I have no idea what exactly will be exposed to the manufacturer's backend, what can be manipulated and hacked on the front-end, and the possible safety repercussions involved with this.
Who's to say some government/corporate espionage results in a manufacturer getting their back-end hacked and having every online vehicle immediately get their brakes applied? Definitely some Black Mirror-esque stuff...
Not to mention the convenient ability to surveil any vehicle and their locations with a busted and easily crackable API - why does it take external hackers with a (thankfully good) sense of morals and ethics to bring these things to companies' attention?
It'll probably take something hitting national/international news before lawmakers or companies take this security seriously.
The automotive industry has simply been slow to adapt. Manufacturers were almost universally founded in an era when mechanical systems dominated and that's how they want to treat everything. There's been a painful and ongoing learning process for them to realize that software and computerized systems are fundamentally different from the mechanical systems they understand well.
On the inside, doing things securely takes a lot of deliberate and careful work. COTS stuff is rarely designed for high security systems. I've sat in more than one pen test where we found a wireless interface unintentionally added by some dev board that was selected for a completely different purpose. I've also seen cases where the security team/software teams were hired/onboarded after the vehicle design was essentially finalized with little consideration for their requirements.
And so have the legislators and regulators who should have been preventing the automotive industry from selling products where it increasingly seems plausible or even likely that a vulnerability will be found and exploited at scale by someone really trying to do harm and the consequences will be catastrophic.
The danger has been obvious to many who work in tech for a long time and has been publicly demonstrated often enough against enough different types of vehicles that the threat should be like a giant billboard that is repeated every 100m along every road in the world by now. Someone in power needs to realise that even the kind of intense scrutiny and safety culture that we see in for example aviation or some medical fields or nuclear power stations doesn't scratch the surface of what we need for an industry that sells around 100,000,000 new vehicles every year.
The auto industry is infamous for treating the human cost of its failures as a mere financial cost of doing business and operating accordingly. It simply can't be trusted to "adapt". It must be forced through unprecedented levels of oversight, regulation and sanctions for businesses, executives and investors who don't act responsibly.
That is a huge understatement, as they mostly (majorly?) employ electrical/mechanical engineers who end up writing code for the ECUs. Cloud services are mostly an afterthought in design. In my experience, regulation isn't the main problem.
I've personally sworn off any more responsible disclosures to companies not paying at least $1,000/hr (USD) in rewards or without clearly good intentions. I am not bending over backwards to find it either. Any shenanigans means instant disclosure and shenanigans exposure.
I'm about to be homeless and know of exploits currently working at 20 billion dollar companies. They can't even bother responding to emails...
There's a point where one has to focus on needs. Morality I want, food I need.
Yes, but jail food isn't all that it's cracked up to be and if you are able to get that kind of work done then your choice isn't $1000/hour for undisclosed vulnerabilities or starving, the viable alternative is just to get a job.
With those skills you are 10x as employable as most people that are currently jobless. At least.
I imagine my odds of being in an accident in which 25 years of crash safety advancements help are higher than being hacked.
(and for the inevitable flood of "But the A pillars are bigger" comments, if you're safety conscious you can still get cars with reasonably sized A pillars. A few years ago Honda specifically called out smaller, further recessed, A pillars for visibility in the Accord redesign)
I've gritted my teeth every time somebody on HN has referred to their computer as their "daily driver", but I will remain silent no more: You, sir, are the daily driver of your automobile, and NOT vice versa.
However, I'll allow that to connect any new auto you purchase to your computer, you might need to download new drivers.
There’s no way they would remove remote control functions in cars, regardless of the safety implications for the drivers.
I bet after we get the first terrorist act in history to reach millions of victims, they will. And then they will claim nobody could predict it.
Surprised to see these even mentioned on HN. I've read R155 as part of my job and am responsible for implementing it.
There is a lot of money to be made if you're good, so there's the incentive as well.
And Google's bounty program rewards hackers who find bugs in apps with over 100 million installs, or in Google's open source apps. And they pay up to $30,000 per bug depending on impact.
- Broken API authentication mechanisms, SSO that doesn't work properly. The frequency with which they could simply register accounts and then make themselves some sort of admin by sending ordinary HTTP requests, without ever once needing to confirm with anyone in person, is quite astounding.
- Everything being totally exposed on the internet: frontends, backends, all of it. Apparently IP firewalls are history.
- Stringly typed APIs and protocols in which adding escaped control characters in various places allows bypass of critical comparison logic.
- And a bit of SQL injection. Apparently only worth looking for on old web apps - progress?
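The first bullet above, registering an ordinary account and then promoting it to admin with a plain HTTP request, is usually a mass-assignment bug: the sign-up handler copies every field the client sends onto the new account, role included. The following is an added illustration, not code from the research or from any of the companies discussed; the payloads, field names and the in-memory `store` dict are constructed for the example, and `register_vulnerable`, `register_hardened` and `grant_role` are hypothetical names.

```python
# Constructed example: account registration where the role must never come from the client.

def register_vulnerable(payload, store):
    # Mass assignment: every field the client sends lands on the account, including "role".
    account = {"role": "user"}
    account.update(payload)  # a payload carrying {"role": "admin"} silently overrides the default
    store[account["username"]] = account
    return account


# Allowlist of the fields a client is permitted to set at sign-up. "role" is deliberately absent.
ALLOWED_FIELDS = {"username", "email"}


def register_hardened(payload, store):
    # Reject, rather than silently drop, anything outside the allowlist: a request that tries to
    # set "role" is worth logging, since it is exactly the probe the thread describes.
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields in registration: {sorted(unknown)}")
    if not payload.get("username") or payload["username"] in store:
        raise ValueError("invalid or duplicate username")
    account = {field: payload[field] for field in ALLOWED_FIELDS if field in payload}
    account["role"] = "user"  # assigned server-side, not negotiable by the caller
    store[account["username"]] = account
    return account


def grant_role(actor, target, role, store):
    # Role changes are a separate, explicitly authorised operation, never part of sign-up.
    if store.get(actor, {}).get("role") != "admin":
        raise PermissionError(f"{actor} is not permitted to grant roles")
    if target not in store:
        raise KeyError(f"no such account: {target}")
    store[target]["role"] = role
    return store[target]["role"]


if __name__ == "__main__":
    vulnerable_store = {}
    print(register_vulnerable({"username": "mallory", "role": "admin"}, vulnerable_store))
    hardened_store = {"root": {"username": "root", "role": "admin"}}
    print(register_hardened({"username": "dave", "email": "dave@example.test"}, hardened_store))
    print(grant_role("root", "dave", "admin", hardened_store))
```

The point of the allowlist is that the set of client-settable fields is declared once, in code that is obviously about security, rather than being implied by whatever the account model happens to accept.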
It feels like the ad-hoc way user accounts were added to the web platform has led to a universe of different implementations and varying exploits. Still, it'd be good to know what their failure rate was. How many companies did they attack without finding any (serious) problem?
Yes, but very minimal and disappointing.
Sure, people got serious about this and today, SQL injection is hard to near-impossible to introduce using modern frameworks and practices. But we got there by learning the wrong lesson.
We've treated SQL injection as its own vulnerability class. We've taught a generation of developers to Not Write SQL Statements By Hand, to Use Prepared Statements or Use ORMs. Libraries and frameworks were changed accordingly. Sanitizing, which evolved to "Web Application Firewalls", was introduced to detect and block SQL injection attempts. We've solved this as a specific case, instead of learning the general principle: never work with structured operations on structured data in their string representation form.
"Stringly typed APIs" you mention are just another form of this, they're the same class of problems as SQL injection. So are XSS attacks. So are ${any other query language} injection attacks. So is your site breaking apart because of a stupid mistake or malformed user input that broke your templating engine. All of them are caused by gluing unstructured strings together and then deserializing the result.
Operations like "interpolate this value in this place of structure/query" aren't string-level operations, they're structure representation level operations (e.g. DOM node replacements). If you do them in their natural representation, injection vulnerabilities cease to exist.
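To make the "wrong lesson" concrete: the added example below (not from the thread or any project mentioned in it; the table, rows and `find_by_*` function names are constructed for illustration) contrasts three ways of getting a value into a SQLite query. String concatenation is injectable; a quote-escaping sanitizer fixes the quoted-string case but does nothing for a numeric comparison where no quotes exist; binding a parameter fixes both, because the query structure is fixed before the value arrives.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_by_name_concat(conn, name):
    # Vulnerable: structure (the query) and data (the name) glued together as one string.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_escaped(conn, name):
    # The "sanitizer" lesson: doubling single quotes does close the hole in this string context.
    sql = "SELECT name, role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    # The same sanitizer applied to a numeric context: there are no quotes to escape,
    # so the value is parsed as part of the query structure anyway.
    sql = "SELECT name, role FROM users WHERE id = " + str(user_id).replace("'", "''")
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    # The general principle: the query shape is fixed, the value is bound separately
    # and can never be reinterpreted as structure.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_param(conn, user_id):
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "' OR '1'='1"))   # every row
    print(find_by_name_escaped(db, "' OR '1'='1"))  # no rows: the string context is fixed
    print(find_by_id_escaped(db, "1 OR 1=1"))       # every row: the numeric context is not
    print(find_by_id_param(db, "1 OR 1=1"))         # no rows: bound as an opaque value
```

`find_by_id_escaped` is the interesting one: it is the kind of code a developer who learned "escape quotes" writes in good faith, and it is why the parent comment argues that the fix belongs at the level of the query's structure, not at the level of the characters in the string.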
This is something I bang on about a lot in the last few years. So many exploit classes go away entirely if you write an app using standard OOP desktop UI frameworks and tooling. Take a toolkit like Jetpack Compose, JavaFX, WPF and combine it with gRPC or, alternatively, log in directly to the database (as your own user). Now it becomes nigh on impossible to mount injection attacks.
In particular, if your ACL logic is expressed in the database itself (row level security, security-definer views, stored procedures etc), and every user of the system has a database user, then SQL injection goes away entirely by design because you're now designing on the assumption that the user can run arbitrary SQL anyway. If something goes wrong with the containment it's a flaw in the database or your declarative ACLs, and can be patched in one place (+if it's a db bug you can hold the vendor responsible if you license a commercial rdbms).
Now, this type of design can't solve all the problems that cropped up in their explorations, and it adds a few new ones - you have to be careful to configure your database correctly, obviously, and you might become more vulnerable to DoS attacks, although for web apps like dealer consoles DoS is probably not your primary concern. But you will at least have one place to declaratively assert what data everyone should be able to see, and authorization is enforced by centralized logic. Some of the problems found in these websites seem to be caused by devs losing track of what bits of code are meant to enforce security. There are auth tokens everywhere but nothing is being enforced properly. Two tier direct-to-db designs would fix that.
Still, the worst vulns here all seem to be related to creation of new accounts for semi-private systems and the onboarding process for how to assign roles to them. Most auth systems consider account creation and role assignment to be out of scope, which encourages/forces everyone to roll their own account system on top of the web. The results speak for themselves.
Still people insist on writing their code as text strings mumbling "something something but my vim".
As long as people think strings are some "universal format" this madness won't stop.
(I worked on some parts of this research.)
It would be fun to buy a Prius Prime and play Quake on it with steering and horn as controls.
Yep, I see this all the time in juniors' code.
People doing such things should never have got the job in the first place.
My year 2000 car with stick-shift and window cranks seems more valuable now, it even has mechanical accelerator/throttle, lol hack that.
Not good, but seems to be the IT curse repeating again and again.