Steal a car by breaking a headlight

[mdolan92869]

Just found and read this article. I wish companies adding software to their products (cars in this case) would hire some security professionals to point out all the flaws in their designs and don’t let hackers point them out in shipping products.

https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/

Sponsored

 

[Hammered]

Just found and read this article. I wish companies adding software to their products (cars in this case) would hire some security professionals to point out all the flaws in their designs and don’t let hackers point them out in shipping products.

https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/

There are no free lunches. They could spend 10s if not hundreds of millions only to see another attack vector used while passing the expenses on to the customer.

There's always going to be an ebb and flow between the latest technology and those looking to exploit it.

 

[mdolan92869]

There are no free lunches. They could spend 10s if not hundreds of millions only to see another attack vector used while passing the expenses on to the customer.

There's always going to be an ebb and flow between the latest technology and those looking to exploit it.

I agree, but doing nothing surely isn’t the answer. There’s got to be some thought given to the systems and how they trust, or don’t trust, messages sent to them. Then build on that as technology moves forward.

 

[SpaceEVDriver]

You could do all sorts of things, but it'll never be enough to stop vehicle thefts.

My father used to say that no lock or seal or safe will ever stop a skilled thief, those are there to stop honest people from becoming thieves. In the end one could just hook up a tow truck to steal the vehicle.

He'd leave keys in the car, engine running, door open (not just unlocked, wide open) while he went shopping. In his 65+ years of driving, he had one vehicle stolen.
For a day.
It was returned when the thief realized whose vehicle they'd stolen. And no, the rumors that he was a mob boss were not accurate.

 

[Mach1E]

I wish “the news” would stop giving criminals ideas on the latest way to steal our stuff!

I remember post 9/11 all the news outlets that did stories basically telling terrorists the best way to attack us. ?‍

 

[MBCook]

The problem isn’t spending $50 million. It’s spending $0.

Every time security researchers play with cars or get to see the source code in them it’s a disaster. Very simple, cheap, basic stuff like input validation or source validation is missing.

Stuff that would be an absolute no-no in standard practices for any website, let alone an e-commerce site that has to do with PCI.

They should have to comply with basic software industry best practices if they want to use software.

No different from all the other electronic appliances and gadgets and IoT garbage that’s trivial to exploit.

 

[SpaceEVDriver]

The problem isn’t spending $50 million. It’s spending $0.

Every time security researchers play with cars or get to see the source code in them it’s a disaster. Very simple, cheap, basic stuff like input validation or source validation is missing.

Stuff that would be an absolute no-no in standard practices for any website, let alone an e-commerce site that has to do with PCI.

They should have to comply with basic software industry best practices if they want to use software.

No different from all the other electronic appliances and gadgets and IoT garbage that’s trivial to exploit.

All of this, not just for car security, but for safety and reliability as well.

 

[tannerk89]

Yeah nothing is easier or less risky to steal than breaking a headlight out in the open and connecting a Bluetooth speaker to it. They did a really bad job on the security… just kidding.. that’s some extraordinary effort to steal a Rav4. Seriously though, that’s not poor security it’s someone doing something extremely risky and difficult in order to steal it. Cars used to be able to be hot wired by connecting 2 wires in the steering column, this is significantly more difficult. And hacking a can-bus network is not a skill typical people have.

 

[HGxxx]

I am just thinking, that's why I pay insurance every month.

 

[azerik]

I'll see if I can get ChatGPT to write an attack to open the Job1's frunks from an iPhone.
It'll probably work.

 

[Hammered]

You could do all sorts of things, but it'll never be enough to stop vehicle thefts.

My father used to say that no lock or seal or safe will ever stop a skilled thief, those are there to stop honest people from becoming thieves. In the end one could just hook up a tow truck to steal the vehicle.

He'd leave keys in the car, engine running, door open (not just unlocked, wide open) while he went shopping. In his 65+ years of driving, he had one vehicle stolen.
For a day.
It was returned when the thief realized whose vehicle they'd stolen. And no, the rumors that he was a mob boss were not accurate.

Locks and their keys are often rated in minutes due to the time it takes 'security' to respond, thus expecting such an item to be watched. A vehicle on the other hand can easily be picked up and taken away in as little as 15 seconds.

Thieves and security measures are a tail as old as time. Some argue that women hold the record for the oldest profession -- that title on the other hand belongs to thieves in general. It even transcends species.

 

[Fremont Kid]

The problem isn’t spending $50 million. It’s spending $0.

Every time security researchers play with cars or get to see the source code in them it’s a disaster. Very simple, cheap, basic stuff like input validation or source validation is missing.

Stuff that would be an absolute no-no in standard practices for any website, let alone an e-commerce site that has to do with PCI.

They should have to comply with basic software industry best practices if they want to use software.

No different from all the other electronic appliances and gadgets and IoT garbage that’s trivial to exploit.

I agree absolutely. During my computer science/IT career most problems were caused by not following industry best practices and/or company architecture and development standards. These types of problems with vehicles can compromise safety and contribute to increased insurance costs. I am in favor of regulations that mandate disclosing vehicle software architecture with independent 3rd parties who validate compliance. Tires are rated for different vehicles to ensure safety such as load limits and speeds - we should do at least as much for vehicle software.

Yes, this may be 'big government' to some but this topic was generated by the failure of private companies, i.e. the auto manufacturers, to prevent these type of problems. Regulation can promote private sector solutions.

 

[Mach-Lee]

Interesting. The Mach-E uses a private CAN to the headlights, so the rest of the network wouldn’t be accessible from that point. They would have to get the hood open and access the PCM directly.

 

[SpaceEVDriver]

Locks and their keys are often rated in minutes due to the time it takes 'security' to respond, thus expecting such an item to be watched. A vehicle on the other hand can easily be picked up and taken away in as little as 15 seconds.

This one took less than a minute...because the driver cared about not completely destroying the vehicle's drivetrain.

 

[smoke20]

That was almost exactly Gone In 60 Seconds.

Sponsored