
Hacking industrial vehicles from the internet - akavel
http://jcarlosnorte.com/security/2016/03/06/hacking-tachographs-from-the-internets.html
======
Vintila
At least their product page doesn't have some marketing wank about their
security. In fact it has no mention of security whatsoever, which is apt
because it doesn't seem to have any!

~~~
mirimir
There's nothing "new" at
[http://www.mobile-devices.com/news-and-prs/](http://www.mobile-devices.com/news-and-prs/), either.

------
tt44
Is it really even considered hacking if there is no security at all?

~~~
brokenWindows
The knee-jerk, canned response from most parties erring on the side of Law &
Order claims:

    
    
      Even if the door is left wide open, crossing the threshold 
      is still trespassing, if you don't belong on the property.
    

This is why burglars are typically charged with breaking _AND_ entering.

Unlawful entry is still a crime one can commit, without breaking open, or
otherwise circumventing pro-active security measures.

When it comes to the idea of "hacking" we often find our words fail to
describe activities with precision.

The nuanced distinction some tend to draw between "hacking" and "cracking" is
mostly relegated to specialized jargon, community slang, and pedantry. Laymen
often do not distinguish between the two.

~~~
erikpukinskis
I can't find any reference to "unlawful entry" in the law books. There is a
Kurt Russell film by that name though.

Trespassing is an actual crime, but it does not fit your description, at least
in California. Here, you must have an intent to interfere with the owner's
property for it to be considered trespassing. If I enter your open door
because I want to invite you to a party, or use your restroom, or hang out
with your cats and play video games until you come home I have not committed
any crime. Well maybe you could get me for stealing water and electricity, but
the entry is not a crime.

"Breaking and entering" is also not a crime in California. However, if you
actually steal something that is burglary, which is a crime, and does not
require forced entry.

~~~
mkagenius
Or if you heard a baby crying inside and the door is unlocked.

------
andrewchambers
I think the companies that make this junk need to be held accountable or else
it will keep happening.

~~~
majcherek128
No! It's the companies who buy and USE this crap, even when they are
configuring the devices and see that they cannot protect them, that need to
be held accountable.

It's like buying a bus with broken brakes, and still using it as public
transportation. Nothing wrong with buying the bus.

~~~
andrewchambers
It's like a company selling a bus with broken brakes, not telling the customer
it is broken and then the customer either knowingly or unknowingly uses it
after working that out for themselves.

------
jacquesm
Is this supposed to be a poster example of irresponsible disclosure?

~~~
wepple
I'd hazard a guess that unless the vendor can provide over-the-air updates and
every system which plugs into these telematics units can also be easily
upgradeable to incorporate the new added auth functionality, it might be
better just to make everyone aware of the issue?

Ultimately this blog post doesn't describe any rocket science at all: anyone
wanting to cause trouble on the internet is well aware of Shodanning for
exposed ICS systems that fail to even implement authentication.

~~~
jacquesm
I'd be pretty wary of pushing information like this out in the open without
first making sure the vendor had time to alert their customers that this is
about to hit the streets. Who knows what kind of vehicles we're talking about
and under what conditions they operate. Of course it isn't rocket science, but
that doesn't mean you need to advance your stature in the security community
by blindsiding some manufacturer on Sunday evening.

Anyway, call me old-fashioned, I don't think this is the way it should be
done.

FWIW I'm aware of a SCADA system that is widely deployed that is just about as
secure as this system here and I'd be the last person on the planet to publish
the details of it because I know for a fact that it is used to control HVAC
equipment and other building infrastructure in hospitals and prisons. These
things are not toys and being aware of them does not actually allow you to
play god. (In that particular case as far as I know the systems are so old
that fixing them with an update is not even an option).

~~~
chatmasta
Would it be "ethical hacking" to DDOS any website hosting or linking to this
article?

~~~
IncRnd
Are you unsure of the answer?

~~~
chatmasta
It's a thought question.

If irresponsibly releasing a vulnerability puts people in real danger, is it
worth it to suppress the release of that vulnerability?

------
miahi
There is a way to secure this kind of device. The mobile data providers can
offer VPN services for customer devices, so they could be "hidden" from the
Internet at the network level, without changing their configuration.

------
nekinie
This is reckless for the manufacturers and operators involved; the manner this
information was released was also reckless. Poor show all round.

------
wereHamster
> I.P. address

That's a novel way to abbreviate _Internet Protocol address_.

~~~
niij
I'll bite. What's the problem with his abbreviation?

~~~
wereHamster
Did I say there was a problem? I just said novel. As in: From Old French novel
(“new, fresh, recent, recently made or done, strange, rare”) (modern nouvel),
from Latin novellus (“new, fresh, young, modern”), diminutive of novus
(“new”).

More towards the meaning of strange, rare rather than young, modern. Google
automatically corrects "I.P. address" to "IP address", so I can't easily say
how much more widespread the second spelling is. But I bet it is a lot more.

------
31reasons
Just like the FDA, we need a public or private organization that certifies all IoT
devices for their internet security level.

