[HN Gopher] Web hackers vs. the auto industry
___________________________________________________________________
Web hackers vs. the auto industry
Author : quicksilver03
Score : 104 points
Date : 2023-01-03 11:07 UTC (11 hours ago)
(HTM) web link (samcurry.net)
| ballenf wrote:
| The scary thing with any of these disclosures is the thought that
| state intelligence would be stupid to not spend a lot more
| resources than these ethical hackers did to discover the same.
| AlexandrB wrote:
| Would love to see a regulatory requirement for a physical off
| switch for vehicle network connectivity. Probably won't happen
| though.
| cuddlyogre wrote:
| The people that are responsible for writing a law like that
| want to make encryption illegal to make law enforcement easier,
| with no thought whatsoever to the obvious everyday security
| implications of doing so.
|
| There's no way they would remove remote control functions in
| cars, regardless of the safety implications for the drivers.
| marcosdumay wrote:
| > There's no way they would remove remote control functions
| in cars, regardless of the safety implications for the
| drivers.
|
| I bet after we get the first terrorist act in history to
| reach millions of victims, they will. And then they will
| claim nobody could predict it.
| berjin wrote:
| The problem is that the power thirsty law makers aren't much
| different than hackers since they also want access to
| everything.
| mike_hearn wrote:
| A few recurring patterns here:
|
| - Broken API authentication mechanisms, SSO that doesn't work
| properly. The frequency with which they could simply register
| accounts and then make themselves some sort of admin by sending
| ordinary HTTP requests, without ever once needing to confirm with
| anyone in person, is quite astounding.
|
| - Everything being totally exposed on the internet: frontends,
| backends, all of it. Apparently IP firewalls are history.
|
| - Stringly typed APIs and protocols in which adding escaped
| control characters in various places allows bypass of critical
| comparison logic.
|
| - And a bit of SQL injection. Apparently only worth looking for
| on old web apps - progress?
|
| It feels like the ad-hoc way user accounts were added to the web
| platform has led to a universe of different implementations and
| varying exploits. Still, it'd be good to know what their failure
| rate was. How many companies did they attack without finding any
| (serious) problem?
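The "stringly typed" comparison-bypass pattern named above (an identifier carrying an escaped control character sails through one check and collides with an existing identity in another) comes down to two layers disagreeing about what "the same string" means. The following is an added illustration written for this page; it is not code from the linked write-up, the thread, or any vehicle manufacturer, and the `LooseAccountStore`/`StrictAccountStore` classes, the `canonical_email` policy and the sample addresses are all constructed for the example. It places the vulnerable shape (uniqueness checked on the raw string, authorization compared on a trimmed one) beside the hardened shape (canonicalize once at the boundary, reject control characters, use plain equality everywhere).

```python
import re

# Any ASCII control character (including CR and LF) or DEL. None of these
# belong inside an account identifier such as an e-mail address.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class LooseAccountStore:
    """Vulnerable pattern (constructed for this example): two layers use two
    different notions of equality. Registration checks uniqueness on the raw
    string, while the authorization-time comparison is "tolerant" and trims
    the string first. A raw string that differs from an existing one only by a
    trailing control character is therefore accepted as a brand-new account and
    later compared equal to the existing one."""

    def __init__(self):
        self._accounts = {}  # raw identifier -> record

    def register(self, email, owner):
        if email in self._accounts:  # exact match on the raw string
            raise ValueError("already registered")
        self._accounts[email] = {"owner": owner}
        return owner

    @staticmethod
    def same_identity(session_email, record_email):
        # "Be liberal in what you accept": strip stray whitespace/control
        # characters before comparing. This is the gap.
        return session_email.strip().lower() == record_email.strip().lower()


def canonical_email(email):
    """Canonical form used for storage and for every comparison. Policy chosen
    for this example: reject control characters and surrounding whitespace,
    require exactly one '@' with a non-empty local part and domain, and
    lower-case the whole address."""
    if not isinstance(email, str) or _CONTROL.search(email):
        raise ValueError("control character in identifier")
    if email != email.strip():
        raise ValueError("leading/trailing whitespace in identifier")
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("malformed address")
    return email.lower()


class StrictAccountStore:
    """Hardened pattern: canonicalize once at the boundary, then use plain
    equality everywhere. Uniqueness and authorization now apply the same
    relation, so there is no gap between them."""

    def __init__(self):
        self._accounts = {}  # canonical identifier -> record

    def register(self, email, owner):
        key = canonical_email(email)  # raises on control characters
        if key in self._accounts:
            raise ValueError("already registered")
        self._accounts[key] = {"owner": owner}
        return owner

    @staticmethod
    def same_identity(session_email, record_email):
        return canonical_email(session_email) == canonical_email(record_email)


def demo():
    """Return (loose_collides, strict_rejects) for a constructed pair of
    identifiers that differ only by a trailing carriage return."""
    existing = "owner@example.com"       # constructed sample identifier
    lookalike = "owner@example.com\r"    # same address plus one CR

    loose = LooseAccountStore()
    loose.register(existing, "first")
    loose.register(lookalike, "second")  # accepted as a *new* account
    loose_collides = loose.same_identity(lookalike, existing)

    strict = StrictAccountStore()
    strict.register(existing, "first")
    try:
        strict.register(lookalike, "second")
        strict_rejects = False
    except ValueError:
        strict_rejects = True
    return loose_collides, strict_rejects


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The design point is that the fix is not "strip more carefully" in the comparison: it is having exactly one canonical form, computed at the edge, so that uniqueness checks, lookups and authorization comparisons cannot drift apart. A review that asks "which function defines equality for this identifier, and is it the only one?" catches the loose shape before a tester does.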
| scohesc wrote:
| This is exactly the reason why I'm trying my best to keep my
| non-smart vehicle running as well as possible for as long as
| possible.
|
| I have no idea what exactly will be exposed to the manufacturer's
| backend, what can be manipulated and hacked on the front-end, and
| the possible safety repercussions involved with this.
|
| Who's to say some government/corporate espionage results in a
| manufacturer getting their back-end hacked and having every
| online vehicle immediately get their brakes applied? Definitely
| some Black Mirror-esque stuff...
|
| Not to mention the convenient ability to surveil any vehicle and
| their locations with a busted and easily crackable API - why does
| it take external hackers with a (thankfully good) sense of morals
| and ethics to bring these things to companies' attention?
|
| It'll probably take something hitting national/international news
| before lawmakers or companies take this security seriously.
| jollyllama wrote:
| We need an open database correlating make/model and years with
| connectivity information.
| AlotOfReading wrote:
| There have been many, many past instances of automotive
| security issues hitting national and international news.
|
| The automotive industry has simply been slow to adapt.
| Manufacturers were almost universally founded in an era when
| mechanical systems dominated and that's how they want to treat
| everything. There's been a painful and ongoing learning process
| for them to realize that software and computerized systems are
| fundamentally different from the mechanical systems they
| understand well.
|
| On the inside, doing things securely takes a lot of deliberate
| and careful work. COTS stuff is rarely designed for high
| security systems. I've sat in more than one pen test where we
| found a wireless interface unintentionally added by some dev
| board that was selected for a completely different purpose.
| I've also seen cases where the security team/software teams
| were hired/onboarded after the vehicle design was essentially
| finalized with little consideration for their requirements.
| jacquesm wrote:
| Same here, I've pretty much given up on owning a modern
| vehicle, my daily driver is 25 years old this February and it's
| the last car I'll own.
| BoorishBears wrote:
| My threat model must be a bit different.
|
| I imagine my odds of being in an accident in which 25 years of
| crash safety advancements help are higher than being hacked.
|
| (and for the inevitable flood of "But the A pillars are
| bigger" comments, if you're safety conscious you can still
| get cars with reasonably sized A pillars. A few years ago
| Honda specifically called out smaller, further recessed, A
| pillars for visibility in the Accord redesign)
| jacquesm wrote:
| I'm fine. But I was almost in _two_ crashes with a very new
| model car on account of buggy software. And the chances of
| that are higher than being hacked. Considerably higher.
|
| The best way to avoid crashes is to drive less, which is
| what I'm also doing and why I expect this car to last the
| rest of my life (and probably well beyond, the way I'm
| maintaining it). It's my daily driver because that's what I
| would be driving if I were to drive on any given day but
| I'm actually quite surprised to find out that I spent more
| last year on insurance than on fuel.
| Gordonjcp wrote:
| I have a couple of late-90s Range Rovers. They're pretty secure
| from hacking, having nothing more sophisticated than an FM
| stereo on board.
| [deleted]
| iinnPP wrote:
| With inequality on the rise, I would expect hats to start
| darkening at increased rates.
|
| I've personally sworn off any more responsible disclosures to
| companies not paying at least $1,000/hr (USD) in rewards or
| without clearly good intentions. I am not bending over
| backwards to find it either. Any shenanigans is instant
| disclosure and shenanigans exposure.
|
| I'm about to be homeless and know of exploits currently working
| at 20-billion-dollar companies. They can't even bother
| responding to emails...
|
| There's a point where one has to focus on needs. Morality I
| want, food I need.
| jacquesm wrote:
| > Morality I want, food I need.
|
| Yes, but jail food isn't all that it's cracked up to be and
| if you are able to get that kind of work done then your
| choice isn't $1000/hour for undisclosed vulnerabilities or
| starving, the viable alternative is just to get a job.
|
| With those skills you are 10x as employable as most people
| that are currently jobless. At least.
| iinnPP wrote:
| Prison food is okay, depends where you go and how you
| handle yourself. Low security prison is just adult daycare,
| which is where a hacker will end up. Hacker knowledge is
| highly appreciated in prison.
|
| I should mention that I don't intend to release or sell
| anything harmful. I just recently experienced this issue
| and I came out on the right side(?). I can see someone
| coming out the other side too, too easily. My intent rather
| is to stop working for free. I will notice it, note it,
| eliminate my personal exposure, and ignore it. I would say
| that puts me somewhere between white and black.
|
| It's not easy (for me) to find employment. My last company
| was in automotive advertising (bankrupt) and I am aware of
| quite a few more problems than what you see in this
| disclosure. Though the listed brands are outside of my
| knowledge.
| j0hnyl wrote:
| This attitude isn't helping anyone, yourself included... but
| if you leaned into responsible disclosure you might find your
| way into a job that saves you from homelessness.
| bhargav wrote:
| Great finds. I always wondered how "White hat" hackers didn't
| land themselves in legal trouble while probing and toying around
| with systems like this. How do you ensure you won't be tracked
| down and legally charged?
| stefanoco wrote:
| Although all vulnerabilities affect cloud services and/or mobile
| apps (SaaS and similar areas), it looks like this eventually leads
| to closely interacting with the individual vehicles. Which raises
| questions about the recent UNECE cybersecurity regulations R155
| and R156 that the manufacturer of any new vehicle must take into
| account while submitting a new model for approval in Europe and
| other areas. Those regulations explicitly cover the vehicle
| itself and not connected cloud services. Should an urgent
| revision extend coverage?
| tambre wrote:
| From R155 4.3.1 "threats regarding back-end servers related to
| vehicles in the field" covers it? Of course the whole standard
| is still pretty focused on the on-vehicle side of things, but
| it certainly touches on it.
|
| Surprised to see these even mentioned on HN. I've read R155 as
| part of my job and am responsible for implementing it.
___________________________________________________________________
(page generated 2023-01-03 23:00 UTC)