Smart cars? Smarter car thieves.

[thewayne]

Did you know that the latest in cars have built-in computer networks? It's called a CAN, a Controller Area Network. And thieves have figured out how to exploit it to steal cars!

It's a lot like IOT, the Internet Of Things. Even the headlights in a car can be intelligent devices, I don't want to think about how much those cost to replace! Anyway, thieves have figured out that if they can get access to the CAN, they can tell it to unlock the car, disable the anti-theft interlocks like engine immobilizers, and they are away!

The basic problem is the exact same problem that the Internet has. When the Internet was being developed back in the early days, the engineers trusted in the better angels of humankind, and didn't accept the fact that the world has a ridiculously large number of people who are shitgibbons and enjoy destroying nice things that everyone could enjoy. This resulted in a huge number of exploitable weaknesses in the original internet as every device that connected to it was trusted to be well-behaved and no malice behind it. It didn't take long for that assumption to be disproven and the engineers have been forever trying to make the Internet more secure.

Same problem with CANs. Every device in the car that plugs into it is trusted. No code-signing, no security certificates, so anything that connects to it has full access to the control computer, which probably doesn't have much in the way of security precautions built-in. Override or trick the computer, and you're in.

https://www.theregister.com/2023/04/06/can_injection_attack_car_theft

Comments

[kaishin108]

I don't want anything electronic with all these issues. No Ring doorbell for me or anything! :-D

[thewayne]

I won't touch IOT devices.  Just today I was reading about a number of Google devices that will cease functioning later this month because the cloud services for those devices is being shut down.  Google, in their magnanimous hearts, is offering replacement devices in some cases to keep those monthly subscription fees coming in.  I occasionally think about getting an Apple speaker device, but just for listening to music.  With as much information as Google and Amazon suck in from their devices to monetize, I'll never own one of their pieces of kit.

[kaishin108]

I totally agree.

[armiphlage]

I guess the acronym CAN is the same as IOT - the "S" in the acronym is for "Security".

[captainsblog]

So, this isn't the issue with Kias and Hyundais where the kidz can hotwire one with a TikTok video and a USB cable in about 2 seconds? And the manufacturers are saying, oops, sorry, go buy a Club for your steering wheel?

For us, connectivity to the Internet Of Things is a dealbreaker. Last thing I need is the smart TV sexting with the toaster.

[thewayne]

Last thing I need is the smart TV sexting with the toaster.

To quote Pinky and the Brain, 'But what would the children look like? ;-)

Man, don't get me started on smart TVs! I think I posted something on, IIRC, LG's TV division made more money on selling the data harvested from smart TVs THAN THEY DID ON SELLING THE EFFING TVS IN THE FIRST PLACE!

And sadly, it's getting much harder to buy a non-smart TV. If I ever end up with one because of the inability to buy a dumb one, it will NEVER be connected to the internet, and I will continue using my Apple TV device for streaming what I want to watch. Apple has demonstrated that they're much better at keeping user info private as they are not a company devoted to selling things like Amazon or selling advertising like Google. Once you buy the device and start streaming with it, they are happy.

[disneydream06]

UGH.................
One more reason to stick to an older model. :o
Hugs, Jon

Yes ...

[ysabetwordsmith]

>>Did you know that the latest in cars have built-in computer networks? It's called a CAN, a Controller Area Network. And thieves have figured out how to exploit it to steal cars!<<

Well, duh. Anything computerized can be hacked. Most people don't believe me when I say this, but code is dumb and believes whatever it's told in the proper way. The people who do understand this? Are behind the rising popularity of manual typewriters, which cannot be hacked.

Re: Yes ...

[thewayne]

Yep.  Code is dumb, and can't be smarter than the people writing it.  If they weren't paranoid, it's going to be weak code.  The C programming language is over 40 years old, which it and its successors still have some of the memory protection faults of the original version.  There are ways to protect against these faults, but things like memory overflow are still viable exploits. So either the language needs an overhaul, or programmers need better education.  Actually both.  But then there's the problem of legacy code which needs more than just a recompilation: it needs to be reviewed.  Then tested to make sure it still integrates properly with all the other code that it interacts with.  This is known as refactoring legacy code, and it is beyond a monumental, Sisyphean, task.  It's like the Y2K problem at a much larger scale because of the tiny places that code runs and this ancient code hides.  In many cases, the original code may no longer be available for analysis, which makes things even worse.  So code runs until it fails, then they rewrite the whole thing from scratch.

[silveradept]

I suppose the saving grace of the described attack still requires someone to have physical access to the car, rather than, say, something that infiltrates the entertainment system and then executes privilege escalation or other kinds of attacks on that system that the can then use to gain write access or sending message access to the CAN, so that someone can wirelessly hack the car, unlock it, and steal it through that kind of attack surface.

[thewayne]

The old adage followed by computer security people is that if an attacker can gain physical access, it's game over.  And it's holding true to CANs.