Sign & Help to Improve Automotive Security

A group of security professionals have formed “The Cavalry“: dedicated to improving collaboration between the cyber security and automotive industries.

Because what if things like adaptive cruise control, electronic braking and stolen vehicle recovery technology could be used nefariously? What if all Toyotas in Canada were instructed to go left next Tuesday at 1pm? Like that.

Specifically, they’re proposing a Five Star Automotive Cyber Safety Program:

1 – Safety by Design
2 – Third-Party Collaboration
3 – Evidence Capture
4 – Security Updates
5 – Segmentation & Isolation

Why I signed: 

Sign it too, here.

Non-security nerds: I know this stuff can seem shadowy and strange, with a name like “The Cavalry” and a blank profile pic, but in this particular case it’s okay, I know one of the guys in real life; I signed with my real name, not Blog.

Access a Car’s Computer via the OBDII Port

OBDII port – On-board Diagnostics. The II is pronounced “two”.

Each of the 16 pins outputs something specific:

(photo via Wikipedia)

Found within 2 feet of all steering wheels, OBDII ports became mandatory in 1996.

That’s my ’99 VW Jetta.

When you read about car hacking and it says,
“requires physical access to the vehicle”,
that usually means through this port.

Connect an OBD II scanner to see what’s up.

It gives back readouts that look like this.

How to read the codes:

1st character – indicates which system is having the problem.

B = Body
C = Chassis
P = Powertrain
U = Undefined

2nd digit – identifies if the code is generic, or specific to a manufacturer

0 = Generic
1 = Manufacturer specific

3rd digit – indicates which sub-system is having the problem

1 = Emission Management (Fuel or Air)
2 = Injector Circuit (Fuel or Air)
3 = Ignition or Misfire
4 = Emission Control
5 = Vehicle Speed & Idle Control
6 = Computer & Output Circuit
7 = Transmission
8 = Transmission
9 = SAE Reserved
0 = SAE Reserved

4th and 5th digits – variable, and indicate a particular problem

My Jetta output a _lot_ of codes.

Which is why it failed its E-test, so hard, and is no longer on the road.

Couple this OBDII port to the internet,
and a whole new vertical in the auto industry is starting.

Example: Mojio is a (Canadian!) company that is soon launching a cellular-&-GPS device that plugs into this port. It will provide real-time engine analytics, share your car’s location with your contacts, analyze your driving style, and much more, because apps can be written for the device.

I predict insurance companies will use these, “pay only for insurance when you’re actually driving on the road! Imagine the savings!”… like that.

A Rare Chance to Hear a Car Hacking Expert

Chris Valasek is the Keynote speaker on October 21, 12pm at SecTor Security Conference.

While hacking a car almost always requires physical access,
it won’t be long before it doesn’t.

Consider this scenario: a virus is accidentally downloaded onto a driver’s phone, and the driver unknowingly pairs that phone to his car. Now the infection is inside the vehicle, where the Bluetooth and the brakes run on the same network… what’s the defence?

How do you mass-update the software in tens of thousands of cars? It can cost millions just for an automaker to mail a “come in and get updated” letter to its customers.

As vehicles become more computers-on-wheels than cars, the act of securing them should be a priority for automakers, yet there’s an absence of information on this topic.

Here’s a rare opportunity to hear from a bleeding-edge expert at this year’s SecTor, Canada’s premier IT security conference.

Christopher Valasek is a pioneer in automotive security. He serves as Director of Vehicle Security Research at IOActive, one of the first companies to specialize in automotive security.

He’s not just a theory guy; Chris is an actual practitioner. Remember last year when the headlines screamed “a Prius and Ford have been hacked!” – that was him. If you’ve read anything in the news about car hacking, it probably contains a quote or citation to his work.

He’s not out to do bad and hack your product, or to show up individual OEMs. This is a rare chance to hear from one of the good guys, plus the added advantage of having a mind like this assessing your product, for free.

On October 21 at noon, Chris’ keynote presentation, ‘The Connected Car: Security Throwback’, will demonstrate how present-day automotive security is like a hard shell with a gooey inner layer – protect the outside, but once inside, it’s a field day.

(photo via Forbes)

He’ll draw comparisons between today’s auto landscape and the early 2000s of the internet, when protection mechanisms were an afterthought. He feels automotive security is stuck in a hole in time, and that the same solutions used to secure the networks of 10 years ago can be applied to today’s automotive security issues.

Because the more computers and code that go into cars, the greater the odds of a mistake being made and someone like Chris finding it. Moreover, with the automotive production cycle being so long (2018 model years are now being finalized), a problem found today is going to be prevalent for some time.

Automotive industry types – is your product resistant against a cyber-attack? If you’re not securing the vehicles you’re producing, then they can be weaponized, and yes that sentence is intended to give you chills.

His keynote will include the opportunity to ask questions. Catch it at SecTor on Tuesday, October 21 at 12:00 – 1:10pm. Ticket information here.

Blog tag = auto security

Meet me in this post

How to Cheat at Motorsports

Racing is a real dirty sport, so it surprises me that a group with such minds hasn’t gotten into this, and that we don’t hear more about it.

Got the idea at Indy 2012.

Why not attack the other team’s
networks, internet & communications?

Examples:

The WiFi connection went down? And you were relying on the cloud?

The telematics, feedback and monitoring systems stopped functioning? Or instead, started to output false data?

An F1 engineer in the pits can remotely control the car, so how about altering those settings? Make the engine blow, you only get so many engines per race…

You in position? Preparing to cut crew-driver communications, you’ll have 5 seconds to pass until the system is live again in 3, 2…

This isn’t a barely-subtle way of saying I’m for hire, these are not rate card items, don’t ask me that at races.

This photo has nothing to do with anything, just needed one more to round out this post.

It’s a 2015 Jaguar F-TYPE S

3.0L V6 Supercharged
380 hp
339 lb-ft
$110,000-ish
Googly-eyed button
Best engine note ever.

Paired my Phone to a Car for the First Time

Ever.

Why never

I don’t think Chrysler (or any manufacturer) is going to do anything nefarious with my information, nor will the auto journalists who test this car after me, but…

1 – Your contacts database is one of your most precious files, and ideally, you have a copy on an external drive, that’s been backed up in the last couple weeks (if you say you store all your contacts in Facebook, please leave my blog.) So why be careless about where that file ends up?

2 – I don’t know what information the car copies, then saves, from my phone. Nor do I know that the data is fully deleted when I un-pair the phone. Not-knowing means not-happening.

3 – I’m still undecided if I trust the cloud, and so I don’t use it. And pairing the car means I’ve dipped my toe into the cloud.

4 – Pairing usually requires Bluetooth, which I don’t use. I’ve been attacked via Bluetooth before, so I quit using it (that’s why you never see me anymore in my beloved hands-free headsets).

So why now?

I’m conducting a test for an upcoming ‘Keri on Driving‘ column…

The test is: automakers say we’re now able to fully control our car, without removing our hands from the wheel. Okay then, let’s see.

I set up for success and chose Chrysler because their ‘UConnect’ infotainment system is one of the best available.

How I paired it

I did not pair my own phone, not a chance.

Instead, I got a pre-paid SIM card from TELUS (talk & text only, no data), and put it in the Android they gave me. I saved the contacts I chat most with, and fired it up.

What happened

1 – The car has now saved my whole contacts list, and my call history
2 – The car can now access my text messages, and can send as me

So to word it dramatically – the car now knows all your friends, whom you speak with most, and can text them. This is why you always delete your phone from a rental car, and don’t name your phone your name.

Because here’s a possible attack: return the rental car > next guy gets in > your phone is your name > look up home address for that name > guy now knows where you are not

That’s pretty high-level, and the guy would have to be quite skilled, but still, why chance it.

Let the test begin

Figured out voice-command navigation this afternoon, and how to send texts, but only using the screen (think I’m doing something wrong there); audio is easy, and I’m not sure if climate controls are even a possibility…

How nice did this photo turn out

When it launched, I reviewed this car for the paper, click here.

Short review – the 200 went from barely competing, to the one to compete against.