Computer hacker’s demonstrate they can take control of vehicles

[RowdyRebel]

Call me crazy, but I prefer the out-dated "technology" full of mechanical linkages and relies upon direct physical inputs by the person wishing to control the vehicle. If somebody wants to take control over the vehicle I'm driving, they should have to find a way inside and take my place behind the wheel. Hell, what's next? Hacking into a parked car's system, firing it up, and driving it to the chop-shop from the comfort of the couch in your mother's basement?

[41chevy]

They can't do it from the couch . . yet. But they probably will when the self drivers hit the streets. As for getting in and starting it up, the path through the hands free phone link, On Star or Sirus is wide open to entry. The links work to disable the anti-theft systems in seconds to steal wheels and/or the headlamp modules. Some of which are 5 to 7 grand a piece. Paul

[RowdyRebel]

They can remotely hack in and control the engine and transmission. The hackers admitted to being able to control steering in reverse, and that they were still working on forward control. I certainly don't want to be anywhere near that vehicle when they DO figure it out.

[41chevy]

With the newest drive by wire systems hackers have taken over the cruise control on some vehicles, up and down shifted the trans and controlled entry and climate controls. The new 2016 Corvette ZO7-R option with the 650 h.p.and Magnetic computer controlled suspension also has adaptable electronic steer by wire. The system senses road conditions from suspension load, traction, G force and speed and will compensate if the driver is overwhelmed by his inability to drive the car. A hackers dream come true...

[kscarbel2]

This is all a scam in the making, designed to shift billions of dollars of liability away from the vehicle manufacturers onto security software suppliers who have no liability as they make no promises of 100 percent guaranteed effectiveness.

The vehicle manufacturers will most likely succeed with their scheme, because people have long accepted paying money from their own pocket to provide their computers with security software.

In the end, the vehicle manufacturers will have rid themselves of the cost of providing security software with the car as a factory package, and most importantly in the cost perspective, rid themselves of the security responsibility and liability (it will be in the fine print when you buy the vehicle).

[41chevy]

People also fail to realize that any computer system can be hacked and any security program and it's updates can be defeated.

[kscarbel2]

United States Secretary of Energy Ernest Moniz worries more about cars being hacked than the electric grid being attacked.

At the National Clean Energy Summit, former Chief of Staff John Podesta asked Moniz if the prospect of cyber attacks on the electric grid keeps him awake at night.

“Yes,” Moniz replied, but he suggested the electric grid was not the most vulnerable system.

“The grid is usually the poster child for the discussion,” Moniz said, but DOE has been working with utilities to increase cyber security, training utility executives and helping them get security clearances they need to be fully informed of risks.

“We have a very effective working arrangement with utilities right now to increase cybersecurity.”

More attention should be paid to other vulnerabilities, Moniz continued, such as major natural-gas compressor stations and private vehicles.

“We have to worry about the increasing intelligence in things like vehicle and traffic management. This is a big and growing threat. We are paying a lot of attention to it,” he said.

Podesta asked, “So we should worry about our cars being hacked?”

“It’s an issue,” Moniz replied. “Information technology is so critical, and yet obviously it creates exposures that we have to stay ahead of. We always emphasize that this is not an area where a stationary defense helps. It’s got to be a dynamic, continually evolving one.”

Podesta asked Moniz why Congress has been slow to act on cyber security, and Moniz replied that cyber security touches many aspects of society and involves issues, such as privacy, that Congress has not yet resolved to its satisfaction.

Earlier this year Sen. Ed Markey’s office released a report on the vulnerability of vehicles to cyber attacks, which found that nearly all new vehicles “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”

Markey’s office surveyed vehicle manufacturers and found that most could offer no information on past attacks and that efforts to prevent future attacks are “inconsistent and haphazard.”

Moniz called for increased training of cyber security professionals, an initiative partially undertaken by the National Nuclear Security Administation.

“This is a case where the training of professionals is not keeping up with demand.”

[kscarbel2]

Hackers arrested after stealing more than 30 Jeeps in Texas

Autoblog  /  August 4, 2016

It seems the news regarding vehicle hacking continues to get worse, especially when it comes to products from Fiat Chrysler Automobiles. Last year, a Jeep Cherokee in St. Louis, Missouri, was wirelessly hacked from Pittsburgh. Nissan had to shut down its Leaf app because of vulnerabilities. Now, a pair of hackers in Houston, Texas, stole more than 30 Jeeps over a six-month period. The two were arrested by police last Friday while attempting to steal another vehicle.

ABC 13 in Houston reports that police had been following Michael Arcee and Jesse Zelay for several months but were unable to catch them in the act until now. The two were using a laptop to connect to and start a vehicle. It's unclear if the connection was through OBD II or USB or if the software they used has anything to do with the UConnect infotainment exploit from last year.

In April, this surveillance video showed the theft of a Jeep Wrangler Unlimited. It was this footage that first led the police to Arcee and Zelay. The police began to follow and record the pair. That investigation eventually led to Friday's arrest. Both are charged with unauthorized use of a motor vehicle. In addition, Arcee is charged with felon in possession of a weapon and possession with intent to deliver a controlled substance.

According to ABC 13, Homeland Security is investigating more than 100 stolen FCA vehicles that they believe were hacked using similar software. After their theft, the vehicles were brought across the border to Mexico. FCA is currently conducting an internal investigation into the matter.

.

 

[kscarbel2]

Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks

The Wall Street Journal  /  September 29, 2016

Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devicesin homes and businesses connected to the internet.

The assaults raised eyebrows among security experts both for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital video recorders and other infected devices to generate webpage requests and data that knocked their targets offline, security experts said.

Those affected include French web hosting provider OVH and U.S. security researcher Brian Krebs, whose website was disabled temporarily.

“We need to address this as a clear and present threat not just to censorship but to critical infrastructure,” Mr. Krebs said.

Closely held OVH confirmed the attack, but declined to comment further.

“We’re thinking this is the tip of the iceberg,” said Dale Drew, head of security at Level 3 Communications Inc., which runs one of the world’s largest internet backbones, giving it a window into many of the attacks that cross the net.

The proliferation of internet-connected devices from televisions to thermostats provide attackers a bigger arsenal of weapons to infiltrate. Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” said Andy Ellis, security chief at network operator Akamai Technologies Inc., some of whose clients were affected. “They’re also never going to be updated.”

Experts have long warned that machines without their own screens are less likely to receive fixes designed to protect them. Researchers have found flaws in gadgets ranging from “smart” lightbulbs to internet-connected cars. Wi-Fi routers are a growing source of concern as many manufacturers put the onus on consumers to do the updating.

Level 3 identified cameras and video recorders made by Chinese manufacturer Dahua Technology Co. as the sources of a large share of the recent attacks, but Level 3 said other devices are being roped into a new attack network currently being assembled. Hackers often hijack the machines through computers that are already infected or poorly protected Wi-Fi routers.

A Dahua spokeswoman said on Thursday the company is still reviewing Level 3’s research. She cautioned that malware could succeed in attacking older devices that have outdated software.

“We strongly recommend users to upgrade the firmware of devices” and set a strong password to reduce risks, she added.

Dahua, which claims it is one of the world’s biggest makers of security cameras and digital recorders, sells directly to consumers and businesses through its website and retailers like Amazon.com Inc. It also lists 71 technology partners on its U.S. website, from startups like AngelCam to better known firms like Canon Inc.

Many of Dahua’s cameras and recorders are used by small businesses for security systems. Level 3 said H.264 DVRs made by Dahua were especially prevalent, though security researchers said other brands were affected. In some cases the devices weren’t protected with passwords or had generic passwords, Mr. Drew said.

“I suspect that a lot of people have been caught by surprise by how soon” the attacks happened, said Akamai’s Mr. Ellis. His company said it was blindsided by one of last week’s attacks.

Mr. Ellis said traffic on Sept. 20 reached 700 gigabits a second—equivalent to 140,000 high-definition movies streaming at once—on his company’s network, twice the size of the previous biggest stream.

Arbor Networks Inc., a security firm that defended several websites affiliated with the Rio Olympics against similar attacks this summer, found cable set-top boxes and home routers used to bombard the websites with data. Those attacks reached as much as 540 gigabits a second, Arbor said.

“There are tens and tens of millions of these embedded devices out there,” said Roland Dobbins, Arbor’s principal engineer. “But they ship by default with very poor security.”

Denial-of-service attacks—so-called because they flood websites with unwanted data crashing the sites and denying access to legitimate users—are nothing new. In prior iterations, hackers have exploited weaknesses in the operating systems of personal computers hijacking them to carry out these actions. Microsoft Corp. for decades has been playing a running game of Whac-A-Mole to patch each flaw in its Window’s operating system as it arises.

“It’s going to be very difficult to convince consumers to patch their refrigerator,” said Matthew Prince, chief executive of security provider CloudFlare Inc. “Where the security is more likely to be placed is in the network.”

 

[kscarbel2]

NHTSA issues nonbinding guidance on vehicle cybersecurity

Automotive News  /  October 24, 2016

The National Highway Traffic Safety Administration (NHTSA) released new guidance for how car and truck manufacturers should approach cybersecurity amid growing scrutiny prompted by high-profile vehicle hacks and the spread of car connectivity technologies.

NHTSA says cybersecurity should be a top priority of vehicle makers and suppliers that should be formally addressed during the product development process of new vehicles.

The agency also says car and truck makers, and suppliers, should conduct “penetration tests” to seek out potential vulnerabilities. Test results should be documented to describe how weak spots were addressed or the rationale for not addressing vulnerabilities found in testing.

The 22-page guidance is nonbinding and follows earlier cybersecurity “best practices” released in July by the Automotive Information Sharing and Analysis Center, a consortium of major automakers formed to act as a clearinghouse to share cybersecurity information.

“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Mark Rosekind said in a statement. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”

The guidance also highlights NHTSA’s view that its authority covers auto cybersecurity even though the issue is not addressed by one of the existing Federal Motor Vehicle Safety Standards (FMVSS).

The agency and automakers alike have felt pressure from lawmakers to take a more aggressive approach on vehicle security in the last two years, with some proposing legislation to direct NHTSA and the Federal Trade Commission to write new regulations setting minimum digital protections.