Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain o dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it moving and so on).
No doubt today, but in another very realistic in the sense that's perfectly logic and possible since more than a decade, where government have digital IDs who are smart-cards not crapplications, and with them certified mails with a personal domain and the ISP router is just a FLOSS homeserver (as it is actually, being GNU/Linux embedded machines with a tailored PBX, Samba to offer usb network storage, CUPS for serving a usb-connected printer and so on, just a bit more powerful and open.
In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.
Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.
Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
My key fob has two way communication and like a half mile range in urban areas.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
Doubt it. Mine's aftermarket. The manufacturer doesn't offer remote start on their manual transmission vehicles so I had to get an aftermarket system if I wanted remote start for those -50 days. Mine's a little older / less fancy than some of those linked[0] but essentially the same.
I doubt it would ever solve my problem (they're still not going to offer half the functionality on a M/T vehicle), but there's no reason they couldn't offer something like this as a couple hundred dollar option on most of their vehicles. They already basically have all the hardware in the car I figure.
Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.
With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.
Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)
If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
> I haven’t carried keys of any kind for… 6 years at this point?
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
In the UK, and I'm guessing a lot of other parts of the world, many people live in apartments with only a single entrance door.
Pets which require medications on a schedule might become very ill without them. But yes, I suspect that any country where the weather is enough to kill your pet should probably be running AC/heat on a thermostat instead of manual. (Here in the UK, we rarely have AC, and a lot of people just put on heat manually when they're cold - but our weather is pretty mild.)
Personally I would never rely on a phone to get me into a house or vehicle. Mine runs out of battery too frequently. I've already been bitten by not being able to take a bus because my phone died and I couldn't pay for a ticket.
Smart locks typically have more option than just a phone to open them. Keypad, fingerprint, etc.
For ones that support Apple's Homekey, it doesn't even matter if your battery runs out. Apple devices still provide Homekey via NFC even with a dead phone.
I don't think this exists yet for car keys, although I know there's work on UltraWide Band key support.
Also, this seems substanially less fragile than just... losing a pair of keys. It's not evitable that your battery in your lock runs out (again, unless you ignore warnings), but losing your keys is one of those 'hard to prepare for' events.
Migitation for losing your keys could just be keeping a spare key with a neighbor/friend/whatever... but, well, you can do that with an e-lock too (cause they all have regular keys for true backup).
I've found myself stuck out of the office in minus fifteen degrees because the keylock app had stopped working due to a backend upgrade gone subtly bad.
Fortunately this was in an urban area and I could find a cafe that was open within the walking distance. I don't know if they allowed pets to thaw in there. It took about an hour for maintenance to open the doors (with a damned key) and let people in.
> the doors were locked from the inside by the dog
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
I didn't want it off. It was New Orleans in summer. I wanted it unlocked.
I suppose you could dream up some situation in which the fob is outside the car, someone is inside, creepy people come up and take the fob, and you want to be protected by locking from the inside.
But in that case, internet unlocking should be blocked as well, right?
It was a very bizarre experience. Anyway, wouldn't have mattered: it's my wife's car, not mine. So I wouldn't have the app.
I also don't understand the weird rules key fobs and locks have, the states seem totally divorced from the real world.
But part of the nice thing about the app is that there's no cost to having extra "keys," so there's no reason to not have the app for your wife's car on your phone.
I would have to have Mercedes.Me service (which we do not) and be willing to let them spy on everything we do. No thanks.
When I press unlock on the fob for my 2001 car, it unlocks unless the battery is dead. I can even reprogram it for two brand-new fobs without going to a dealer.
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.
Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
>Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."
Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
How? These were terrible P5 reports that would get closed as informative in ANY PROGRAM. He has no evidence behind the claims of the "xss" and the "OneLogin bypass" which they would have indeed paid out if it was valid. I'm highly disappointed in people here, geez.
Posted this as a response on Medium but got blocked cause I guess he just wants yes men around lol:
“I’m also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system.”
Where’s the proof? I don’t see any whatsoever. I highly doubt that you were actually able to bypass the OneLogin because if you did, they’d definitely pay out and it’d be an actual issue rather than some crappy bugs.
Lack of certificate pinning IS NOT a critical issue. Critical issues are code execution, file read, etc.
The odds of you actually guessing UUIDs are super low and pretty difficult, they did the right thing in closing as informative. You’d have to try “~ 10²⁹ values to get a valid token assuming a billion accounts, which would take millions of years at 1 trillion requests per second.” You claimed their PRNG was broken but had no evidence or support to back it.
“Are you seriously the Program Manager for Uber’s Security Division, with a 2013 psych degree and zero relevant industry experience other than technical recruiting?” — you’re a complete moron, glad you know how to personally attack people, Uber definitely had the right to ban you from their program.
Programs CANNOT delete comments from HackerOne Reports (as you claim in https://hackerone.com/reports/293359)
Uber DEFINITELY made the right choices in closing your reports as informative, but go ahead, fool yourself
No, they where not 100% right, your blog post reads full of quickfire/offbrand outrage. Especially when you resort to personal attacks whilst chastising him for personal attacks.
All of your other points are "I don't believe him" and "here is some unrelated technical information about uuids that while correct is not really the point". Cool, good for you. Didn't need to put that in a blog post though.
reply