Car Makers Haven’t Learned: Insecure Apps Expose Millions Of Connected Cars To Theft, Risks

[Lucian Armasu]

Car makers seem no closer to adopting strong security for their cars and related systems, even as we're years away from having to trust fully automated cars to drive us around safely.

Car Makers Haven’t Learned: Insecure Apps Expose Millions Of Connected Cars To Theft, Risks : Read more

 

[__thatguy__]

"Allowing remote access through apps to car doors and the car engines just to slightly one-up the competition doesn’t seem like a responsible thing to do from these well-known car brands, and that needs to change."

Entire article was good until the above. It's not only responsible - it's wanted. You don't impede progress, but automobile manufacturers have to implement effective security measures.

 

[matmat9v]

It's not irresponsible, it is unwanted unless you want your car stolen. I would prefer to have a car unlock by at least PIN entered on keypad on my car door. After all car keys are easy to loose. If I were a security analyst in any insurance company I would refuse honoring any "stolen car" claim for such a vehicle citing insufficient protection and gross negligence on user part.

 

[anbello262]

It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.

 

[chile7236]

why are these apps lacking confidence in themselves?

 

[nukemaster]

It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.

I have to agree. People determine what THEY want. The connected world is simply something more and more users want. As long as they can secure it better, I do not see a problem with it.

People generally love everything being connected to a cellular phone. I see routers you can hardly configure on a computer via web browser any more(this trend is kind of disturbing because a web based interface or other multi-platform one will work even with new operating systems while these Apps may or may not be ported in the future to your device of choice.).

I personally have no use for such things.

I do not need my living room/bathroom/bedroom/kitchen connected to the internet. I the fridge that tracks food with all kinds of cameras is kind of cool. It would be nice to be at the store and say "Do I need milk? Check the fridge remotely and see that I do."(not much loss if a hacker knows I need milk as well). I do NOT want anything important linked to the internet(says the online shopper), but I am a minority in that.

Even government computers seem to have more connection that they need and users of some offices even bring flash drives from home to work(big NO NO in my books).

 

[SheriffMoose]

I wholeheartedly agree with the concept of this article - car manufacturers need to be practicing standard security measures when implementing this level of connectedness. However, I would say the current risk of thieves using this technology to steal your car is less likely. The average criminal interested in stealing your car isn't going to have the know how or take the time to learn how to hack into your car to unlock the doors when you can use fairly inexpensive tools to unlock the car. If you can still call a locksmith to unlock the car in less than 10 minutes with a physical tool, then its unlikely that your car will be stolen using high-tech hacking methods.

That's just my 2 cents. They need to be implementing security measures as is best practice with any internet connected technology, but I won't be losing sleep over the idea of a street criminal stealing my car by hacking the internet functions when they could use a Door Jimmy or other locksmith tool.

 

[anbello262]

I wholeheartedly agree with the concept of this article - car manufacturers need to be practicing standard security measures when implementing this level of connectedness. However, I would say the current risk of thieves using this technology to steal your car is less likely. The average criminal interested in stealing your car isn't going to have the know how or take the time to learn how to hack into your car to unlock the doors when you can use fairly inexpensive tools to unlock the car. If you can still call a locksmith to unlock the car in less than 10 minutes with a physical tool, then its unlikely that your car will be stolen using high-tech hacking methods.

That's just my 2 cents. They need to be implementing security measures as is best practice with any internet connected technology, but I won't be losing sleep over the idea of a street criminal stealing my car by hacking the internet functions when they could use a Door Jimmy or other locksmith tool.

I actually believe the biggest danger is not in the car-theft area (and that's even covered by insurance).
I believe that the big risk comes from causing crashes or kidnapping people by disabling some car functions (forcing a stop, for example), which would be a big concern for 'interesting' targets (people with more money than average, or political/social significance). No need to be the president, just being 'a bit bigger' than the average people can make you a good target.
I agree that it is quite hard to achieve, but for the right target (or just random attacks, or even cyber terrorism) this probably could be done.

 

[Guest]

Kaspersky is full of it. Cars are insured against theft. Insurance companies would not insure cars that had these systems had vulnerabilities. 6 months ago I submitted a virus report to Kaspersky, including the binaries. Their software still does not detect it. This is complete bogus marketing by Kaspersky.

 

[junkeymonkey]

'' Car Makers Haven’t Learned ''

no its you haven't learned and support these things that cam allow a 3ed party as much control over your personal stuff , come on

if it aint got it that you don't worry about it , right ???

 

[wiyosaya]

It IS wanted. If it wasn't, those cars wouldn't be selling in the first point. And it brings a lot of convenience. As long as they improve the security enough to be as safe as driving itself can be (which is not much, with man-driven cars), it is completely acceptable. Having the ability to pre-start your engine to warm it up was one of the biggest revolutions of remotely controlled cars, for example.

I understand not wanting this progress while it brings so much risk, but just saying "it shouldn't be done, it will never be safe" is looking away from a more convenient future (and sounds a lot like the same stuff that was said about cars when they were first invented).
The solution is not to just ignore it and forbid it. It should just be closely regulated and made secure.

Personally, I think it is a stretch to say that the cars would not sell if they did not have an app that could remotely control the things talked about in the article. As I see it, we really cannot say why the cars are selling.

This is a tech site, and in the real world, the number of tech illiterate people are likely much more of a proportion than they are on this site. Many of my own family members would have no clue about something like this, and I suspect that everyone who responded to this thread knows at least one such technically illiterate person, too. If the purchaser of a car does not ask about these options, do you think the dealer is going to tell them that the car they are considering has it? Dealers just want to sell cars, and in my experience, will do almost anything that they can to sell a car.

The author of the article is not saying it should not be done, what he is saying is that it should not be done if it cannot be done securely.

Right now, car manufs seem to not care at all about whether these apps make the car less secure. Blowing if off as "the insurance company will pay if the car is stolen", etc., is just a cop-out. At some point, insurance companies will care that manufs seem to have forgotten to keep their cars as secure as they were when keys were around, and if manufs still refuse to implement basic security options for apps like these, I would not be surprised if the insurance companies put clauses in their contracts that say something along the lines of we will not pay if your car is stolen due to defects in the manufs implementation of security. Insurance companies will not put up with this crap once it starts to become a major problem.

I'll be in the market for a new car in the next few years, and if any car I am interested in has anything like this where the car can be compromised in any way by something stupid that the manufacturer could have taken steps to prevent, such as putting critical controls on a separate network, etc., I'll be telling the dealer: Thanks but no thanks, because I am not exposing my loved ones or myself to that kind of risk.

 

[anbello262]

Personally, I think it is a stretch to say that the cars would not sell if they did not have an app that could remotely control the things talked about in the article. As I see it, we really cannot say why the cars are selling.

You got my point exactly backwards. I did not say "they woudn't sell if they did not have this". I said "if they weren't wanted, they woudln't sell cars with them". These features are not free for the manufacturers, and usually aren't free for the customer. You usually have to pay for them (at least in the examples I have seen in person). They might come as part of a feature-pack, but they are usually said out loud, because they attract people.
(I agree that we do not have the data to be able to say WHY the cars are or are not selling, and this will at most be an educated guess based on what can be inferred). Basically:
They aren't free, so manufacturers wouldn't put them if they weren't able to get a higher selling price, or more sales

If the purchaser of a car does not ask about these options, do you think the dealer is going to tell them that the car they are considering has it? Dealers just want to sell cars, and in my experience, will do almost anything that they can to sell a car.

Exactly, dealers want to sell. So they will obviously tell you about these features, even more if you aren't a tech person! You know how big of a selling point it is to say "And you can even start your car from your phone!" to common folk? Why wouldn't they tell you about a feature that makes the car more expensive and can attract more customers??

People who buy a car with these features almost always KNOW that they have these features. They paid for them, they wanted them, they tell people about them.
Actually, I first heard about them from "tech illiterate people", because they came and told me with big enthusiasm "Did you see what this car can do? You can do (xxxx) through your phone!!"

The author of the article is not saying it should not be done, what he is saying is that it should not be done if it cannot be done securely.

Although I did not feel this is what was said, I understand that this might be the actual meaning of the article. But I still feel it is not the right thing to say. I wouldn't say "Manufacturers, don't do it because it is not safe right now", I would say "Manufacturers, MAKE it safe". The focus should be in the actions to take in order to make this a safe technology, not in avoiding it because it isn't safe right now. But again, that's just my own personal view on the subject.

At some point, insurance companies will care that manufs seem to have forgotten to keep their cars as secure as they were when keys were around, and if manufs still refuse to implement basic security options for apps like these, I would not be surprised if the insurance companies put clauses in their contracts that say something along the lines of we will not pay if your car is stolen due to defects in the manufs implementation of security. Insurance companies will not put up with this crap once it starts to become a major problem.

I would believe this wouldn't be legal, and that the insurance companies woul actually start pressuring the manufacturers to make it safe (or don't include it), but that's just my own guessing work, no real disagreement with your words. They might just make the insurance premiums quite a bit larger for cars with these features, though.


I don't mean to pick on your opinion, I'm just trying to explain WHY I think the way I do. I tried to make clear which parts are purely my opinion and feelings, and which parts are more based in experiences and information available.

 

[MASOUTH]

"Kaspersky is full of it. Cars are insured against theft. Insurance companies would not insure cars that had these systems had vulnerabilities. 6 months ago I submitted a virus report to Kaspersky, including the binaries. Their software still does not detect it. This is complete bogus marketing by Kaspersky."

I'm thinking YOU are full of it if you think there's any actual logic in the premise that because insurance companies insure cars against theft then there CAN'T be security flaws. Using that logic you could say that all operating systems are free of security defects because you can't make money selling an OS with security flaws.

Insurance companies suffer the same blind spots as the automakers and IoT developers. They will continue to take your money as long as it's profitable for them. To see a change in any of them is going to come down to 3 overly generalized reasions:

1) they feel it's the "right" thing to do
2) their bottom line suffers or is predicted to (theft/damage/injury/PR)
3) the government makes them

 

[Guest]

"Kaspersky is full of it. Cars are insured against theft. Insurance companies would not insure cars that had these systems had vulnerabilities. 6 months ago I submitted a virus report to Kaspersky, including the binaries. Their software still does not detect it. This is complete bogus marketing by Kaspersky."

I'm thinking YOU are full of it if you think there's any actual logic in the premise that because insurance companies insure cars against theft then there CAN'T be security flaws. Using that logic you could say that all operating systems are free of security defects because you can't make money selling an OS with security flaws.

Insurance companies suffer the same blind spots as the automakers and IoT developers. They will continue to take your money as long as it's profitable for them. To see a change in any of them is going to come down to 3 overly generalized reasions:

1) they feel it's the "right" thing to do
2) their bottom line suffers or is predicted to (theft/damage/injury/PR)
3) the government makes them

It's obvious because 2). Car theft costs money to insurance companies. Insurance companies are very proactive to any potential future losses.

Your "analogy" is dumb. It's more like saying "because I can insure against data loss, it means that I can't lose my data". Well, try to get insurance against data loss... it's not going to happen. In fact, every software comes with a license agreement specifically saying that if anything happens, you're on your own.

 

[bloodroses]

Theft is not the primary concern when it comes to the hacking of vehicles as almost every insurance company protects against theft. People getting killed when their car gets hijacked is the real concern.

In relation to the customer, you quickly learn how much their own life is out of their own control when you see hacks such as these (now fixed thankfully):

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes

The worst part about the situation is that no matter how secure you make an app, if the underlying OS is insecure, it won't help one bit. Android and IOS have swiss cheese for security. Currently, it's up to car manufacturers to determine what should and should not be placed on its internal (CAN/Flexray/etc) network. These networks are very insecure because they were originally designed when the internet was not even considered an option on a car.
Every newer car has more than you think on these network whether you want the feature or not; contrary to what ANBELLO262 says. Manufacturers just disable them since it's cheaper than not adding it in the first place from a production standpoint.
The only current solution that is being working on right now is a new network protocol inside the vehicles; which is very PC like and just as insecure as one. This is coming from someone who's an engineer in the auto industry.

 

[videobear]

I don't want to operate my car with my phone. What if I leave my phone home, or lock it in the car? Or it gets stolen? Or the battery dies? But pretty soon, I won't be able to buy a new car that does NOT have such unwanted "convenience" features.

Carmakers: Please stick to making cars, not apps.