There are typically only a few busses in a car. In many cases, there is a LIN bus for entertainment / radio / lights etc that is physically separated from the main CAN bus. This one is mostly harmless.
But if you can somehow talk to the main bus... There are like 5 critical ECUs that have to communicate "I'm OK" (engine, brakes etc) - otherwise nothing works. Those communicate with some minor encryption, and that communication is somewhat validated (they send counters to each other etc).
But it doesn't matter. First of all, the protocols and databases are similar for different models, and known to A LOT of people who had jobs similar to mine. In order to test or build any ECU, you have to simulate the correct communication, otherwise the ECU won't start up. Second, just sending nonsense with the right identifier could probably shut down the car or at least make it think there is a major problem. Third, there are messages that simulate power-cycling the bus.
Why, exactly, do people think it's a good idea to connect cars' engines to the internet? If something is exposed to hostile input, it will eventually be hacked, and if there are 100,000 identical things out there, they will all be hacked at once. Unfortunately, I think it will take something like all Teslas accelerating uncontrollably off the road, because some teenager was bored, for people to get it.
As hybrid and electrics take root, mileage and location based metering/taxation will become a major revenue source.
Transponder systems like EZPass have a business model too expensive to scale.
Well, messing with this bus (audio volume, blinking displays, etc.) could be disruptive as well, but not as critical as killing the engine.
Was introduced as a cheaper alternative to CAN, and to be used for non-critical aspects of cars (intended). Though seat controls are listed as a common use for it. Which with some occupants and cars with the seatbelt - would enable the seat to pull the driver away from the controls. So whilst not directly deemed critical - certainly a vector of concern in some permutations of seat/driver position (thinking large 4x4s driven by small people who end up having the seat fully forward and raised, as an example).
My initial concern was the main lights, though as you cleared that up to just internal lighting - that again could prove a problem, as on dark roads a sudden change in internal lighting would, from internal glare, reduce visibility.
Biggest take away is that the LIN bus has no form of encryption and the only verification would be checksums upon the data packet.
I'm sure we will read more about LIN over the years, as the ability for car makers to cut corners is not unheard of, and as LIN is cheaper to implement than CAN, I can see how that may well play out.
Combine seat adjustment with GPS position reporting and you could devise a way to make a targeted person lose control, without taking control of "critical" systems, exactly as they're crossing a bridge.
Suddenly I feel the urge to Faraday-cage my car.
But you could also design your hardware to be able to write messages on the CAN bus and/or be able to take the bus down.
Such a device would be dead easy to build even for someone who has almost no experience in electronics.
- Majority of GPS tracking devices use an unencrypted TCP or UDP connection to send location and sensor data
- There is also no authentication for devices; you can spoof data if you know the device identifier (usually IMEI)
Source: working on an open source GPS tracking solution for almost 10 years
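The two points above describe the trust model on the backend side: a report is believed because it names a known identifier. As an added example (not code from the thread or from any tracking project), the block below contrasts that identifier-only acceptance with a receiver that requires a per-device HMAC over the whole report, a fresh timestamp and no reuse of a timestamp already seen. The report format, the IMEI, the keys and the fixed clock are all constructed for the example; they are not any real tracker protocol.

```python
"""Two ways a tracking backend can decide whether to trust a position report:
by device identifier alone (the model described above) or with a per-device
HMAC plus a freshness window. Report format, IMEI, keys and clock are
constructed for this example and are not any real tracker protocol."""
import hmac
import hashlib

# Constructed per-device shared secrets keyed by IMEI (placeholder values).
DEVICE_KEYS = {"356938035643809": b"constructed-device-key-1"}
MAX_SKEW_SECONDS = 120
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def accept_by_identifier(line: str, known_imeis) -> bool:
    """Weak model: any report that names a known IMEI is accepted."""
    return line.split(",")[0] in known_imeis


def compute_mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def build_report(key: bytes, imei: str, lat: str, lon: str, speed: str, ts: int) -> str:
    """What a legitimate device sends: 'IMEI,lat,lon,speed,ts,mac' (constructed format)."""
    payload = f"{imei},{lat},{lon},{speed},{ts}"
    return payload + "," + compute_mac(key, payload)


class AuthenticatedReceiver:
    """Hardened model: verify the MAC over the whole payload with the device's
    key, require a timestamp within the skew window, and reject a timestamp
    that is not newer than the last accepted one (replay)."""

    def __init__(self, keys, now=lambda: NOW):
        self.keys = keys
        self.now = now
        self.last_ts = {}

    def accept(self, line: str) -> bool:
        fields = line.strip().split(",")
        if len(fields) != 6:
            return False
        imei, ts_str, mac = fields[0], fields[4], fields[5]
        key = self.keys.get(imei)
        if key is None or not ts_str.isdigit():
            return False
        payload = ",".join(fields[:5])
        # Constant-time comparison so the MAC check itself leaks nothing.
        if not hmac.compare_digest(compute_mac(key, payload), mac):
            return False
        ts = int(ts_str)
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False
        if ts <= self.last_ts.get(imei, -1):
            return False
        self.last_ts[imei] = ts
        return True


def run_demo():
    """Feed constructed reports through both models and return the verdicts."""
    imei = "356938035643809"
    key = DEVICE_KEYS[imei]
    genuine = build_report(key, imei, "51.5074", "-0.1278", "12.0", NOW)
    # A report from someone who knows the IMEI but not the device key.
    spoof_payload = f"{imei},0.0000,0.0000,0.0,{NOW}"
    spoofed = spoof_payload + "," + compute_mac(b"wrong-key", spoof_payload)
    # A genuine report with the position changed in transit.
    tampered = genuine.replace("51.5074", "51.6000")
    # A genuine report captured an hour ago and resent.
    stale = build_report(key, imei, "51.5074", "-0.1278", "12.0", NOW - 3600)
    rx = AuthenticatedReceiver(DEVICE_KEYS)
    return {
        "weak_accepts_spoof": accept_by_identifier(spoofed, DEVICE_KEYS),
        "genuine": rx.accept(genuine),
        "replay": rx.accept(genuine),
        "spoofed": rx.accept(spoofed),
        "tampered": rx.accept(tampered),
        "stale": rx.accept(stale),
    }
```

The MAC is computed over the raw field strings rather than over parsed floats, so a device and the server never disagree on number formatting. A per-device key means a leaked identifier alone buys nothing; a real deployment would still need transport encryption for confidentiality, which the MAC does not provide.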
Pretty much sums it up.
leave this thread with one single piece of knowledge: cars have a single CAN bus network, with zero security. your radio, turn signal, engine intake computer, are all talking in the open over a single data wire.
anything you plug into that network can listen/talk to anything, and instead of security you have a priority bit (or a few bits, don't remember) that is completely self-regulated by each device.
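The "priority bits" mentioned here are the CAN arbitration field: every node compares identifiers bit by bit as it transmits, and the numerically lowest identifier keeps the bus. The counters the ECU engineer described earlier in the thread are the only consistency check most such messages carry. As an added example (not code from the thread or from any vehicle project), the block below parses candump-style log lines, shows which frame wins arbitration, and runs a monitor that flags a frame whose rolling counter or checksum does not follow the previous frame from the same identifier. The log lines, the identifiers 0x123 and 0x321, and the counter/checksum layout (4-bit counter in byte 6, XOR checksum in byte 7) are constructed for this example; real vehicles use manufacturer-specific layouts that are not on this page.

```python
"""Parser for candump-style log lines plus two checks a bus monitor can run:
which of several frames wins arbitration (lower identifier = higher priority,
the only 'priority' CAN offers), and whether the rolling counter and checksum
of a safety-relevant message are consistent with the previous frame from the
same identifier. Log lines, identifiers and the counter/checksum layout are
constructed for this example, not taken from any real vehicle."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Frame:
    ts: float
    can_id: int
    data: bytes


def parse_candump_line(line: str) -> Frame:
    """Parse a line in the format 'candump -l' writes: '(0.010000) can0 123#0102...'."""
    ts_part, _iface, payload = line.split()
    id_hex, _, data_hex = payload.partition("#")
    return Frame(float(ts_part.strip("()")), int(id_hex, 16), bytes.fromhex(data_hex))


def arbitration_winner(frames: List[Frame]) -> Frame:
    """Arbitration is bitwise on the identifier: a dominant 0 beats a recessive
    1, so whichever node transmits the numerically lowest ID keeps the bus."""
    return min(frames, key=lambda f: f.can_id)


def checksum(data: bytes) -> int:
    """Constructed layout: XOR of bytes 0..6, carried in byte 7."""
    c = 0
    for b in data[:7]:
        c ^= b
    return c


class RollingCounterMonitor:
    """Constructed layout: a 4-bit rolling counter in the low nibble of byte 6.
    A frame whose counter does not follow the previous one, or whose checksum
    is wrong, is flagged; that is how injected or corrupted frames show up."""

    def __init__(self, monitored_ids):
        self.monitored = set(monitored_ids)
        self.last_counter = {}
        self.alerts: List[Tuple[float, int, str]] = []

    def observe(self, frame: Frame) -> None:
        if frame.can_id not in self.monitored:
            return
        if len(frame.data) != 8:
            self.alerts.append((frame.ts, frame.can_id, "bad length"))
            return
        if checksum(frame.data) != frame.data[7]:
            self.alerts.append((frame.ts, frame.can_id, "bad checksum"))
            return
        counter = frame.data[6] & 0x0F
        prev = self.last_counter.get(frame.can_id)
        if prev is not None and counter != (prev + 1) % 16:
            self.alerts.append((frame.ts, frame.can_id, f"counter jump {prev}->{counter}"))
        self.last_counter[frame.can_id] = counter


# Constructed capture. ID 0x123 is the monitored message, ID 0x321 is not.
# Lines 1-3: counters 0, 1, 2 with valid checksums.
# Line 4: valid checksum but counter 9 (an out-of-sequence frame).
# Line 5: counter 3 with a wrong checksum byte (a corrupted frame).
SAMPLE_LOG = """\
(0.000000) can0 123#0102030405060007
(0.010000) can0 123#0102030405060106
(0.020000) can0 123#0102030405060205
(0.021000) can0 123#010203040506090E
(0.030000) can0 123#0102030405060300
(0.035000) can0 321#AA
"""


def run_demo():
    """Run the monitor over the sample capture; return its alerts and the ID
    that would win if the 0x123 and 0x321 nodes started in the same bit time."""
    frames = [parse_candump_line(ln) for ln in SAMPLE_LOG.splitlines()]
    monitor = RollingCounterMonitor([0x123])
    for f in frames:
        monitor.observe(f)
    winner = arbitration_winner([frames[2], frames[5]])
    return monitor.alerts, winner.can_id
```

A counter plus checksum makes accidental corruption and crude replay visible, which is what the monitor catches here; it is not authentication, since anyone who knows the layout can produce a frame that passes both checks. That gap is why the thread's later remarks about signed packets matter.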
But yeah, otherwise the data buses are kind of assumed to be internal and to only contain trusted input; only recently have some cars started to have cryptographically signed packets. It's really not such a big deal until you mix connected ECUs with secure ECUs or install cheap third-party stuff yourself on the same network. If someone could physically access the data bus, there are other more dangerous things they could do anyway.
the problem is not known systems failing. it's malicious actors that are also on the can network.
Depending on the surrounding circumstances of the incident, it would probably not even be considered a possibility because fatal car crashes are so common that "just another accident" is the most probable, and thus most usual answer.
That's also the reason why Michael Hastings' death is so controversial to this day.
This can give lots of information about what happened (faults could be "didn't receive message xyz" "sensor xyz gave signal out of tolerance").
But there is definitely no system trace for the communication - too many messages to really store them I guess.
The CAN bus has no security, you just put packets on it and read packets off it. Like "tell me the speedometer reading" or "activate the brakes" and CAN bus does it. You and I might think, gosh those are radically different things. Well the CAN bus disagrees.
Did I mention that there is no encryption? There isn't. To the CAN bus, the packets from the GPS tracker that say "tell me the speedometer reading" and the packets from the manufacturer created by pressing the brake are treated with the same authority.
Does vehicle electronics firmware use a weird 20 year old non-ANSI version of C? Well of course it does. Does it require signed firmware? Hah!
Do most vehicle electronics suppliers not have the top quality security people they need? They do not. Do they have management support for making security conscious decisions? They don't.
Anything that can put packets on the CAN bus can completely control the car. So anything that connects to the CAN bus, through bluetooth, wifi, cell service, or a plug needs to be completely secure.
I'm a little distrustful of OnStar and the like, because I don't think GM is security conscious enough to manage it perfectly. I'd be very distrustful of a company that let you keep a default password for your GPS tracker. Instead purchase the GPS tracker that does NOT read info about the vehicle, the only plug should be for power.
Here's a story about hacking Chrysler's Uconnect, with good details.
If you are writing software/firmware that will control a vehicle, you should hard code the packets it can write and never include dangerous ones. Even though it might seem cool to be able to "stop the vehicle" in an "emergency". If you want to use dangerous commands, you need to level up your security org to google/facebook levels. If you are talking to management that means spending $50 million a year just on security.
These are not attacks that require state level NSA/Chinese/Russian attackers. This is well within the reach of an advanced individual. It is very lucky indeed that there is no monetary or other advantage to this; if actuating brakes in cars produced social security numbers, we'd have hundreds of excess deaths a year.
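The design advice a few lines up, hard-coding the frames a connected device may write and leaving the dangerous ones out, is a least-privilege rule that can be enforced in one place between the application and the bus driver. As an added example (not code from the thread or from any vendor's firmware), the block below is such a transmit gate: a fixed allow-list with an exact payload length and a minimum spacing per identifier, so a compromised backend or app cannot turn the device into a general bus writer. The allow-list contents, the rate cap, the "stop the vehicle" request with identifier 0x2AA and the fake clock are constructed for the example; the one real identifier, 0x7DF with payload 02 01 0D, is the standard OBD-II vehicle-speed request, which is the read-only "tell me the speedometer reading" case mentioned above.

```python
"""Transmit-side policy for a connected device on a vehicle bus (tracker,
telematics unit, head unit): the firmware carries a fixed allow-list of the
frames it may ever emit, with an exact length and a rate cap per identifier.
The allow-list, the constructed 0x2AA 'kill' request and the clock are made
up for this example; 0x7DF / 02 01 0D is the standard OBD-II speed request."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxRule:
    can_id: int
    dlc: int               # exact data length this frame must carry
    min_interval_s: float  # minimum spacing between two transmissions


class EgressPolicy:
    """Gate between application code and the bus driver. Only frames that
    match a rule are passed on; everything else is dropped and recorded."""

    def __init__(self, rules, now):
        self.rules = {r.can_id: r for r in rules}
        self.now = now            # injectable clock for testing
        self.last_sent = {}
        self.dropped = []

    def transmit(self, can_id: int, data: bytes) -> bool:
        t = self.now()
        rule = self.rules.get(can_id)
        if rule is None:
            self.dropped.append((t, can_id, "id not in allow-list"))
            return False
        if len(data) != rule.dlc:
            self.dropped.append((t, can_id, "unexpected length"))
            return False
        last = self.last_sent.get(can_id)
        if last is not None and t - last < rule.min_interval_s:
            self.dropped.append((t, can_id, "rate cap"))
            return False
        self.last_sent[can_id] = t
        # Here real firmware would hand the frame to the CAN driver.
        return True


class FakeClock:
    """Deterministic clock so the rate cap can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_demo():
    """Drive the policy with a mix of permitted and forbidden writes."""
    clock = FakeClock()
    policy = EgressPolicy([TxRule(0x7DF, 8, 1.0)], clock)
    speed_request = bytes.fromhex("02010D0000000000")  # OBD-II mode 01, PID 0D
    results = []
    results.append(policy.transmit(0x7DF, speed_request))   # allowed
    clock.t = 0.2
    results.append(policy.transmit(0x7DF, speed_request))   # too soon: dropped
    clock.t = 1.5
    results.append(policy.transmit(0x7DF, speed_request))   # allowed again
    # A "stop the vehicle" request relayed from a backend; constructed ID and payload.
    results.append(policy.transmit(0x2AA, b"\x01"))          # not on the list: dropped
    results.append(policy.transmit(0x7DF, b"\x02\x01"))      # wrong length: dropped
    return results, [reason for _, _, reason in policy.dropped]
```

Because the rules live in firmware rather than in configuration pulled from a server, the set of frames the device can emit does not change when the backend or an account is compromised; the dropped list is also a useful signal to log, since an unexpected write attempt is exactly the event an operator wants to know about.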
Did I mention that we had incredibly high fluctuation (at least production line test benches - brutal deadlines and 2am deployments, working in loud production halls, lots of travel, no technical innovation, ...). We basically hired anyone who was alive and somewhat skilled. I don't think anybody ever talked to me about security - ever.
What these articles are showing is amateurs' work. I'm terrified by the idea of what a disgruntled/crazy/... person with experience in the field could do.
From working with military computer security I know that nothing directly connected to the Internet should be considered safe. Sounds like a bad design decision.
Some of the cheaper (AliExpress) hardware installation instructions say that the relay should be wired to the fuel pump.
I wonder if the starter vs. fuel pump is a regional difference? Perhaps in countries where vehicle theft is more prevalent/violent installers would lean towards cutting the fuel pump?
What gets me is electronic parking brakes, as that feels like it goes against the whole purpose of the parking brake.
Your radio has zero control over an engine. Or at least, shouldn't.
Source: Connected Car is my day job.
First of all, many manufacturers market remote engine kill as a subscription service.
Second, many cars use CAN busses and connect the radio to it. That makes it very easy for the radio to interfere with crucial functions, like braking.
The CAN bus uses real-time time multiplexing for congestion control, so it is very easy to target traffic from a particular device subsystem, even accidentally.
Sources: search for “can bus vulnerabilities”. Also, a ~2012 GMC I used to own had a bug in the radio firmware that caused the ABS system to stay on when the engine was off, which ran down the battery overnight.
On my current Dodge, there is a recall where the head unit firmware leads to confusing semantics around “park” on the transmission, and a separate firmware update where it refuses to disengage cruise control.
On recent Ford Mustangs, the radio can display all sorts of engine statistics, and tune the engine in real time.
European luxury cars are even more integrated on this front, and have sport modes where the radio changes the response curves for the engine, steering, transmission and suspension.
The first generation Prius had the engine control computer physically inside the radio.
That covers the major car manufacturers across three continents.
Wow, that's a bad one.
Oh, subscription service.
Not GPS signal.
I'm completely right.
From the article:
>The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.