sell has some sort of wireless connection, including Bluetooth, Wi-Fi, cellular service, and radios. (Markey didn’t reveal the automakers’ individual responses.) Only seven of the companies said they hired independent security firms to test their vehicles’ digital security. Only two said their vehicles had monitoring systems that checked their CAN networks for malicious digital commands.

UCSD’s Savage says the lesson of Miller and Valasek’s research isn’t that Jeeps or any other vehicle are particularly vulnerable, but that practically any modern vehicle could be vulnerable. “I don’t think there are qualitative differences in security between vehicles today,” he says. “The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone’s still getting their hands around.”

Aside from wireless hacks used by thieves to open car doors, only one malicious car-hacking attack has been documented: In 2010 a disgruntled employee in Austin, Texas, used a remote shutdown system meant for enforcing timely car payments to brick more than 100 vehicles. But the opportunities for real-world car hacking have only grown, as automakers add wireless connections to vehicles’ internal networks. Uconnect is just one of a dozen telematics systems, including GM Onstar, Lexus Enform, Toyota Safety Connect, Hyundai Bluelink, and Infiniti Connection.

In fact, automakers are thinking about their digital security more than ever before, says Josh Corman, the cofounder of I Am the Cavalry, a security industry organization devoted to protecting future Internet-of-things targets like automobiles and medical devices. Thanks to Markey’s letter, and another set of questions sent to automakers by the House Energy and Commerce Committee in May, Corman says, Detroit has known for months that car security regulations are coming.

But Corman cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.) The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better,” he says. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”

Corman’s group has been visiting auto industry events to push five recommendations: safer design to reduce attack points, third-party testing, internal monitoring systems, segmented architecture to limit the damage from any successful penetration, and the same Internet-enabled security software updates that PCs now receive. The last of those in particular is already catching on; Ford announced a switch to over-the-air updates in March, and BMW used wireless updates to patch a hackable security flaw in door locks in January.

Corman says carmakers need to befriend hackers who expose flaws, rather than fear or antagonize them—just as companies like Microsoft have evolved from threatening hackers with lawsuits to inviting them to security conferences and paying them “bug bounties” for disclosing security vulnerabilities. For tech companies, Corman says, “that enlightenment took 15 to 20 years.” The auto industry can’t afford to take that long. “Given that my car can hurt me and my family,” he says, “I want to see that enlightenment happen in three to five years, especially since the consequences for failure are flesh and blood.”

As I drove the Jeep back toward Miller’s house from downtown St. Louis, however, the notion of car hacking hardly seemed like a threat that will wait three to five years to emerge. In fact, it seemed more like a matter of seconds; I felt the vehicle’s vulnerability, the nagging possibility that Miller and Valasek could cut the puppet’s strings again at any time.

The hackers holding the scissors agree. “We shut down your engine—a big rig was honking up on you because of something we did on our couch,” Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

1Correction 10:45 7/21/2015: An earlier version of the story stated that the hacking demonstration took place on Interstate 40, when in fact it was Route 40, which coincides in St. Louis with Interstate 64.
The Rich and the Corporate remain in their hundred-year fever visions of Bolsheviks taking their stuff - JackRiddler
User avatar
Luther Blissett
 
Posts: 4990
Joined: Fri Jan 02, 2009 1:31 pm
Location: Philadelphia
Blog: View Blog (0)

Re: Journalist Michael Hastings is dead at 33

Postby Nordic » Tue Jul 21, 2015 4:05 pm

Thanks. Just came here to post the same thing.

Would be NICE if the fine folks at, say, WIRED, would point out that this is precisely how Hastings was assassinated.
"He who wounds the ecosphere literally wounds God" -- Philip K. Dick
Nordic
 
Posts: 14230
Joined: Fri Nov 10, 2006 3:36 am
Location: California USA
Blog: View Blog (6)

Re: Journalist Michael Hastings is dead at 33

Postby Nordic » Tue Jul 21, 2015 4:08 pm

Commenter on Reddit:

"I wonder if it will ever be possible for criminals to disable police cars during pursuits. Would make a neat movie anyway."

Criminals? How about as a method of self defense?
"He who wounds the ecosphere literally wounds God" -- Philip K. Dick
Nordic
 
Posts: 14230
Joined: Fri Nov 10, 2006 3:36 am
Location: California USA
Blog: View Blog (6)

PreviousNext

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 41 guests