Author Topic: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW,  (Read 1734 times)

0 Members and 1 Guest are viewing this topic.

Offline KarelTopic starter

  • Super Contributor
  • ***
  • Posts: 2275
  • Country: 00

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

https://samcurry.net/web-hackers-vs-the-auto-industry/

 :palm:
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1420
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Which will be te first country to add software security testing to their vehicle roadworthiness tests?

   If three 100  Ohm resistors are connected in parallel, and in series with a 200 Ohm resistor, how many resistors do you have? 
 

Offline Faranight

  • Supporter
  • ****
  • Posts: 241
  • Country: si
I'm surprised nobody has yet managed to remotely murder someone on the road due to these vehicle vulnerabilities.
Fara-day? Fara-night.
 

Online Benta

  • Super Contributor
  • ***
  • Posts: 6420
  • Country: de
If you read carefully, it's all about gaining access to the company network, not the car itself.
The "hacks" for open/close/start etc. apply to idiot car buyers who think it's cool to start the car using the smartphone. Again, the company network.

Yawn.
 

Offline MrMobodies

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: gb
https://volkswagenforum.com/forum/general-tech-7/case-cost-disabling-car-net-37546/
Quote
VWowner611 Thread Starter Join Date: Jan 2018

The case for, and cost of, disabling Car-Net
Car-Net is VW’s implementation of what is generally referred to as telematics. The car contains a cellular radio through which many functions can be controlled, operations performed, location tracked, and engine/systems data collected. VW sells some of these functions to consumers through a subscription service, such as remotely unlocking the doors, locating the parked car, geo-fencing, checking the fuel level, etc. It also can automatically call emergency services in the event of an accident (although I would point out that my Honda HR-V will do the same thing for free using Bluetooth through my own phone – it doesn’t have a cellular radio of its own). If you’re interested, see [url]http://www.vwcarnetconnect.com/security-service/[/url] for more information.

For some people these services are worth the subscription cost, although judging from posts on various websites, the current price point ($200/year or $18/month) makes it relatively unpopular. Of course you can opt not to subscribe. But it’s important to be aware that even if you don’t subscribe, there are two “costs” to having Car-Net operating in your vehicle. The first cost is loss of privacy. VW retains the ability to communicate with your car without your knowledge or consent, to control various systems, and to monitor virtually every aspect of its operation including audio and location. To my knowledge, there is no law in the U.S. that prohibits VW from such monitoring. Except for acknowledging that they may provide location information to law enforcement upon request, VW does not divulge how they uses these capabilities, or under what circumstances. But I know from personal experience that they are doggedly determined not to relinquish them.

I know that I will be accused of being paranoid, or wearing a tin-foil hat for worrying about this. But I have my own metaphor for those who are so dismissive. They are frogs being slowly brought to a boil in a surveillance society where privacy is gradually ebbing away because of their apathy. By the time they realize it’s a problem it will be too late. And I know to a moral certainty that any system that can be abused eventually will be abused.The second cost is hacking risk. One can easily imagine some black hat deciding to hack into VW’s systems to disable every VW in the U.S. for fun – or ransom; or hackers could simply unlock individual doors to facilitate theft; or ______ you fill in the blank. So for those of us who elect not to buy Car-Net’s subscription services, the presence of this equipment presents only downside.

Given all this I set about to have Car-Net disabled. What a struggle it was! The Car-Net brochure, the Car-Net Consent Form and the 2017 AllTrack owner’s manual all state that equipment must be removed from the car to completely disable Car-Net. But in fact that is untrue. Car-net can be disabled through software configuration. As noted by Frank Weith, General Manager of Connected Services for Volkswagen Group of America, a dealer can disable Car-Net cellular communications by putting it into so-called “Flight Mode” (BBC - Autos - How connected car tech is eroding personal privacy).

It sounds straightforward, but my dealer had no idea how to do it. When I asked VW customer service to instruct my dealer how to disable Car-Net, I was met with four months of stonewalling, deflection, dissembling, and outright lies. At every turn they denied that there is any way to disable Car-Net.  :bullshit: To make a very long story short, they eventually relented and put my dealer in touch with someone at VW who helped them put it into “flight mode.” (If you encounter similar stonewalling, write to me at VWowner611@outlook.com and I’ll give you the phone number of the representative who finally helped me.)

VW of America required the dealer to charge me $500 for this 75-minute procedure. The price seems clearly punitive – set to discourage customers from choosing this option. I will leave it to you to speculate as to why VW so strenuously hides this option from customers, and then overcharges those who insist on pursuing it. Given their deeply entrenched resistance, I suspect that there’s money involved. But I believe that as the owner of the vehicle I should not have to pay $500 to protect myself from the risks posed above. I should be able to opt out at no cost.

Finally, if you don’t want to spend the $500 and are game to perform some major dashboard surgery, check out this post on how to disable Car-Net yourself: VWVortex.com - Killing CarNet: how to find, bypass, and remove the CarNet box (what's inside it and how to repurpose the buttons too!)


https://old.reddit.com/r/whatcarshouldIbuy/comments/ihzyfg/vw_carnet_sells_your_driving_information_to/
Quote
genomnomics 1 point 2 years ago*
[url]https://www.vw.com/privacy/[/url]
Read the following sections:

"What Information Do We Collect?" (sections 2.3 - 2.6)
"How Do We Use Your Information?" (sections 3.1 - 3.6)
"With Whom Do We Share Your Information?" (sections 4.1 - 4.7)
To summarize, they collect driver behavior data, GPS data, and audio data (among others). They share it with law enforcement and third party advertisers (among others).

Note: They say that "precise GPS location data or your driver behavior data will not be [shared] with unaffiliated third parties [without] your affirmative consent." * If you enroll in Car-Net or DriveView, you are giving consent. It is also very carefully worded to allow them to share non-precise GPS data, or to share precise GPS data with affiliated third parties.


*Another incentive not to use the in car subscription stuff.

Any car I would want it left alone, no remote access and that radio/cellular stuff switched off and I think I'd buy my own gps tracker.
 

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 9003
  • Country: us
  • Retired, now restoring antique test equipment
 

Online Benta

  • Super Contributor
  • ***
  • Posts: 6420
  • Country: de
There have been many car thefts reported recently in Chicago of Kia vehicles due to an USB vulnerability.
That seems a bit over the top. They have to break into the car first, which has always been an issue.
You could steal 90s Fords with a screwdriver in the ignition lock.
And those thieves are really low-achievers. I mean, who'd want to steal a KIA?
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7336
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
https://volkswagenforum.com/forum/general-tech-7/case-cost-disabling-car-net-37546/
Quote
VWowner611 Thread Starter Join Date: Jan 2018

The case for, and cost of, disabling Car-Net
[..]

This is odd, because I have a Golf with Car-Net and (a) the telematics module is easily reached (it's just behind the instrument cluster, about 30 minutes to remove) and (b) it's on its own fuse, so even if you didn't want to disable it by physically removing it, pulling that fuse should be enough.  A software change shouldn't be needed, and I'm not surprised the dealer had no idea how to do it.

VW's service infrastructure is shite, though -- no doubt about that.  After a battery fault occurred on my car, they had it away from me for 7 weeks while they figured out how to fix it.  In the end, a tech from Germany was flown over. 
 
The following users thanked this post: MrMobodies

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 9003
  • Country: us
  • Retired, now restoring antique test equipment
There have been many car thefts reported recently in Chicago of Kia vehicles due to an USB vulnerability.
That seems a bit over the top. They have to break into the car first, which has always been an issue.
You could steal 90s Fords with a screwdriver in the ignition lock.
And those thieves are really low-achievers. I mean, who'd want to steal a KIA?

The reports in Chicago indicate that the stolen Kias are used in crimes, then abandoned.
Apparently, one needs only to break a window with a screwdriver, then proceed to the USB port.
A rational thief would presumably target commonly-available autos that are easier to steal than other commonly-available autos, especially if only to obtain a temporary vehicle for criminal activity.

From an December, 2022 news item on the Chicago CBS TV station:
"Kias and Hyundais each had about 3,500 car thefts, accounting for nearly 38% of all car thefts in the city.
So many Kias were stolen in Chicago, that they account for about 10% of the city's 36,300 registered Kias and about 7% of the city's 53,500 Hyundais, according to data from the Illinois Secretary of State.
That number does not include the 86 Hyundais and 62 Kias swept up in 1,500 carjackings since November of this year, according to police data obtained in a public records request.
Thousands of Kia and Hyundai owners have lost their cars in Chicago and other U.S. cities thanks in part to TikTok videos that show how to exploit a hack on certain models that lack engine immobilizers.
Car thieves, dubbed "Kia boys" by some, are able to break into cars and start them with nothing more than a screwdriver and USB charger."

By comparison, about 1500 Chevrolets, 1200 Dodges, 1000 (each) Fords and Jeeps, and 900 (each) Hondas and Toyotas were stolen.
Reference (with complete Chicago data):  https://www.cbsnews.com/chicago/news/kia-hyundais-stolen-chicago/
« Last Edit: January 10, 2023, 12:00:33 am by TimFox »
 

Offline Pagesing

  • Newbie
  • Posts: 1
  • Country: us
This seems like an extremely serious vulnerability considering that you can affect the starter and start/stop engine. Of course, this does not mean that you can break into cars, but it does not get any better. Access to personal data is a separate thing that could be mentioned, but I think everyone understands it anyway.
 

Offline jm_araujo

  • Regular Contributor
  • *
  • Posts: 77
  • Country: pt
I've seen the video of the hacking of the KIAs and Hyundais.
It has nothing to do with USB ports in the car. You have to disassemble the steering column and take apart the lock, and the hole where the lock turns the eletrical switch is an exact match in size with an USB type A plug. A screwdriver can also be used, but it doesn't make the headlines as juicy.

What I didn't knew was that cars are still beeing sold without immobilizers! Is that an USA thing?
« Last Edit: January 11, 2023, 05:45:29 pm by jm_araujo »
 

Online Benta

  • Super Contributor
  • ***
  • Posts: 6420
  • Country: de
What I didn't knew was that cars are still beeing sold without immobilizers! Is that an USA thing?
I wondered about that myself.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
If you read carefully, it's all about gaining access to the company network, not the car itself.
The "hacks" for open/close/start etc. apply to idiot car buyers who think it's cool to start the car using the smartphone. Again, the company network.

Yawn.

That being said, it can be used to get live location information about a vehicle (depending on make/model). Ive been involved in this kind of thing in my previous job and I can tell you 100% that via certain manufacturers, law enforcement (and others) can gain access to vehicle location, regardless whether or not the end-user subscribes to any kind of package or service. I know at least one manufacturer won't reveal that they can do this publicly (and most of their dealers don't know), but I have seen and used that data personally myself.

If law enforcement and security agencies can access it, so too can people who exploit poorly written or vulnerable APIs.
 

Online Benta

  • Super Contributor
  • ***
  • Posts: 6420
  • Country: de
If you read carefully, it's all about gaining access to the company network, not the car itself.
The "hacks" for open/close/start etc. apply to idiot car buyers who think it's cool to start the car using the smartphone. Again, the company network.

Yawn.

That being said, it can be used to get live location information about a vehicle (depending on make/model). Ive been involved in this kind of thing in my previous job and I can tell you 100% that via certain manufacturers, law enforcement (and others) can gain access to vehicle location, regardless whether or not the end-user subscribes to any kind of package or service. I know at least one manufacturer won't reveal that they can do this publicly (and most of their dealers don't know), but I have seen and used that data personally myself.

If law enforcement and security agencies can access it, so too can people who exploit poorly written or vulnerable APIs.
Too true, but still doesn't merit the "sensational" OP video. We're still talking Nav/Infotainment info, not crucial car safety system.

But this is why I love my '97 MX-5/Miata: it's all car, zero smartphone :)
 
The following users thanked this post: Halcyon

Offline Stray Electron

  • Super Contributor
  • ***
  • Posts: 2253
Which will be te first country to add software security testing to their vehicle roadworthiness tests?

  None!  It will be left up the consumers to figure out which vehicles are safe and reliable to drive and which ones aren't. But by the time that consumers learn that, the manufacturers will be building new models with new bugs.   Just like the car market today and today's software market.  Tesla and Windows both come to mind.

   Governments, as usual, will be 15 to 20 years behind.
 

Offline rdl

  • Super Contributor
  • ***
  • Posts: 3667
  • Country: us
Looks like I'll be keeping my 20 year old truck a little longer...
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf