Here's how to remotely take over a Ferrari...account, that is Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers — by exploiting vulnerabilities in the vehicles' telematic systems, automotive APIs and supporting infrastructure, according to security researchers. …
To me all of these 'security is top priority' -claims are pure bollocks: Security costs money and none of them spend money on actual security, which is proven when obvious total disregard of security goes into production systems.
Patching publicly known bugs is several decades cheaper, after someone else published them first. Bugs themselves has existed who know how many years and none of the companies could trace software development to the moment said bugs were created. Or didn't publish it because it's years or decades.
That tells how high the security actually is: A PR issue. No more, no less.
If it *really* was top priority, every software team would have one security expert who audits *every single row* of code they write. And company wide experts for infrastructure. and everything not related to their own software development.
I can bet none of companies mentioned has that kind of security: It costs money.
I've been saying for years that that there should be an inherently secure, fully audited, vendor agnostic, industry standard protocol for IoT devices to enforce security at every single point as far as practically possible.
Considering the vast majority of people buy (or lease) a car and then leave it outside for the entire period of time it's in their possession, it's obvious this requirement should also be extended to anything produced by the automotive industry.
Of course, when these two various industries eventually decide that's a good idea they won't all work together to do it, you'll get three 'alliances' of various companies working on their own 'better' version of a protocol and we'll end up with another royal VHS/Betamax/DVD/BluRay style battle of competing standards which will only be marginally beneficial until one of them is adopted as the industry standard.
"We permanently monitor our systems," the spokesperson said. "We take any indications of vulnerabilities very seriously. Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties."
Un-huh. those third parties being white hat hackers. They need to change their logo to a farmer closing a barn door with a horse running away.
"Permanently monitor" is a nonsense phrase anyway. They could plan to check the logs once a year for perpetuity and claim they "permanently monitor".
At least "continuously monitor" means something, though very little, since it says nothing about the quality of monitoring.
This post has been deleted by its author
This post has been deleted by its author
"So, Spireon are either bullshitting (no toolset) or incompetent (dunno how to use the toolset). Or, their toolset supplier(s) bullshitted them."
There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team. The insiders have access to how the system is constructed/coded and look for vulns based on that. The outside team works from knowledge of how to hack things and attempts to worm their way in. Any mention of a "toolset" hints at some sort of automated testing based on known exploits.
> There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team
They do have all the teams required, including a management team that takes a certain delight in referring to everyone else as just a bunch of tools, to be used, abused and everything in between.
Oops, they didn't mean to say that out loud where the press may be listening...
There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team.
Oh, bullshit. While penetration testing is definitely important, and necessary for any serious piece of software, it's only one of many pieces in a real SDL. Static and dynamic scanning and fuzzing are also necessary, as are other non-tool-based activities such as threat modeling.
Picking one security activity as the correct one just shows a poor understanding of security.
I have a connected car app/account and it is so secure that I can’t get into it myself.
It sends a code to the car which appears on the screen and it won’t work unless I put that code in and I can’t be bothered to do it again. So it just locks me out.
It was sort of useful if I couldn’t remember locking the car I could quickly check, but not that big a deal.
I'd like a dis-connected car/account. Or at least, the option for one. I suspect it'll be like the ancient 'radio delete' option was years ago--sure, we can remove that, but there's a fee....
More and more, it's looking like my next car will have a number of previous owners and will be from the prior century.
If you want that to happen, every country on the planet that has any sort of automotive market would need a law passed holding the automobile manufacturer financially liable for all damages caused by an intrusion on a "guilty unless proven innocent" basis, with innocent defined as "no way of knowing." If anyone comes forth to testify that they warned the automaker, they pay. If any whistleblower in the company testifies, they not only pay but pay the whistleblower a percentage of the fine. If an independent professional coder testifies that after examining the code the manufacturer should have found the problem, they pay. If the company refuses to allow an investigation access to the code, they pay triple. Further, if anyone dies, the C suite wears black and orange stripey pyjamas for a few years. Without this, security will be treated as a non-event until it becomes an event. With this, of course, and auto driving comes to an end until they can make it work correctly.
Companies will apply a risk/reward analysis against an expense, and if they decide the risk is worth it they'll take it. Example, Ford knew the Ford Pinto was prone to catching the passenger compartment in fire, and developed a fix for the problem that would have cost Ford a little over $7USD. The beancounters calculated that the payout for letting people burn to death would be less than the cost to fix, so they denied the fix. What's especially sad is they could have added 8 bucks to the car's price, and it would have cost Ford nothing.
This post has been deleted by its author
Lil Endian, you ask "Which other countries allowed the fire trap on their roads, after the issue was identified?"
Well, it was not a 'fire trap' but the Austin Allegro had a known problem of wheel bearing failure "One potential danger was that over tightening the wheel bearing nuts could result in bearing failure".* This occurred on at least one occasion, I recall a report that someone driving along the motorway was hit by a wheel from an Allegro which sheared off and crashed through the windscreen (he died). This was one of the events which caused a great deal of controversy in the UK as the vehicle test results, conducted by a government department, were classified at the then "RESTRICTED" level, meaning they could not be published in the UK.
In the USA they were available, and the BBC program 'Tomorrow's World' did a broadcast from the USA specifically on this issue. Shortly afterwards (in political time) test results for Motor vehicles in the UK were made public.
The appalling tragedy of the fire at Grenfell Tower caused by the use of highly flammable cladding, abysmal fire prevention, and poor building maintenance shows that the UK may still have a problem with publicising the results of safety tests and acting on them.
*https://www.autoexpress.co.uk/car-news/97617/austin-allegro-the-worst-cars-ever
"Talking of Grenfell, how many other high buildings have similar cladding, even today?"
Far, far too many.
https://www.insidehousing.co.uk/news/news/more-than-100-buildings-with-grenfell-style-cladding-yet-to-complete-work-nearly-five-years-after-tragedy-75689
This post has been deleted by its author
"If it *really* was top priority, every software team would have one security expert who audits *every single row* of code they write. And company wide experts for infrastructure. and everything not related to their own software development."
Indeed, and jobs openings for security would be all over the place for them in linkedin.
Oh, wait, there is literally none !
It is more than just code though. The fashion for everything to be connected as if it somehow makes things better is as much a part of the problem.
For some reason there is this concept in the eye of the average users that because something is connect to the Internet or has an App it is magically better. Sales, Marketing droids push this and inept developers push out huge volumes of half-tested "Agile" software because it is "better".
The result is nobody in the chain gives a toss and the few of us oldies that do understand say anything we are considered to be out of date and inflexible to modern ways of working.
Yes I would like security to be better but I would also like to see much of this shite consigned to the bin completely.
Why the hell on my VW do I need to sign in with a Volkswagen Identity just to setup two profiles on the two keys (mainly so I don't have to suffer my wife's radio selection, very loud when you get in the car)? My previous Golf did not need that, it just worked.
This post has been deleted by its author
This post has been deleted by its author
This post has been deleted by its author
"The affected companies all fixed the issues within one or two days of reporting,"
Wait until these "connected" accidents looking for a place to happen are 10+ years old and try that again. Personally I'd be amazed if any get fixed at all, let alone within anything like a sensible time.
Bonus hacker points for identifying some future attack vector that cannot be fixed on the older hardware and thus will remain exploitable <reverb>FOREVER</reverb>.
This post has been deleted by its author
.....I had a metal key on my key ring. The car had a keyhole in the door, and behind the keyhole there was a mechanical lock.
But now, in our advanced society, I have a radio key fob. There's a radio in the car, connected to a computer....which (perhaps) communicates with a device in the car door.....and (perhaps) the door opens.
.....and of course, this elaborate technology is marketed as "progress"......
Really?
Spend £100k on a car and get advised by the police to fit CCTV and a steering lock due to common thefts:
https://www.bbc.com/news/uk-england-stoke-staffordshire-61838245
Obviously in addition to putting your keyless fob in a Faraday bag, because clearly they were designed with security in mind...
"Spend £100k on a car and get advised by the police to fit CCTV and a steering lock due to common thefts:"
The way I think, getting a £100k car and not having a secure place to park it is the first problem. I have a much less expensive car and a garage to put it in that's entirely paid off. Priorities.
This post has been deleted by its author
And from today's "I" newspaper: https://inews.co.uk/news/hidden-chinese-tracking-device-government-car-national-security-2070152 9Subscriber only article, sadly, and I don't have a subscription).
"At least one SIM card capable of transmitting location data was discovered in a sweep of government and diplomatic vehicles which uncovered ‘disturbing things’, a serving security source confirmed.
A hidden Chinese tracking device was found in a UK Government car after intelligence officials stripped back vehicles in response to growing concerns over spyware, i has been told."
In the newspaper article it seems that there are millions of 'spy SIMs' embedded in parts from Chinese manufacturers which potentially allow tracking an eavesdropping of vehicles and their occupants. Which the Chinese officially deny are for any sort of espionage activities. Though I do find it strange that anyone would knowingly install mobile phone connectivity which has to be paid for by the call in millions of devices and parts for vehicles without getting something very valuable in return.
@Eclectic_Man
Ha......Chinese......
No mention here about GCHQ and the NSA monitoring mobile phones................
Or Apple keeping track of "Find My" devices..... (See: https://www.apple.com/uk/icloud/find-my/)
Or Google slurping 1.6 million medical records....(See: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act )
Or the "Police super-database"......(See: https://www.theguardian.com/uk-news/2018/oct/01/police-super-database-prompts-liberty-warning-on-privacy )
Yup......plenty to worry about before we start worrying about the Chinese!!!
.......and that's a few of the local threats we know about!!!
"Though I do find it strange that anyone would knowingly install mobile phone connectivity which has to be paid for by the call in millions of devices and parts for vehicles without getting something very valuable in return.
There isn't a "call" to be paid. It's low bandwidth, low priority data that can be had for very little money in bulk.
"Spireon takes all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks,"
And yet the software development team wrote code that suffered from SQL injection vulnerabilities. In the 21st century. JFC! What kind of dweebs do they have the writing their code?
That's what they're still saying in the 23rd century.
Can't park your starship anywhere these days.
All the versions are great. It's fun to see Douglas craft the narrative multiple different ways. Having a background in music and having worked with some galactic sized egos (and loud performers), I relate to the Disaster Area version. I can think of a couple of bands I've worked with that could slot right in.
I would bet these companies did indeed hire someone to vet, or audit, their corporate IT and possibly even some of their vehicle telematics.
And it was done by one of the usual assortment of two-letter and three-letter accounting firms who assigned the tasks to dutiful but dumb accounting graduates.
And it was expensive, and therefore All Was Good. (Never mind if they actually found anything.)
Until a competent security researcher with real experience rather than a three-year-old checklist found some defects. Or rather, lots of defects.
There is liability to be found here, for the right lawyer who can read audit statements accompanying a shareholder's annual report. Lots of liability.
I'm not a Luddite, I welcome advanced technology in a vehicle. BUT -- I don't want my car connected. Ever. Its not just security, its the insidious way that ''features' are now being peddled on subscription. Its not just that I want to buy and own something, its the idea that once you have remote access then you have to have security with that remote access which means that I have to keep paying to secure a service that I didn't want in the first place.
So I'm stuck. I can't buy any new products any more. Assuming i'm not unique then I'm probably helping cause a recession. Good.
(Elsewhere the MSFT CEO says that 'technology will be in recession for a couple of years' because, yes, I could do with a newer computer but no, I don't want to pay over the odds for a bunch of spyware that uses up a significant chunk of my system's resources and I have absolutely no need for, or use for, cloud capabilities. I'm probably like everyone else so he's banking on a couple of years of depressed sales until everything we've got has either fallen to bits or has been 'upgraded' into uselessness.)
"So I'm stuck. I can't buy any new products any more."
Why not get a local group together and work on limiting the data collection and comms from newer vehicles. I expect that there are more than a few people that would be willing to pay a fair price to have their new cars devoid of tracking and data collection.
How much of the software in the newer vehicles is "Because We Can" and not because it is needed, or even actually useful in the real world?
Who actually benefits for the mandatory two way connectivity in todays cars? I can understand some of this in fleet vehicles, but how useful is the same stuff it in a private, paid for vehicle?
I understand much of this connectivity cannot be opt out of without disabling the vehicle.
"but how useful is the same stuff it in a private, paid for vehicle?
"
Instead of completely testing the systems in a vehicle and getting it just right before release, they can get to market sooner and fix the most egregious issued via an "Over the Air" update when they can get to it. My car is old enough that it doesn't have any of that connectivity yet everything works just fine. I'm rather happy it doesn't have things like a built in nav system. The Garmin I chuck up on the dash can be replaced for a few bob if it goes wrong or there are no longer updates for the maps. If it was built into the car........
My 2015 Toyota in-car media/bluetooth/settings thing reboots itself for no apparent reason even after an update a couple of years ago, so I dread to think what later Toyotas where software is more important to the car's functioning will do.
However if the car has a SIM instead of an eSIM then there's always the option of removing it. Probably why every car manufacturer will eventually move to eSIMs... got to sell your data to... someone...
"because we can .... exert far creater control than just with controlling supply for service and spare parts. And if we connect all the services to an account that is required, we can charge significant amount from every car owner." I presume.
Imagine if you cannot for example lock the doors for the used car you just purchased or control audio volume unless you have purchased 1000-3000€ services package with automatic emergency call system (mandatory at least in EU with new cars around 2020) and some extra quality of life services.
How much of the code is Friday afternoon "wouldn't it be nice if..." brainstorms that got abandoned in the cold hard light of a Monday morning but never got removed.
Watched the 'Fifth Gear Recharged' team delving into the depths of the Tesla Model Y's UI last week, only to discover it has a 'fart on 'turn' signal option!
"Who actually benefits for the mandatory two way connectivity in todays cars?"
You might not be of interest individually, but if the car company can collect vast amounts of driving data, there will be a market for it. Then again, if the police are able to subpoena a load of info and your car happens to have been nearby during several incidents they are investigating, you might need to prove your innocence or really hope they don't stop their investigation due to "having their man" and leaving it at that. I can see that insurance companies will be very interested in accessing travel logs, sensor data and graphs of motorway speeds vs posted limits.
Things are getting better, slowly. Remember the Chrysler vulnerability of a few years back which allowed root dbus calls directly from the internet with a default password, so that anybody could crash a car remotely?
Computer security as applied to the automotive industry is now being taught at the University technical colleges in the UK, so some cars of the future (e.g. JLR) should at least have better authentication and a chain of trust. But how much of this software development is being guided by this when the cheaper programmers are elsewhere in the world and the directors think that sales depend on features/benefits more than security?
The problem here is that most of these attack vectors involved hacking the manufacturer and getting hold of the credentials from the inside, so it doesn't matter if you have a strong password, trusted certificates or even blockchain tech, people get to your car and account through the front door with that.
So it's more a matter of if, rather than how, hence the PR efforts to prevent widespread panic about car security.
With Wind River's (OS manufacturer) purchase by Aptiv (car electronics and wiring) this might help some of the industry who still use other OS.
At CES they had a demonstration where a trunk/boot would not open. They modified the code in Wind River Studio. Fed it into the DevOps workflow that security checked the code (amongst other things), tested the final executable on a digit twin of the car and eventually securely sent it to the car to make it more responsive and open for the lady demonstrating it.
Wind River really know about high integrity security in their certifiable operating systems, so let's hope it permeates into the vehicle market.
"The security of our organization, products and services is one of our top priorities," the spokesperson said, adding that "the identified vulnerability did not affect the security of our vehicles."
That seems to be contradicted by what was found (lets ignore the essentially total takeover of internal systems and havoc that could cause to vehicle security)
If we look at "source code for various Mercedes-Benz projects including its Me Connect app used by customers to remotely connect to their vehicles"
If you have the source code for that (they already had various keys etc) then its trivial to build a malicious application based on that code & thus impact vehicle security
Why cant spokesdroids just be honest (& express massive thanks to the whitehats who found that & helped them fix it). If these issues had been found my malicious actors then maybe these companies would take security more seriously (this has cost them little financially & a bit of disaster IT embarrassment that the average car owner won't even register )
You might be able to make the manufacturer's records change, but those are not authoritative. Even for the fancy high-end, limited run stuff, there's no requirement to report sales back, so their databases are frequently out of date, even at the "how many of these cars are in Europe" level.
There might be a government database that, if altered, would imply a change of ownership, but that'd fall apart quickly when you start asking for receipts showing when it was sold and to/from whom.
"but that'd fall apart quickly when you start asking for receipts showing when it was sold and to/from whom."
The higher the cost of something, the more important it is to have printed documentation with "wet" signatures.
This post has been deleted by its author
Rather than having Benny Hill as a computer expert who loads a rigged tape on the traffic-light control system, you now have a script-kiddy in their bedroom remote-bricking the traffic.
Loses a sense of the "drama" methinks. (Although, even by 60s sensitivities, aspects of the Benny Hill character were "challenging").
"you now have a script-kiddy in their bedroom remote-bricking the traffic."
Because nobody stood up and asked why the traffic lights needed to be controllable or programmable from a remote location. The city council was sold on the story that it would save money to be able to change the timing remotely rather than visiting each signal (every couple of years). Never mind that the data connection completely negates any sort of cost savings and will go wrong and need servicing every few months.
I don't own a car, so make of that what you will, but cam anyone give me an advantage of giving that much control over your car to an app on your phone? I can see that it's nice to be do things like unlock the car and start the engine while you are sitting down at your table and having a cup of tea, but is it really worth risking losing your car, or you or your family's lives?
I can see it would be an advantage if your car offers full self driving, as you could click a button and have the car come collect you, but even that's dubious, because you quite possibly drove to wherever you would need to be picked up from.
"cam anyone give me an advantage of giving that much control over your car to an app on your phone?"
The only things that I see as useful is being able to verify that an EV is charging or done charging if you need to make a long trip the next morning and being able to preheat/cool the car. Unlocking and being able to remotely 'start' the car aren't features for me. My car has a fob that lets me lock and unlock the doors and open the boot, but it's still a mechanical key that will unlock the doors if the battery goes flat. The car won't start unless one of the chipped keys is in the ignition and that's handled passively so it will still work if the fob battery is flat or missing. I find that more secure than what's being installed today. My fob is simple so it won't succumb to relay attacks.
> Toyota Financial app that disclosed the name, phone number, email address, and loan status of any customers.
> Toyota Motor Credit told The Register that it fixed the issue, and noted "this had no connection to Toyota vehicles or how they operate."
I presume they alerted the relevant IC of this GDPR breach.
"So the team used their newly created account credentials to login to several applications containing sensitive data. Then they "achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees."
One of these was the carmaker's version of Slack. "We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure," the researchers explained."
and
"A Mercedes-Benz spokesperson confirmed that Curry contacted the company about the vulnerability and that it had been fixed.
"The security of our organization, products and services is one of our top priorities," the spokesperson said, adding that "the identified vulnerability did not affect the security of our vehicles.""
If I can create an account, login and access sensitive data and achieve remote code execution to "exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees."
I would say the security of those vehicles were more than affected.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
