Old 01-19-2023, 08:49 AM   #15
Capricio
 
Drives: 2000 WS6
Join Date: Dec 2014
Location: AZ
Posts: 676
Anyone recall the episode of Mr Robot where they are being pursued by a late-model Suburban or Tahoe (black, of course) and they call OnStar, use some (stolen/hacked) police emergency action code, and tell the operator to override and disable the vehicle?

https://www.theverge.com/2017/10/12/...wer-saver-mode

Last edited by Capricio; 01-19-2023 at 08:52 AM. Reason: link added
Old 01-19-2023, 11:30 AM   #16
Casper the friendly G
Account Suspended
 
Drives: 17' Chevy Kamaro SS 6 speed
Join Date: Mar 2022
Location: US
Posts: 337
Quote:
Originally Posted by ardyzl1 View Post
I'm a retired IT systems admin. I wrote and debugged large scale internal applications for a well known three letter company. I am not a security expert, but I know about some of the basics.

I stumbled upon this article on Bruce Schneier's Blog. Bruce Schneier is one of the world's foremost IT security experts.
Remote Vulnerabilities in Automobiles

https://www.schneier.com/page/2/


He links to this article by some other security experts.

https://samcurry.net/web-hackers-vs-the-auto-industry/

This is pretty serious stuff. The good news is that GM is not mentioned in the article. The bad news is that GM and all other auto manufacturers are vulnerable to all the same hacks because they all use the same type of systems.

If you are not a computer security expert you probably won't understand much of it, and I don't understand all of it myself either. But what it means is that there are a whole bunch of ways to access your car remotely, and hackers can do it as well as unscrupulous dealers, repair shops, OnStar, auto makers, and their employees. In fact good hackers can probably do more than authorized personnel, simply because hackers understand the technology better than most authorized employees.

I don't know what the solution is, but I would guess that we really need to be using two factor authentication and go back to physical keys to lock and unlock things. Combined, this becomes three factor authentication, and even that may not be totally secure. Hackers are very clever guys.

One thing that really disturbs me is the use of the infotainment system to control non-entertainment aspects of the car. At this time there really isn't a whole lot you can do about it because everything is interconnected. That's a big security no-no. Any time you allow remote access, you have an attack vector that can't be easily closed.

I think we should all start thinking about security and perhaps find some way of letting GM know that it IS important to customers. The auto makers simply provide what customers want, and when it comes to computer security, it's a lot easier to make the system work than to make it work securely. And a lot cheaper too.

Complex systems are incredibly difficult to develop and bugs are inevitable. Just fixing the bugs is so overwhelming that security is often left behind, especially because good security makes debugging even harder, and secure code is just that much more stuff to debug.

I for one will not use SiriusXM but I don't think you can just disconnect these cars from their manufacturer without disabling functionality. I could be wrong though.

Any IT security guys out there have any thoughts or suggestions?



All you say I think is correct. Here is a tip...when entering and exiting your car don't use the keyfob button. Always use the button on your door handle to unlock and lock your door in case someone is nearby using a remote sniffer attempting to capture packets while the fob is communicating with your car.
Old 01-19-2023, 11:45 AM   #17
Casper the friendly G
Account Suspended
 
Drives: 17' Chevy Kamaro SS 6 speed
Join Date: Mar 2022
Location: US
Posts: 337
This is also another reason why the deep state is pushing for Electric Vehicles. All electric vehicles are much easier to control remotely. Cops will be able to shut your car down at will if they need you to stop. All you do and where you go will easily be monitored much easier in an all EV. They will even be able to control your speed at will. Think I am lying? Anyone been keeping up with the crap they are discussing at the World Economic Forum this week hosted by Hitler's friend Klaus Schwab? Yep he knew Hitler as a kid as his family was friends with Hitler. They are even openly talking about how good things will be when they begin installing chips in the brains of humans. It used to be a conspiracy theory, now it's openly spoken about. See for yourself....

https://twitter.com/jamesmelville/st...16478985338882
Old 01-19-2023, 11:48 AM   #18
Casper the friendly G
Account Suspended
 
Drives: 17' Chevy Kamaro SS 6 speed
Join Date: Mar 2022
Location: US
Posts: 337
Quote:
Originally Posted by JTS View Post
So to start , get rid of OnStar (which I unsubscribed) and cancel SiriusXM?

I don't subscribe to OS or Sir. But OS can still have access to your car; all they have to do is activate it from their end....same with Sir.

Last edited by Casper the friendly G; 01-19-2023 at 11:49 AM. Reason: ddd
Old 01-19-2023, 11:53 AM   #19
Casper the friendly G
Account Suspended
 
Drives: 17' Chevy Kamaro SS 6 speed
Join Date: Mar 2022
Location: US
Posts: 337
Quote:
Originally Posted by ardyzl1 View Post
I happen to know that if a large company does business with U.S. government, they ARE in fact vetted for cyber security. And some companies do take their security more seriously than others. I suspect GM is among the "good guys" if there is such a thing because they have LOTS of government contracts. Probably Chrysler and Ford too. But nobody is perfect.

Also, every laptop has a camera in the middle of the top bezel of the lid. I keep a piece of tape on mine. And some smart TVs also have a camera, usually in that same location, ostensibly to watch eye movements so they can track if you are watching commercials. I'm the kind of guy that has duct tape all over my cell phone, and my TV too. There are several thousand companies buying and selling personal information. You've never heard of most of them. The main thing that saves us from spyware is that the amount of data collected is so enormous that only AI software can analyze it. There ain't no guys huddled around screens in underground buildings poking through your dossier, there's just too much data to wade through.

When hackers do get their script kits, they aren't likely to be worried about you personally. What they might do is unlock your car so somebody can drive it away while you are inside the movie theater or whatever. These cars are very desirable so I don't think they want to damage or hurt for fun, they want to make a buck. My main paranoid fear is walking out of the store to find an empty parking stall where my car used to be.



Exactly, first thing I do with my laptops is turn off the camera and then put tape over the lens along with adding virus protection and VPN.
Old 01-19-2023, 12:00 PM   #20
arpad_m


 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 13,450
Quote:
Originally Posted by Casper the friendly G View Post
All you say I think is correct. Here is a tip...when entering and exiting your car don't use the keyfob button. Always use the button on your door handle to unlock and lock your door in case someone is nearby using a remote sniffer attempting to capture packets while the fob is communicating with your car.
I also agree with the points ardyzl1 made, and unfortunately don't have a solution. I personally think complexity is continuously on the rise and will soon reach a point where no human, not even teams of the smartest people, will be able to understand the systems we create, unless the current trajectory is abandoned.

As to the door handle button, that only works when a fob is in its proximity, so it reduces the attack surface (to hackers within 3-4 feet of you, possibly sitting in the car next to yours in a parking lot) but does not eliminate it completely.
__________________
2018 Camaro 2SS — G7E MX0 NPP F55 IO6
735 rwhp | 665 rwtq

Magnuson TVS 2300 80mm pulley | Kooks 1 7/8" LT headers | JRE smooth idle Terminator cam | LT4 FS & injectors | TSP forged pistons & rods
JMS PowerMAX | DSX flex fuel kit | Roto-Fab CAI | Soler 95mm LT5 TB | 1LE wheels | 1LE brakes | BMR rear cradle lockout | JRE custom tune

1100 - 1/30/18 | 2000 - 1/31/18
3000 - 2/06/18 TPW 2/26/18
3400 - 2/19/18 | 3800 - 2/26/18
4300 - 2/27/18 | 4B00 - 3/01/18
4200 - 3/05/18 | 4800 - 3/14/18
5000 - 3/16/18 | 6000 - 3/19/18
Old 01-19-2023, 02:28 PM   #21
jcharm
 
Drives: 2021 LT1 Camaro
Join Date: Dec 2020
Location: Los Angeles
Posts: 67
Quote:
Originally Posted by Casper the friendly G View Post
All you say I think is correct. Here is a tip...when entering and exiting your car don't use the keyfob button. Always use the button on your door handle to unlock and lock your door in case someone is nearby using a remote sniffer attempting to capture packets while the fob is communicating with your car.
Pretty sure it doesn't work like that. Your fob is always pushing out a low power signal regardless if you are pressing the button. The hack is a device that amplifies the signal and completes the connection even though the fob is too far away normally. If you're paranoid about it keep your fob in a metal box that blocks the signal. I guess you could throw it in the fridge too. Nothing like an ice cold fob in your pocket.
Old 01-19-2023, 08:56 PM   #22
Anjilslaire
 
Drives: 2021 3LT RS A10
Join Date: Nov 2021
Location: South Sound, Washington
Posts: 486
Quote:
Originally Posted by Casper the friendly G View Post
Exactly, first thing I do with my laptops is turn off the camera and then put tape over the lens along with adding virus protection and VPN.
VPNs don't help with your privacy the way you think they do
Old 01-19-2023, 09:18 PM   #23
grgus73
 
Drives: 2024 Silverado 2500, 2018 Trax
Join Date: May 2017
Location: Gold Country
Posts: 73
Quote:
Originally Posted by Casper the friendly G View Post
Exactly, first thing I do with my laptops is turn off the camera and then put tape over the lens along with adding virus protection and VPN.
I do the same…..VPN and AV. You can also use 2 factor authentication, use that for work.
With some laptops you can also disable the webcam from the BIOS.
You can also encrypt the hard disk partition and password protect your OS.

Have set up Horizon and Citrix and they work well for connecting to desktop sessions remotely, pretty secure.

I like the idea of using the door handle to arm and disarm, to prevent would-be-thieves from scanning remotes.

Would be interested in 100% fully opting out of on-star if you have no intention of activating the services.

Last edited by grgus73; 01-19-2023 at 09:30 PM.
Old 01-19-2023, 10:03 PM   #24
arpad_m


 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 13,450
Quote:
Originally Posted by grgus73 View Post
Would be interested in 100% fully opting out of on-star if you have no intention of activating the services.
https://www.camaro6.com/forums/showthread.php?t=467634 describes the "nuclear" solution, the only one that works (for this purpose).
Old 01-20-2023, 01:33 AM   #25
Casper the friendly G
Account Suspended
 
Drives: 17' Chevy Kamaro SS 6 speed
Join Date: Mar 2022
Location: US
Posts: 337
Old 01-20-2023, 03:23 AM   #26
truckrglenn
 
Drives: Chevy camaro
Join Date: Jan 2022
Location: Tennessee
Posts: 256
Heck, I'm still hoping that someone will steal my identity so that I can have better credit.
__________________
Glenn
SOLD - 2017 Camaro 2LT RS Convertible
2017 GMC Arcadia Denali
Old 01-20-2023, 10:00 AM   #27
arpad_m


 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 13,450
Quote:
Originally Posted by truckrglenn View Post
Heck, I'm still hoping that someone will steal my identity so that I can have better credit.
Well played, sir
Old 01-20-2023, 03:48 PM   #28
ardyzl1
Professional Paranoiac
 
Drives: Camaro ZL1
Join Date: Jan 2023
Location: In the basement
Posts: 6
I guess I should clarify the situation here.

I'm not opposed to onstar and remote control. Just as your cell phone tracks your location 4 times a minute, onstar tracks your vehicle location so they can send an ambulance if you crash. Your dealer and automaker can update your car at any time. That's not the problem.

The real problem is that the web interfaces they use to do that are exposed to the public at large! That's the real issue.

When you dial 611 to update your cell phone account, that customer service rep is sitting in a call center and using an internal network to access your account. Nobody on the public internet can even see that web site because it's on an INTERNAL network behind a firewall. And they can't even access your location data because that data is stored on another INTERNAL network firewalled off from the rest of the company internal network.

The automakers have their web sites directly exposed to the public so anybody can try and log in. Just go to something.something.bmw.com and guess a username and password and you might get in. All those sites should be strictly internal access only. It's as if they don't even use the most basic security controls at all. That's what concerns me.

I just think their internal apps that actually CONTROL your car should be behind a firewall and not exposed to internet hackers. Most corporations provide a VPN service for remote employees. That does not appear to be the case with automakers. I realize real security is very complicated and difficult to get right, but I think they should try harder than they do.
__________________
Just because the FBI is out to get me doesn't mean the CIA isn't also out to get me. They're all out to get me!