Well, we put light bulbs on the network/IOT so people can control with their phones and they got remotely commandeered and turned into a botnet (source:
https://www.techdirt.com/articles/2...re-safe-shitty-internet-things-security.shtml)
What did we think would happen if we expose automobile networks to the same? There's some decent research out there on the CAN-bus.
If you can get access to that, you own the car's ECU(s). There are a few computers on the CAN-bus and they constantly send out "I'm OK" messages to other subsystems on the bus. In theory, interrupt/intercept just a single message and ... owned. Auto manufacturers don't know all that much about computer and network security. I met a guy from Gotenborg Sweden a few years back. He was a computer/network practitioner working at Volvo in Sweden. We had a good conversation about these sorts of things and I left wondering if U.S.-based car makers hire people with his smarts to think about info system in autos.
I don't even like throttle-by-wire or steer-by-wire, but it's the world we live in. My car's owner's manual doesn't even publish torque specs for lug nuts. You can probably make a pretty good guess, but if you want to be sure, you'd have to get the shop manual from the manufacturer or a Chilton's.
My opinion is that these sorts of things happen because their code base is closed source and there aren't enough eyeballs on it to spot problems. Closed source makes sense, it's their proprietary code, their profit stream. But if you want a better product, there are much smarter people out there who can help.
Really, really good post. T/Y!
Hooked into my CAN-bus, are you?
The three highlighted bits (pardon the pun) above hit three of my major concerns. Yes, I have been called a tin foil hat wearer, but I do know (from work experience) that network/IOT attacks are a great way in stealing personal data/identity theft. And yup, through light bulbs, refrigerators, door bells, etc.
My fear is that CAN-bus hijacking doesn't even have to be malicious to be problematic. What I mean by that is the disputes I read about from time to time about software engineers who "own" the ECU spatting with auto manufacturers who use the ECU. I'm reading that much of this wasn't done in house....
Leading to your third "bold": bringing it in house. As you noted, that comes with its own problems.
Again, thanks. Excellent post. really enjoyed it.
MEh, I dont worry about it so much. The Tesla hacks fix was already in the works and it was deployed rapidly. The odds of you personally having any issue with this is less than you getting bit by a rabid animal. Hell, you are more likely to personally be involved in a terrorist attack than have this affect you, I think.
I get that. My concern splits three ways: privacy, software security, & personal safety. The first is ideological matter; the second, a procedures concern (I absolutely despise that everything these days is in "beta"); the third, existential.
I realize the first matters little to others, while the third is playing the odds (lightning striking and all that).
The middle one is the one that bothers me most as a professional; while very little of my career was spent with the IT folks I was a pretty intense user (both in offensive and defensive modes) and I came to appreciate beautiful code/approaches and hate sloppy, "good enough for the govt" mindsets. As TCrow mentioned there's the profit stream angle; I would add there's a rush to be first in the market and corners are cut. When we talk about transportation (aviation, autos, railroads, etc.) that's not a good thing.
--- End of line (MCP)
day.