Author Topic: We Drove a Car While It Was Being Hacked (Read 16557 times)

Renegade · « **on:** May 31, 2014, 08:11 AM »

Interesting...

http://motherboard.v...d?trk_source=popular

As I drove to the top of the parking lot ramp, the car's engine suddenly shut off, and I started to roll backward. I expected this to happen, but it still left me wide-eyed.

I felt as though someone had just performed a magic trick on me. What ought to have triggered panic actually elicited a dumbfounded surprise in me. However, as the car slowly began to roll back down the ramp, surprise turned to alarm as the task of steering backwards without power brakes finally sank in.

This wasn't some glitch triggered by a defective ignition switch, but rather an orchestrated attack performed wirelessly, from the other side of the parking lot, by a security researcher.

Looking to upgrade your 2013 Cadillac to a 1977 Chevy?

40hz · « **Reply #1 on:** May 31, 2014, 08:24 AM »

Small surprise. Homeland Security and a number of police agencies have been lobbying for a law requiring that car makers provide the police with the ability to remotely disable any motor vehicle. It would make a nice addition to the inaccessibly embedded GPS tracker they also want installed in every car. Nice to see some manufacturers are getting a jump on it in anticipation of those proposed regulations being adopted. And including those "features" shouldn't add more than a few hundred dollars to the price the consumer would have to pay next time they bought a car.

Ain't electronics and wireless technology a grand thing? Wearing chains is so much easier to ignore when they're mostly invisible.

One nation, under surveillance, with monitoring and kill switches for all!

rgdot · « **Reply #2 on:** May 31, 2014, 08:47 AM »

Car computer whole disk encryption $:-\$

Stoic Joker · « **Reply #3 on:** May 31, 2014, 09:06 AM »

Looking to upgrade your 2013 Cadillac to a 1977 Chevy?
-Renegade (May 31, 2014, 08:11 AM)

Damn Straight!

...And that boys and girls, is precisely why my latest project is the high-performance restoration of an antique vehicle. With all control and management input to be direct pilot access only cogs and cables.

Innuendo · « **Reply #4 on:** May 31, 2014, 09:52 AM »

The sad, and scary, part about all this is how trivially easy it is to do. Spending a little time with Google is all a person needs to do in order to become adept at this.

Although affecting a much smaller segment of the population, there are ways to hack the new network-enabled pacemakers on the market. How's that for taking things to a whole new level of scary?

We'll keep on this dark path until companies wake up one day and realize that 0000 (and other similar codes) is not an acceptable default access password to their product.

TaoPhoenix · « **Reply #5 on:** May 31, 2014, 10:18 AM »

Yeah, shades of Flannery O'Connor, everything that gets internet enabled starts to converge.

Most people can't really ruin their life from their computer, not just by going to google and putting whatever into their search engine. Trouble, yes, but not on the order of trying to prove in court that you committed multiple vehicular homicide when your car was hacked and you crashed into a school bus!

And this attack sounds "fast", aka that researcher just sorta stood there and "did it", not like taking months of planning or whatever. So I am terrified if someone does a wide band attack within an hour on all million cars in NYC! You would never clean that up. The damage would last for months!

Stoic Joker · « **Reply #6 on:** May 31, 2014, 10:24 AM »

We'll keep on this dark path until companies wake up one day and realize that 0000 (and other similar codes) is not an acceptable default access password to their product.
-Innuendo (May 31, 2014, 09:52 AM)

The problem isn't that the default passwords are simple, because most if not all of them are well documented and therefore readily available. The problem is that so many people keep using them in production environments.

The number of time I go onsite and find that the client is completely unaware of their router's (or other equipment's') password is horrifyingly close to 90%. And the number of those cases where I get into it anyway using the manufacturer's default credentials is an almost perfect score of ~98%.

It's like leaving the keys to your car sitting on the seat - so you "don't lose them" - and then setting the alarm.

MilesAhead · « **Reply #7 on:** May 31, 2014, 12:39 PM »

These days the "OJ slow speed chase" would only last about 5 seconds as they kill the ignition and apply the brakes. Of course the TV networks may lobby the cops in real time. "Hey, you'll kill off our ratings unless you let the chase go on for at least 1/2 hour."

Innuendo · « **Reply #8 on:** June 01, 2014, 09:59 AM »

And this attack sounds "fast", aka that researcher just sorta stood there and "did it", not like taking months of planning or whatever. So I am terrified if someone does a wide band attack within an hour on all million cars in NYC! You would never clean that up. The damage would last for months!
-TaoPhoenix (May 31, 2014, 10:18 AM)

Oh, it *is* fast...as in 'drive up along-side your target on the freeway and 30 seconds later you're in control' kind of fast. Studied this a bit in school. It's very alarming.

Innuendo · « **Reply #9 on:** June 01, 2014, 10:01 AM »

The problem isn't that the default passwords are simple, because most if not all of them are well documented and therefore readily available. The problem is that so many people keep using them in production environments.
-Stoic Joker (May 31, 2014, 10:24 AM)

What I meant to include in my original post (but didn't because I sometimes type faster than I can think) is the real problem is often the manufacturer offers no way to change the default password in the product. It's set at the factory to a universal default with no way to alter it...like that Bluetooth-enabled toilet that anyone could connect to and flush.

40hz · « **Reply #10 on:** June 01, 2014, 10:26 AM »

The problem isn't that the default passwords are simple, because most if not all of them are well documented and therefore readily available. The problem is that so many people keep using them in production environments.
-Stoic Joker (May 31, 2014, 10:24 AM)

What I meant to include in my original post (but didn't because I sometimes type faster than I can think) is the real problem is often the manufacturer offers no way to change the default password in the product. It's set at the factory to a universal default with no way to alter it...like that Bluetooth-enabled toilet that anyone could connect to and flush.
-Innuendo (June 01, 2014, 10:01 AM)

With some fairness to manufacturers however, they're caught between a rock and a hard place with passwords. People change them and the forget all the time. If the manufacturer has a backdoor, the manufacturer risks liability - and it's only a matter of time before somebody else discovers it. If there isn't one, the customer invariably insists they didn't forget what they changed the password to - then claims it's the manufacturer's fault because something "must have glitched or got corrupted somehow" - and then demands the manufacturer fix it for free.

It's a no-win situation for everybody.

SeraphimLabs · « **Reply #11 on:** June 01, 2014, 11:44 AM »

The tech to do this is already implemented.

If your car is equipped with OnStar, it can already be remotely locked out and disabled with the system being sold as an anti-theft measure.

Likely this researcher simply figured out how to gain access to that system and transmitted the same signals.

I draw the cutoff at 1996. At that point vehicle computers began complying with government regulations (Such as ODBCII emissions requirements) and also simultaneously became sufficiently integrated to make the car unable to function without computer oversight.

Driving a 2014 is out of the question. I want another 1988 with a carbureted engine.

MilesAhead · « **Reply #12 on:** June 01, 2014, 12:10 PM »

The last points and condenser car I owned was a 1990 Honda CRX. A 3 speed automatic, it got about 30 MPG around town, That car always ran great. No fuel injection. Everything nice and simple. Only thing with that 1500 cc engine I made sure to have the timing belt replaced 10,000 miles ahead of schedule. It was worth it for the piece of mind. Other than that, a little water, a little oil, and a little fuel, and it was good to go.

SeraphimLabs · « **Reply #13 on:** June 02, 2014, 12:20 PM »

I'm currently sitting behind the wheel of a 1984 Ford Econoline, remodelled into an RV.

And you know what, this 4 barrel carb 7.0 liter V8 is making an astonishing 8 MPG, which for a vehicle this size is nothing less than incredible.

Plus because it's an old carburetor with no catalyst and no nonsense its a piece of cake to tweak the wiring to do whatever I want it to do. Like last night the radio stopped working. pull over, twist three wires together behind the radio, tape it up, and rock out.

If you know how to handle an old rig like this, it just works.

Stoic Joker · « **Reply #14 on:** June 02, 2014, 02:59 PM »

Now them^ were the good old days!

My 2002 Dodge Dakota with all the EFI crap, close to the same size engine (5.9L), and a probably half the weight only gets 12 MPG. Last time it had an issue I had to go and get the error codes read to find out what was up its ass. And that diagnosis was clear as mud...It appears it could be 1 of 4 different $80 parts.

MilesAhead · « **Reply #15 on:** June 02, 2014, 05:29 PM »

Now them^ were the good old days!

My 2002 Dodge Dakota with all the EFI crap, close to the same size engine (5.9L), and a probably half the weight only gets 12 MPG. Last time it had an issue I had to go and get the error codes read to find out what was up its ass. And that diagnosis was clear as mud...It appears it could be 1 of 4 different $80 parts.
-Stoic Joker (June 02, 2014, 02:59 PM)

When I took my first diagnostic class on the way to becoming a mechanic the Chrysler Corp. line just went to the electronic ignition hybrid. No computer yet, just electronic pickup in the distributor, dual ballast resister, and electronic voltage regulator. I was working in a gas station during the day. The boss was playing with this car that would catch, but as soon as you dropped the key, it would die. Classic ballast resister behavior. But the boss had his trusty test light telling him he had current across the resister. My father was in Electronics and let me have one of his old multimeters. I brought it into work and checked the resistance at the ballast resister stage that engaged during the normal running of the engine(after you dropped the key when staring.) I think the spec was 5 Ohms.. something like that. It showed 1/2 Million Ohms. The boss was not happy. But the next time the SnapOn Guy came in he bought a multimeter.

What a half-assed system that was! Nearly everyone just swapped out components until the car started. The honest shops took out the unneeded ones and only charged for diagnosis and R&R of the necessary one. It was even worse when they adopted that "lean burn" computerized crap. It was a brilliant concept. Generate waste heat deliberately. Like start a small fire in your house to discourage the mosquitoes. Crazy man!!

Stoic Joker · « **Reply #16 on:** June 02, 2014, 06:15 PM »

It was even worse when they adopted that "lean burn" computerized crap. It was a brilliant concept. Generate waste heat deliberately. Like start a small fire in your house to discourage the mosquitoes. Crazy man!!
-MilesAhead (June 02, 2014, 05:29 PM)

Oh yeah, I've been having big fun with that crap on my 2010 Harley FLTRX. The starter clutch is a bit edgy because the last owner would just let it grind until it fired (like an idiot). I dropped $500 on a vehicle interface kit so I can connect a laptop to it and club some sense into the damn thing.

It's EFI FFS, I shouldn't need to do any more than touch the starter and have it pop off instantly...regardless of what the temperature is (just like my carborated 1987 did..). But oh hell no...the startup enrichment is trying to light the 10's engine with a friggin butterfly fart.

...Damn'ed-est think though ... After I +++ed the startup mixture. All-of-a-suddenly - as if by magic - the engine began starting much easier. Kinda just like it was supposed to in the $%&#^@#^%$ first place. I've even add about 3mph to the top speed by adding a bit more fuel to the upper RPM range ... Seems they had made it a bit lean up there for safety...or some other idiotic notion.

Christ on a stick, if I wanted to play it that safe I'd be wearing a helmet and kneepads while hiding in a Volvo...(or get one of those lame-assed battery powered Prius' that don't even go fast enough to kill an insect that hits the windshield at "full" throttle)...not riding a freaking motorcycle -- God damn cretins piss me off.

MilesAhead · « **Reply #17 on:** June 03, 2014, 05:35 AM »

God damn cretins piss me off.
-Stoic Joker (June 02, 2014, 06:15 PM)

Just so I have it clear... would you recommend this product to your friends?

Sometimes I wonder how many people driving around could even start their cars in the first place if not for the computer? Used to be you needed at least a bit of feel, unless the car was finely tuned. Now you can't even start the damn things with your foot on the accelerator. So we are all in Park with parking break set, foot on the brake, in a car that's not running. Next thing is Denver Boot before you can engage the starter.

Then these morons text while driving. Apparently they can dual thumb messages expertly.

MilesAhead · « **Reply #18 on:** June 03, 2014, 03:00 PM »

Like last night the radio stopped working. pull over, twist three wires together behind the radio, tape it up, and rock out.
-SeraphimLabs (June 02, 2014, 12:20 PM)

I just remembered my father bought this old Toyota pickup truck. I forget the year and model but it was a little 4 cylinder rear wheel drive. The brake would go to the floor. It needed a master cylinder. I was a mechanic at that time. I had rebuilt calipers and wheel cylinders but never a master cylinder. At work we just ordered rebuilts from the parts house. My dad asked me to rebuild it. I suggested he not be so cheap and just buy the rebuilt. But we decided to give it a try. About $3.50 worth of O-rings, some brake fluid and fine emery paper was all it took. That was a fun little truck. I think he paid $150 for it. Nowadays everything that used to be "used" is a "classic." Picking something up for a song and fixing it is like a lost art.

Stoic Joker · « **Reply #19 on:** June 03, 2014, 05:09 PM »

After dealing with the rust-N-dust and ichor of most blown wheel cylinders the master cylinder rebuild must have been a welcomed change. I did a ton of that stuff on motorcycles that people had left sitting for too long. Only thing I go to a shop for is an automotive automatic transmission. I never have figured them damn things. Sure I know how they work...but put it back together and have it work ...(for me)... Not likely.

MilesAhead · « **Reply #20 on:** June 04, 2014, 05:52 AM »

I never messed with those transmissions either. I guy I worked with liked to call them "slush buckets." In computer and mechnics I like to think of myself as a General Practitioner. I don't get deep into the arcane specialties. But I know enough to direct people to those with the particular skill set. But to some people if you don't rebuild engines you're not a "real mechanic." I then ask the person if their family doctor is a GP? When they say yes then my comments is, "so you don't go to a real doctor? After all, he's not doing heart valve rebuilds, heart transplants or neurosurgery right?" heh heh They are usually quiet for awhile after that.

The sitting cars, man I hated having to mess with those. Seemed like when you start on them they will never clean up to work right. Not really a car that sat but one that went way past the recommended brake job was this old guy, must have been eighty, he came in to get snow tires mounted. Naturally as per the Safety Inspection Sales Procedure(tm) we checked his brakes. He had this old Dodge Dart. The rear brake drum came off in 3 pieces. The shoes were ground metal. A bunch of metal filings fell out when the drum came off. Nope! It's fine. Put the drum back on and just mount the snows. I called the other guys over to look at the state of it. We all got a good laugh. But that guy probably never topped 20 MPH and could Fred Flintstone that Dart.

Lots of weird stuff people drive on.

MilesAhead · « **Reply #21 on:** June 04, 2014, 11:31 AM »

Remember how we used to hear about the Miracle Carburetor invented by some guy suppressed
by the oil companies because with it your car got 200 MPG? I'm surprised we don't hear about the Miracle Automotive Computer Optimization that does pretty much the same thing.

At least I don't recall mention of it.

Stoic Joker · « **Reply #22 on:** June 04, 2014, 01:22 PM »

Oh that's an easy one (even leaving out the EPA's having the market cornered*), just Google Hypermiling. Seems there is a whole horde of idiots that just love to preen about how they're getting 90+MPG out of their ~~castrationmobile~~ Prius or other highway clogging road-slug hybrid. Apparently in their world impeding the flow of traffic is considered a "Driving Skill".

The thing I find is most hysterical is how many of their driving/tech tips are - in reality - suicidally stupid. Overinflate your already bicycle width tires to reduce rolling friction ... Yeah, right, and good luck with your first panic stop - Hope the insurance company has a sense of humor. My wife had an "economical car" - great on gas, but couldn't get out of its own way - that we finally managed to get her out of before she was killed. Anything that can't make it from 0 to 60mph in under 10 seconds (unless it's a Semi Truck) shouldn't be allowed on the highway.

See traffic backed up for miles going up a hill, clown at the front is one of them^.

See same clown sailing down other side of same hill at close to twice the speed limit (in neutral...)? Yepper, them again. And good freaking luck trying to set your cruise control behind one of these clowns!

Think running red lights is an "Aggressive Driver" issue (hehe) Nope! It's ^them^ again trying to avoid having to accelerate. Gas petal bad

... Butterflies good

.

...Stupidity rampant... The problem with the price of gas...is the price of gas. Period. A bunch of greedy cartels want people bleed dry so they're just going to take what they want because nobody is stopping them. This isn't solving anything, it's just making it easier for them to get twice the money for half the product.

Make a list of the things that people do in traffic that really piss you off, and then with that in mind go browse a few hypermiling websites. It's them.

Like the yahoos that start coasting at 5mph up to red-light from a block away. For a Semi Truck that doesn't want to have to gear down and back up 12 more time it is reasonable behavior. For some idiot in a hybrid with an automatic transmission ... Not so much. Ya know what I mean?

---------------------------------------------------------------------------------------------------
*There are apparently several auto companies that have gotten vilified for doing commercials that show people failing in (car running in closed garage) suicide attempts because their cars exhaust is so clean the air is breathable. So it'll be pretty hard to lean them out much further.

MilesAhead · « **Reply #23 on:** June 04, 2014, 03:36 PM »

See traffic backed up for miles going up a hill, clown at the front is one of them

These must be the same people drifting through malls looking side to side, walking abreast so I can't get around them. Meanwhile I know the store, shelf, item, price and have exact change for what I want to purchase ready. I'm 2.5 minutes in the store, bit 15 minutes getting around the obstructionists. I've dubbed these types Meanderthals. Someone should screen them when it comes to issuing driver's licenses and mall pedestrian permits.

tomos · « **Reply #24 on:** June 04, 2014, 04:28 PM »

...Stupidity rampant... The problem with the price of gas...is the price of gas. Period. A bunch of greedy cartels want people bleed dry so they're just going to take what they want because nobody is stopping them.
-Stoic Joker (June 04, 2014, 01:22 PM)

well today I 'tanked', as they say here :p
I just converted it:

1.56 euros a litre ('Super' 95) = 8 dollars a gallon at today's exchange rates.

In the last while it's usually over 1.60 a litre, got it today cause it was 'cheap'.
So, whoever is screwing ye, is doubly screwing us over here