Self Driving Taxis Are Going To Be A Nightmare To Secure, Warns Ex-Uber Security Researcher

from the I'm-sorry-I-can't-do-that,-Dave dept

So over the last few years you probably remember seeing white hat hackers demonstrate how easily most modern smart cars can be hacked, often with frightening results. Cybersecurity researchers Charlie Miller and Chris Valasek have made consistent headlines in particular by highlighting how they were able to manipulate and disable a Jeep Cherokee running Fiat Chrysler’s UConnect platform. Initially, the duo documented how they were able to control the vehicle’s internal systems — or kill its engine entirely — from an IP address up to 10 miles away.

But the two would go on to highlight how things were notably worse, pointing out last year that they’d also found a way to kill the vehicle’s brakes, cause unexpected acceleration, or even direct the vehicle to perform sudden and extreme turns:

“Last year, they remotely hacked into the car and paralyzed it on highway I-64 while I was driving in traffic. They could even disable the car’s brakes at low speeds. By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed.”

Just the gift for intelligence or private sector ne’er-do-wells looking to cause mayhem — or worse.

After Miller and Valasek’s hacks made consistent headlines, the two were quietly hired by Uber to help the company secure its self-driving taxi service. Miller has since moved on to Chinese competitor Didi, and tells Wired he’s much more free to speak about the perils of securing automated cars and taxis. What he’s saying isn’t what you’d call comforting:

“Autonomous vehicles are at the apex of all the terrible things that can go wrong,” says Miller, who spent years on the NSA’s Tailored Access Operations team of elite hackers before stints at Twitter and Uber. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them? If a bad guy gets control of that, it’s going to be even worse.”

The problems that Miller highlighted with the Jeep Cherokee are significantly worse when you’re talking about a taxi that sees significantly more use each day. A taxi that, under current federal law, won’t be able to block consumer access to the vehicle’s OBD2 port (something consumers want the freedom to tinker with in their own vehicle, but perhaps not so much in a communal car):

“There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network.”

Miller notes that securing an automated vehicle isn’t impossible, but it’s going to require the use of “codesigning,” restrictions built into the OBD2 port, better internal segmentation and authentication — and basically a complete retooling of how self-driving vehicle security is implemented. But Miller notes that companies like Uber are bolting their computer systems onto already built vehicles, which complicates things. And the slow pace of finding and patching security vulnerabilities in vehicles poses an additional layer of problems.

The solution will also involve greater “open conversation and cooperation” among carmakers and developers, something Miller says was lacking at Uber, and hasn’t exactly been the trademark of other automated vehicle vendors.

Right now, we continue to find the lack of security in our smart fridges and TVs kind of cute. But it’s threats like those being exposed by Miller that have some security researchers like Bruce Schneier consistently predicting some massive problems on the horizon that may result in notable human casualties. And we’re not helping the problem by letting companies monopolize repair, or consistently erode our privacy rights or our freedom to tinker.



Comments on “Self Driving Taxis Are Going To Be A Nightmare To Secure, Warns Ex-Uber Security Researcher”

20 Comments
Killercool (profile) says:

Wait a minute...

Aren’t these guys the ones who were only able to "hack" the Jeep by changing hardware? Like, they had to install compromised chips, and the like?

If so, how is what they are doing so different from cutting brakelines and sugaring gas tanks?

Because, face it, any security system’s greatest flaw is a criminal having physical access to its inner workings.

DDJ says:

Re: Wait a minute...

Yeah, this is sensationalist clickbait. Yes, current federal law says the manufacturer “…can’t block consumer access to the vehicle’s OBD2 port…” It doesn’t say the taxi company can’t put a locked metal door over it or, perhaps even better, install a manual multi-throw switch under the hood that physically breaks the wires so the port is disconnected until it’s needed and someone lifts the hood and turns the switch.

Yes, it would cost more money but there’s no reason you can’t have two separate systems with separate buses in the vehicle. One system is entertainment, etc. and has a wireless connection capability. The other system controls the car’s engineering, steering, etc. and has no wireless capability. Have a link between the two systems so that when a physical switch is in the ON position, the two systems can talk. Thus you can download an update, say, over the entertainment system and send it to the control system. When the switch is in the OFF system, there is no communication between the systems or, if you want to be able to read and report information from the control system, have a transmit cable from the control to the entertainment system but have the receive cable physically separated until the switch is turned ON. The switch should be physically inaccessible from the passenger compartment. Sure, someone can still hack the car if they get physical access to under the hood. Full physical access usually means “game over” for any system. But so far as a passenger or someone outside the vehicle hacking in with a laptop and a transmitter, problem effectively solved.

Anonymous Coward says:

Re: Re: Wait a minute...

No, the whole point is to scare the authoritarians into “doing something”. A.k.a. “We can’t give you the right to repair because that would make cars less safe” BS.

Never mind that codesigning doesn’t prevent hackers from compromising a system. It just prevents the average owner from fixing the vulnerability legally without the manufacturer’s permission. Which is the point.

A better solution would be to invest in mass transit systems, encourage people to live closer to their job, and overall make better urban planning decisions that don’t discourage people from following driving laws. (Dumb decisions like, requiring a 4-lane highway to have a speed limit of 45mph because the people living nearby don’t like the noise. Or the complete lack of faster alternative routes that require people to drive through residential areas to get from one side of town to another.) But that’s not the goal. The goal is ever increasing power over the lives of others, not the betterment of life for everyone.

Roger Strong (profile) says:

Re: Wait a minute...

Aren’t these guys the ones who were only able to "hack" the Jeep by changing hardware? Like, they had to install compromised chips, and the like?

No. They used physical access to a Jeep to figure how to hack it, but not to perform the hack itself. They claim that the hack would have worked on other Fiat Chrysler models.

On the other hand the hack required a car with cellular Internet service. And by the time they demonstrated the hack, Fiat Chrysler had already fixed the software to make it impossible.

Anonymous Coward says:

I can see this being a problem but most of it has to do with physical tampering? Put a tamper-proof barrier over any data port. Integrate it with a lojack system so that it phones home if someone is tampering with it. Otherwise, set the taxi’s computer systems to only accept certain servers. Then complete that with providing different encryption keys per vehicle or maybe just the fleet of vehicles per buyer. There will always be back doors but doing a lot of the basic security practices will eliminate 99.9% of the regular hackers. Lastly maybe have the taxis send notification on any logs out of the ordinary, everything from temperature to networking. Probably would be a good idea anyway since you may be able to catch engine problems while the solution is still cheap. You probably could even configure a kill switch that would shut down the car if it deviates too far from its path.

Anonymous Coward says:

“And we’re not helping the problem by letting companies monopolize repair, or consistently erode our privacy rights or our freedom to tinker.”

I don’t understand how this relates to the dangers of self driving cars. Wouldn’t this tend to ensure that there would be less people able to tamper with the cars?

Christenson says:

Re: Closed/consumer proof platforms and security

The history of hacking is that the tools become rapidly democratized. Just look at DRM and games and the cat-and-mouse game there.

What the closed platform does is keeps the whitehats out, so the vulnerabilities remain secret and go unpatched. Whitehats need to tinker to find the problems, and they don’t need big brother getting mad at them (because the privacy invasion lets them know) and stopping them from tinkering.

Anonymous Coward says:

Re: Re:

The security/vulnerability of code is most often directly related to the number of knowledgeable developers who are allowed to review it. Most open source software is a lot more secure than closed source software because it goes thru scrutiny. Much of the security of closed source is security thru obscurity (none but a select few can see the code so they can’t take advantage of vulnerabilities). Open source means there is no obscurity, so if it is secure, it is such by design.

Christenson says:

Nice car you got there...too bad if I steal it!

So, I’m a crook….

Car comes to me, I hop in, we go through my favorite cellular deadspot, I swap out the controller software.

In a few weeks, the car drops off the cellular network in the middle of a traffic jam…

and drives to my house…

Damn, that’s a nice car there! I wonder what my favorite, semi-fraudulent used car dealer is willing to pay for it?

So I’m a crook…..
My wife was killed in an unfortunate accident in a parking lot when a driverless car ran over her! I’m so upset! (not!)

Anon says:

Coming

For decades, computers were not terribly secure and didn’t have an incentive to be – read The Cuckoo’s Egg for a fun romp through our past. Systems were wide open because passwords were too much like work to implement. Then, it became serious and now we have much tighter systems; despite the fear-mongering, the vast majority of home computers are not something a random hacker can simply connect to on a whim.

The same will be true of cars. The connected, computerized car is in its infancy. The current impetus is to provide proof of concept, to add features and determine that they work, such as “self-driving”. When this tech becomes ubiquitous, so will the incentive to provide decent protection, from wireless or wired connections.

As mentioned – a simple fix for taxis is to remove physical access. Just because a vehicle must have an accessible data plug upon purchase, does not mean the owner – a taxi company – cannot make it inaccessible after purchasing the vehicle.

Christenson says:

Ownership Problem

An autonomous taxi is a particularly sticky version of both the ownership problem and the autonomous weapon problem:

Any car can be an effective murder weapon. Will it recognize the target correctly?

Secondly, as a taxi, it is out in hostile territory…cell tower spoofers (stingrays) are cheap… and if they own your communications, they own you.

Inside, there’s a bunch of computers that no one completely owns. Yes, that handy OBD port can be blocked, but it goes all over the car, can you armor it everywhere?

This wouldn’t be such a problem *if* there was some security on that bus…but there isn’t.

Rich Kulawiec (profile) says:

It's worse than a nightmare

“But Miller notes that companies like Uber are bolting their computer systems onto already built vehicles, which complicates things”

No. It doesn’t complicate things. It makes them very simple and very clear. This is a full admission that they failed at the moment they began. One of the things we’ve learned — and some people are learning it over and over and over again — is that it’s impossible to retrofit security. Not hard. Impossible. You have to design it in at the whiteboard stage, otherwise you will inevitably fail.

Uber has failed. All the money, all the time, everything they’ve invested in this has been wasted — modulo perhaps some lessons learned. If they REALLY want to design a secure taxi, and I doubt they do (I think they want to design a taxi that they can claim is secure), then they need to start with a blank whiteboard. And they need to be prepared to spend a lot of money and wait a long time.

My_Name_Here says:

Laughing at this one...

OMG, this one is funny. I know you guys are trying to push a “they can hack anything” agenda, but damn, did you even read the stuff?

Almost all of this guy’s concerns are focused on the OBD2 port, which on most cars is generally under the edge of the dashboard. It gives fairly full access to the on board systems, within the limitations provided by the manufacturer. Often, this means “read and reset” only and little or no ability to actually add anything.

But, going along with your “hacking anything” narrative, it is of course entirely possible to develop a tool that would plug into the port and might be able to override some of the action happening on the canbus. However (and this is a big however) that is generally NOT the part that does the automated steering and such. It’s mostly the engine control (mixture, idle settings, and such) and diagnostics on brakes, transmission, cooling system, lights, and the like.

Now here’s the key: He is worried because the port is accessible to the public by mandate. Well, umm, yeah. Not that it’s a big thing, but relocating the port on self driving cars to a secured area (under hood) or behind a locked panel would essentially negate this problem. Heck, even a lock on cover over the OBD2 plug would be enough to thwart this supposed security issue.

He is right to say we should be concerned, but if his huge security hole can be fixed with a simple relocation of a plug or a few dollars for a locking cover, then we don’t have much to deal with.

Beyond that, it’s not clear that self-driving features would be accessible via the canbus system. Even if they are, it would seem obviously prudent for those features to be locked down in a manner that requires much more than a simple plug to get around. It perhaps even expresses the need to assure that the systems are developed over time as being unconnected for maintenance, requiring a completely different and much more secure system to look into the self-driving part of the car.

Story makes me laugh. These guys are working hard to justify their salaries, I guess!
