
Hacker Finds He Can Remotely Kill Car Engines After Breaking into GPS Tracking - LinuxBender
https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps
======
cdtwoaway
Not surprised. I built automotive test benches for some time. The moment you
have something that can remote-access the CAN-bus, you have a problem.

There are typically only a few busses in a car. In many cases, there is a LIN
bus for entertainment / radio / lights etc that is physically separated from
the main CAN bus. This one is mostly harmless.

But if you can somehow talk to the main bus... There are like 5 critical ECUs
that have to communicate "I'm OK" (engine, brakes etc) - otherwise nothing
works. Those communicate with some minor encryption, and that communication is
somewhat validated (they send counters to each other etc). But it doesn't
matter. First of all, the protocols and databases are similar for different
models, and known to A LOT of people who had jobs similar to mine. In order to
test or build any ECU, you have to simulate the correct communication,
otherwise the ECU won't start up.. Second, just sending nonsense with the
right identifier could probably shut down the car or at least make it think
there is a major problem. Third, there are messages that simulate power-
cycling the bus..

~~~
nwmcsween
Hey that's interesting, most of these devices IIRC work via the OBD port with
an additional cutoff wiring. I haven't looked but I'm assuming the OBD port is
somewhat restricted?

~~~
quake
Really depends on the vehicle. Some will have broadcast traffic that is easier
to spoof, and ride on CAN addresses that aren't reserved for OBD. OBD quite
often rides on the main CAN network, and without a gateway any ECU can be
queried. The secondary CAN network (if the vehicle has one) is also on the OBD
plug but on different pins.

~~~
cdtwoaway
Yip. And if you can query any ECU, and know what you are doing/have more
information on the system, you can get higher level security access (and that
information is, again, not THAT hard to find). This allows you to call
functions that modify the parameters and probably restart it as well..

~~~
quake
Precisely. It's also interesting to see what you can do with vehicles where
the broadcast traffic 'leaks' out the OBD port. A lot of makes use the same
ECU across models for common parts.

------
tananaev
There is surprisingly little security when it comes to GPS tracking. Just a
couple of examples:

- Majority of GPS tracking devices use un-encrypted TCP or UDP connection to
send location and sensor data

- There is also no authentication for devices; you can spoof data if you know
device identifier (usually IMEI)

Source: working on an open source GPS tracking solution for almost 10 years

------
babuskov
> By reverse engineering ProTrack and iTrack’s Android apps, L&M said he
> realized that all customers are given a default password of 123456 when they
> sign up.

Pretty much sums it up.

~~~
cozzyd
Slightly more secure than the password on my luggage!

------
gcb0
people in this thread have a crazy assumption of in-car network security.

leave this thread with one single knowledge: cars have a single canbus
network, with zero security. your radio, turn signal, engine intake computer,
are all talking in the open _over a single data wire_.

anything you plug to that network can listen /talk to anything, and instead of
security you have a priority bit (or a few of bits, don't remember) that is
completely self regulated by each device.

~~~
Too
Single network? All manufacturers I've worked with in recent times have tons of
internal networks and buses. Some are more isolated than others, eg connected
infotainment and OBD often being behind some kind of secure gateway to not
have direct access to engine network. If anyone is aware of manufacturers that
don't do this please shout out.

But yeah, otherwise the data buses are kind of assumed to be internal and only
contain trusted input, only recently some cars are now also starting to have
cryptographically signed packets. It's really not such a big deal until you
mix connected ecus with secure ecus or install cheap third party stuff
yourself on same network, if someone could physically access the data bus
there are other more dangerous things they could do anyway.

~~~
Piskvorrr
In other words, the 1990s called, with "everything is now network-exposed,
surely it's all secured by something more than wishful thinking. Right?"

------
fareesh
If an accident took place as a result of something like this would there be
any way of finding out during an investigation?

~~~
freeflight
Really depends on how thorough the investigation is/what hardware survives
the crash.

Depending on the surrounding circumstances of the incident, it would probably
not even be considered a possibility because fatal car crashes are so common
that "just another accident" is the most probable, and thus most usual answer.

That's also the reason why Michael Hastings' death is so controversial to this
day [0].

[0] https://en.wikipedia.org/wiki/Michael_Hastings_(journalist)

~~~
paulkon
Do cars have something equivalent to an airplane black box?

~~~
cdtwoaway
Nope. ECUs have something called a "fault memory" where the last n detected
errors are stored, and that can be recovered. This is actually what workshops
use for diagnosing a car.

This can give lots of information about what happened (faults could be "didn't
receive message xyz" "sensor xyz gave signal out of tolerance"). But there is
definitely no system trace for the communication - too many messages to really
store them I guess.

------
joshe
Just want to confirm that vehicle security is a trash fire.

The CAN bus [1] has no security, you just put packets on it and read packets
off it. Like "tell me the speedometer reading" or "activate the brakes" and
CAN bus does it. You and I might think, gosh those are radically different
things. Well the CAN bus disagrees.

Did I mention that there is no encryption? There isn't. To the CAN bus, the
packets from the GPS tracker that say "tell me the speedometer reading" and
the packets from the manufacturer created by pressing the brake are treated
with the same authority.

Does vehicle electronics firmware use a weird 20 year old non ANSI version of
C? Well of course it does. Does it require signed firmware? Hah!

Do most vehicle electronics suppliers not have the top quality security people
they need? They do not. Do they have management support for making security
conscious decisions? They don't.

Anything that can put packets on the CAN bus can completely control the car.
So anything that connects to the CAN bus, through bluetooth, wifi, cell
service, or a plug needs to be completely secure.

I'm a little distrustful of On Star and the like, because I don't think GM is
security conscious enough to manage it perfectly. I'd be very distrustful of a
company that let you keep a default password for your GPS tracker. Instead
purchase the GPS tracker that does NOT read info about the vehicle, the only
plug should be for power.

Here's a story about hacking Chrysler's Uconnect, with good details.

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

If you are writing software/firmware that will control a vehicle, you should
hard code the packets it can write and never include dangerous ones. Even
though it might seem cool to be able to "stop the vehicle" in an "emergency".
If you want to use dangerous commands, you need to level up your security org
to google/facebook levels. If you are talking to management that means
spending $50 million a year just on security.

These are not attacks that require state level NSA/Chinese/Russian attackers.
This is well within the reach of an advanced individual. It is very lucky
indeed that there is no monetary or other advantage to this, if actuating
brakes in cars produced social security numbers we'd have hundreds of excess
deaths a year.

[1] https://en.wikipedia.org/wiki/CAN_bus
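
Added example, not part of the original comment and not code from any tracker vendor: one way to apply the "hard code the packets it can write" advice above is a compiled-in transmit allow-list that every outgoing frame must match byte for byte. The struct, function names, driver stub and the two permitted OBD-II read requests are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic CAN frame: 11-bit ID, up to 8 data bytes. */
struct can_frame_min { uint16_t id; uint8_t dlc; uint8_t data[8]; };

/* Compiled-in, read-only allow-list: exact ID, length and payload.
 * 0x7DF is the OBD-II functional request ID and service 0x01 is
 * "show current data"; the 0x00 padding is an assumption. Nothing
 * here writes parameters, resets an ECU or requests security access. */
static const struct can_frame_min TX_ALLOW[] = {
    { 0x7DF, 8, { 0x02, 0x01, 0x0D, 0, 0, 0, 0, 0 } }, /* vehicle speed */
    { 0x7DF, 8, { 0x02, 0x01, 0x0C, 0, 0, 0, 0, 0 } }, /* engine RPM    */
};

/* True only if the frame is byte-for-byte identical to an entry. */
bool tx_permitted(const struct can_frame_min *f)
{
    if (f == NULL || f->dlc > 8)
        return false;
    for (size_t i = 0; i < sizeof TX_ALLOW / sizeof TX_ALLOW[0]; i++) {
        const struct can_frame_min *r = &TX_ALLOW[i];
        if (f->id == r->id && f->dlc == r->dlc &&
            memcmp(f->data, r->data, r->dlc) == 0)
            return true;
    }
    return false;
}

/* Constructed stand-in for the CAN controller driver (hypothetical). */
static int frames_on_bus;
static int stub_hw_send(const struct can_frame_min *f) { (void)f; frames_on_bus++; return 0; }

/* The only path to the bus: returns -1 without transmitting when the
 * frame is not on the list (fail closed). */
int gated_send(const struct can_frame_min *f)
{
    return tx_permitted(f) ? stub_hw_send(f) : -1;
}

int main(void)
{
    /* Constructed frames: a listed speed query, and one with an unlisted service byte. */
    struct can_frame_min ok  = { 0x7DF, 8, { 0x02, 0x01, 0x0D } };
    struct can_frame_min bad = { 0x7DF, 8, { 0x02, 0x11, 0x01 } };
    printf("listed: %d, unlisted: %d\n", gated_send(&ok), gated_send(&bad));
    return 0;
}
```

Because the list is `const` data and the match is exact, a compromised cloud account or app command can at most trigger one of the listed read requests; adding a new frame requires a firmware change.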

~~~
cdtwoaway
Yeah, firmware is another issue. You read and flash firmware or parameters
often directly over that CAN bus. There is nothing to validate that, for one
manufacturer, I needed passwords (casually handed out to every supplier, the
same for every unit), for one, the "encryption" was a XOR with the same number
that had been used for every model for years. I didn't know why they even
bothered. One of the manufacturers at least stopped you from flashing new
software to an ECU more than 3 times.

Did I mention that we had incredibly high fluctuation (at least production
line test benches - brutal deadlines and 2am deployments, working in loud
production halls, lots of travel, no technical innovation,..). We basically
hired anyone who was alive and somewhat skilled. I don't think anybody ever
talked to me about security - ever.

What these articles are showing, is amateurs' work. I'm terrified by the idea
of what a disgruntled / crazy / .. person with experience in the field could
do.

------
cjohansson
Sounds like another ’Boeing software bug’ is likely to hit the smart cars
business.

From working with military computer security I know that nothing directly
connected to the Internet should be considered safe. Sounds like a bad design
decision

------
neuralRiot
If the device is correctly installed it should not kill the engine but prevent
it from starting, just like smart keys.

~~~
wpearse
Correct; usually the installer instructions will say to wire the hardware so
it disables the starter motor. This means that the engine won’t stop, but
rather be prevented from starting.

Some of the cheaper (AliExpress) hardware installation instructions say that
the relay should be wired to the fuel pump.

I wonder if the starter vs. fuel pump is a regional difference? Perhaps in
countries where vehicle theft is more prevalent/violent installers would lean
towards cutting the fuel pump?

~~~
sokoloff
On a car with a manual transmission, killing the starter doesn't do much as
you can bump start the car (get the engine spinning by driving the engine via
the transmission rather than the starter).

------
Causality1
Unless my car can drive itself, I will always disconnect any of this "IoT writ
large" bullshit. I have my phone for navigation. My car does not need a
cellular transceiver or a GPS antenna and I will happily rip both of them out
by the wires.

~~~
wallace_f
You can only go so far with it. Fundamentally it scares me that I no longer
have a mechanical connection between myself and the brakes, or other
drivetrain components.

~~~
jimktrains2
You should be able to pump the brakes with a pedal in the case of a power
braking failure. That doesn't mean the car can engage the brake via other
means.

What gets me is electronic parking brakes, as that feels like it goes against
the whole purpose of the parking brake.

~~~
wallace_f
https://en.m.wikipedia.org/wiki/Brake-by-wire

------
2T1Qka0rEiPr
Vaguely related, and would recommend:
https://www.goodreads.com/book/show/40718386-the-passengers

------
rossdavidh
Well, what a complete and total surprise that adding this kind of
functionality to an automobile would result in it being so insecure that it
can be hacked into.

~~~
robertAngst
Because a GPS signal gives coordinates to your navigation screen.

Your radio has 0 control over an Engine. Or at least, shouldn't.

Source: Connected Car is my day job.

~~~
hedora
You’re completely wrong.

First of all, many manufacturers market remote engine kill as a subscription
service.

Second, many cars use CAN busses and connect the radio to it. That makes it
very easy for the radio to interfere with crucial functions, like braking.

The CAN bus uses realtime time multiplexing for congestion control, so it is
very easy to target traffic from a particular device subsystem, even
accidentally.

Sources: search for “can bus vulnerabilities”. Also, a ~2012 GMC I used to own
had a bug in the radio firmware that caused the ABS system to stay on when the
engine was off, which ran down the battery overnight.

On my current Dodge, there is a recall where the head unit firmware leads to
confusing semantics around “park” on the transmission, and a separate firmware
update where it refuses to disengage cruise control.

On recent Ford mustangs, the radio can display all sorts of engine statistics,
and tune the engine in real time.

European luxury cars are even more integrated on this front, and have sport
modes where the radio changes the response curves for the engine, steering,
transmission and suspension.

The first generation Prius had the engine control computer physically inside
the radio.

That covers the major car manufacturers across three continents.

~~~
jacquesm
> and a separate firmware update where it refuses to disengage cruise control.

Wow, that's a bad one.

------
ccnafr
Wasn't this article debunked as fake?

~~~
nstart
I tried searching for keywords on Google and Twitter and couldn't find
anything to suggest this was the case. Do you have a source that you can
suggest for this?

