f13.net General Forums => Serious Business => Topic started by: pxib on March 12, 2011, 04:22:44 PM



Title: YOU WOULDN'T DOWNLOAD A CAR
Post by: pxib on March 12, 2011, 04:22:44 PM
College researchers figure out how hackers might steal your wheels with a corrupted CD (http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car):
Quote
By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. "It's hard to think of something more innocuous than a song," said Stefan Savage, a professor at the University of California.

Last year Savage and his fellow researchers described the inner workings of the networks of components found in today's cars, and they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.

They also mention new cars with Bluetooth and cellular network connections ("Hello Mr. Thompson, this is OnStar."), but assure us that the easiest way is just to "Plug into the car and do it."


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Mrbloodworth on March 12, 2011, 04:24:05 PM
My CD player is from the 90's and I have had it in three cars. Good luck hacking my shit.  :grin:


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Merusk on March 12, 2011, 04:26:49 PM
The more you think about how to abuse this stuff the more it makes me wonder if it's worth the minor convenience.  I really don't want any of these new features like remote start/stop, gps, remote unlock.  Just seems like it's begging for someone to hack all that.

'Course I'm the luddite who still thinks it's foolish to have a personal cell phone.   :awesome_for_real:


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Hutch on March 12, 2011, 04:34:20 PM
There was once a time (i.e. up until 8 years ago) that I didn't see the point of remote lock/unlock either. Now that I have it though, you'll pry it out of my cold dead hands.

The guy who sold me that car tried to get me to buy an on-board gps/directions package for an additional 2 grand (this was in 2003) and I did say no to that.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Morat20 on March 12, 2011, 05:58:21 PM
There was once a time (i.e. up until 8 years ago) that I didn't see the point of remote lock/unlock either. Now that I have it though, you'll pry it out of my cold dead hands.
Yeah. Not having to take your keys out to unlock the car -- or start it. My car unlocks when I tug on the handle, and starts as long as the keys are inside. It's rather useful.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Merusk on March 12, 2011, 06:05:34 PM
People say the same thing about cell phones.  As with that I say, "so?"

It's not like any of those processes were actually killing my time. *shrug*


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Azazel on March 12, 2011, 09:25:49 PM
You've mentioned that twice 3 posts apart in the same thread in a 2-hour period now. Well done to you. Your choice, congratulations to you on not having a cell phone, etc. Not sure how many of us actually care, though.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: UnSub on March 12, 2011, 10:23:06 PM
OT: Network security is increasingly important while at the same time vulnerable spots continue to pop up. A truly malicious bluetooth-distributed virus could do a lot of damage very quickly.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Selby on March 13, 2011, 12:04:00 AM
I really don't want any of these new features like remote start/stop, gps, remote unlock.  Just seems like it's begging for someone to hack all that.
My cars are 25-40 years old.  They'll just have to hack it the old fashioned way if they really want a pile that bad.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Jeff Kelly on March 13, 2011, 12:43:11 AM
As part of my job I consult a lot of businesses that need expert knowledge about wired and wireless embedded communication. Businesses that build entertainment solutions, control systems or instruments for cars and other types of transportation, metering companies that want to design smart metering solutions etc.

They all rely exclusively on security by obscurity. They have software design workflows that are 30 years old. They don't know anything about black box attack techniques and don't employ encryption. Most don't even see themselves as a software company although for all intents and purposes they are. My favourite quote: We design brake systems not computers.

You could easily manipulate your water or heat meter to not pay any utilities. Everything is transmitted without encryption or authentication in clear text over wire or wireless.

Any time I go to a customer with my CompSci background I am shocked just how little businesses that maintain codebases with millions of LoC know about software development.

They repeat all of the mistakes the OS vendors made in the nineties and most rely on the protocols and data formats being a secret.

[Edit: Zod commands that I fix typos]


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Ironwood on March 13, 2011, 01:06:23 AM
I really want some of that exoert knwoledge.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: TheWalrus on March 13, 2011, 03:38:25 AM
College researchers figure out how hackers might steal your wheels with a corrupted CD (http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car):
Quote
By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. "It's hard to think of something more innocuous than a song," said Stefan Savage, a professor at the University of California.

Last year Savage and his fellow researchers described the inner workings of the networks of components found in today's cars, and they described a 2009 experiment in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car.

They also mention new cars with Bluetooth and cellular network connections ("Hello Mr. Thompson, this is OnStar."), but assure us that the easiest way is just to "Plug into the car and do it."

Maybe they could operate the locks and kill the engine by using the onstar or sync systems, but it wouldn't be a permanent alteration to the vehicles programming. And "turn off the brakes"? Lol. Seriously. I laughed. How the fuck do you turn off the brakes? Perhaps they disabled the ABS, but last I checked, cars still have a hydraulic braking system.

In short, this is a horseshit article as far as current technology is concerned. You might as well be worried about aliens zapping you out of your car or getting raptured while on the freeway. All have the same level of possibility.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: FatuousTwat on March 13, 2011, 03:40:35 AM
You've mentioned that twice 3 posts apart in the same thread in a 2-hour period now. Well done to you. Your choice, congratulations to you on not having a cell phone, etc. Not sure how many of us actually care, though.

You are just butthurt because you love your cellphone so much... JUST LOOK AT YOU WITH YOUR FINGER IN THE AIR!


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Jeff Kelly on March 13, 2011, 04:18:41 AM
You can be serious about security and safety without being a luddite. Unfortunately I don't have an English translation but only yesterday I received an interview a business dealing in communication modules gave to a German business mag. They recommended potential investors to invest in proprietary wireless solutions because 'the transparency caused by employing wireless standards like Zigbee might adversely affect security of their systems'.

They sell a million modules per month to businesses that have no clue about communication systems and don't deem that knowledge to be strategic to their business interests and they get recommended shit like 'if the protocol is a secret nobody will be able to hack it'.

I talked to a rep from Renesas recently (major maker of microcontrollers, DSPs and smart card processors), the chip card business arm basically took over the microcontroller unit because even their MCU experts had no clue about security and encryption and tamper proofing. Currently only a few 8 and 16 bit MCUs are actually able to at least compute an AES 64 encryption efficiently and they are usually not used because they are slightly more expensive than the MCUs without those kinds of encryption engines. MCUs with AES 256 encryption on board will only be available Q2/Q3 2011. Yet if you look at wireless communication in cars (they want to replace the fucking expensive miles of copper in cars with wireless systems as much as possible) or large smart metering infrastructures in commercial and residential buildings (thousands of metering devices) a symmetric encryption and authentication simply won't cut it.

No MCU currently available that would be used in such systems could calculate elliptic curves necessary for a secure asymmetric encryption with public and private keys which would be necessary because individual nodes could easily become compromised. Also there are no solutions how keys would be distributed, invalidated and checked in such large scale distributed systems.

The only thing that you hear from those businesses is that 'you'd need a 10.000 dollar device and expert knowledge of our system to hack it' so they won't invest.

They usually get very silent when you show them just how much you can achieve by hooking their nodes up to a mixed signal scope that just profiles power consumption and scanning the frequency with a GNU radio device, an investment of less than $500.
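
[Added example, not part of the post above and not code from any vendor mentioned in the thread: a sketch of the node-compromise concern raised in the two posts about metering and in-car networks, comparing one fleet-wide symmetric key with per-device keys derived from a master key held only by the collecting head-end. The frame layout, the key strings and the names `tag`, `device_key` and `HeadEnd` are assumptions made for illustration.]

```python
import hashlib
import hmac
import struct

def tag(key: bytes, meter_id: int, counter: int, reading: int) -> bytes:
    """HMAC-SHA256 over a fixed-width frame: meter id, message counter, reading."""
    frame = struct.pack(">IQI", meter_id, counter, reading)
    return hmac.new(key, frame, hashlib.sha256).digest()

def device_key(master: bytes, meter_id: int) -> bytes:
    """Per-device key diversified from a master key that never leaves the head-end."""
    label = b"meter-key" + struct.pack(">I", meter_id)
    return hmac.new(master, label, hashlib.sha256).digest()

class HeadEnd:
    """Collector that authenticates frames and rejects replayed counters."""
    def __init__(self, key_for):
        self.key_for = key_for          # callable: meter_id -> verification key
        self.last_counter = {}

    def accept(self, meter_id: int, counter: int, reading: int, mac: bytes) -> bool:
        expected = tag(self.key_for(meter_id), meter_id, counter, reading)
        if not hmac.compare_digest(expected, mac):
            return False                # forged or altered frame
        if counter <= self.last_counter.get(meter_id, -1):
            return False                # old frame sent again
        self.last_counter[meter_id] = counter
        return True

def demo() -> dict:
    fleet_key = b"constructed-fleet-key"      # constructed sample secret
    master = b"constructed-master-key"        # constructed sample secret
    shared = HeadEnd(lambda mid: fleet_key)
    diversified = HeadEnd(lambda mid: device_key(master, mid))
    k7 = device_key(master, 7)                # the only secret stored in meter 7
    honest = tag(k7, 7, 1, 1200)
    return {
        "shared_honest": shared.accept(7, 1, 1200, tag(fleet_key, 7, 1, 1200)),
        "div_honest": diversified.accept(7, 1, 1200, honest),
        "div_replay": diversified.accept(7, 1, 1200, honest),
        # Key material read out of meter 7 is used to sign a frame as meter 8.
        "shared_cross": shared.accept(8, 1, 0, tag(fleet_key, 8, 1, 0)),
        "div_cross": diversified.accept(8, 1, 0, tag(k7, 8, 1, 0)),
        # Reading changed in transit while the old tag is kept.
        "div_tampered": diversified.accept(7, 2, 0, honest),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} accepted={ok}")
```

[With the fleet-wide key, whatever is stored in one meter verifies for every meter; with diversified keys the damage stays with that one device, though the head-end still holds a master secret and the key distribution and revocation questions remain.]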


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Merusk on March 13, 2011, 06:03:29 AM
You've mentioned that twice 3 posts apart in the same thread in a 2-hour period now. Well done to you. Your choice, congratulations to you on not having a cell phone, etc. Not sure how many of us actually care, though.

You obviously cared enough to respond.  Why is that, I wonder.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Bzalthek on March 13, 2011, 10:29:40 AM
He just wants to call you, and talk.  You know; about stuff.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Azazel on March 13, 2011, 05:20:11 PM
I felt I was calling you out on overdoing the shit about your lack of cellphone in a car thread, but hey. What you might want to do is actually create a sig for yourself that tells everyone that you don't have a cellphone. Hell, maybe I'll do it for you!
Out of kindness.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Morat20 on March 14, 2011, 08:09:21 AM
I really want some of that exoert knwoledge.
It seems to be an age thing. Some of my coworkers are very security conscious (our technical manager is one, he keeps himself up to date on web security since a lot of our product is web-based, even though it's purely on a secured, internal network) and some aren't.

Which leads to the occasional awkward conversations in staff meetings. Thankfully we're secured up the wazoo against the outside (multiple firewalls, secure internal networks with highly limited remote access through heavily encrypted tunnels, etc) but we do have an actual internal security requirement that lots of people just don't seem to think about, developmentally.

Which is weird, given how anal the security is in other places. Like everyone having two USB drives -- one for our 'real company' one for 'on-site' (the agency that we do the contract work for) because they've had a few virus infections from USB drives. (Hell, they require Ironkey now for on-site). But nobody bats an eyelash if you plug your iPod or phone into the USB port to charge, despite the fact that you've just connected a hard drive to the secure internal network...


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Cyrrex on March 14, 2011, 08:32:37 AM
It sounds like the only thing to fear from this sort of thing is having some college kids change my radio station while I'm driving. 

And I want to point out for the record that I totally WOULD DOWNLOAD A CAR. 


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: angry.bob on March 14, 2011, 10:57:30 PM
Indeed. I would download a car, a house, a ham sandwich if I could. If 3D printers and Fab Stations ever become cheap enough for everyone to have, I think the corporate world is in for a shock at just what people would download given the chance.

Also, I don't want a car with bluetooth or a wireless network. What sort of dick would even think that's something they need. I resent having to get power locks and windows in new cars. Replace a window crank: 10 bucks. Replace a window motor and troubleshoot wiring: just buy a new door. And don't even get me started on the back gates of "crossovers" (station wagons for people who don't want to admit they drive a station wagon) that close and latch themselves. The shit is just way too overwrought nowadays.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Tebonas on March 14, 2011, 11:48:05 PM
Heck, I would download it just because I can, and dump it in a spare garage together with all the other cars I would never use.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Sand on March 15, 2011, 12:30:45 AM
I would download the car.
Drive it around while bitching what a crappy car it was and what a crappy dev team must have created the car.
Post to the car forums how if they had listened to me during beta it would have been an awesome car. Moar turbo! Nerf nitrous!
Dump the car two weeks later for the latest car.
Repeat.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Goumindong on March 15, 2011, 05:40:48 PM
If you're going to make a "you wouldn't download a car. Fuck you, I would if I could" joke at least be kind enough to link the years old motivational poster.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Yegolev on March 26, 2011, 02:29:39 PM
(http://dl.dropbox.com/u/85916/car_awesome.jpg)


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Mrbloodworth on March 26, 2011, 02:39:22 PM
Hahahaha, that got me good.


Title: Re: YOU WOULDN'T DOWNLOAD A CAR
Post by: Musashi on March 27, 2011, 09:37:23 AM
So appropriate that he of all people saw that for the first time in this thread.