GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown

from the I'm-sorry-I-can't-do-that,-Dave dept

We've highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space are opening the door to all kinds of problems, from historically massive DDoS attacks to your refrigerator leaking your Gmail login data. And while your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the "smart" automobile space, where a compromised system could prove decidedly more, oh, fatal.

Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They've similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive--if they arrive at all.

Granted, it's not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:

"The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines."

The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of..."123456." Worse perhaps, because these systems are so closely tied to a vehicle's network and computers, the hacker found he could actually disable some vehicle systems (since that's a function already embedded in these services' app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.

The researcher who discovered the problem noted it wouldn't be hard to use such vulnerabilities to create some notable urban headaches:

"On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices...“My target was the company, not the customers. Customers are at risk because of the company,” L&M told Motherboard in an online chat. “They need to make money, and don't want to secure their customers."

Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports has indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale -- something security experts like Bruce Schneier have been warning about for some time.

Filed Under: cars, gps, remote vehicle shutdown, security, vulnerability


Reader Comments



  • identicon
    Anonymous Coward, 1 May 2019 @ 6:38am

    Note what is being discussed here is cars a product that existed for a hundred years without digital computer control.

    Also note that a web interconnected computer is not required for any environmental reason.

    That being is the only reason for computer control a lock in of the repair service as per John Deere?


    • icon
      PaulT (profile), 1 May 2019 @ 6:52am

      Re:

      "Note what is being discussed here is cars a product that existed for a hundred years without digital computer control."

      So has the printing press, that doesn't mean it's better for everybody to typeset by hand.

      "That being is the only reason for computer control a lock in of the repair service as per John Deere?"

      If you ignore all the stuff it actually does, sure.


      • icon
        Gary (profile), 1 May 2019 @ 7:09am

        Re: Re:

        Today, my computer-controlled car will shut the engine off at stoplights. Seamlessly.

        My old non-computer car with a carburetor would rarely start on the first try. And sometimes not on the second either.

        And yes, I much prefer this keyboard to Guttenberg press.


        • icon
          PaulT (profile), 1 May 2019 @ 7:44am

          Re: Re: Re:

          It's a petty little peeve - but there's only one t in that Gutenberg's name. The guy with 2 t's was in the Police Academy movies.


        • identicon
          Anonymous Coward, 1 May 2019 @ 12:27pm

          Re: Re: Re:

          Cool - but why do I need random people on the internet to have the capability to shut down my vehicle while it is at highway speeds?

          Is there an option on new vehicles to not have these things installed?
          Is it illegal to disconnect them?


  • icon
    Matthew Cline (profile), 1 May 2019 @ 6:41am

    The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of..."123456."

    That's amazing! I've got the same combination on my luggage!


  • identicon
    Anonymous Coward, 1 May 2019 @ 7:00am

    This was the 1983 prototype for this type of system in a car:

    https://www.youtube.com/watch?v=zNSDAaeIh7U


  • identicon
    Anonymous Coward, 1 May 2019 @ 7:18am

    I can imagine armored truck companies scrambling to disable the GPS systems on their vehicles.


  • identicon
    Anonymous Coward, 1 May 2019 @ 8:34am

    only if the vehicles are traveling at speeds slower than 12 miles per hour.

    Well, it could be worse. The vehicle could be vulnerable to remote detonation if it goes slower than 50 miles per hour.


    • identicon
      Anonymous Coward, 1 May 2019 @ 8:54am

      Re:

      But if that happens you can call the cops who didn't figure out that they could have stopped the speeding subway at the end of the film simply by cutting power to the third rail.


      • icon
        PaulT (profile), 1 May 2019 @ 9:04am

        Re: Re:

        ...and rob people of the chance to see Dennis Hopper hilariously decapitated? I'd rather they stay incompetent.


        • identicon
          Anonymous Coward, 1 May 2019 @ 9:51am

          Re: Re: Re:

          The NSA was even more incompetent in Under Siege 2 since it was noted that Grazer One could only be hacked by a moving computer station (hence the need for a train). So instead of Steven Seagal needing to run through a burning, collapsing train to take a flying leap onto a waiting ladder strung from a helicopter, they could have just cut power to the third rail and disabled the satellite.


      • identicon
        Anonymous Coward, 1 May 2019 @ 9:53am

        Re: Re:

        Come to think of it, this also ruins Money Train and probably every other "Die Hard on a Train" film.


        • icon
          PaulT (profile), 1 May 2019 @ 10:49am

          Re: Re: Re:

          Logic often ruins action movies if you keep your brain turned on :(

          That’s one reason why Die Hard is so great - Gruber was counting on the cops actually being competent and following procedure, not winging it in the hope they’d miss something obvious.


  • identicon
    TFG, 1 May 2019 @ 8:43am

    And this is why I have a dim view of the future of the self-driving car. It's not pessimism regarding the ability of the car to drive - it's pessimism regarding the security that will be put into any such system, to prevent outside interference by any source.


    • icon
      PaulT (profile), 1 May 2019 @ 9:07am

      Re:

      My view is that there's a non-zero danger with those kinds of cars and there will certainly be some major problems caused. But, the overall realistic amount of damage will still be lower than with the current number of drunk/distracted/outright bad drivers on the roads that self-driving cars will remove from the roads.

      Plus, the major problem here is that ease of use, extra features and the like take priority over security with this tech. As soon as it becomes a marketable or even legally actionable problem, this stuff will start getting a lot better. The current car manufacturers just don't care because their market doesn't care. They'll change their tune as soon as that changes.


      • icon
        Anonymous Anonymous Coward (profile), 1 May 2019 @ 9:47am

        Re: Re:

        "The current car manufacturers just don't care because their market doesn't care. "

        But the insurance companies will, and they's got them some influence.


        • icon
          PaulT (profile), 1 May 2019 @ 10:46am

          Re: Re: Re:

          Yes, but the claims have to come in first and then they will need to be ones that the insurance finds it difficult to avoid paying out. That will take a while.


          • icon
            Anonymous Anonymous Coward (profile), 1 May 2019 @ 11:26am

            Re: Re: Re: Re:

            Ah, you're thinking about the end user's insurance, and that might be part of the process. I was thinking about those that insure the manufacturers. They are going to do everything they can to mitigate the manufacturers' liability.

            I am surprised they haven't taken action with regard to the security of the software mounted in their products, as it will only take a couple of successful cases where that insecurity will cause them major liability, possibly for negligence. Those insecurities, and the potential problems, are becoming more and more apparent. It is only a matter of time, or a few cases, before those that insure the manufacturers bring the hammer down, fix it or lose your insurance.

            It is too bad that those few cases might be catastrophic for those end users, but sometimes it takes a good smack to wake someone up, especially when they are blinded by profit.


            • icon
              PaulT (profile), 2 May 2019 @ 12:12am

              Re: Re: Re: Re: Re:

              "I am surprised they haven't taken action with regard to the security of the software mounted in their products"

              I'm not. Again - nobody seems to give a crap until something happens. It's only where liability becomes obvious that action will be taken. Until then, there are a thousand other factors that insurance companies will take notice of, as until then it doesn't open up new liability that's recognised.

              "It is too bad that those few cases might catastrophic for those end users"

              But, this is the way of things. Car manufacturers are literally known to hold off vehicle recalls if they calculate that the cost of recall would be more than the financial costs of paying off accident victims. I don't know why you'd be surprised that they haven't taken action on an issue that, to the best of our knowledge, has not been exploited to actually cause any serious accidents yet.


      • identicon
        Anonymous Coward, 1 May 2019 @ 1:34pm

        Re: Re:

        The death count by vehicles will definitely go down, but it will now be selected (controlled) vehicle deaths...

        I guess that's better if you're the one in control (the 1%)


  • identicon
    Anonymous Coward, 1 May 2019 @ 10:02am

    I doubt it will take very long for this feature to be abused.


  • identicon
    Glenn, 2 May 2019 @ 4:06am

    Now more than ever I really really don't want to ever buy a new car, esp. not one with any "smart" features.


