atomic_fungus (atomic_fungus) wrote,

#4821: All connected systems are vulnerable.

It's what I have to tell people day in and day out: anything that's connected to the Internet is vulnerable to hacking and malware. It doesn't matter what kind of security software you have on the thing.

Some people are outraged that they "paid all this money!" for security software only to find that it can't guarantee that their computers will remain virus-free in perpetuity. (Incidentally, if the first thing you do after picking up your computer and getting home with it is to surf to pornhub or redtube--well, sorry, but you're a lot more screwed than you thought you were.) Computers are more useful when networked, and if you want to use it to view pornography that's your lookout...but expect to get tons of malware from the sites that serve that shit up.

Cars, on the other hand, do not need to have a high level of connectivity to perform their basic function. The problem with CANBUS is how tempting it is for automakers to connect everything to it, because it makes certain things cheaper to implement.

It then, however, exposes critical functions to tampering.

The "critical functions", in a car, are things like steering, brakes, transmission gear selection, and engine state. Those functions should not be accessible to anyone who is not physically inside the vehicle. There should be no way for someone outside the vehicle to make it misbehave; for example it should be flatly impossible for anyone--even a person with root access to the vehicle's on-board network--to remotely override driver commands.

The problem with interconnected design seems to stem from engineers not realizing that if it can be hacked, it will be. A lot of engineers appear to proceed from the assumption that no one would bother hacking something like this, because what does it get them? It's a thermostat or a lamp dimmer module or something else that's mundane.

But of course if it's on a network, it can be hacked, and if it can be hacked, it might give the hacker root access to something really interesting. The guys in the story about the Jeep Grand Cherokee, they got in through the entertainment system, and used that access to take over the entire thing. The guys who worked on the radio probably thought security wasn't important because it's just the radio--but it's not, because the radio is connected to literally everything else in the car, including the steering, brakes, and transmission!

Putting everything on one bus is all about saving a few bucks, of course. A separate bus for the critical systems would cost a few dollars more per unit.

It's possible to air-gap a connected vehicle like this, though, though the simple expedient of not subscribing to the wireless service; the cellular carriers won't connect to anything for free and that fact makes for a very handy firewall, one that literally costs nothing to implement. Further, you can probably disable the cellular connection completely by pulling a fuse.

You shouldn't have to, though.

  • #7607: Oh, yeah

    Had another opportunity today to play Pat Metheney's "Spring Ain't Here", because it snowed for most of the morning. But yeah, "global warming"…


    Some fatuous pinhead on the radio said that Chicago was ready for "looting and other forms of protest". But you know what? It's fine. We no longer…

  • #7605: I don't even need lettuce any longer

    See, the tacos I make at home blow away any tacos I've ever had anywhere else. Lettuce used to be necessary, but now it just gets in the way, so I…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.