The Truth About Cars » Security
http://www.thetruthaboutcars.com
Mon, 31 Aug 2015 17:30:55 +0000
The Truth About Cars is dedicated to providing candid, unbiased automobile reviews and the latest in auto industry news.

Apparently All Cars Can Be Hacked Now: Insurance Dongle Edition
http://www.thetruthaboutcars.com/2015/08/apparently-cars-can-hacked-now-insurance-dongle-edition/
Tue, 11 Aug 2015 17:00:58 +0000

Hackers say they may be able to control any vehicle with a telematics-enabled sensor — including a popular sensor that insurance companies use for consumers — plugged into the car’s diagnostic port, according to a Wired report (via The Verge).

In recent weeks, several hacks have surfaced — Chrysler, General Motors and Tesla — related to specific automakers. According to the report, the On-Board Diagnostic system hack could apply to any make or model fitted with an insurance or tracking dongle. The University of California San Diego researchers say they’ll present their findings at the Usenix conference Tuesday.

And, um, there’s no easy way to put this, but … it doesn’t appear that it would be all that hard to find cars with the dongles at the moment.

The story focused on a dongle provided by a Bay Area insurance provider, MetroMile, which uses the dongle to charge customers by the mile. Hackers remotely shut down a Corvette using the device by sending the dongle an SMS message that confused the device into controlling the car’s vital functions. The hackers say they could control steering, throttle and brakes using the hacks. Although the target was a Corvette, the researchers said they could apply the hack to many more cars.

From the story:

“It’s not just this car that’s vulnerable,” says UCSD researcher Karl Koscher. He points to the work of researchers Charlie Miller and Chris Valasek, who revealed and published the code for a wide array of attacks on a Toyota Prius and Ford Escape in 2013 that required only access to a vehicle’s OBD2 port. “If you put this into a Prius, there are libraries of attacks ready to use online.”

MetroMile says it wirelessly updated its devices when it became aware of the hack weeks ago.

Hackers say that the hack may apply to Progressive Casualty Insurance Company’s Snapshot device, which also uses telematics to transmit information; however, hackers didn’t provide a proof of concept for the device’s vulnerabilities earlier this year.

The Wired story offered a tidbit of terrifying information: UCSD hackers scanned the web using Shodan and found “thousands” of hackable devices — mostly in Spain. It was unclear in earlier hacking reports how vulnerable cars could be targeted without first having direct contact with the car or physical access. Now, apparently, there’s a web search for that.

In addition to insurance dongles, the hackers say similar hacks could be used for dongles placed in fleet vehicles used for tracking.

Security Flaw in Uconnect Lets Hackers Remotely Kill Jeep’s Engine
http://www.thetruthaboutcars.com/2015/07/security-flaw-uconnect-lets-hackers-remotely-kill-jeeps-engine/
Tue, 21 Jul 2015 20:00:38 +0000

2013 RAM 3500 Interior, uConnect 8.4, Picture Courtesy of Alex L. Dykes

If you’re like me, you may have found yourself asking “Why would Fiat Chrysler Automobiles release a patch for Uconnect if nothing is wrong?” last week.

The answer, provided by Wired today, is “They wouldn’t,” and that hackers could remotely kill a Jeep through a zero-day exploit in the system’s software. Additionally, hackers could take control of many other functions including steering, climate controls, brakes, throttle — the whole nine yards.

The Internet-based attack can remotely control just about any part of the car, according to the story. The two St. Louis men featured, Charlie Miller and Chris Valasek, can reportedly control any part of the car: stereo, windshield wipers, steering (only in reverse), braking, transmission and air conditioning.

The duo say they plan to release a portion of their exploit when they speak at a security conference in Las Vegas next month.

Chrysler isn’t happy.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

FCA has a dedicated team from System Quality Engineering focused on identifying and implementing software best practices across FCA globally. The team’s responsibilities include development and implementation of cybersecurity standards for all vehicle content, including on-board and remote services.

As such, FCA released a software update that offers customers improved vehicle electronic security and communications system enhancements. The Company monitors and tests the information systems of all of its products to identify and eliminate vulnerabilities in the ordinary course of business.

Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. The software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.

Customers with questions may call Vehicle Care at 1-877-855-8400.”

Miller and Valasek say they’ll leave out important parts of their code that potentially malicious hackers would require to duplicate their feats.

Last week, FCA released an update for Uconnect addressing the vulnerability. That update must be installed at dealerships, or by owners with a USB stick, which could be an encumbrance for many owners, leaving many vulnerable Jeeps on the road.

According to the Detroit News, two U.S. Senators are proposing a bill that would specify federal standards for automotive computer systems to combat hacking.

(I asked Chrysler last week when the patch was released and heard that “nothing in particular” prompted the update and I bought it. I have failed you, TTAC readers, and I’m sorry.)

Data Privacy Concerns Rise Within Connected-Car Industry
http://www.thetruthaboutcars.com/2014/06/data-privacy-concerns-rise-within-connected-car-industry/
Fri, 06 Jun 2014 13:00:33 +0000

2013 RAM 3500 Interior, uConnect 8.4, Picture Courtesy of Alex L. Dykes

As more vehicles come with infotainment systems mounted in the dashboard console, consumers are beginning to face the issue of losing privacy behind the driver’s seat.

The Detroit News reports that data from a vehicle so equipped is collected every time the ignition is turned, from where one fills up their tank and stomach, to how fast one drives and their preference for doing so. While the data goes back to the automaker in question, there are few security measures governing who is allowed to view — and use — the data for their own needs. Strategy Analytics associate director Roger Lanctot explains:

(Your car’s) presumably tracking you all the time. Somewhere along the way we need to have a better understanding because right now, the reason why it feels like the Wild West is that it’s so open. You’re basically letting the carmaker gather whatever data it wants and share it with whoever, including marketing partners and law enforcement.

His concerns were voiced during the keynote speech before attendees of this year’s Telematics Detroit 2014 in Novi, Mich. as part of a day devoted to privacy and security with automotive infotainment and diagnostics technology. Though the focus comes in light of knowledge of the National Security Agency’s overreaching hand upon U.S. citizens, a survey found some of the attendees weren’t too concerned over what their car tells anyone else. Others, however, were more worried about their car pulling a GLaDOS on the highway in traffic.

Lanctot believes consumers will have “a privacy button” in their vehicles down the road, which would at the very least provide transparency on who exactly sees the information in any given vehicle. The feature would, in turn, empower the consumer with control on their information and instill trust with the automaker at the other end of the signal.

Dealership Wheel Thefts Spotlight Security Risks
http://www.thetruthaboutcars.com/2014/02/dealership-wheel-thefts-spotlight-security-risks/
Tue, 11 Feb 2014 05:10:53 +0000

In an era where even mundane family cars are shod with 18-inch-plus rims direct from the factory, dealers are prime targets for mass thefts. One Texas Chevy dealer took a big hit on Sunday, when 22 new cars were shorn of their wheels and tires by a gang of thieves.

Houston CBS affiliate KHOU reports that DeMontrond Chevrolet in Texas City suffered the loss sometime late Saturday or early Sunday. 88 tires and wheels went missing, as thieves pulled all the rims off the vehicles they hit. Photos from the scene show cars held up by bricks, jack stands, and other assorted junk. Unfortunately for the dealer, some of these cars fell off their precarious foundations. The resulting frame and body damage will add tens of thousands of dollars to the already steep replacement cost of the wheels. Insurance will probably pick up the tab for the direct financial losses, but the indirect costs of time and storage are likely to be significant.

From the pictures, it appears that new Camaros, Impalas, and a few trucks were targeted by the thieves. It’s easy to see why: a brand new set of Camaro takeoff wheels sells for around two grand online. Neither the Camaro nor the Impala has wheel locks as standard equipment. GM does offer a set of locking lug nuts for both models as a $90 accessory. Such locks won’t foil the most determined thieves, who can pick or drill out the nuts. Even so, they may deter the street-level thief looking for an easy opportunity, if not the sophisticated dealership bandit.

This wasn’t the first time a Texas dealership was targeted for a mass wheel theft. Back in May of last year, Mac Haik Ford in Georgetown lost nearly 200 wheels off of 48 vehicles in another overnight theft. Row after row of shiny new cars and trucks with wheels worth several hundred dollars apiece are an irresistible plum to thieves. Given the trend towards larger, more expensive rims on mass-market vehicles, OEMs owe it to their dealers and their customers to start taking wheel thefts seriously. Standard locking lug nuts will help, but it may be time to start exploring alternative technologies.

Secret Service Buys Beastly Campaign Bus
http://www.thetruthaboutcars.com/2011/08/secret-service-buys-a-beastly-bus/
Mon, 15 Aug 2011 18:28:12 +0000

In the past, when a sitting president has hit the campaign trail, they’ve leased their own campaign bus which the Secret Service would then retrofit with all the latest security features. But no longer, as Talking Points Memo reports that the presidential bodyguards are buying their own bespoke campaign bus, reportedly from Hemphill Brothers Coach Company. Secret Service spokesman Jim Mackin explains:

We’ve never been fully comfortable with the security provided by a bus we lease and then try to retro-fit. This would be just like other vehicles we’re adding to our fleet. We’d use them for the campaign, but they’re not for campaign purposes. They would be part of our fleet — just like our limos, just like our follow-ups, just like our emergency vehicles.

And this isn’t just for President Obama: one of the two new buses will be made available to the Republican candidate as well. And because the buses are government property, they won’t be allowed to have campaign logos and both campaigns will have to reimburse the Secret Service for their use. There’s no word on what retrofits the new buses will receive, but we’d be disappointed to find there’s not at least one minigun turret. Because you can never have enough miniguns on the campaign trail… [Hat Tip: Dan Licht]
