Sign & Help to Improve Automotive Security

A group of security professionals have formed “The Cavalry“: dedicated to improving collaboration between the cyber security and automotive industries.

Because what if things like adaptive cruise control, electronic braking and stolen vehicle recovery technology could be used nefariously? What if all Toyotas in Canada were instructed to go left next Tuesday at 1pm? Like that.

Specifically, they’re proposing a Five Star Automotive Cyber Safety Program:

1 – Safety by Design
2 – Third-Party Collaboration
3 – Evidence Capture
4 – Security Updates
5 – Segmentation & Isolation

Why I signed: 

Sign it too, here.

Non-security nerds: I know this stuff can seem shadowy and strange, with a name like “The Cavalry” and a blank profile pic, but in this particular case it’s okay, I know one of the guys in real life; I signed with my real name, not Blog.

 

 

Join an Industry with a 100% Employment Rate

Online security.

There’s 1 day left of SecTor, Canada’s premiere security conference.

That blog title is not dramatic, it’s like 98%. Makes sense, look how fast we adopted the internet of everything, that’s currently pretty vulnerable and held together with popsicle sticks, a nightmare is coming, one day you’ll tell your grandchildren of a time when people’s password was password, tada! You have a job for life.

I went straight for the car hacking stuff.

What to do while there

Check out the Keynote while eating lunch, and making friends.

Sit in on a talk, which looks like this.

That’s Christopher Pogue of Nuix, talking about cybercrime and forensics. He made a good point: if the 3rd parties and vendors connecting to your network aren’t secure, neither are you.

Or if you feel shy, go to the lock picking village and grab a seat; I find people into locking picking are generally welcoming and fun.

Take the requisite conference-bathroom-selfie.

Don’t be shy to ask questions! And don’t let the nature of the information put you off, it’s a friendly crowd.

Too bad you missed the annual party, though. Finally after 1,000 emails got meet Sabrina, who runs communications & media, and edited my article about the car hacking keynote by Chris Valasek.

Whom I also met IRL, read that piece here.

Tickets and location information here, and whomever’s running their Twitter is funny @SecTorCa #SecTorCA

One day I’d like to give a talk, maybe another year of quiet study first.

I have 3 possible topics, but they’re not yet strong enough to type here.

Blog tag = SecTor

 

 

Spent the day at SecTor

Canada’s biggest security conference.

Have a rough post built about it , will publish tomorrow morning, but just got home (I don’t miss living downtown ugh), hope you guys are still out having fun, good seeing and meeting you today.

@SecTorCA

 

 

 

Access a Car’s Computer via the OBDII Port

OBDII port – On-board Diagnostics. The II is pronounced “two”.

Each of the 16 pins outputs something specific:

(photo via Wikipedia)

Found within 2 feet of all steering wheels, OBDII ports became mandatory in 1996.

That’s my ’99 VW Jetta.

When you read about car hacking and it says,
“requires physical access to the vehicle”,
that usually means through this port.

Connect an OBD II scanner to see what’s up.

It gives back readouts that look like this.

How to read the codes:

1st character – indicates which system is having the problem.

B = Body C = Chassis P = Powertrain U = Undefined

2nd digit – identifies if the code is generic, or specific to a manufacturer

0 = Generic
1 = Manufacturer specific

3rd digit – indicates which sub-system is having the problem

1 = Emission Management (Fuel or Air)
2 = Injector Circuit (Fuel or Air)
3 = Ignition or Misfire
4 = Emission Control
5 = Vehicle Speed & Idle Control
6 = Computer & Output Circuit
7 = Transmission
8 = Transmission
9 = SAE Reserved
0 = SAE Reserved

4th and 5th digits – variable, and indicate a particular problem

My Jetta output a _lot_ of codes.

Which is why it failed its E-test, so hard, and is no longer on the road.

Couple this OBDII port to the internet,
and a whole new vertical in the auto industry is starting.

ExampleMojio is a (Canadian!) company that is soon launching a cellular-&-GPS device that plugs into this port. It will provide real-time engine analytics, share your car’s location with your contacts, analyze your driving style, and much more, because apps can be written for the device.

I predict insurance companies will use these, “pay only for insurance when you’re actually driving on the road! Imagine the savings!”… like that.