I'm quite worried about the future of networked cars.
Same with computers, TVs, phones, IoT, routers etc.
I asked one of these companies about security, apparently the major governments insist by law on weak encryption and they only have to stand up to 15 minutes of hacking... Pretty terrible right?
I would beg to differ... I've got pretty extensive experience of both and can say for sure that there is a negligible difference between the two as far as productivity goes.
That view is against popular opinion, but the only thing that really makes a difference is the commitment and intelligence of the people on the team... not the development process.
Also.... agile development is a less-good fit with hardware development... and the embedded software that goes on the hardware has to fall in line with that.
I know agile and hardware don't go too well together and software of course is told by management to be more agile (because some manager heard it's great). The customer expects fixed incremental feature delivery (which they measure your performance on and scale your bonus with) and somehow as a software engineer you have to be agile in step with the waterfall process.
I think in general agile is better for software and waterfall is better for hardware - the problem is somehow they have to go together. It's not the best to say the least - often shipping with errors and bugs.
"Volkswagen Group IT consistently uses agile workstyles and intensive cooperation with universities, technology partners and Volkswagen Group departments to develop digital solutions."
Of course, cars do have a lot of legacy (not least because of inertia caused by regulatory processes) but I think they do a bit of what they say.
I guess this is a point people will argue for days, all I can say is I have been there. There is strong emphasis on incremental feature delivery with little risk management. It usually came down to engineers pulling magic wands from somewhere and soothing the software into a workable state.
Receivers for much more complicated modulation schemes have been built by amateurs for many decades, so I think in the case of analyzing the keyfobs' security SDRs were not a necessary tool.
But of course with the advent of cheap Rx and Tx capable SDRs the number of people able to decode (and transmit) all kinds of modulated signals in all kinds of frequency bands has exploded, and for example my ability to quickly change from running a cell tower to receiving satellite signals to decoding/analyzing/transmitting the keyfob radio waves and unlocking a car is only one "./configure ; make" away, once I have acquired a sufficiently advanced SDR. No need to build, solder, tune, debug an electronic circuit tediously custom built for one application.
It is like the vehicle industry is stuck in the 1990s. We've moved so far beyond that elsewhere, software designed to be updated, working WITH not AGAINST white hats, and having designs secure on paper first before you implement.
Vehicle manufacturers put convenience and speed ahead of solid security principles, and it is only going to get worse with more wireless connectivity making it into vehicles year upon year.
Don't look for the CFAA to be nerfed anytime soon, let's put it that way. The politicians will hit back at hacker culture with the only weapon they have.
I think for car manufacturers, they are limited to 128 bit encryption and cars only have to stand up to about 15 minutes of hacking - that last one isn't particularly well defined either.
Also, properly implemented 128-bit encryption is generally secure for 15 minutes or 15 days or probably years (the largest key I'm aware of having been cracked is 64-bit and that took a lot of computers a looong time).
It seems you're interested, I'll see if I can contact them and find out more. I know they mostly adhere to the Ford specs, so it might be worth a hunt through them. I honestly can't seem to find any of the security spec we were given online.
Even so, it's worth pointing out that the car companies have the private keys for flashing the vehicles themselves, all stored nicely in a massive database. The dealerships simply plug in a code to a computer and returned is a key to unlock. I know that they bend over backwards to any requests from Government agencies.
Also, the only difference in the software is usually just a language setting, something that's a few bits in the config file. Other than that, they are identical. So a hack for one Country is a hack for all - across multiple models and multiple years.
Stop trying to blame the government for corporations not doing due diligence.
If anything, the real failure is Government not enforcing agreeable security measures like NIST and ISO across all US Organizations.
> They just hire a bunch of hackers and make sure it stands up to 15 minutes.
Stands up to 15 minutes of what? Smashing the side window with a crowbar? Angle grinders through the driver side door? Who hires them? What sources do you have that say this? You seem very authoritative in this thread, yet have nothing to support your claims.
"Stands up to 15 minutes of what? Smashing the side window with a crowbar? Angle grinders through the driver side door?" - Exactly the point I was making. They just hire a random number of hackers (not random obviously, but probably not much research into what is truly sufficient either) and leave them alone with the system for a few days to see if they can do anything to it. If nothing happens they get a pass. It was literally a case of getting a tick in the right box.
"Who hires them? What sources do you have that say this?" - The place I work/ed.
I need to see if the specifications are public. I checked with an old colleague and they weren't sure if they published them - so they are now checking themselves. They agree that it was Government defined, but now I'm interested in finding out who else had to adhere to that.
I'm fairly sure that automotive security testing doesn't have an arbitrary limit on time of attack...
It was a few years back, but I think (not entirely sure) the requirement time aligned with the time it took to hack Bluetooth or something. I think there was a case about hacking car wheels that reported their tire pressure via Bluetooth and that was used as a time to be better than. Perhaps this story. I think they were using it to get people to pull over and hijack their vehicle.
But that could be wrong, I just remember there was some discussion about that around the time we were talking about the security requirements. That's the best I can do.
Security assessments are usually measured in days or weeks, or for large projects months.
If I remember rightly they test the CAN and all wireless signals. I think one of the things they were worried about is an owner re-flashing the on-board software and selling on the car as it might still be under warranty.
But of course now that the vehicles are both online and moving towards self-driving, the threat space is completely changing. I think we're approaching the days where a computer virus actually takes lives.
"from 10 years as a security consultant..." Out of interest what area do you consult in?
It's easy to get a replacement key, but you need VW to program it. Hopefully that process becomes public.
You'll just need the contents of the 95040 EEPROM on your ECU - you can dump it from the OBD2 port with various tools.
My model (2013 Polo Vivo Blueline) came with one electronic key/remote, and one mechanical key. So I can buy another electronic key, but I can't use the remote without VW programming it.
That's because as of today, not having security in this domain hasn't bitten anyone hard enough, ever.
Just think about it. At least I haven't heard that despite all these car key hacks any significant number of people would've had their cars and/or belongings stolen. Nor have I heard that any one car manufacturer's sales have significantly plummeted because their cars "can be hacked".
After that, it's just pure economics. As of now, the ROI for implementing good security in cars (or anything IoT for that matter) just doesn't pay itself back. At all.
Now, I'd like for the car makers to actually do something before chaos-by-hacked-cars ensues as much as anyone and people have to actually die. But it won't happen before the incentive is there. This is one place where government regulation really, really should come into play. There should already be laws for massive fines plus complete obligations to fix every security and safety related bug in all cars sold. Sound too hard on the makers? I don't think so, just look at the mechanical side of the cars: call-backs to fix those are happening all the time, because everyone understands that you can't drive a car which may hit you with an airbag at 60 mph. Or have a broken airbag system.
Security costs money.
The Blaster worm woke up a lot of people to the very real problem of security vulnerabilities: https://en.wikipedia.org/wiki/Blaster_(computer_worm)
In fact, the attack used in this whitepaper would've likely been thwarted had VW used a secure hardware device analogous to the iPhone's secure enclave.
Maybe it would be cool to try and implement a round robin for posts. So the new posts are shown to small distributions each - if they gain traction then they become more likely to appear in other's feeds? Maybe a person's feed would be a third new posts, two thirds round robin winners? Just an idea.
I hate to think how much good material is missed because nobody sees it.
HN karma might be 'meaningless internet points', but as long as some functionality, like the downvoting the GP complains of, is gated by karma levels, it's definitely not worthless.