Volkswagen Cars Vulnerable To Flaws The Company Won't Patch

[Lucian Armasu]

Researchers from Dutch security company Computest uncovered a remotely exploitable flaw in some Volkswagen and Audi models that the Volkswagen Group doesn't want to patch.

Volkswagen Cars Vulnerable To Flaws The Company Won't Patch : Read more

 

[HideOut]

Gm does not make to the Cherokee

 

[dextermat]

And yet fanboys keep buying them...

 

[stdragon]

What moron thought it was a good idea to not air-gap the CAN bus from the rest of the internet connected entertainment system?! Did their engineering dept not object to the marketing dept? The fail here is epic!

 

[10tacle]

Yes please edit the comment about "GM's Cherokee." Jeep is a Fiat-Chrysler company. Anyway what is up with VW? They used to make great products back in the 1980s and 1990s with Jettas and Golfs. The last auto show I went to I sat in a new Jetta and the controls like AC knobs just felt so cheap. I know they build some of them in Mexico for the North and South American markets, but I don't think that's their issue. They have a severe management quality control issue, and their diesel scandal put that under the microscope.

Actually, I've noticed in general that all German auto makers are spiraling downward in quality. Here are just a few examples from owners of them I know:

2008 Mercedes CL class two door convertible transmission failing at 48K miles.

2011 Audi A4 engine ECM failure (repeat issue, spent more time at dealer than in garage)./

2012 BMW 335i coupe with a bad turbocharger at only 32K miles.

2013 Mercedes GL450 SUV diesel having a bad rear seal gasket leaking oil (known issue, anyone out of warranty had to pay thousands to fix it).

2015 Porsche 911 GT3 bad engine component (owner had to wait six weeks after ordering for the factory to ship a replacement motor to install at the dealer before delivery - all GT3s were recalled).

German quality engineering is not what it used to be and Japanese quality is top notch. Decades ago it used to be the other way around. My daily driver 2008 Infiniti G37 with 135K on the clock is still as good as new.

 

[10tacle]

What moron thought it was a good idea to not air-gap the CAN bus from the rest of the internet connected entertainment system?! Did their engineering dept not object to the marketing dept? The fail here is epic!

Probably the same genius who was previously employed at Airbus who thought the chances of being hacked remotely on avionics monitoring software transmitted to airline ground monitoring stations was non-existent.

 

[sykozis]

Please do some research before typing an article.....

For instance, cars may now have two Controller Area Network (CAN) buses, one for safety-critical components such as the engine and brakes, and another for non-safety-critical ones such as the entertainment dashboard, AC, wipers, and so on.

There are 5 network protocols used in automotive applications. There can be (and usually are) multiple instances of at least 2 of those 5 network types in any given vehicle. The more modules the vehicle contains, the more networks exist. Some modules are even connected to more than 1 network. There is a network protocol referred to as LIN or Local Interconnect Network. This is typically used for power windows, power door locks and wipers since data only has to go in 1 direction.

Btw, CANs have existed for over 2 decades..... Roughly 27 years actually... The statement I quoted makes it sound as though networking in automotive applications is something new....

 

[mrjhh]

Over-the-air updates have their own set of issues. At the minimum, the firmware needs to be signed, and the vehicle needs to verify the signature. Anti-reversion checks also need to be in place to prevent someone from taking an old, buggy, but signed firmware version and pushing that into the vehicle. Then, there is the issue of having a validated path between the processor which validates the firmware, and the place where the firmware is stored, to be sure the validation doesn't get bypassed. Then, if there is a bug in any of the above processes, they can still be bypassed to install improper firmware.

 

[stdragon]

Over-the-air updates have their own set of issues. At the minimum, the firmware needs to be signed, and the vehicle needs to verify the signature. Anti-reversion checks also need to be in place to prevent someone from taking an old, buggy, but signed firmware version and pushing that into the vehicle. Then, there is the issue of having a validated path between the processor which validates the firmware, and the place where the firmware is stored, to be sure the validation doesn't get bypassed. Then, if there is a bug in any of the above processes, they can still be bypassed to install improper firmware.

That's all well and good, and I agree with the above. But more to the point, WHY is any of the critical ECU components even exposed to "over the air" access??! At *minimum*, they should be air-gaped and can only be serviced with a hard-lined connector; meaning physical access.

When you have a vehicle weighing between 2,500 and 4000+ pounds humming along a highway at 60+ MPH, that's a considerable amount of kinetic energy! There is no room for failure.

When it comes to automotive tech, there's no getting around inherent electro-mechanical complexity. However, whenever possible, the model of KISS (Keep It Simple Silly) is preferred so unintended consequences aren't introduced.

 

[King_V]

Did their engineering dept not object to the marketing dept?

As a software developer, I rather suspect that engineering gets overruled by marketing. Or anyone else, really.

 

[velocityg4]

Did their engineering dept not object to the marketing dept?

As a software developer, I rather suspect that engineering gets overruled by marketing. Or anyone else, really.

I'd say accounting overrules everybody. If engineering ruled. The cars would last 1,000,000+ miles, never rust out and be very easy to repair. Engineers in the 1800's created steam engines and other mechanical contraptions still in use today.

They'd also have us wear a harness with five point restraints and dump the airbags. Like in race cars. Simpler, more effective, cheaper, reliable and reduces weight.

 

[hellno]

Issue here is that supplier makes hardware/software. VW (others too) is using mostly contractors to do the job and then next group is hired. Harman used to be developed and made in Germany... these were the good days but now all is outsourced to far east where developers doent even see the whole system and work of specification documents. I have seen this mess first hand.

 

[sosofm]

That's why the classic cars are the best. No computers , no hacking , just pure mecanic.

 

[King_V]

That's why the classic cars are the best. No computers , no hacking , just pure mecanic.

I used to think so, once.

But, electronic ignition is way better than points ignition.

Distributorless ignition is way better than a distributor.

Antilock brakes are amazing.

Electronic fuel injection is way better than mechanical injection or carburetors.

Engines last way longer (and the more precise metering of fuel is definitely good at helping prevent over rich mixtures in certain conditions, which shortens oil life, sometimes dramatically)

etc etc.


Though, I'd probably draw the line at the infotainment systems, but only because they're not 100% isolated from the systems that are necessary to the vehicle's functioning.



I still love classic cars, don't get me wrong - but there's a lot of issues we simply don't have to put up with anymore due to the advance of technology. And we make more horsepower than we could've dreamed of back then, while getting better fuel economy and cleaner emissions in the process.

 

[Ninjawithagun]

And yet fanboys keep buying them...

You do know that the WiFi feature can be turned off through the menu. Also, not mentioned is the fact that you can set up a VPN, which all but ensures you can't be hacked from outside the network. Knowledge is power ;-)

Bottom line, cars with WiFi are not any less or more secure than your smart phone.