Here's how to remotely take over a Ferrari...account, that is

Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers —  by exploiting vulnerabilities in the vehicles' telematic systems, automotive APIs and supporting infrastructure, according to security researchers. …

  1. Anonymous Coward

    Pure BS and security is really only a PR problem

    To me all of these 'security is top priority' claims are pure bollocks: Security costs money and none of them spend money on actual security, which is proven when obvious total disregard of security goes into production systems.

    Patching publicly known bugs is several decades cheaper, after someone else published them first. The bugs themselves have existed for who knows how many years, and none of the companies could trace software development back to the moment said bugs were created. Or didn't publish it because it's years or decades.

    That tells how high the security actually is: A PR issue. No more, no less.

    If it *really* was top priority, every software team would have one security expert who audits *every single row* of code they write. And company-wide experts for infrastructure and everything not related to their own software development.

    I can bet none of the companies mentioned has that kind of security: It costs money.

    1. simonlb Silver badge
      FAIL

      Re: Pure BS and security is really only a PR problem

      I've been saying for years that there should be an inherently secure, fully audited, vendor agnostic, industry standard protocol for IoT devices to enforce security at every single point as far as practically possible.

      Considering the vast majority of people buy (or lease) a car and then leave it outside for the entire period of time it's in their possession, it's obvious this requirement should also be extended to anything produced by the automotive industry.

      Of course, when these two various industries eventually decide that's a good idea they won't all work together to do it, you'll get three 'alliances' of various companies working on their own 'better' version of a protocol and we'll end up with another royal VHS/Betamax/DVD/BluRay style battle of competing standards which will only be marginally beneficial until one of them is adopted as the industry standard.

      1. NoneSuch Silver badge
        FAIL

        Re: Pure BS and security is really only a PR problem

        "We permanently monitor our systems," the spokesperson said. "We take any indications of vulnerabilities very seriously. Our top priority is to prevent unauthorized access to the systems in our vehicles by third parties."

        Uh-huh. Those third parties being white hat hackers. They need to change their logo to a farmer closing a barn door with a horse running away.

        1. Michael Wojcik Silver badge

          Re: Pure BS and security is really only a PR problem

          "Permanently monitor" is a nonsense phrase anyway. They could plan to check the logs once a year for perpetuity and claim they "permanently monitor".

          At least "continuously monitor" means something, though very little, since it says nothing about the quality of monitoring.

    2. Lil Endian Silver badge

      Re: Pure BS and security is really only a PR problem

      Agreed.

      I especially 'liked' this bit:

      "Spireon takes all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks," the spokesperson added.

      Yet that arrangement didn't detect ...multiple vulnerabilities in SQL injection and authorization bypass...

      So, Spireon are either bullshitting (no toolset) or incompetent (dunno how to use the toolset). Or, their toolset supplier(s) bullshitted them.

      1. Alumoi Silver badge

        Re: Pure BS and security is really only a PR problem

        Have you considered it is all three?

        They can always claim a 'sophisticated cyber attack by a state-sponsored bad actor' like everybody else does.

        1. Lil Endian Silver badge

          Re: Pure BS and security is really only a PR problem

          If Spireon cannot use the toolset that they don't have, then that's some serious new level of incompetence, and some truly world class bullshitting from their suppliers! Maybe the toolset is called "The Emperor's Clothes"!

          That said, it doesn't eliminate that it could be all three! Ah, the confidence grows!

      2. MachDiamond Silver badge

        Re: Pure BS and security is really only a PR problem

        "So, Spireon are either bullshitting (no toolset) or incompetent (dunno how to use the toolset). Or, their toolset supplier(s) bullshitted them."

        There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team. The insiders have access to how the system is constructed/coded and look for vulns based on that. The outside team works from knowledge of how to hack things and attempts to worm their way in. Any mention of a "toolset" hints at some sort of automated testing based on known exploits.

        1. An_Old_Dog Silver badge
          Unhappy

          "Toolset"

          "Toolset" == "sudo dmesg | more" ??

        2. that one in the corner Silver badge

          Re: Pure BS and security is really only a PR problem

          > There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team

          They do have all the teams required, including a management team that takes a certain delight in referring to everyone else as just a bunch of tools, to be used, abused and everything in between.

          Oops, they didn't mean to say that out loud where the press may be listening...

        3. Michael Wojcik Silver badge

          Re: Pure BS and security is really only a PR problem

          There is no "toolset". If you are serious about security, you have an 'inside' team and an 'outside' team.

          Oh, bullshit. While penetration testing is definitely important, and necessary for any serious piece of software, it's only one of many pieces in a real SDL. Static and dynamic scanning and fuzzing are also necessary, as are other non-tool-based activities such as threat modeling.

          Picking one security activity as the correct one just shows a poor understanding of security.

    3. Timop

      Re: Pure BS and security is really only a PR problem

      If you don't validate security yourself, "there are no remainder risks nor breaches in our systems (we are aware of)". Plus you don't have to pay for it, that would be really good news at least for the German automakers.

    4. werdsmith Silver badge

      Re: Pure BS and security is really only a PR problem

      I have a connected car app/account and it is so secure that I can’t get into it myself.

      It sends a code to the car which appears on the screen and it won’t work unless I put that code in and I can’t be bothered to do it again. So it just locks me out.

      It was sort of useful if I couldn’t remember locking the car I could quickly check, but not that big a deal.

      1. quxinot

        Re: Pure BS and security is really only a PR problem

        I'd like a dis-connected car/account. Or at least, the option for one. I suspect it'll be like the ancient 'radio delete' option was years ago--sure, we can remove that, but there's a fee....

        More and more, it's looking like my next car will have a number of previous owners and will be from the prior century.

    5. M.V. Lipvig Silver badge
      Flame

      Re: Pure BS and security is really only a PR problem

      If you want that to happen, every country on the planet that has any sort of automotive market would need a law passed holding the automobile manufacturer financially liable for all damages caused by an intrusion on a "guilty unless proven innocent" basis, with innocent defined as "no way of knowing." If anyone comes forth to testify that they warned the automaker, they pay. If any whistleblower in the company testifies, they not only pay but pay the whistleblower a percentage of the fine. If an independent professional coder testifies that after examining the code the manufacturer should have found the problem, they pay. If the company refuses to allow an investigation access to the code, they pay triple. Further, if anyone dies, the C suite wears black and orange stripey pyjamas for a few years. Without this, security will be treated as a non-event until it becomes an event. With this, of course, and auto driving comes to an end until they can make it work correctly.

      Companies will apply a risk/reward analysis against an expense, and if they decide the risk is worth it they'll take it. Example, Ford knew the Ford Pinto was prone to the passenger compartment catching fire, and developed a fix for the problem that would have cost Ford a little over $7USD. The beancounters calculated that the payout for letting people burn to death would be less than the cost to fix, so they denied the fix. What's especially sad is they could have added 8 bucks to the car's price, and it would have cost Ford nothing.

      1. Lil Endian Silver badge

        Re: Pure BS and security is really only a PR problem

        I wanted to refer to the risk/reward point when we were discussing Teslas recently, but I couldn't remember the car with the issue. So thanks for filling that gap in for me.

        The Pinto "problem" was in the USA, right? It does seem to me that the same would not happen in all countries. Which other countries allowed the fire trap on their roads, after the issue was identified?

        I think the underlying problem I'd identify from your comment is that profiteering can be selfish to the point of causing deaths - although I'm not attempting to put words in your mouth.

        [See: Corporate manslaughter.]

        1. Eclectic Man Silver badge
          Unhappy

          Re: Pure BS and security is really only a PR problem

          Lil Endian, you ask "Which other countries allowed the fire trap on their roads, after the issue was identified?"

          Well, it was not a 'fire trap' but the Austin Allegro had a known problem of wheel bearing failure "One potential danger was that over tightening the wheel bearing nuts could result in bearing failure".* This occurred on at least one occasion, I recall a report that someone driving along the motorway was hit by a wheel from an Allegro which sheared off and crashed through the windscreen (he died). This was one of the events which caused a great deal of controversy in the UK as the vehicle test results, conducted by a government department, were classified at the then "RESTRICTED" level, meaning they could not be published in the UK.

          In the USA they were available, and the BBC program 'Tomorrow's World' did a broadcast from the USA specifically on this issue. Shortly afterwards (in political time) test results for Motor vehicles in the UK were made public.

          The appalling tragedy of the fire at Grenfell Tower caused by the use of highly flammable cladding, abysmal fire prevention, and poor building maintenance shows that the UK may still have a problem with publicising the results of safety tests and acting on them.

          *https://www.autoexpress.co.uk/car-news/97617/austin-allegro-the-worst-cars-ever

          1. heyrick Silver badge

            Re: Pure BS and security is really only a PR problem

            Sadly, it's always more effective to ignore safety issues and bleat "lessons will be learned" when people die.

            Talking of Grenfell, how many other high buildings have similar cladding, even today?

            1. Eclectic Man Silver badge
              Unhappy

              Re: Pure BS and security is really only a PR problem

              "Talking of Grenfell, how many other high buildings have similar cladding, even today?"

              Far, far too many.

              https://www.insidehousing.co.uk/news/news/more-than-100-buildings-with-grenfell-style-cladding-yet-to-complete-work-nearly-five-years-after-tragedy-75689

          2. Lil Endian Silver badge

            Re: Pure BS and security is really only a PR problem

            Thanks for the response Eclectic Man.

            Laws can be enacted, and they can be ignored, all for the sake of chasing the money - part of M.V. Lipvig's point above re: risk/reward. VW emissions, for example. And, yes, grossly, Grenfell Tower and other such buildings. I doubt there's a market segment that doesn't flout laws in this way.

            (Without making light of the situation, the All-aggro was a proper pain in the back if you ever had to push-start one. A proper lump of Black Country metal.)

      2. chivo243 Silver badge

        Re: Pure BS and security is really only a PR problem

        My aunt had a Ford Pinto in the 70s... Not for long, my uncle replaced it quickly once the cat was out of the bag.

    6. MachDiamond Silver badge

      Re: Pure BS and security is really only a PR problem

      "every software team would have one security expert who audits *every single row* of code they write."

      It's not a line by line issue. It's the software as a whole and how it touches the outside world.

    7. Potemkine! Silver badge

      Re: Pure BS and security is really only a PR problem

      Hear, hear

      1. Michael Wojcik Silver badge

        Re: Pure BS and security is really only a PR problem

        Upvoted just for using the correct homonym.

    8. Anonymous Coward

      Re: Pure BS and security is really only a PR problem

      "If it *really* was top priority, every software team would have one security expert who audits *every single row* of code they write. And company-wide experts for infrastructure and everything not related to their own software development."

      Indeed, and job openings for security would be all over the place for them on LinkedIn.

      Oh, wait, there are literally none!

    9. hoola Silver badge

      Re: Pure BS and security is really only a PR problem

      It is more than just code though. The fashion for everything to be connected as if it somehow makes things better is as much a part of the problem.

      For some reason there is this concept in the eyes of average users that because something is connected to the Internet or has an App it is magically better. Sales and Marketing droids push this and inept developers push out huge volumes of half-tested "Agile" software because it is "better".

      The result is nobody in the chain gives a toss, and when the few of us oldies that do understand say anything, we are considered to be out of date and inflexible to modern ways of working.

      Yes I would like security to be better but I would also like to see much of this shite consigned to the bin completely.

      Why the hell on my VW do I need to sign in with a Volkswagen Identity just to set up two profiles on the two keys (mainly so I don't have to suffer my wife's radio selection, very loud when you get in the car)? My previous Golf did not need that, it just worked.

  2. Lil Endian Silver badge
    Stop

    Vehicular Pandemic Vector, Dubbed - re:SpiOn

    ...from which an attacker could send arbitrary commands to all 15 million vehicles, thus remotely unlocking doors, honking horns, starting engines and disabling starters.

    What would be the impact on the consumer base if 15m vehicles all immobilized simultaneously. Would they "get it" then?

    I was wondering about the egregious SOP surrounding these services when reading the Qualcomm article a few days ago.

    Emergency Vehicles

    Shirley all nation states banging on about Terrists and National Security must ban this technology on key response assets (until the tech is proven, in the fullness of time), or be on record as spieling doodoo. Although, they just don't care about being caught any more, so, meh.

    1. Lil Endian Silver badge
      Facepalm

      Re: Vehicular Pandemic Vector, Dubbed - re:SpiOn

      Sorry, I did mean SPF (Single Point of Failure) above, rather than SOP. Although SOP kinda works a bit.

      1. AndrueC Silver badge
        Happy

        Re: Vehicular Pandemic Vector, Dubbed - re:SpiOn

        POS would work better. And I don't mean Point of Sale.

        1. Lil Endian Silver badge
          Coffee/keyboard

          Re: Vehicular Pandemic Vector, Dubbed - re:SpiOn

          Message acknowledged! --->

  3. TeeCee Gold badge
    Facepalm

    Yes, but..

    "The affected companies all fixed the issues within one or two days of reporting,"

    Wait until these "connected" accidents looking for a place to happen are 10+ years old and try that again. Personally I'd be amazed if any get fixed at all, let alone within anything like a sensible time.

    Bonus hacker points for identifying some future attack vector that cannot be fixed on the older hardware and thus will remain exploitable <reverb>FOREVER</reverb>.

    1. John Brown (no body) Silver badge

      Re: Yes, but..

      And if the car itself actually gets some firmware security updates, will that still happen out of warranty, will it be made available to the drivers or will you have to go to a dealer and pay through the nose?

      1. Lil Endian Silver badge

        Re: Yes, but..

        I think we know the answer to that.

        Only a couple of years ago, I tried to find a hose for a ten-year-old Astra (UK). Discontinued. No other vehicle hoses would fit the pattern, nothing available, a write-off for a hose. Around the same time I managed to source various parts for an '84 CRX, still running. Clearly now manufacturers want to limit the practical life of a vehicle. Not a shocker to us here I know.

        Yet, as this article indicates, automotive manufacturers haven't yet got much of a grasp on securing the IT components of their products. So, for the time being at least, I'm pretty confident I can do my own firmware upgrades if needed. Assuming a trusted source, of course.

      2. Michael Wojcik Silver badge

        Re: Yes, but..

        Even if the owners don't have to pay, how many "bring it to the dealer" recall notices are ignored by the recipients? Particularly if the issue isn't causing any problem they can see at the moment?

  4. TimMaher Silver badge
    Coat

    Any word about Volvo?

    Asking for a friend.

  5. Anonymous Coward

    Once upon a time.......

    .....I had a metal key on my key ring. The car had a keyhole in the door, and behind the keyhole there was a mechanical lock.

    But now, in our advanced society, I have a radio key fob. There's a radio in the car, connected to a computer....which (perhaps) communicates with a device in the car door.....and (perhaps) the door opens.

    .....and of course, this elaborate technology is marketed as "progress"......

    Really?

    1. Paul Crawford Silver badge
      Facepalm

      Re: Once upon a time.......

      Spend £100k on a car and get advised by the police to fit CCTV and a steering lock due to common thefts:

      https://www.bbc.com/news/uk-england-stoke-staffordshire-61838245

      Obviously in addition to putting your keyless fob in a Faraday bag, because clearly they were designed with security in mind...

      1. werdsmith Silver badge

        Re: Once upon a time.......

        You don’t need to put them in a Faraday cage; the double lock or similar process disables the keyless entry until you use it again. I think the early ones had a problem, but not for years now.

      2. MachDiamond Silver badge

        Re: Once upon a time.......

        "Spend £100k on a car and get advised by the police to fit CCTV and a steering lock due to common thefts:"

        The way I think, getting a £100k car and not having a secure place to park it is the first problem. I have a much less expensive car and a garage to put it in that's entirely paid off. Priorities.

    2. nijam Silver badge

      Re: Once upon a time.......

      > ... behind the keyhole there was a mechanical lock

      ... which could be opened by any lout with a screwdriver.

      1. Richard 12 Silver badge

        Re: Once upon a time.......

        Mechanical locks have many orders of magnitude fewer feasible combinations than electronic ones.

        So picking a well-built mechanical lock is fundamentally easier than a well-built electronic.

        The problem is of course that "well-built" prerequisite...

        1. Lil Endian Silver badge

          Re: Once upon a time.......

          My mate was gobsmacked when I picked up a lollipop stick from the road and opened his Vauxhall Viva with it! (TBH, I was surprised too, but I'd said it would work, so managed to keep my I-knew-that face on!) Ah, the 80s!

      2. Paul Crawford Silver badge

        Re: Once upon a time.......

        True, but then the insurers can't claim it was never locked as "no sign of violence used".

      3. MachDiamond Silver badge

        Re: Once upon a time.......

        "which could be opened by any lout with a screwdriver."

        And any lout with a rock can open the window.

        1. Killfalcon Silver badge
          Joke

          Re: Once upon a time.......

          Really, it's to the customer's benefit. No easier to steal, no harder to recover, but if you *do* get it back, the window won't need replacing!

  6. Eclectic Man Silver badge
    Meh

    Spying on Government Vehicles

    And from today's "I" newspaper: https://inews.co.uk/news/hidden-chinese-tracking-device-government-car-national-security-2070152 (Subscriber only article, sadly, and I don't have a subscription).

    "At least one SIM card capable of transmitting location data was discovered in a sweep of government and diplomatic vehicles which uncovered ‘disturbing things’, a serving security source confirmed.

    A hidden Chinese tracking device was found in a UK Government car after intelligence officials stripped back vehicles in response to growing concerns over spyware, i has been told."

    In the newspaper article it seems that there are millions of 'spy SIMs' embedded in parts from Chinese manufacturers which potentially allow tracking and eavesdropping of vehicles and their occupants. Which the Chinese officially deny are for any sort of espionage activities. Though I do find it strange that anyone would knowingly install mobile phone connectivity which has to be paid for by the call in millions of devices and parts for vehicles without getting something very valuable in return.

    1. Anonymous Coward

      Chinese Threat......But Then There Are Other Threats......

      @Eclectic_Man

      Ha......Chinese......

      No mention here about GCHQ and the NSA monitoring mobile phones................

      Or Apple keeping track of "Find My" devices..... (See: https://www.apple.com/uk/icloud/find-my/)

      Or Google slurping 1.6 million medical records....(See: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act )

      Or the "Police super-database"......(See: https://www.theguardian.com/uk-news/2018/oct/01/police-super-database-prompts-liberty-warning-on-privacy )

      Yup......plenty to worry about before we start worrying about the Chinese!!!

      .......and that's a few of the local threats we know about!!!

      1. Barry Rueger

        Re: Chinese Threat......But Then There Are Other Threats......

        @AC is exactly right. Why in God's name would anyone assume that Western government agencies are less sneaky and underhanded than their Chinese counterparts?

    2. MachDiamond Silver badge

      Re: Spying on Government Vehicles

      "Though I do find it strange that anyone would knowingly install mobile phone connectivity which has to be paid for by the call in millions of devices and parts for vehicles without getting something very valuable in return."

      There isn't a "call" to be paid. It's low bandwidth, low priority data that can be had for very little money in bulk.

    3. werdsmith Silver badge

      Re: Spying on Government Vehicles

      A Chinese device found in a car.

      Most electronic devices are made in China. If I bought one from banggood and put it in a government car, would it be relevant where it was made? An iPhone with Find My Friends enabled is a Chinese made tracking device.

  7. AndrueC Silver badge
    Facepalm

    "Spireon takes all security matters seriously and utilizes an extensive industry leading toolset to monitor and scan its products and services for both known and novel potential security risks,"

    And yet the software development team wrote code that suffered from SQL injection vulnerabilities. In the 21st century. JFC! What kind of dweebs do they have writing their code?

    1. Dan 55 Silver badge

      That's what they're still saying in the 23rd century.

      Can't park your starship anywhere these days.

      1. Eclectic Man Silver badge
        Joke

        Parking your starship

        Ford Prefect: Marvin, what makes you think this is the flagship of an admiral of the space fleet?

        Marvin: I know it is, I parked it for him.

        (Obligatory HHGTTG reference regarding parking starships.)

        1. Anonymous Coward

          Re: Parking your starship

          Wasn't it Hotblack Desiato's Limo ?

          1. Andy 68

            Re: Parking your starship

            Nope. It could have been Hotblack's Stunt ship, but that depends on whether you're going for the TV/Book version, or if you're going for ultimate geek-cred points with the original Radio version

            1. MachDiamond Silver badge

              Re: Parking your starship

              All the versions are great. It's fun to see Douglas craft the narrative multiple different ways. Having a background in music and having worked with some galactic sized egos (and loud performers), I relate to the Disaster Area version. I can think of a couple of bands I've worked with that could slot right in.

  8. Bitsminer Silver badge

    I betcha

    I would bet these companies did indeed hire someone to vet, or audit, their corporate IT and possibly even some of their vehicle telematics.

    And it was done by one of the usual assortment of two-letter and three-letter accounting firms who assigned the tasks to dutiful but dumb accounting graduates.

    And it was expensive, and therefore All Was Good. (Never mind if they actually found anything.)

    Until a competent security researcher with real experience rather than a three-year-old checklist found some defects. Or rather, lots of defects.

    There is liability to be found here, for the right lawyer who can read audit statements accompanying a shareholder's annual report. Lots of liability.

  9. martinusher Silver badge

    But all I want to do is buy a car

    I'm not a Luddite, I welcome advanced technology in a vehicle. BUT -- I don't want my car connected. Ever. It's not just security, it's the insidious way that 'features' are now being peddled on subscription. It's not just that I want to buy and own something, it's the idea that once you have remote access then you have to have security with that remote access, which means that I have to keep paying to secure a service that I didn't want in the first place.

    So I'm stuck. I can't buy any new products any more. Assuming I'm not unique then I'm probably helping cause a recession. Good.

    (Elsewhere the MSFT CEO says that 'technology will be in recession for a couple of years' because, yes, I could do with a newer computer but no, I don't want to pay over the odds for a bunch of spyware that uses up a significant chunk of my system's resources and I have absolutely no need for, or use for, cloud capabilities. I'm probably like everyone else so he's banking on a couple of years of depressed sales until everything we've got has either fallen to bits or has been 'upgraded' into uselessness.)

    1. MachDiamond Silver badge

      Re: But all I want to do is buy a car

      "So I'm stuck. I can't buy any new products any more."

      Why not get a local group together and work on limiting the data collection and comms from newer vehicles. I expect that there are more than a few people that would be willing to pay a fair price to have their new cars devoid of tracking and data collection.

  10. ITS Retired

    How much of the software in the newer vehicles is "Because We Can" and not because it is needed, or even actually useful in the real world?

    Who actually benefits from the mandatory two way connectivity in today's cars? I can understand some of this in fleet vehicles, but how useful is the same stuff in a private, paid for vehicle?

    I understand much of this connectivity cannot be opted out of without disabling the vehicle.

    1. MachDiamond Silver badge

      "but how useful is the same stuff in a private, paid for vehicle?"

      Instead of completely testing the systems in a vehicle and getting it just right before release, they can get to market sooner and fix the most egregious issues via an "Over the Air" update when they can get to it. My car is old enough that it doesn't have any of that connectivity yet everything works just fine. I'm rather happy it doesn't have things like a built in nav system. The Garmin I chuck up on the dash can be replaced for a few bob if it goes wrong or there are no longer updates for the maps. If it was built into the car........

      1. Anonymous Coward

        My 2015 Toyota in-car media/bluetooth/settings thing reboots itself for no apparent reason even after an update a couple of years ago, so I dread to think what later Toyotas where software is more important to the car's functioning will do.

        However if the car has a SIM instead of an eSIM then there's always the option of removing it. Probably why every car manufacturer will eventually move to eSIMs... got to sell your data to... someone...

    2. Timop

      "because we can .... exert far greater control than just with controlling supply for service and spare parts. And if we connect all the services to an account that is required, we can charge a significant amount from every car owner." I presume.

      Imagine if you cannot for example lock the doors for the used car you just purchased or control audio volume unless you have purchased 1000-3000€ services package with automatic emergency call system (mandatory at least in EU with new cars around 2020) and some extra quality of life services.

    3. Anonymous Coward

      How much of the code is Friday afternoon "wouldn't it be nice if..." brainstorms that got abandoned in the cold hard light of a Monday morning but never got removed.

      Watched the 'Fifth Gear Recharged' team delving into the depths of the Tesla Model Y's UI last week, only to discover it has a 'fart on 'turn' signal option!

    4. MachDiamond Silver badge

      "Who actually benefits from the mandatory two way connectivity in today's cars?"

      You might not be of interest individually, but if the car company can collect vast amounts of driving data, there will be a market for it. Then again, if the police are able to subpoena a load of info and your car happens to have been nearby during several incidents they are investigating, you might need to prove your innocence or really hope they don't stop their investigation due to "having their man" and leaving it at that. I can see that insurance companies will be very interested in accessing travel logs, sensor data and graphs of motorway speeds vs posted limits.

  11. DaemonProcess

    Slow improvements

    Things are getting better, slowly. Remember the Chrysler vulnerability of a few years back which allowed root dbus calls directly from the internet with a default password, so that anybody could crash a car remotely?

    Computer security as applied to the automotive industry is now being taught at the University technical colleges in the UK, so some cars of the future (e.g. JLR) should at least have better authentication and a chain of trust. But how much of this software development is being guided by this when the cheaper programmers are elsewhere in the world and the directors think that sales depend on features/benefits more than security?

    The problem here is that most of these attack vectors involved hacking the manufacturer and getting hold of the credentials from the inside, so it doesn't matter if you have a strong password, trusted certificates or even blockchain tech, people get to your car and account through the front door with that.

    So it's more a matter of if, rather than how, hence the PR efforts to prevent widespread panic about car security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Slow improvements

      With Wind River's (OS manufacturer) purchase by Aptiv (car electronics and wiring) this might help some of the industry who still use other OSes.

      At CES they had a demonstration where a trunk/boot would not open. They modified the code in Wind River Studio, fed it into the DevOps workflow that security checked the code (amongst other things), tested the final executable on a digital twin of the car and eventually securely sent it to the car to make it more responsive and open for the lady demonstrating it.

      Wind River really know about high integrity security in their certifiable operating systems, so let's hope it permeates into the vehicle market.

  12. Anonymous Coward
    Anonymous Coward

    It’s one thing to remote start a Ferrari

    It’s another thing to keep the car from breaking down after a few miles.

    Security via lack of ingenuity.

  13. SimonL

    To justify cars 'phoning home', manufacturers will probably argue that you don't truly outright own the vehicle. A bit like the way Microsoft is doing Windows.

    Yes, you pay a single up-front payment and you never have to give it back, but you never really own it.

  14. Filippo Silver badge

    I'm not sure, PR-wise, what the worst response is between "<brand> answered that security is their top priority", or "<brand> has not responded to our requests for comment". Flat-out lie, or embarrassed silence? The eternal dilemma!

  15. tiggity Silver badge

    Unconvinced by the Merc Benz comment

    "The security of our organization, products and services is one of our top priorities," the spokesperson said, adding that "the identified vulnerability did not affect the security of our vehicles."

    That seems to be contradicted by what was found (let's ignore the essentially total takeover of internal systems and the havoc that could cause to vehicle security).

    If we look at "source code for various Mercedes-Benz projects including its Me Connect app used by customers to remotely connect to their vehicles":

    If you have the source code for that (they already had various keys etc) then it's trivial to build a malicious application based on that code & thus impact vehicle security.

    Why can't spokesdroids just be honest (& express massive thanks to the whitehats who found that & helped them fix it)? If these issues had been found by malicious actors then maybe these companies would take security more seriously (this has cost them little financially & a bit of disaster IT embarrassment that the average car owner won't even register).

  16. Andytug

    Would be interesting if the ownership of the car could be hacked....

    ...as that would surely then be tested in a court of law, with potential £££££ consequences if it was proved that it was a security fail. Rich persons won't like being told that legally the Ferrari isn't theirs...!

    1. Killfalcon Silver badge

      Re: Would be interesting if the ownership of the car could be hacked....

      You might be able to make the manufacturer's records change, but those are not authoritative. Even for the fancy high-end, limited run stuff, there's no requirement to report sales back, so their databases are frequently out of date, even at the "how many of these cars are in Europe" level.

      There might be a government database that, if altered, would imply a change of ownership, but that'd fall apart quickly when you start asking for receipts showing when it was sold and to/from whom.

      1. MachDiamond Silver badge

        Re: Would be interesting if the ownership of the car could be hacked....

        "but that'd fall apart quickly when you start asking for receipts showing when it was sold and to/from whom."

        The higher the cost of something, the more important it is to have printed documentation with "wet" signatures.

    2. Lil Endian Silver badge

      Re: Would be interesting if the ownership of the car could be hacked....

      Even a house can be nicked! So, maybe to get the car, first a bit of identity theft, then hack the connected car. Drive away, sell it.

  17. Mast1

    Pitch for "The Italian Job" Mk3

    Rather than having Benny Hill as a computer expert who loads a rigged tape on the traffic-light control system, you now have a script-kiddy in their bedroom remote-bricking the traffic.

    Loses a sense of the "drama" methinks. (Although, even by 60s sensitivities, aspects of the Benny Hill character were "challenging").

    1. MachDiamond Silver badge

      Re: Pitch for "The Italian Job" Mk3

      "you now have a script-kiddy in their bedroom remote-bricking the traffic."

      Because nobody stood up and asked why the traffic lights needed to be controllable or programmable from a remote location. The city council was sold on the story that it would save money to be able to change the timing remotely rather than visiting each signal (every couple of years). Never mind that the data connection completely negates any sort of cost savings and will go wrong and need servicing every few months.

  18. Plest Silver badge
    Facepalm

    Javascript?

    "...access JavaScript code for several internal applications..."

    Can't imagine we'd have got to the moon in 1969 if we'd relied on a Javascript! Seriously, I have read that right, internal apps within high-end cars are using Javascript as the core language? God help us!

    1. Killfalcon Silver badge

      Re: Javascript?

      "Internal apps" usually means stuff used within the company.

      But I would not be surprised to find out that the touch-screen menu stuff often is Javascript or something of that ilk.

  19. heyrick Silver badge

    Spireon takes all security matters seriously

    Saying that, after such a mind blowing lack of anything resembling security, ought to be some sort of offence.

  20. annodomini2

    While it has been too long coming

    Automotive Cybersecurity has improved (at least on the vehicle side).

    All new cars sold (outside of China at least), made after June 2022 need to meet ISO 21434.

    Is it perfect, no.

    Is it a big improvement, yes.

  21. spold Silver badge

    An everyday tale of IoC (Car-Crap) - Rickroll my ride one day, Rickrollover my ride next day.

  22. Stuart Castle Silver badge

    I don't own a car, so make of that what you will, but can anyone give me an advantage of giving that much control over your car to an app on your phone? I can see that it's nice to be able to do things like unlock the car and start the engine while you are sitting down at your table and having a cup of tea, but is it really worth risking losing your car, or your or your family's lives?

    I can see it would be an advantage if your car offers full self driving, as you could click a button and have the car come collect you, but even that's dubious, because you quite possibly drove to wherever you would need to be picked up from.

    1. MachDiamond Silver badge

      "can anyone give me an advantage of giving that much control over your car to an app on your phone?"

      The only things that I see as useful are being able to verify that an EV is charging or done charging if you need to make a long trip the next morning, and being able to preheat/cool the car. Unlocking and being able to remotely 'start' the car aren't features for me. My car has a fob that lets me lock and unlock the doors and open the boot, but it's still a mechanical key that will unlock the doors if the battery goes flat. The car won't start unless one of the chipped keys is in the ignition and that's handled passively so it will still work if the fob battery is flat or missing. I find that more secure than what's being installed today. My fob is simple so it won't succumb to relay attacks.

  23. SloppyJesse

    Information Commissioner has been alerted

    > Toyota Financial app that disclosed the name, phone number, email address, and loan status of any customers.

    > Toyota Motor Credit told The Register that it fixed the issue, and noted "this had no connection to Toyota vehicles or how they operate."

    I presume they alerted the relevant IC of this GDPR breach.

  24. Eric Kimminau TREG

    These 2 statements appear to be at odds

    "So the team used their newly created account credentials to login to several applications containing sensitive data. Then they "achieved remote code execution via exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees."

    One of these was the carmaker's version of Slack. "We had permission to join any channel, including security channels, and could pose as a Mercedes-Benz employee who could ask whatever questions necessary for an actual attacker to elevate their privileges across the Benz infrastructure," the researchers explained."

    and

    "A Mercedes-Benz spokesperson confirmed that Curry contacted the company about the vulnerability and that it had been fixed.

    "The security of our organization, products and services is one of our top priorities," the spokesperson said, adding that "the identified vulnerability did not affect the security of our vehicles.""

    If I can create an account, login and access sensitive data and achieve remote code execution to "exposed actuators, spring boot consoles, and dozens of sensitive internal applications used by Mercedes-Benz employees."

    I would say the security of those vehicles was more than affected.
