Computer hacker’s demonstrate they can take control of vehicles

[kscarbel2]

Wall Street Journal / July 21, 2015

Two computer-security researchers demonstrated they could take control of a moving Jeep Cherokee using the vehicle’s wireless communications system, raising new questions about the safety of Internet-connected cars and trucks.

Fiat Chrysler Automobiles (FCA), owner of the Jeep brand, expressed displeasure with the researchers, slamming them on Tuesday for disclosing their ability to hack into the sport-utility vehicle’s software and manipulate its air conditioning, stereo controls and control its speed by disabling the transmission from a laptop many miles away.

The hackers, one of whom works for Twitter Inc. and is a former analyst for the National Security Agency (NSA), counter they are bringing attention to an issue auto makers have for too long ignored. Nearly all modern automobiles, not just those manufactured by Fiat Chrysler, feature computer controls that are potential targets for hackers.

The problem has caught the attention of most major car companies. General Motors, for example, has been working with the National Highway Traffic Safety Administration on ways to protect the loads of data that a vehicle carries, and fortify a car’s control system from outside tampering.

Auto executives generally admit the industry is behind in tackling car cybersecurity. Consulting firm Booz Allen Hamilton is pushing them to develop common security measures.

The Jeep manufacturer, in touch with the hackers for months, released a software patch last week that it said can fix the security flaw. Consumers must either take their vehicle to a dealership or use a USB stick to obtain the update.

The cyberattack demonstration comes amid concerns over how susceptible U.S. automobiles are to hackers taking control of vehicles or accessing motorists’ private information. Other researchers next month plan to show how they can hack a Tesla Motors vehicle.

Tesla said members of its security team would attend the conference in Las Vegas to discuss its security, but it isn’t making a vehicle available to hackers. Last year, it sent a manager to the Def Con hacker convention in Las Vegas to recruit hackers to test its vehicles.

It isn’t clear how many vehicles are affected by the Jeep security flaw. Fiat Chrysler this year through June 30 sold more than 105,000 Jeep Cherokees, according to Autodata Corp. The researchers believe their hack would work on any late 2013, 2014 or early 2015 vehicle with Fiat Chrysler’s Uconnect system.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the auto maker said in a statement.

The two hackers, Charlie Miller, a Twitter employee based in St. Louis, and Chris Valasek, a director at the security firm IOActive, demonstrated in an article and video published in technology magazine Wired their ability to access a vehicle’s systems wirelessly. The researchers, who have been probing vulnerabilities in connected automobiles for years, previously could only take over a car by hacking from a laptop connected by cable to a moving vehicle.

Mr. Miller defended releasing the information, arguing he is improving auto safety by drawing attention to the issue. “We both want the same thing, to keep drivers safe from a cyberattack,” said Mr. Miller, who used to work on hacking tools for the NSA. “All I can do is point out flaws in their vehicles, get other researchers working on this issue and make suggestions.”

Messrs. Miller and Valasek have kept some of the flaws they uncovered under wraps to prevent copy cats from wreaking havoc on the highway. But they do show in a video that they can effectively disengage a car’s transmission or, when it is moving at slower speeds, its brakes. The two researchers say they will show more details during a talk at the Black Hat hacker conference next month.

In February, staff for Sen. Edward Markey (D., Mass.) released a report claiming that nearly all cars and trucks on U.S. roads feature wireless technology prone to hacking or privacy intrusions. The report queried more than a dozen manufacturers in light of studies demonstrating how hackers can infiltrate vehicles to gain control of steering, braking and other functions. The report also raised concerns about companies sweeping up information from navigation systems and storing data with third parties.

Sens. Markey and Richard Blumenthal (D., Conn.) on Tuesday introduced legislation that would require NHTSA officials and the Federal Trade Commission to develop standards for securing vehicles and protecting consumers’ privacy. The legislation would also create a “cyber dashboard” ratings system to inform consumers how well a vehicle protects against hackers.

“Drivers shouldn’t have to choose between being connected and being protected,” Sen. Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”

[mrsmackpaul]

I heard this out in the shed only a hour or so ago on the radio I nearly fell over well I know I will never have these problems with my old R model

Paul

[kscarbel2]

And it never dawned on the highly talented software engineers of the wireless communications systems in today's vehicles that this danger was possible.........right.

[carlotpilot]

simply more ways to control - hack= gov fix =6or8 new ways to snoop into privacy. cure leave all this new junk set in dealer lots

[gearhead204]

why do you think we had cash for clunkers?...........so we would buy some new p.o.s. and then who ever wants can hack into it!

[mrsmackpaul]

now I seem to remember hearing that Ford US or maybe it was GM got into trouble a few years ago for doing that exact thing tracking what the customers are doing they had all the excuses in the world but they get very red faces whom ever it was

Paul

[kscarbel2]

now I seem to remember hearing that Ford US or maybe it was GM got into trouble a few years ago for doing that exact thing tracking what the customers are doing they had all the excuses in the world but they get very red faces whom ever it was

Paul

On Wednesday January 8, 2014, Ford global marketing chief Jim Farley said:

"We know everyone who breaks the law, we know when you're doing it. We have GPS in your car, so we know what you're doing.”

Farley was speaking at a panel discussion about data privacy at the Consumer Electronics Show in Las Vegas where he tried to describe how much data Ford was able to collect on its customers and how its uses the data to avoid privacy issues.

.

[kscarbel2]

Hackers take control of a Jeep Cherokee and crash it into a ditch by gaining access through the entertainment system

Daily Mail / July 21, 2015

Hackers took control of a car and crashed it into a ditch by remotely breaking into its systems from 10 miles away whilst sitting on their sofa.

In the first such breach of its kind, security experts cut out the engine and applied the brakes on the Jeep Cherokee - sending it into a spin.

The US hackers said they used just a laptop and mobile phone to access the Jeep’ s on-board systems via its wireless Internet connection.

Over 470,000 cars made by Fiat Chrysler are at risk of being attacked by similar means.

The breach was revealed by security researchers Charlie Miller, a former staffer at the NSA, and Chris Valasek.

They worked with Andy Greenberg, a writer with tech website Wired.com, who drove the Jeep Cherokee on public roads in St Louis, Missouri.

In his disturbing account Greenberg described how the air vents started blasting out cold air and the radio came on full blast.

The windscreen wipers turned on with wiper fluid, blurring the glass and a picture of the two hackers appeared on the car’s digital display to signify they had gained access.

Greenberg said that the hackers then slowed the car to a halt just as he was getting on the highway, causing a tailback behind him - though it got worse after that.

Greenberg wrote: ‘The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.

‘The researchers say they’re working on perfecting their steering control - for now they can only hijack the wheel when the Jeep is in reverse.

‘Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.’

The hack was possible thanks to Uconnect, the Internet connected computer feature that has been installed in fleets of Fiat Chrysler cars since late 2013.

It controls the entertainment system, deals with navigation and allows phone calls.

The feature also allows owners to start the car remotely, flash the headlights using an app and unlock doors.

But according to Miller and Valasek, the on-board Internet connection is a ‘super nice vulnerability’ for hackers.

All they have to do is work out the car’s IP address and know how to break into its systems and they can take control.

Independent security expert Graham Cluley said: ‘Note that the researchers believe that, although they’ve only tested it out on Jeeps, the attacks could be tweaked to work on any Chrysler car with a vulnerable Uconnect head unit.’

The incident is the latest hacking episode which shows just how vulnerable we are to modern technology.

It comes after the FBI claimed a US hacker took control of a passenger jet he was on in the first known such incident of its kind.

Chris Roberts plugged into the plane’s computer systems through the electronics box under his seat - and briefly moved the aircraft sideways.

After being contacted by the hackers nine months ago, Fiat Chrysler released an update to its car systems.

In a statement to Wired.com Fiat Chrysler said: ‘Under no circumstances does FCA condone or believe it’s appropriate to disclose "how-to information" that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

‘We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.’

--------------------------------------------------------------------------------------------

Now, would you provide a vehicle for your wife and children that had electric power steering (EPS) and a wireless internet connection? With the days of hydraulic steering are coming to a close, you'll soon have no choice but EPS.

The automakers don't want to add additional cost to vehicles by adding anti-hacking protection, which like your computer's anti-virus software requires daily updating and is never 100 percent effective. The ramifications of a large scale vehicle hack are staggering.

.

[mrsmackpaul]

WOW

[Timmyb]

This comes as no surprise. All these smart cars, with keyless entry and a latte machine (soy) make me sick!

But, it gives me a good excuse next time the boys in blue pull me over. "Honestly sir, this old mack is being hacked by Internet hackers, it's not my fault!"

[RowdyRebel]

...and they're pushing for automated TRUCKS! Imagine...you're hauling a high-dollar electronics load, or cigarettes, or booze, or anything else a hijacker could profit handsomely from obtaining. He no longer has to find you on the road, convince you to stop, or anything else...just hack into your truck's ECM and route it to a nice, secluded warehouse where you quickly discover you are outnumbered and outgunned. The truck pulls up, a door opens, it rolls inside and shuts off as the door closes behind you. Or worse, you're hauling fuel or any other hazardous substance and a terrorist hacks in and uses your truck (with you inside) to torpedo a target of their choosing. You're dead, and the FBI is investigating YOU for terrorism (they only seem to resist that determination if you're a radical muslim extremist with ties to known terrorist organizations, as they don't want to "offend" or be accused of "profiling") meanwhile the hackers are sitting comfortably wherever they might be preparing to do it again to somebody else. Sorry, but I'll keep the electronics out of my vital controls...brakes, steering...and even though my truck is drive-by-wire for the throttle, I have a clutch and full control over what gear I'm in. There is no "communications" sent or received by my truck...so no way for a hacker to get in unless he's sitting in the truck plugged into the port. I'm OK with that, even though I'd PREFER full mechanical linkages without any electronics. Best way to prevent hacking is to not have anything to hack...kinda like my fool-proof measure for preventing fuel theft when I am out overnight...I fuel in the morning...350-400 miles before I plan on shutting down...so that I have no more than 1/8 of a tank...just enough to get me to a fuel stop to start my day. They can't steal what I don't have, and they can't hack what isn't controlled by a computer.

[Brocky]

I sure am glad I am an old fashioned "Old Fart", Bought a new truck last summer WITHOUT any GPS, auto start, or any of this fancy s**t, and carry an old flip style cell phone.. I realize I am not totally immune. but it will make it a lot harder..

[fxfymn]

Watch the PBS show "Earth from Space" http://www.pbs.org/wgbh/nova/earth/earth-from-space.html if you really want to get your eyes opened about how totally interconnected all of this is. Pretty scary, but inevitable in the world we have created.

[Freightrain]

Drove the owners late model Acura SUV to Indiana last week, It has that accident avoidance crap. The cruise constantly kicks off if you get without 200+ ft of another vehicle on the highway. Ugh, makes it hard to pass someone when the car slows itself down. Ugh. Then there is the automated braking crap. Ya, collision avoidance crap again. If you don't get on the brakes soon enough FOR IT, then it applies them for you. Ugh. Really. I can drive myself!!!!

At lunch, I tend to go to Lake Anna(center of town) and eat lunch and watch the people, ducks and whatever. There is parking along 2 sides of the lake(big pond). The funny thing to see is how many people CAN NOT parallel park. At all!!! Period. If they can't pull in and stop, then can't get in a spot. So many try to pull their nose in first then try to jack the back end into the spot. Not happening(duh). They usually leave and find a spot then can pull into(2-3 open spaces). Kinda like going to a boat ramp for entertainment purposes. Of course, in Barberton, the financial area does not support many new cars, usually 10-15 yr old clunkers. Have not seen one that had park assist.

My g/f will atest that she is horrible at parking any direction. She freaks when I whip into a spot, especially backwards. Can parallel park my pickup in the dark in a spot barely long enough for the truck and not hit anything. She just shakes her head. Her new Jeep is very noticeable, the right side tires are all chewed up from "finding" the curb when she parks.

[RowdyRebel]

I can parallel park a vehicle towing a trailer better than most people can parallel park their small car. That skill seems to evade such a great portion of the population that many states are removing the requirement from their road test for kids getting their license...which will lead to even fewer people having even the slightest clue how to, whether or not they can actually DO it.

[41chevy]

No parallel parking, no 3 point turn, no entering and exiting a limited access highway and no need to read speak or understand English. Can't have none of that for the zero generation and illegals. They are told that's not needed. Wander out of your lane from texting? The car corrects you. Texting in traffic...Collision Avoidance will stop you from wrecking, to busy to check your mirrors to change lanes? The car will warn you before you wreck. No give the "driver" enough knowledge to get a CDL and in a semi if the new 18 year old law passes....with none of the "expected Safety Systems, Let the carnage begin!

People don't spell or use punctuation because of spell check and text slang. Don't learn math because the computer will figure it out, learn hiistory? why? Watch a movie called Abe Lincoln Vampire Hunter, that will show you his history in the U.S.A. . Want a real test of our education system? Go to a store and get a total of say $14.77 give the "associate" $20.03. Watch the confusion, followed by A) Panic, calling a manager for help or C) the best one giving you asking you to explain the "extra money".

I own part of a Hobby Shop in Glen Head L.I. the point of sale system crashed yesterday, the adult working could not add the costs, figure 8.65% sales tax and if needed give change. Did not have any idea how to use a calculator, or count up change. Sad that this is our future a generation less educated than their parents.

[kscarbel2]

Per Volvo Group, Mack Trucks has activated its GuardDog Connect integrated telematics solution in more than 25,000 models since the product launched in 2014. Built upon the Mack Asist platform, it ensures timely information sharing, communication and tracking.

The highly talented software engineers of today's vehicular wireless communications systems knew the danger. All software has a backdoor (the NSA insists on them).

The truckmakers weighed their options:

A. Provide no cybersecurity system and hope the public would accept buying security software from a third party supplier as you purchase anti-virus/malware software for your computer at additional costs with no 100 percent guarantee of performance;

B. Or offer their wireless communications system with cybersecurity software and create liability, given they can not give 100 percent assurance that the customer will never be hacked.

After consulting with the corporate lawyers and accountants, they went with plan A.

So one day in the future, your truck's information screen is going to go gray, followed by a message from a hacking group based in Russia or Ukraine politely explaining that your truck's electronic system has been encrypted, locking you out. But after you pay a Bitcoin ransom, they will gladly unlock your system.

[Dirtymilkman]

Vlad is gonna hack into my truck?

[41chevy]

Why is this bigger news than Hackers taking over the control launch and tracking computers for the NATO /German, Patriot Anti Missile Batteries in Turkey in July? Brief mention in the news and all is forgotten.

German missiles 'hacked by foreign source'

By Conor Gaffey 7/8/15 at 4:52 PM European News Week / Bohorden Spiegel

Germany's President Joachim Gauck and his partner Daniela Schadt listen to commander of German troops in Turkey Colonel Stefan Drexter as they visit Patriot missile batteries in Kahramanmaras April 27, 2014.Osman Orsal/Reute

A German missile system stationed on the Turkish-Syrian border was reportedly hacked by a "foreign source" and carried out "unexplained commands".

The Patriot missiles, stationed on the Turkish side of the border under the Nato pact, were briefly taken over by an unidentified hacker, according to German civil service magazineBehörden Spiegel.

The magazine does not give details about what these orders were or when they were carried out, but states hackers may have gained access to the missile system through an Asian manufactured computer chip which guides the missiles, or through an un encrypted, real-time information exchange which allows the missiles to communicate with their control system.

Experts say that such a hack could lead to the battery failing to intercept incoming missiles or even firing at an unauthorised target.

Patriot missiles have been in US army service since 1984 and were first used in operation in the 1991 Gulf War.

Germany recently announced it would be spending several billion euros to replace its Patriot system with a next-generation missile system designed by the US and Italy, with the replacement due to be completed by 2035.

The missile system has been stationed on the Syrian border for two years after Turkey asked its Nato partners for support in light of the Syrian civil war, which is still raging the other side of Turkey's border.

The missiles are owned and operated by the Bundeswehr, the German army. According to Die Welt, the battery consists of six launchers and two radars.

Ewan Lawson, a cybersecurity expert at defence think tank RUSI, says that hacks of NATO and US military missile systems are more common than realised but go unreported for security reasons.

"This is also likely to have been a fortunate amateur hacker. If it has happened it would have been a focused effort on behalf of someone," says Lawson.

He cites Russia, China, the US, the UK, Israel, IS and potentially Iran as the only nations with the capacities to infiltrate a stand-alone missile battery, but adds that the Patriot technology is old and needs to be updated.

The media report suggests two possible reasons for infiltrating the system: to remotely operate the missiles or to steal sensitive data from the system.

Caroline Baylon, cybersecurity research associate at Chatham House, says the results of such a hack could be catastrophic.

"You could imagine the missile not launching in response to incoming missiles that it's supposed to defend against, you could imagine it launching at the wrong target," says Baylon. "Missile systems have the same vulnerabilities that exist in civilan infrastructure."

[kscarbel2]

Fiat Chrysler Recalls 1.4 Million Vehicles to Defend Against Hacks

Bloomberg / July 24, 2015

Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.

The move marks a milestone for the industry, which last year set a record with 64 million autos called back for fixes in the U.S. The National Highway Traffic Safety Administration, under fire from Congress for not catching defects more quickly, has been considering punitive action against Fiat Chrysler for failing to protect vehicle owners.

Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.

Fiat Chrysler was already distributing software to insulate some connected vehicles from illegal remote manipulation after Wired magazine published a story about software programmers who were able to take over a Jeep Cherokee being driven on a Missouri highway.

The company led by Chief Executive Officer Sergio Marchionne reiterated that it’s not aware of any real-world unauthorized remote hack into any of its vehicles and stressed that no defect was found and that it’s conducting the campaign out of “an abundance of caution.”

NHTSA said it encouraged the action to protect consumers against a vulnerability that could affect a driver’s control.

“Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities,” NHTSA Administrator Mark Rosekind said in a statement Friday.

Expanded Action

The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.

“That’s not a small number to go after,” Mark Boyadjis, an analyst with IHS Automotive, said in a telephone interview. “This is a pretty quick response and much of it could be P.R. driven. But I think it will keep consumers comfortable and prevent current ones and future ones from straying away from the brand.”

Fiat Chrysler shares fell 2.5 percent, the most in two weeks, to $15.15 Friday at the close in New York. The drop pared the stock’s gain for the year to 31 percent.

This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.

That capability makes the possibility of remote hacking of cars a reality. Earlier hacks have mostly been achieved by jacking the researchers’ laptops into diagnostic ports inside the cars.

Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.

“This is not a Sprint issue but we have been working with Chrysler to help them further secure their vehicles,” said Stephanie Vinge Walsh, a spokeswoman.

NHTSA said it would open an investigation on the remedy “to ensure that the scope of the recall is correct and that the remedy will be effective,” agency spokesman Gordon Trowbridge said in an e-mailed statement. The agency said its electronics and cybersecurity experts will continue to monitor hacking threats and take action when necessary.

Consumer Confidence

There’s a possibility the recall could affect consumer confidence in Fiat Chrysler, even though the company isn’t the only one with cybersecurity challenges, said Thilo Koslowski, vice president and automotive practice leader at technology consultant Gartner Inc.

“It validates that cyber-hacking with cars is a serious issue that the auto industry must pay attention to,” he said. “The auto industry needs to develop new technology to combat these technological problems.”

General Motors Co. has a team working on cybersecurity and has hired Harris Corp.’s Exelis and other firms to develop anti-hacking systems, said Mark Reuss, the Detroit automaker’s executive vice president for global product development. GM seeks to block hackers’ access to its autos, he said, and if they do get in, it tries to prevent them from gaining control.

“It’s probably one of the most important things we spend time on,” Reuss said. “Anyone who wants to do something like that will probably get on, so you have to look at what happens when they do.”

GM has worked with the U.S. military and with Boeing Co. on its anti-hacking systems, he said.

Proposed Legislation

Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.

The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report last year on gaps in car-security systems, concluding only two of 16 automakers had the ability to detect and respond to a hacking attack.

Markey questioned why it took nine months after learning about the security gap for Fiat Chrysler to order a recall.

“There are no assurances that these vehicles are the only ones that are this unprotected from cyberattack,” he said Friday in an e-mail. “A safe and fully equipped vehicle should be one that is equipped to protect drivers from hackers and thieves.”

Representatives Fred Upton and Frank Pallone, leaders on the House Energy and Commerce Committee, sent letters to 17 manufacturers and NHTSA in May to gather information about how the industry is addressing cybersecurity.

“As the underlying technologies seemingly evolve by the day, so too must our manufacturers and regulators keep pace to protect drivers from these growing threats,” the Michigan Republican and New Jersey Democrat said in a statement Friday.

[kscarbel2]

Why is this bigger news than Hackers taking over the control launch and tracking computers for the NATO /German, Patriot Anti Missile Batteries in Turkey in July? Brief mention in the news and all is forgotten.

German missiles 'hacked by foreign source'

By Conor Gaffey 7/8/15 at 4:52 PM European News Week / Bohorden Spiegel

Germany's President Joachim Gauck and his partner Daniela Schadt listen to commander of German troops in Turkey Colonel Stefan Drexter as they visit Patriot missile batteries in Kahramanmaras April 27, 2014.Osman Orsal/Reute

A German missile system stationed on the Turkish-Syrian border was reportedly hacked by a "foreign source" and carried out "unexplained commands".

The Patriot missiles, stationed on the Turkish side of the border under the Nato pact, were briefly taken over by an unidentified hacker, according to German civil service magazineBehörden Spiegel.

The magazine does not give details about what these orders were or when they were carried out, but states hackers may have gained access to the missile system through an Asian manufactured computer chip which guides the missiles, or through an un encrypted, real-time information exchange which allows the missiles to communicate with their control system.

Experts say that such a hack could lead to the battery failing to intercept incoming missiles or even firing at an unauthorised target.

Patriot missiles have been in US army service since 1984 and were first used in operation in the 1991 Gulf War.

Germany recently announced it would be spending several billion euros to replace its Patriot system with a next-generation missile system designed by the US and Italy, with the replacement due to be completed by 2035.

The missile system has been stationed on the Syrian border for two years after Turkey asked its Nato partners for support in light of the Syrian civil war, which is still raging the other side of Turkey's border.

The missiles are owned and operated by the Bundeswehr, the German army. According to Die Welt, the battery consists of six launchers and two radars.

Ewan Lawson, a cybersecurity expert at defence think tank RUSI, says that hacks of NATO and US military missile systems are more common than realised but go unreported for security reasons.

"This is also likely to have been a fortunate amateur hacker. If it has happened it would have been a focused effort on behalf of someone," says Lawson.

He cites Russia, China, the US, the UK, Israel, IS and potentially Iran as the only nations with the capacities to infiltrate a stand-alone missile battery, but adds that the Patriot technology is old and needs to be updated.

The media report suggests two possible reasons for infiltrating the system: to remotely operate the missiles or to steal sensitive data from the system.

Caroline Baylon, cybersecurity research associate at Chatham House, says the results of such a hack could be catastrophic.

"You could imagine the missile not launching in response to incoming missiles that it's supposed to defend against, you could imagine it launching at the wrong target," says Baylon. "Missile systems have the same vulnerabilities that exist in civilan infrastructure."

http://www.bigmacktrucks.com/index.php?/topic/40823-hackers-give-orders-to-german-patriot-missile-battery/?hl=missile

You already know why the vehicle hacking issue is in the news but the hacking of a Patriot missile battery isn't.

[kscarbel2]

Hack attack vs. FCA shows flaws with rush to connectivity

Automotive News / July 27, 2015

As a Jeep Cherokee rolled down a highway near St. Louis, a pair of professional computer hackers sat on a couch 10 miles away, slowly taking over some of the SUV's basic functions from a suddenly panicked driver.

They set the air conditioning to cold, and the fan to high. They obscured the windshield with a torrent of washer fluid. They set the radio to play ear-splitting hip-hop. Then, in a move that petrified the driver -- a Wired magazine reporter who had agreed to play guinea pig for the demonstration, captured on video -- they abruptly cut power to the engine, letting the vehicle coast to a crawl in traffic on a narrow portion of interstate.

The hackers' demonstration did one other thing: It flipped the high beams on an industry still unprepared for its headlong rush toward Internet connectivity.

By the time the hackers' exploits were publicized last week, Fiat Chrysler had posted an urgent security patch on its website and was scrambling to further lock down the system.

On Friday, July 24, the company issued a formal recall for 1.4 million 2013-15 vehicles to install the protective software. Consumers seeking to protect their vehicles can download the patch on a computer and install it themselves or have a dealer do it.

The recall and software patch addressed the security hole, but they didnot allay fears about the prospect of malicious hackers exploiting connectivity technology to gain access to sensitive components and systems.

Those fears have been percolating for some time. In Washington, lawmakers have been pressing automakers to spell out their strategies for counteracting cyberattacks, and two senators introduced a bill on the issue last week.

But the industry's response is only now ramping up, as automakers come to terms with the implications of building devices that increasingly function as networked computers on wheels.

Since last year, the auto industry's two main trade associations have been working to establish an information sharing and analysis center for the industry, a clearinghouse for information about digital threats and vulnerabilities. Such centers are in place in other sensitive industries, such as oil and gas and financial services.

Robert Strassburger, vice president of vehicle safety at the Alliance of Automobile Manufacturers, said July 14 that the automotive information sharing and analysis center was on track to begin operations by year end.

IHS Automotive forecasts that more than 82.5 million vehicles worldwide will be connected to the Internet by 2022, more than triple the current number.

Automakers have heavily marketed these connections as a consumer benefit that allows for more entertaining or productive rides, as well as remote improvements. But as last week's report makes clear, there's more to connectivity than streaming movies.

"As cars get more connected than ever, they become more exploitable to technology vulnerabilities," said Akshay Anand, an analyst with Kelley Blue Book.

Automakers have traditionally sought to keep tight control over the way their vehicles interface with technology, such as cell phones and related applications -- and with good reason, given the safety concerns involved.

In practice, that has meant long delays to test products and search for vulnerabilities internally before new technology is released to the public. In that model, hackers are largely viewed as outside nuisances or ne'er-do-wells.

Technology companies, by contrast, keep their enemies closer. For example, Google now advertises bounties ranging from $100 to $20,000 for hackers who identify vulnerabilities in the company's many websites and businesses.

The auto industry may have to learn to work that way.

"We see the value of software and software content in the average car rising to around 60 percent over the next 15 years from less than 10 percent today," said Morgan Stanley auto analyst Adam Jonas. "Who has greater expertise and experience in protecting connected assets and systems from the perils of hacking? Detroit or Silicon Valley?"

Fortunately for FCA, the recent attack came from Charlie Miller and Chris Valasek, a pair of so-called benign hackers who use such demonstrations to try to help companies understand their vulnerabilities rather than to make mischief. They're known for a similar hack into a Toyota Prius, but that time, they were in the back seat.

The open doorway they used on the Jeep was Uconnect, the infotainment system that's used widely across FCA brands and includes an optional Internet connection through Sprint's cellular data network called Uconnect Access.

Uconnect, in turn, offered the hackers a gateway into the vehicle's network that coordinates various electronic functions.

Yet, unlike some other automakers, FCA cannot use that connection to "push" important software updates to its vehicles automatically. A source within the company indicated that may soon change.

Security experts say that ability to push patches "over the air" is a crucial complement to any system with an open Internet gateway, because it allows automakers to better keep pace with potential hackers.

According to a Twitter message from Miller, the patch FCA posted on July 16 blocks the vulnerability he and Valasek exploited. But FCA and Sprint were still scrambling to block the broader network door through which the hackers had gained access to the vehicle.

A spokesman for FCA wrote in an email to Automotive News that the companies were working to block remote access to hundreds of thousands of potentially vulnerable 2013-15 Chrysler,

Dodge, Ram and Jeep vehicles equipped with the newer 8.4-inch Uconnect system. Fiat and Alfa Romeo vehicles are unaffected.

A source within FCA said the automaker tried to work with the hackers to close the vulnerabilities before they went public, but was rebuffed.

[kscarbel2]

Bloomberg / July 28, 2015

Daimler, BMW and Audi said they separate different vehicle domains -- walling off the radio from the brakes, so to speak -- with firewalls and additional features such as public-key-cryptography and virus scanners.

“Absolute, 100 percent safety isn’t possible,” said Benjamin Oberkersch, a spokesman for Mercedes’s Stuttgart, Germany-based parent Daimler AG. “But we develop our systems, tested by internal and external experts, so they’re up to date.”

While hacks of German cars have fallen short of the stunt to which the Jeep was exposed, BMW, the maker of the carbon-bodied, electric-engined i8 sports car, had to fix a security flaw in one of its digital-services systems this year.

A study by German auto club ADAC found hackers could wirelessly open BMW, Mini and Rolls-Royce vehicles in minutes. About 2.2 million vehicles equipped with BMW’s ConnectedDrive service were vulnerable. The Munich-based company closed the security gap with an automatic system upgrade that took place when vehicles connected to BMW’s server.

[kscarbel2]

Fiat Chrysler waited 1-1/2 years before telling NHTSA about hacking vulnerability

Bloomberg / August 5, 2015

Fiat Chrysler Automobiles (FCA) waited 18 months to tell federal safety regulators about a security flaw in radios being installed in more than a million vehicles that hackers later exploited to seize control of a Jeep last month.

The automaker says it was working on a fix and didn’t consider the problem a safety defect. But the National Highway Traffic Safety Administration (NHTSA) saw otherwise.

Eight days after finally being notified by FCA, the NHTSA pushed Fiat Chrysler last month to recall 1.4 million cars and trucks -- the first recall prompted by cybersecurity safety concerns.

The episode came just days before Fiat Chrysler agreed to a $105 million penalty to settle complaints about its recall performance on other issues and as NHSTA faces its own criticism for failing to promptly get unsafe vehicles off the street.

Cybersecurity threats present a new dimension to the problem, one that critics say demands even faster response to keep hackers from worming their way into vehicles and causing havoc. A Senate report last year concluded only two of 16 automakers had the ability to detect and respond to a hacking attack.

“We want to make sure the automakers and regulators stay ahead of this,” said Mark Rechtin, autos editor for Consumer Reports and a former reporter for Automotive News.

"While there have been no reports of hackers being able to access random cars, “once it happens, and it happens badly, no one will be able to trust their cars.”

Hacking details

The researchers who took control of a Jeep will detail their exploit at the Black Hat cybersecurity conference in Las Vegas Wednesday. Two days later at hacking conference in Los Angeles, another hacker said he will reveal vulnerabilities with General Motors’ OnStar navigation system mobile app. And there’s been a rise in auto thefts using key-cloning systems for electronic fobs.

To help focus regulators’ attention on cyberthreats, the U.S. Senate promised the chronically understaffed agency more resources and personnel in a bill passed last week. But the funding is contingent on NHTSA making numerous changes in the wake of a Transportation Department Inspector General’s report critical of its slow response in recalls with more typical vehicle issues.

On the cyber front, NHTSA has an open audit of the Fiat Chrysler recall to make sure it includes all potentially affected vehicles and the company’s fix actually works, agency spokesman Gordon Trowbridge said. There’s also an active investigation into Harman International Industries Inc., supplier of the Uconnect communications system used by Fiat Chrysler.

Same vulnerability

Another immediate focus is whether other automakers with similar systems have the same vulnerability, Trowbridge said. The agency has been having regular conversations with manufacturers and suppliers on cybersecurity, he said.

Automakers have reached out to NHTSA “to let us know they are aware of the issue and the steps they are taking to assess their own security protections,” Trowbridge said.

The auto industry’s two biggest trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, said July 14 they would form an information-sharing and analysis center by the end of the year to collaborate against emerging cyber threats.

The Fiat Chrysler hacking experiment should serve as “a wake-up call” to automakers to be more proactive to secure software and other systems, or else they’ll face new government regulations mandating security, said Ken Westin, a security analyst with the cybersecurity company Tripwire Inc. based in Portland, Ore.

Lacks expertise

Westin is skeptical of government regulation and isn’t convinced that an agency like NHTSA has the resources and expertise to oversee cybersecurity.

Harman needs to let independent researchers test its devices and software, Westin said.

Hacking vulnerabilities are often created not because products and software from vendors are insecure, but because of how they are applied and configured in a certain setting, he said.

“A lot of the automakers are going to start demanding independent verification” of software and products, he said. “We see this in other areas of security when there’s a breach from a third party.”

The vulnerability exposed in the Jeep hacking incident is unique to Fiat Chrysler, Harman CEO Dinesh Paliwal said in an interview Tuesday. Automakers modify radios and entertainment systems to suit their customers, he said.

“This does not exist, to our assessment, in any other vehicle,” he said.

A Harman spokesman declined to comment on why it took 18 months to inform regulators about the vulnerability.

Third party

Documents Fiat Chrysler filed with NHTSA note that it didn’t consider the software issue, identified by a third party in January 2014, to be a safety defect under U.S. law. Under the Motor Vehicle Safety Act, which governs how and when recalls are conducted, automakers must notify NHTSA within five days of discovering a flaw that presents an unreasonable risk to public safety.

Fiat Chrysler said in a statement it advised NHTSA of the security issue “in a reasonable and timely manner.” The company said it’s “conducting a remedial campaign as a safety recall in the interest of protecting its customers” out of “an abundance of caution.”

The company said it contacted NHTSA after the hackers informed the company of their plan to publicize the security flaw at Black Hat, including information to facilitate unauthorized and unlawful access to Fiat Chrysler vehicles.

Other products

The NHTSA notice of its Harman investigation noted that the vulnerability may exist in products it supplies to other companies. Harmon’s website indicates it supplies entertainment systems to BMW AG and as well as the Mercedes-Benz brand of Daimler AG. Both companies said their vehicles were safe.

BMW’s information and entertainment system is separated from the safety-relevant driving system by several gateways that implement firewalls, message filtering and message blocking, the company said in an e-mailed statement.

Mercedes-Benz spokesman Benjamin Oberkersch said the German manufacturer is taking comprehensive measures to protect its cars from hacking attacks. He declined to comment on the Harman investigation.

U.S. Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.

Rating system

The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report in 2014 on gaps in car-security systems, concluding that only two of 16 automakers had the ability to detect and respond to a hacking attack.

Markey said in an interview that congressional hearings into the GM ignition switch and airbags made by Takata Corp. showed that understaffed and underfunded regulators have been sometimes slow to react.

“This whole issue of computers on wheels is something new,” Markey said. “Based upon what happened over the last several years with Takata and all these other issues, we need to ensure they’ve got the resources.”

[41chevy]

How secure good question. Tesla's are up gradable from your Smart Phone, I pad or for safety upgrades are direct link to Tesla. So I would think the systems are wide open to be hacked by a kid with an I pad and a Pringles can antenna.

Homes with smart tech are easily hacked with a roving band width app from Best Buy and the like. As fast as security is updated the app to defeat it is available. Security is only good for the honest person not to have access.