Police Slowly Waking Up To Fact That Vehicle Network Security Is A Joke To Hackers, Thieves

from the internet-of-not-so-smart-things dept

We've been talking for several years now about how modern "smart cars" don't adhere to particularly smart security practices. Nissan recently opened Leaf owners to remote attack via a nasty vulnerability in the car's app. The Mitsubishi Outlander was similarly revealed to be relatively trivial to hack. And last year, hackers showed just how easy it was to manipulate and disable a new Jeep Cherokee running Fiat Chrysler's UConnect platform.

Most of these attacks involve the intruder worming so deeply into a vehicle's systems that they're in some cases able to actually control most if not all of the car systems from anywhere on the planet. So as you might imagine, simply unlocking the doors and starting the engine while in or near the car isn't proving too difficult for many hackers.

The Wall Street Journal notes how police and insurance companies are only just now waking up to the problem this creates for owners, one of whom last month posted this video of a thief using a laptop to hack into and steal a 2010 Jeep:

Houston police don't seem all that sure, but they have a sneakin' suspicion that somethin' ain't right here:

“If you are going to hot-wire a car, you don’t bring along a laptop,” said Senior Officer James Woods, who has spent 23 years in the Houston Police Department’s auto antitheft unit. “We don’t know what he is exactly doing with the laptop, but my guess is he is tapping into the car’s computer and marrying it with a key he may already have with him so he can start the car.”

Gosh, good guess (though many of these hacks don't require a key at all). The story continues along in this vein, with a rep for the insurance industry also kind of dumbly stating the sector "thinks" that hackers might be exploiting awful car security:

"The National Insurance Crime Bureau, an insurance-industry group that tracks car thefts across the U.S., said it recently has begun to see police reports that tie thefts of newer-model cars to what it calls “mystery” electronic devices. “We think it is becoming the new way of stealing cars,” said NICB Vice President Roger Morris. “The public, law enforcement and the manufacturers need to be aware.”"

That police "don't know" what hackers are doing and insurance companies "think" something's going on should clue you in to the fact that car hackers and thieves haven't faced much resistance for several years now. As one security analyst in the piece notes, it's going to take significantly more than the current paper-mache grade security most automakers are employing to protect vehicle owners from theft (or worse). Vehicle manufacturers are also going to have to do better than the often multi-year process it takes to issue patches once security vulnerabilities are exposed.
Filed Under: car thieves, cars, connected cars, security, vehicle security


Reader Comments


  1.
    Anonymous Coward, 7 Jul 2016 @ 2:48pm

    Houston...

    we have a problem.

  2.
    That Anonymous Coward (profile), 7 Jul 2016 @ 2:49pm

    Instead they'd like to expand laws to punish people who might look for flaws.

  3.
    Rapnel (profile), 7 Jul 2016 @ 2:49pm

    The police waking up slowly is not really the problem. It's the self-induced coma the manufacturers are in that requires rapid response.

    Not for nothing but this is partly why I believe we should all own our shit, bolt to bit, and not this faux-ownership privilege based nonsense. Root the planet.

  4.
    Anonymous Coward, 7 Jul 2016 @ 2:52pm

    Re:

    Just make it illegal to go near a car with a laptop - done!

  5.
    Anonymous Coward, 7 Jul 2016 @ 3:09pm

    what does a laptop need? fingers.

    i say anybody with fingers is up to no good.

  6.
    Ed, 7 Jul 2016 @ 3:42pm

    Solution

  7.
    Anonymous Coward, 7 Jul 2016 @ 3:43pm

    But their solution to "fix" this weak security problem isn't to require real security but will be to just make it illegal to tinker with the computers in your car.

    That'll fix everything right cause no one is gonna try and hack into a car if there are laws saying it's illegal to do so will they? SMH

  8.
    Anonymous Coward, 7 Jul 2016 @ 4:34pm

    finally someone slower than the speed of government.

    The car manufacturers have had many years to fix the security hole they created in the modern car. At this point it is looking more like a many-decade timeline to issue patches.

  9.
    Anonymous Coward, 7 Jul 2016 @ 5:06pm

    Re: finally someone slower than the speed of government.

    At this point it is looking like it is intentional, they will ask their congress critters to pass laws making vehicle maintenance a dealer only function. They have had this wet dream for some time now, hope they have a towel ready to clean up their mess.

  10.
    Anonymous Coward, 7 Jul 2016 @ 5:56pm

    Re: Re:

    There goes the cops' favorite computing-while-driving pastime.

  11.
    Anonymous Coward, 8 Jul 2016 @ 4:40am

    Car manufacturers are just following Redmond's lead.

    My guess is they will be releasing an "anti computer theft package", "value added" service for an additional annual subscription fee.

  12.
    Anonymous Coward, 8 Jul 2016 @ 4:52am

    "Police Slowly Waking Up To Fact That Vehicle Network Security Is A Joke To Hackers, Thieves"

    And what do they think they can do about it? They barely knew it was a problem, certainly they know very little detail and would not understand even if it were explained like they were five.

    Possibly, the answer is for vehicle manufacturers to stop incorporating this connect everything bullshit. I do not need my vehicle connected to anything, nor my fridge, toaster, thermostat ... Products looking for a market, forced upon an unsuspecting public, abused by nefarious cretins while the owner is accused of the repercussions. This is a train wreck in slow motion.

  13.
    Anonymous Coward, 8 Jul 2016 @ 5:23am

    The solution is clear. We need Norton or McAfee running in our cars.

  14.
    Anonymous Coward, 8 Jul 2016 @ 5:25am

    There's already too much in my car

    Manufacturers have been competing with each other to offer the most tech in their cars for years now. And what's worse, they suck at it. I read an article, can't remember where, that stated a majority of drivers are never informed about the entire electronics capabilities of their vehicles, and the few that are, rarely if ever use most of them.

    In short, the vehicles are being piled up with every bell and whistle the manufacturers can dream up, and car owners are getting saddled with the bill, the reliability headaches, and now easy theft.

    You could take EVERY piece of whiz-bang electro-stupidity out of every car this side of German luxury, and no one would notice, except the thieves whose job would suddenly get harder.

  15.
    John Fenderson (profile), 8 Jul 2016 @ 6:42am

    Re:

    The solution is clear. Disconnect the antenna that your car is using to talk over the cell network. There are readily available instructions for all sorts of car models on the internet.

  16.
    Anonymous Coward, 8 Jul 2016 @ 7:40am

    question for the techies.

    Disconnect the antenna that your car is using to talk over the cell network.

    can that be done to a computer so that only direct wire would connect it with the 'net?

  17.
    Anonymous Coward, 8 Jul 2016 @ 7:48am

    regarding the above question, i'm not interested in software solutions. i want a physical disconnect that can't be overridden.

  18.
    Anonymous Coward, 8 Jul 2016 @ 7:51am

    Re:

    Guess I should have put a /s at the end of that. I won't buy a car that can be hacked or need to be disconnected in that way.

  19.
    John Fenderson (profile), 8 Jul 2016 @ 7:56am

    Re:

    Are you asking about a normal computer rather than one embedded in your car? Then yes. The easiest way is to disable the hardware in the BIOS (which is pretty much as good as physical disconnection), but if you want to physically disconnect it, that is also possible.

    The exact thing to do depends on your computer. Laptops are usually easiest. On my laptop, for instance, there's an access panel that reveals the antenna connection (usually two snap connectors) for the wifi. It can easily be unplugged and reconnected later if you wish. I've had laptops that didn't have such easy access, but opening the case completely reveals the connection.

  20.
    Anonymous Coward, 8 Jul 2016 @ 7:57am

    Re: Re:

    Most people do not like paying for something they have no intention of using.

  21.
    John Fenderson (profile), 8 Jul 2016 @ 8:08am

    Re: Re: Re:

    The problem is that this stuff is increasingly becoming part of the standard package and you can't choose not to have it.

  22.
    Anonymous Coward, 8 Jul 2016 @ 9:05am

    thank you, john. yes, i'm talking about a regular computer.

    nothing nefarious, just an old computer with an old operating system and some old software that i like and know how to use for occasional special projects.

    i have zero trust in the maker of the operating system to not force an update that would surely make my software not usable and we all know there are backdoors and route-arounds in every electronic device that aren't common knowledge.

    hey, where'd my tin hat go?

  23.
    John Fenderson (profile), 8 Jul 2016 @ 10:02am

    Re:

    If your computer is old enough, it's possible that your wifi hardware is on an expansion card and you could just remove the card. That would be the easiest thing to do.

    If not, then my advice (as a fellow paranoid who does security-related development work) is just to disable it in the BIOS if possible.

    While it is true that there exist exploits that can alter your BIOS settings, they're very rare -- and ordinary software has no chance of being able to change that setting. That stuff all happens at a level below the operating system itself, and is largely insulated from it.

    In the end, though, this is a question of how secure you feel comfortable with. There is no such thing as perfect security no matter what, and the greater the level of security, the greater the inconvenience of it. Ultimately we all have to determine what level of security fits our individual situations.

  24.
    Anonymous Coward, 8 Jul 2016 @ 12:06pm

    thank you again, john. yes, this computer is ancient. a .91 cubit model, which was a rarity even in its day, what with the two-way scroll feature and built-in ice compartment. connecting with the 'net would be very bad, so i want to ensure that doesn't happen.

    i'll check out the cards. thanks much.

  25.
    Manok, 8 Jul 2016 @ 12:54pm

    People just get lazy. Guys, they're still selling things like:
    https://www.amazon.com/Club-CL303-Pedal-Steering-Wheel/dp/B000JIND4S/ref=pd_sim_263_2?ie=UTF8&dpID=31QkpgngiwL&dpSrc=sims&preST=_AC_UL160_SR160%2C160_&psc=1&refRID=P0797EZ8H6SYZ2BDN9KV
    Those worked in the past against proper tools... they work even better against laptops.

  26.
    John Fenderson (profile), 8 Jul 2016 @ 2:10pm

    Re:

    Ummm... those are only effective against amateur thieves. The ones who do it for a living can bypass them in under 30 seconds.

  27.
    Anonymous Coward, 8 Jul 2016 @ 6:32pm

    Re:

    You have fingers?! You must be an errorist.

  28.
    Anonymous Coward, 8 Jul 2016 @ 6:35pm

    This car theft was only possible due to that large wireless antenna.

    Please, ban Wi-Fi.
