GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown
from the I'm-sorry-I-can't-do-that,-Dave dept
We've highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space are opening the door to all kinds of problems, from historically-massive DDoS attacks to your refrigerator leaking your Gmail login data. And while your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the "smart" automobile space, where a compromised system could prove decidedly more, oh, fatal.
Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They've similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive--if they arrive at all.
Granted, it's not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:
"The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines."
The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of..."123456." Worse perhaps, because these systems are so closely tied to a vehicle's network and computers, the hacker found he could actually disable some vehicle systems (since that's a function already embedded in these services' app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.
The researcher who discovered the problem noted it wouldn't be hard to use such vulnerabilities to create some notable urban headaches:
"On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices...“My target was the company, not the customers. Customers are at risk because of the company,” L&M told Motherboard in an online chat. “They need to make money, and don't want to secure their customers."
Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports has indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale -- something security experts like Bruce Schneier have been warning about for some time.
Filed Under: cars, gps, remote vehicle shutdown, security, vulnerability
Reader Comments
Note what is being discussed here is cars a product that existed for a hundred years without digital computer control.
Also note that a web interconnected computer is not required for any environmental reason.
That being is the only reason for computer control a lock in of the repair service as per John Deere?
[ link to this | view in chronology ]
Re:
"Note what is being discussed here is cars a product that existed for a hundred years without digital computer control."
So has the printing press, that doesn't mean it's better for everybody to typeset by hand.
"That being is the only reason for computer control a lock in of the repair service as per John Deere?"
If you ignore all the stuff it actually does, sure.
[ link to this | view in chronology ]
Re: Re:
Today, my computer-controlled car will shut the engine off at stoplights. Seamlessly.
My old non-computer car with a carburetor would rarely start on the first try. And sometimes not on the second either.
And yes, I much prefer this keyboard to Guttenberg press.
[ link to this | view in chronology ]
Re: Re: Re:
It's a petty little peeve - but there's only one t in that Gutenberg's name. The guy with 2 t's was in the Police Academy movies.
[ link to this | view in chronology ]
Re: Re: Re:
Cool - but why do I need random people on the internet to have the capability to shut down my vehicle while it is at highway speeds?
Is there an option on new vehicles to not have these things installed?
Is it illegal to disconnect them?
[ link to this | view in chronology ]
That's amazing! I've got the same combination on my luggage!
[ link to this | view in chronology ]
This was the 1983 prototype for this type of system in a car:
https://www.youtube.com/watch?v=zNSDAaeIh7U
[ link to this | view in chronology ]
I can imagine armored truck companies scrambling to disable the GPS systems on their vehicles.
[ link to this | view in chronology ]
Well, it could be worse. The vehicle could be vulnerable to remote detonation if it goes slower than 50 miles per hour.
[ link to this | view in chronology ]
Re:
But if that happens you can call the cops who didn't figure out that they could have stopped the speeding subway at the end of the film simply by cutting power to the third rail.
[ link to this | view in chronology ]
Re: Re:
...and rob people of the chance to see Dennis Hopper hilariously decapitated? I'd rather they stay incompetent.
[ link to this | view in chronology ]
Re: Re: Re:
The NSA was even more incompetent in Under Siege 2 since it was noted that Grazer One could only be hacked by a moving computer station (hence the need for a train). So instead of Steven Seagal needing to run through a burning, collapsing train to take a flying leap onto a waiting ladder strung from a helicopter, they could have just cut power to the third rail and disabled the satellite.
[ link to this | view in chronology ]
Re: Re:
Come to think of it, this also ruins Money Train and probably every other "Die Hard on a Train" film.
[ link to this | view in chronology ]
Re: Re: Re:
Logic often ruins action movies if you keep your brain turned on :(
That’s one reason why Die Hard is so great - Gruber was counting on the cops actually being competent and following procedure, not winging it in the hope they’d miss something obvious.
[ link to this | view in chronology ]
Re: Re: Re: Re:
People get mad at you for laughing at the stupid hollywood physics.
[ link to this | view in chronology ]
And this is why I have a dim view of the future of the self-driving car. It's not pessimism regarding the ability of the car to drive - it's pessimism regarding the security that will be put into any such system, to prevent outside interference by any source.
[ link to this | view in chronology ]
Re:
My view is that there's a non-zero danger with those kinds of cars and there will certainly be some major problems caused. But, the overall realistic amount of damage will still be lower than with the current number of drunk/distracted/outright bad drivers on the roads that self-driving cars will remove from the roads.
Plus, the major problem here is that ease of use, extra features and the like take priority over security with this tech. As soon as it becomes a marketable or even legally actionable problem, this stuff will start getting a lot better. The current car manufacturers just don't care because their market doesn't care. They'll change their tune as soon as that changes.
[ link to this | view in chronology ]
Re: Re:
But the insurance companies will, and they's got them some influence.
[ link to this | view in chronology ]
Re: Re: Re:
Yes, but the claims have to come in first and then they will need to be ones that the insurance finds it difficult to avoid paying out. That will take a while.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Ah, you're thinking about the end user's insurance, and that might be part of the process. I was thinking about those that insure the manufacturers. They are going to do everything they can to mitigate the manufacturers' liability.
I am surprised they haven't taken action with regard to the security of the software mounted in their products, as it will only take a couple of successful cases where that insecurity will cause them major liability, possibly for negligence. Those insecurities, and the potential problems, are becoming more and more apparent. It is only a matter of time, or a few cases, before those that insure the manufacturers bring the hammer down, fix it or lose your insurance.
It is too bad that those few cases might catastrophic for those end users, but sometimes it takes a good smack to wake someone up, especially when they are blinded by profit.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"I am surprised they haven't taken action with regard to the security of the software mounted in their products"
I'm not. Again - nobody seems to give a crap until something happens. It's only where liability becomes obvious that action will be taken. Until then, there are a thousand other factors that insurance companies will take notice of, as until then it doesn't open up new liability that's recognised.
"It is too bad that those few cases might catastrophic for those end users"
But, this is the way of things. Car manufacturers are literally known to hold off vehicle recalls if they calculate that the cost of recall would be more than the financial costs of paying off accident victims. I don't know why you'd be surprised that they haven't taken action on an issue that, to the best of our knowledge, has not been exploited to actually cause any serious accidents yet.
[ link to this | view in chronology ]
Re: Re:
The death count by vehicles will definitely go down, but it will now be selected (controlled) vehicle deaths...
I guess that's better if you're the one in control (the 1%)
[ link to this | view in chronology ]
I doubt it will take very long for this feature to be abused.
[ link to this | view in chronology ]
Re:
“Playing watchdogs”
Yep
[ link to this | view in chronology ]
Now more than ever I really really don't want to ever buy a new car, esp. not one with any "smart" features.
[ link to this | view in chronology ]
Tracker service in Bangladesh is being famous among general people and this is the best tracker service in Bangladesh (https://nits.com.bd/). You will get a lots of good products with different packages in cheap price here. I recommend them highly.
[ link to this | view in chronology ]
INJECTION PUMP
In fact, many people have difficulties now even to understand how the engine works in cars, where there are already more complex matter. That is why I will say from myself that it is necessary to think and look for mechanisms several times concerning the study of at least the basics, then it will be easier to know the rest of the car in a meaningful way. It is also good that I was once helped by an avid motorist I know and shared an article about the INJECTION PUMP https://avtotachki.com/en/chto-takoe-toplivnyj-nasos-vysokogo-davleniya/ and what it is for, in fact, this pump for the engine. This is not enough where else you can read, so be sure to everyone to start at least with this and continue to read, to study what you need, then there will be no problems. I hope that it will be really useful and I can somehow help with it. In addition, such a fuel pump is exactly what really helps the engine to move forward, which must be understood by everyone, because it is important in reality.
[ link to this | view in chronology ]