
·
Premium Member
Joined
·
3,975 Posts
Discussion Starter · #1 · (Edited)
Cars are apparently getting more hackable. Even though our federal government is trying to pass legislation to prevent this (definition of a fat chance), don't hold your breath (or your hand over your A$$) waiting for it. I would have posted the PC Magazine article, but it keeps crashing my computer, so here's another one with the same information.

Hack of connected car raises alarm over driver safety
 

·
Premium Member
Joined
·
759 Posts
It's all done through the XM/OnStar radio waves. All they did was use the same techniques that currently affect airplanes' ADS-B communications. Only way the car manufacturers are going to get around this is to switch to a wide band and constantly jump frequencies. They could add in symmetric encryption and embed the keys into the car, which prevents man-in-the-middle attacks. This only works if Chevy doesn't get hacked and the keys are taken; that adds a whole new method of unlocking cars and stealing them from the press of a button on any cell phone/tablet/laptop.
 

·
Premium Member
Joined
·
25,596 Posts
It's all done through the XM/OnStar radio waves. All they did was use the same techniques that currently affect airplanes' ADS-B communications. Only way the car manufacturers are going to get around this is to switch to a wide band and constantly jump frequencies. They could add in symmetric encryption and embed the keys into the car, which prevents man-in-the-middle attacks. This only works if Chevy doesn't get hacked and the keys are taken; that adds a whole new method of unlocking cars and stealing them from the press of a button on any cell phone/tablet/laptop.
No need to use symmetric encryption. We have the techniques to create two-way secure connections that are basically unhackable. These include using TLS 1.2 or newer encryption, Perfect Forward Secrecy to create the secure connections, and extremely long (> 8192 bit) keys to prevent brute forcing. If the secure connections are recreated every single time the car starts we could use shorter keys (> 4096 bit) and still be safe. Two major stumbling blocks to doing this. First, governments will do everything they can to block this technology from being commercialized. Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.
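The TLS 1.2-or-newer plus forward secrecy setup named in the post above, as an added example that is not part of the original thread: a Python `ssl` client context restricted to ephemeral key exchange, with a check that no enabled suite lacks forward secrecy. The function names and the cipher string are this example's own choices, and the static-RSA suite name is a constructed sample.

```python
import ssl

# OpenSSL TLS 1.2 suite names starting with these prefixes use an
# ephemeral (forward-secret) Diffie-Hellman key exchange.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(name: str, protocol: str) -> bool:
    """True if a cipher suite gives forward secrecy.

    TLS 1.3 full handshakes always use an ephemeral (EC)DHE exchange;
    for TLS 1.2 the OpenSSL suite name must start with ECDHE- or DHE-.
    """
    if protocol == "TLSv1.3":
        return True
    return name.startswith(EPHEMERAL_PREFIXES)


def build_pfs_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 or newer, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()              # cert chain + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse TLS 1.1 and older
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # restricts the TLS 1.2 suites
    return ctx


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that would NOT give forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]


if __name__ == "__main__":
    ctx = build_pfs_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("suites without forward secrecy:", non_forward_secret_suites(ctx))
    # Constructed sample: a static-RSA suite name, for contrast.
    print("AES256-GCM-SHA384 forward secret?",
          is_forward_secret("AES256-GCM-SHA384", "TLSv1.2"))
```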
 

·
Premium Member
Joined
·
8,003 Posts
Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.
QFT. Car manufacturers are loath to do updates unless they absolutely have to.

As for the Jeep, it appears the Uconnect uses a public IP (or at least a network IP that one only has to be on the same network). And apparently there's no firewall or good authentication between it and the big, bad internet.

I'm not sure how OnStar works, if it's IP based or not. The owners of the 2016 might have to worry since it has a hotspot, but I think the 2011-2014 are less "connected". If worst comes to worse, I'll just unplug the OnStar antenna.
 

·
Premium Member
Joined
·
3,975 Posts
Discussion Starter · #5 ·
If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.
 

·
Moderator
Joined
·
10,712 Posts
There was a video of a guy hacking into a last gen Impala through OnStar on ABC or CNN or something like that when we made a thread like this 6 months to a year ago. Since then you have cars that have adaptive cruise control, crash avoidance braking, pedestrian mode (if equipped, LOL!) and self park. At what point will they just let us use OnStar to put in the directions, sit back, and not drive at all?

If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.
Making back up cameras law is already gonna cost us. Not saying we shouldn't have them, just saying they will just throw random packages into the mix making it standard so you can't order without like Pioneer and sunroof.
 

·
Premium Member
Joined
·
25,596 Posts
If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.
Everything I described is available today on commodity hardware. The reason PCs are broken into so often isn't the underlying security of the OS, it's applications that were written for a less hostile environment.
 

·
Resident Forum Drunkard
Joined
·
9,273 Posts
There was a video of a guy hacking into a last gen Impala through OnStar on ABC or CNN or something like that when we made a thread like this 6 months to a year ago. Since then you have cars that have adaptive cruise control, crash avoidance braking, pedestrian mode (if equipped, LOL!) and self park. At what point will they just let us use OnStar to put in the directions, sit back, and not drive at all?

Making back up cameras law is already gonna cost us. Not saying we shouldn't have them, just saying they will just throw random packages into the mix making it standard so you can't order without like Pioneer and sunroof.
The Google car got rear ended again.
 

·
Premium Member
Joined
·
25,596 Posts
The Google car got rear ended again.
That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is? After looking into security vulnerabilities for last year I don't think I would trust Google to write a secure car. Chrome had 504 reported vulnerabilities, IE 289, and FF 171. Java and Flash rounded out the top five. (Information Security, Software and Alerts - Secunia)
 

·
Banned
Joined
·
10,296 Posts
No need to use symmetric encryption. We have the techniques to create two-way secure connections that are basically unhackable. These include using TLS 1.2 or newer encryption, Perfect Forward Secrecy to create the secure connections, and extremely long (> 8192 bit) keys to prevent brute forcing. If the secure connections are recreated every single time the car starts we could use shorter keys (> 4096 bit) and still be safe. Two major stumbling blocks to doing this. First, governments will do everything they can to block this technology from being commercialized. Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.
So why isn't United Airlines using this, or other governmental agencies?
 

·
Premium Member
Joined
·
25,596 Posts
So why isn't United Airlines using this, or other governmental agencies?
I'm not sure UA is even encrypting the traffic between the ground and their aircraft. As for the government...
 

·
Premium Member
Joined
·
8,003 Posts
That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is?
There are a number of cars and collectively they rack up a lot more miles than normal users. Maybe they're just driving in the stupid part of town.
 

·
Premium Member
Joined
·
25,596 Posts
Maybe they're just driving in the stupid part of town.
You mean just about any good sized US city? :) I do find it interesting that all the accidents with self driving cars have been the fault of the other driver.
 

·
Resident Forum Drunkard
Joined
·
9,273 Posts
That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is? After looking into security vulnerabilities for last year I don't think I would trust Google to write a secure car. Chrome had 504 reported vulnerabilities, IE 289, and FF 171. Java and Flash rounded out the top five. (Information Security, Software and Alerts - Secunia)
These vulnerabilities are a fact that there are too many unemployed hackers that have too much time to do what they are good at and have chosen Google as a target. 1 target is as good as any...

Google is after all monopolising many markets, including and not to be overlooked the buyout of Motorola here in Schaumburg, IL.

That whole R&D has transferred to San Jose, CA... Copy Rights...
 

·
Resident Forum Drunkard
Joined
·
9,273 Posts
So why isn't United Airlines using this, or other governmental agencies?
As well as you may know already, Nick, United Airlines is implementing their own satellites for communication purposes and has taken a proactive approach to these and any known threats to its communication systems... We know this because they have already stated that we will be getting cell phone services aboard any of their flights...
 

·
Premium Member
Joined
·
759 Posts
So why isn't United Airlines using this, or other governmental agencies?
Right now everyone is using radar and ADS-B together; the only thing right now enabled on ADS-B is the ability to tell other aircraft around you there's traffic. So when you come within say 1-3 miles of a plane, ADS-B says "traffic....traffic....traffic"... I will not go over all the capabilities of ADS-B because I would type a book on it (which I have done already hahaha). ADS-B can be spoofed or jammed easily through GPS and its actual signal. Right now, since ADS-B is not in its fully functional state, pilots pick up a "secret key", enter this frequency into the radio, establish connections and fly away until the second you're over water or open land with no towers; the airliners revert to the manual for a one in one out "box" over the area without communications. Everything right now is pretty much VFR and radar. I will post a video below explaining these vulnerabilities that can be used on anything via radio frequencies. Ohh, and to add to this, to show you how scary it can be, I have a small antenna hooked up to my computer and a little program that shows me any airplane flying within 300 miles of my house. I know tail numbers, speed, altitude, where it's going and where it came from etc. These are the unprotected info sent, but if I were to hack into the signal (if I had the pilot's secret key) I can fly the plane with an Xbox controller wherever I wanted hahahahaha oh it's so bad lol. Ohhh, to add to this, I can also inject other planes around the airliner thinking he is surrounded by planes, essentially making him crash. Ok ok, I need to stop lol

Watch the whole thing or click on 40:00 mins in... this is where he hacks into the plane's ADS-B system

https://www.youtube.com/watch?v=CXv1j3GbgLk
 
