GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown

from the I'm-sorry-I-can't-do-that,-Dave dept

We’ve highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space are opening the door to all kinds of problems, from historically-massive DDoS attacks to your refrigerator leaking your Gmail login data. And while your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the “smart” automobile space, where a compromised system could prove decidedly more, oh, fatal.

Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They’ve similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive–if they arrive at all.

Granted, it’s not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:

“The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines.”

The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of… “123456.” Worse perhaps, because these systems are so closely tied to a vehicle’s network and computers, the hacker found he could actually disable some vehicle systems (since that’s a function already embedded in these services’ app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.

The researcher who discovered the problem noted it wouldn’t be hard to use such vulnerabilities to create some notable urban headaches:

“On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices… ‘My target was the company, not the customers. Customers are at risk because of the company,’ L&M told Motherboard in an online chat. ‘They need to make money, and don’t want to secure their customers.’”

Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports has indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale — something security experts like Bruce Schneier have been warning about for some time.


Comments on “GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown”

28 Comments
Anonymous Coward says:

Note what is being discussed here is cars a product that existed for a hundred years without digital computer control.

Also note that a web interconnected computer is not required for any environmental reason.

That being is the only reason for computer control a lock in of the repair service as per John Deere?

PaulT (profile) says:

Re: Re:

"Note what is being discussed here is cars a product that existed for a hundred years without digital computer control."

So has the printing press, that doesn’t mean it’s better for everybody to typeset by hand.

"That being is the only reason for computer control a lock in of the repair service as per John Deere?"

If you ignore all the stuff it actually does, sure.

Anonymous Coward says:

Re: Re: Re: Re:

The NSA was even more incompetent in Under Siege 2 since it was noted that Grazer One could only be hacked by a moving computer station (hence the need for a train). So instead of Steven Seagal needing to run through a burning, collapsing train to take a flying leap onto a waiting ladder strung from a helicopter, they could have just cut power to the third rail and disabled the satellite.

PaulT (profile) says:

Re: Re:

My view is that there’s a non-zero danger with those kinds of cars and there will certainly be some major problems caused. But, the overall realistic amount of damage will still be lower than with the current number of drunk/distracted/outright bad drivers on the roads that self-driving cars will remove from the roads.

Plus, the major problem here is that ease of use, extra features and the like take priority over security with this tech. As soon as it becomes a marketable or even legally actionable problem, this stuff will start getting a lot better. The current car manufacturers just don’t care because their market doesn’t care. They’ll change their tune as soon as that changes.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:2 Re:

Ah, you’re thinking about the end user’s insurance, and that might be part of the process. I was thinking about those that insure the manufacturers. They are going to do everything they can to mitigate the manufacturers’ liability.

I am surprised they haven’t taken action with regard to the security of the software mounted in their products, as it will only take a couple of successful cases where that insecurity will cause them major liability, possibly for negligence. Those insecurities, and the potential problems, are becoming more and more apparent. It is only a matter of time, or a few cases, before those that insure the manufacturers bring the hammer down, fix it or lose your insurance.

It is too bad that those few cases might be catastrophic for those end users, but sometimes it takes a good smack to wake someone up, especially when they are blinded by profit.

PaulT (profile) says:

Re: Re: Re:3 Re:

"I am surprised they haven’t taken action with regard to the security of the software mounted in their products"

I’m not. Again – nobody seems to give a crap until something happens. It’s only where liability becomes obvious that action will be taken. Until then, there are a thousand other factors that insurance companies will take notice of, as until then it doesn’t open up new liability that’s recognised.

"It is too bad that those few cases might be catastrophic for those end users"

But, this is the way of things. Car manufacturers are literally known to hold off vehicle recalls if they calculate that the cost of recall would be more than the financial costs of paying off accident victims. I don’t know why you’d be surprised that they haven’t taken action on an issue that, to the best of our knowledge, has not been exploited to actually cause any serious accidents yet.
