Smart cars? Smarter car thieves.
Apr. 8th, 2023 01:53 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneDid you know that the latest in cars have built-in computer networks? It's called a CAN, a Controller Area Network. And thieves have figured out how to exploit it to steal cars!
It's a lot like IOT, the Internet Of Things. Even the headlights in a car can be intelligent devices, I don't want to think about how much those cost to replace! Anyway, thieves have figured out that if they can get access to the CAN, they can tell it to unlock the car, disable the anti-theft interlocks like engine immobilizers, and they are away!
The basic problem is the exact same problem that the Internet has. When the Internet was being developed back in the early days, the engineers trusted in the better angels of humankind, and didn't accept the fact that the world has a ridiculously large number of people who are shitgibbons and enjoy destroying nice things that everyone could enjoy. This resulted in a huge number of exploitable weaknesses in the original internet as every device that connected to it was trusted to be well-behaved and no malice behind it. It didn't take long for that assumption to be disproven and the engineers have been forever trying to make the Internet more secure.
Same problem with CANs. Every device in the car that plugs into it is trusted. No code-signing, no security certificates, so anything that connects to it has full access to the control computer, which probably doesn't have much in the way of security precautions built-in. Override or trick the computer, and you're in.
https://www.theregister.com/2023/04/06/can_injection_attack_car_theft
It's a lot like IOT, the Internet Of Things. Even the headlights in a car can be intelligent devices, I don't want to think about how much those cost to replace! Anyway, thieves have figured out that if they can get access to the CAN, they can tell it to unlock the car, disable the anti-theft interlocks like engine immobilizers, and they are away!
The basic problem is the exact same problem that the Internet has. When the Internet was being developed back in the early days, the engineers trusted in the better angels of humankind, and didn't accept the fact that the world has a ridiculously large number of people who are shitgibbons and enjoy destroying nice things that everyone could enjoy. This resulted in a huge number of exploitable weaknesses in the original internet as every device that connected to it was trusted to be well-behaved and no malice behind it. It didn't take long for that assumption to be disproven and the engineers have been forever trying to make the Internet more secure.
Same problem with CANs. Every device in the car that plugs into it is trusted. No code-signing, no security certificates, so anything that connects to it has full access to the control computer, which probably doesn't have much in the way of security precautions built-in. Override or trick the computer, and you're in.
https://www.theregister.com/2023/04/06/can_injection_attack_car_theft
no subject
Date: 2023-04-14 09:44 pm (UTC)The old adage followed by computer security people is that if an attacker can gain physical access, it's game over. And it's holding true to CANs.