GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown

from the I'm-sorry-I-can't-do-that,-Dave dept

We've highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space are opening the door to all kinds of problems, from historically massive DDoS attacks to your refrigerator leaking your Gmail login data. And while your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the "smart" automobile space, where a compromised system could prove decidedly more, oh, fatal.

Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They've similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive--if they arrive at all.

Granted, it's not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:

"The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines."

The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of..."123456." Worse perhaps, because these systems are so closely tied to a vehicle's network and computers, the hacker found he could actually disable some vehicle systems (since that's a function already embedded in these services' app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.

The researcher who discovered the problem noted it wouldn't be hard to use such vulnerabilities to create some notable urban headaches:

"On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices... “My target was the company, not the customers. Customers are at risk because of the company,” L&M told Motherboard in an online chat. “They need to make money, and don't want to secure their customers.”"

Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports has indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale -- something security experts like Bruce Schneier have been warning about for some time.


Filed Under: cars, gps, remote vehicle shutdown, security, vulnerability


Reader Comments



  1.
    Anonymous Coward, 1 May 2019 @ 6:38am

    Note what is being discussed here is cars a product that existed for a hundred years without digital computer control.

    Also note that a web interconnected computer is not required for any environmental reason.

    That being is the only reason for computer control a lock in of the repair service as per John Deere?

  2.
    Matthew Cline (profile), 1 May 2019 @ 6:41am

    The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of..."123456."

    That's amazing! I've got the same combination on my luggage!

  3.
    PaulT (profile), 1 May 2019 @ 6:52am

    Re:

    "Note what is being discussed here is cars a product that existed for a hundred years without digital computer control."

    So has the printing press, that doesn't mean it's better for everybody to typeset by hand.

    "That being is the only reason for computer control a lock in of the repair service as per John Deere?"

    If you ignore all the stuff it actually does, sure.

  4.
    Anonymous Coward, 1 May 2019 @ 7:00am

    This was the 1983 prototype for this type of system in a car:

    https://www.youtube.com/watch?v=zNSDAaeIh7U

  5.
    Gary (profile), 1 May 2019 @ 7:09am

    Re: Re:

    Today, my computer-controlled car will shut the engine off at stoplights. Seamlessly.

    My old non-computer car with a carburetor would rarely start on the first try. And sometimes not on the second either.

    And yes, I much prefer this keyboard to Guttenberg press.

  6.
    Anonymous Coward, 1 May 2019 @ 7:18am

    I can imagine armored truck companies scrambling to disable the GPS systems on their vehicles.

  7.
    PaulT (profile), 1 May 2019 @ 7:44am

    Re: Re: Re:

    It's a petty little peeve - but there's only one t in that Gutenberg's name. The guy with 2 t's was in the Police Academy movies.

  8.
    Anonymous Coward, 1 May 2019 @ 8:34am

    only if the vehicles are traveling at speeds slower than 12 miles per hour.

    Well, it could be worse. The vehicle could be vulnerable to remote detonation if it goes slower than 50 miles per hour.

  9.
    TFG, 1 May 2019 @ 8:43am

    And this is why I have a dim view of the future of the self-driving car. It's not pessimism regarding the ability of the car to drive - it's pessimism regarding the security that will be put into any such system, to prevent outside interference by any source.

  10.
    Anonymous Coward, 1 May 2019 @ 8:54am

    Re:

    But if that happens you can call the cops who didn't figure out that they could have stopped the speeding subway at the end of the film simply by cutting power to the third rail.

  11.
    PaulT (profile), 1 May 2019 @ 9:04am

    Re: Re:

    ...and rob people of the chance to see Dennis Hopper hilariously decapitated? I'd rather they stay incompetent.

  12.
    PaulT (profile), 1 May 2019 @ 9:07am

    Re:

    My view is that there's a non-zero danger with those kinds of cars and there will certainly be some major problems caused. But, the overall realistic amount of damage will still be lower than with the current number of drunk/distracted/outright bad drivers on the roads that self-driving cars will remove from the roads.

    Plus, the major problem here is that ease of use, extra features and the like take priority over security with this tech. As soon as it becomes a marketable or even legally actionable problem, this stuff will start getting a lot better. The current car manufacturers just don't care because their market doesn't care. They'll change their tune as soon as that changes.

  13.
    Anonymous Anonymous Coward (profile), 1 May 2019 @ 9:47am

    Re: Re:

    "The current car manufacturers just don't care because their market doesn't care. "

    But the insurance companies will, and they's got them some influence.

  14.
    Anonymous Coward, 1 May 2019 @ 9:51am

    Re: Re: Re:

    The NSA was even more incompetent in Under Siege 2 since it was noted that Grazer One could only be hacked by a moving computer station (hence the need for a train). So instead of Steven Seagal needing to run through a burning, collapsing train to take a flying leap onto a waiting ladder strung from a helicopter, they could have just cut power to the third rail and disabled the satellite.

  15.
    Anonymous Coward, 1 May 2019 @ 9:53am

    Re: Re:

    Come to think of it, this also ruins Money Train and probably every other "Die Hard on a Train" film.

  16.
    Anonymous Coward, 1 May 2019 @ 10:02am

    I doubt it will take very long for this feature to be abused.

  17.
    PaulT (profile), 1 May 2019 @ 10:46am

    Re: Re: Re:

    Yes, but the claims have to come in first and then they will need to be ones that the insurance finds it difficult to avoid paying out. That will take a while.

  18.
    PaulT (profile), 1 May 2019 @ 10:49am

    Re: Re: Re:

    Logic often ruins action movies if you keep your brain turned on :(

    That’s one reason why Die Hard is so great - Gruber was counting on the cops actually being competent and following procedure, not winging it in the hope they’d miss something obvious.

  19.
    Anonymous Anonymous Coward (profile), 1 May 2019 @ 11:26am

    Re: Re: Re: Re:

    Ah, you're thinking about the end user's insurance, and that might be part of the process. I was thinking about those that insure the manufacturers. They are going to do everything they can to mitigate the manufacturers' liability.

    I am surprised they haven't taken action with regard to the security of the software mounted in their products, as it will only take a couple of successful cases where that insecurity will cause them major liability, possibly for negligence. Those insecurities, and the potential problems, are becoming more and more apparent. It is only a matter of time, or a few cases, before those that insure the manufacturers bring the hammer down, fix it or lose your insurance.

    It is too bad that those few cases might catastrophic for those end users, but sometimes it takes a good smack to wake someone up, especially when they are blinded by profit.

  20.
    Anonymous Coward, 1 May 2019 @ 12:25pm

    Re:

    “Playing watchdogs”
    Yep

  21.
    Anonymous Coward, 1 May 2019 @ 12:27pm

    Re: Re: Re:

    Cool - but why do I need random people on the internet to have the capability to shut down my vehicle while it is at highway speeds?

    Is there an option on new vehicles to not have these things installed?
    Is it illegal to disconnect them?

  22.
    Anonymous Coward, 1 May 2019 @ 12:30pm

    Re: Re: Re: Re:

    People get mad at you for laughing at the stupid hollywood physics.

  23.
    Anonymous Coward, 1 May 2019 @ 1:34pm

    Re: Re:

    The death count by vehicles will definitely go down, but it will now be selected (controlled) vehicle deaths...

    I guess that's better if you're the one in control (the 1%)

  24.
    PaulT (profile), 2 May 2019 @ 12:12am

    Re: Re: Re: Re: Re:

    "I am surprised they haven't taken action with regard to the security of the software mounted in their products"

    I'm not. Again - nobody seems to give a crap until something happens. It's only where liability becomes obvious that action will be taken. Until then, there are a thousand other factors that insurance companies will take notice of, as until then it doesn't open up new liability that's recognised.

    "It is too bad that those few cases might catastrophic for those end users"

    But, this is the way of things. Car manufacturers are literally known to hold off vehicle recalls if they calculate that the cost of recall would be more than the financial costs of paying off accident victims. I don't know why you'd be surprised that they haven't taken action on an issue that, to the best of our knowledge, has not been exploited to actually cause any serious accidents yet.

  25.
    Glenn, 2 May 2019 @ 4:06am

    Now more than ever I really really don't want to ever buy a new car, esp. not one with any "smart" features.
