# If Your Car Just Has To Be Internet Connected...



## Jim Frye (Mar 16, 2011)

Cars are apparently getting more hackable. Even though our federal government is trying to pass legislation to prevent this (definition of a fat chance), don't hold your breath (or your hand over your A$$) waiting for it. I would have posted the PC Magazine article, but it keeps crashing my computer, so here's another one with the same information.

Hack of connected car raises alarm over driver safety


----------



## Ger8mm (Mar 13, 2014)

It's all done through the XM/OnStar radio waves. All they did was use the same techniques that currently affect airplanes' ADS-B communications. Only way the car manufacturers are going to get around this is to switch to a wide band and constantly jump frequencies. They could add in symmetric encryption and embed the keys into the car, which prevents man-in-the-middle attacks. This only works if Chevy doesn't get hacked and the keys are taken; adds a whole new method of unlocking cars and stealing them from the press of a button on any cell phone/tablet/laptop.


----------



## obermd (Mar 3, 2012)

Ger8mm said:


> It's all done through the XM/OnStar radio waves. All they did was use the same techniques that currently affect airplanes' ADS-B communications. Only way the car manufacturers are going to get around this is to switch to a wide band and constantly jump frequencies. They could add in symmetric encryption and embed the keys into the car, which prevents man-in-the-middle attacks. This only works if Chevy doesn't get hacked and the keys are taken; adds a whole new method of unlocking cars and stealing them from the press of a button on any cell phone/tablet/laptop.


No need to use symmetric encryption. We have the techniques to create two-way secure connections that are basically unhackable. These include using TLS 1.2 or newer encryption, Perfect Forward Secrecy to create the secure connections, and extremely long (> 8192 bit) keys to prevent brute forcing. If the secure connections are recreated every single time the car starts we could use shorter keys (> 4096 bit) and still be safe. Two major stumbling blocks to doing this. First, governments will do everything they can to block this technology from being commercialized. Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.


----------
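An added example, not part of any post in this thread: one way to express the "TLS 1.2 or newer with Perfect Forward Secrecy" requirement from the post above as a client configuration, using Python's standard `ssl` module, plus an audit that lists any enabled suite lacking an ephemeral key exchange. The function names and the legacy cipher string are assumptions made for illustration.

```python
import ssl

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) TLS 1.2 suites.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}


def build_pfs_context() -> ssl.SSLContext:
    """Client context: TLS 1.2+, forward-secret AEAD suites, server cert verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0, TLS 1.1
    # This string governs TLS 1.2 suites; OpenSSL manages TLS 1.3 suites separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Constructed 'before' case: still permits static-RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Return names of enabled suites whose key exchange is not ephemeral."""
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 handshake uses an ephemeral (EC)DHE exchange
        if suite["kea"] not in EPHEMERAL_KX:
            weak.append(suite["name"])
    return weak


if __name__ == "__main__":
    print("hardened, non-PFS suites:", non_pfs_suites(build_pfs_context()))
    print("legacy, non-PFS suites:  ", non_pfs_suites(build_legacy_context()))
```

With a static-RSA suite, anyone who later obtains the server's private key can decrypt recorded sessions; restricting the list to ECDHE suites removes that option, which is the property the post calls Perfect Forward Secrecy.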



## ChevyGuy (Dec 13, 2014)

obermd said:


> Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.


QFT. Car manufacturers are loath to do updates unless they absolutely have to.

As for the Jeep, it appears the Uconnect uses a public IP (or at least a network IP that one only has to be on the same network). And apparently there's no firewall or good authentication between it and the big, bad internet.

I'm not sure how OnStar works, if it's IP based or not. The owners of the 2016 might have to worry since it has a hotspot, but I think the 2011-2014 are less "connected". If worst comes to worse, I'll just unplug the OnStar antenna.


----------



## Jim Frye (Mar 16, 2011)

If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.


----------



## Merc6 (Jun 8, 2013)

There was a video of a guy hacking into a last gen Impala through OnStar on ABC or CNN or something like that when we made a thread like this 6 months to a year ago. Since then you have cars that have adaptive cruise control, crash avoidance braking, pedestrian mode (if equipped, LOL!) and self park. At what point will they just let us use OnStar to put in the directions, sit back, and not drive at all?



Jim Frye said:


> If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.


Making back up cameras law is already gonna cost us. Not saying we shouldn't have them, just saying they will just throw random packages into the mix making it standard so you can't order without like Pioneer and sunroof.


----------



## obermd (Mar 3, 2012)

Jim Frye said:


> If these automotive systems are ever going to be robust enough to be secure in today's (and tomorrow's) environment, the cost is going to have to rise dramatically. Standards will have to be implemented like in computer to computer communications, and we see how involved that is.


Everything I described is available today on commodity hardware. The reason PCs are broken into so often isn't the underlying security of the OS, it's applications that were written for a less hostile environment.


----------



## brian v (Dec 25, 2011)

Merc6 said:


> There was a video of a guy hacking into a last gen Impala through OnStar on ABC or CNN or something like that when we made a thread like this 6 months to a year ago. Since then you have cars that have adaptive cruise control, crash avoidance braking, pedestrian mode (if equipped, LOL!) and self park. At what point will they just let us use OnStar to put in the directions, sit back, and not drive at all?
> 
> Making back up cameras law is already gonna cost us. Not saying we shouldn't have them, just saying they will just throw random packages into the mix making it standard so you can't order without like Pioneer and sunroof.


The Google car got rear ended again.


----------



## obermd (Mar 3, 2012)

brian v said:


> The Google car got rear ended again.


That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is? After looking into security vulnerabilities for last year I don't think I would trust Google to write a secure car. Chrome had 504 reported vulnerabilities, IE 289, and FF 171. Java and Flash rounded out the top five. (Information Security, Software and Alerts - Secunia)


----------



## NickD (Dec 10, 2011)

obermd said:


> No need to use symmetric encryption. We have the techniques to create two-way secure connections that are basically unhackable. These include using TLS 1.2 or newer encryption, Perfect Forward Secrecy to create the secure connections, and extremely long (> 8192 bit) keys to prevent brute forcing. If the secure connections are recreated every single time the car starts we could use shorter keys (> 4096 bit) and still be safe. Two major stumbling blocks to doing this. First, governments will do everything they can to block this technology from being commercialized. Second, auto manufacturers will need to get off their collective a$$es and start providing regular updates and patches to their software. Even the best encryption won't work if there's a bug in the code.


So why isn't United Airlines using this, or other governmental agencies?


----------



## obermd (Mar 3, 2012)

NickD said:


> So why isn't United Airlines using this, or other governmental agencies?


I'm not sure UA is even encrypting the traffic between the ground and their aircraft. As for the government...


----------



## ChevyGuy (Dec 13, 2014)

obermd said:


> That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is?


There are a number of cars and collectively they rack up a lot more miles than normal users. Maybe they're just driving in the stupid part of town.


----------



## obermd (Mar 3, 2012)

ChevyGuy said:


> Maybe they're just driving in the stupid part of town.


You mean just about any good sized US city?  I do find it interesting that all the accidents with self driving cars have been the fault of the other driver.


----------



## brian v (Dec 25, 2011)

obermd said:


> That makes it five, or is it now six, times the Google car has been hit while sitting still where you're supposed to sit still. Is Google paying these guys to hit their car to try to prove how much safer it is? After looking into security vulnerabilities for last year I don't think I would trust Google to write a secure car. Chrome had 504 reported vulnerabilities, IE 289, and FF 171. Java and Flash rounded out the top five. (Information Security, Software and Alerts - Secunia)


These vulnerabilities are a fact that there are too many unemployed hackers that have too much time to do what they are good at and have chosen Google as a target. 1 target is as good as any.

Google is after all monopolising many markets including and not to be overlooked the buy out of Motorola here in Schaumburg IL.

That whole R&D has transferred to San Jose CA... Copy Rights...


----------



## brian v (Dec 25, 2011)

NickD said:


> So why isn't United Airlines using this, or other governmental agencies?


As well as you may know already Nick, United Airlines is implementing their own satellites for communication purposes and has taken a proactive approach to these and any known threats to its communication systems. We know this because they have already stated that we will be getting cell phone services aboard any of their flights.


----------



## Ger8mm (Mar 13, 2014)

NickD said:


> So why isn't United Airlines using this, or other governmental agencies?


Right now everyone is using radar and ADS-B together; the only thing right now enabled on ADS-B is the ability to tell other aircraft around you there's traffic. So when you come within say 1-3 miles of a plane, ADS-B says "traffic....traffic....traffic"... I will not go over all the capabilities of ADS-B because I would type a book on it (which I have done already hahaha). ADS-B can be spoofed or jammed easily through GPS and its actual signal. Right now, since ADS-B is not in its fully functional state, pilots pick up a "secret key", enter this frequency into the radio, establish connections and fly away until the second you're over water or open land with no towers; the airliners revert to the manual for a one in one out "box" over the area without communications. Everything right now is pretty much VFR and radar. I will post a video below explaining these vulnerabilities that can be used on anything via radio frequencies. Ohh and to add to this, to show you how scary it can be, I have a small antenna hooked up to my computer and a little program that shows me any airplane flying within 300 miles of my house. I know tail numbers, speed, altitude, where it's going and where it came from etc. These are the unprotected info sent, but if I were to hack into the signal (if I had the pilot's secret key) I can fly the plane with an Xbox controller wherever I wanted hahahahaha oh it's so bad lol. Ohhh to add to this I can also inject other planes around the airliner thinking he is surrounded by planes, essentially making him crash. OK OK I need to stop lol

Watch the whole thing or click on 40:00 mins in.....this is where he hacks into the plane's ADS-B system

https://www.youtube.com/watch?v=CXv1j3GbgLk


----------



## ChevyGuy (Dec 13, 2014)

Ger8mm said:


> Watch the whole thing or click on 40:00 mins in.....this is where he hacks into the plane's ADS-B system and crashes it into a building.


Just to be clear, he didn't crash it, he just took a flight simulator for a joyride. The real issue is that it appears he's able to create false airplanes on the ATC's radar.


----------



## Ger8mm (Mar 13, 2014)

I haven't watched it in so long but I'll change it.


----------



## Jim Frye (Mar 16, 2011)

Tesla is the latest victim.

Hackers turn off Tesla Model S at low speed: FT | Reuters


----------



## obermd (Mar 3, 2012)

Jim Frye said:


> Tesla is the latest victim.
> 
> Hackers turn off Tesla Model S at low speed: FT | Reuters


And Tesla has already over the air updated their cars. Chrysler is having to bring all their cars into a dealership to get their security flaw fixed. Sounds to me like Tesla has the better firmware update model to me.


----------



## Jim Frye (Mar 16, 2011)

obermd said:


> And Tesla has already over the air updated their cars. Chrysler is having to bring all their cars into a dealership to get their security flaw fixed. Sounds to me like Tesla has the better firmware update model to me.


Yes, they've been doing over the air updates for quite some time now. They rolled "Insane Mode" (0 - 60 in 3.17 seconds) out to P85D owners earlier and then updated it again last week. Insane Mode was an added function that they gave out. Sort of like making your Cruze into an SS model with just a software change. They have also made range extension changes over the air.


----------



## obermd (Mar 3, 2012)

Anyone know if Tesla updates their navigation system over the air?


----------



## Jim Frye (Mar 16, 2011)

obermd said:


> Anyone know if Tesla updates their navigation system over the air?


Yes, they appear to be part of the normal system software update process.


----------



## ChevyGuy (Dec 13, 2014)

obermd said:


> Sounds to me like Tesla has the better firmware update model to me.


Only as long as the update process is secure. I'm not sure as I like the idea of someone being able to send a flash update without my authorization.


----------



## brian v (Dec 25, 2011)

Ahh so OB in a Tesla... I always have wanted to test drive a Tesla, just to feel that motor torque off of the line. I have heard they are pretty freaken fast... Oh the days of me youth...

Hey I have a H.U. It has every conceivable module, even NTSC, wifi and 4G, 4.44 OS, 5 channel preamp, 4 channel hard wiring, bass boost, iPod in, and the best iGo Nav. Sweet H.U. Shoot, for the right price I will install it for ya...


----------



## Jim Frye (Mar 16, 2011)

Tesla also has a robotic charging cord that will "crawl" across your garage floor and plug itself into your car when you exit the vehicle.


----------



## brian v (Dec 25, 2011)

That would be that other $ 10.000.00 option, Jim...


----------



## Jim Frye (Mar 16, 2011)

brian v said:


> That would be that other $ 10.000.00 option, Jim...


Pocket change if you can afford a Tesla.


----------



## Jim Frye (Mar 16, 2011)

Well, it doesn't actually crawl across your garage floor yet. Still kinda creepy though.

Tesla Shows Off Scary Snake-Like Automatic Charger - NBC News


----------



## ChevyGuy (Dec 13, 2014)

ChevyGuy said:


> Only as long as the update process is secure. I'm not sure as I like the idea of someone being able to send a flash update without my authorization.


Case in point: Windows patches can be intercepted and injected with malware.


----------



## Jim Frye (Mar 16, 2011)

The Tesla model explained a bit better.

Tesla’s Response to Hacked Car Offers a Road Map for Fast Fixes - Bloomberg Business


----------



## Jim Frye (Mar 16, 2011)

And another port into your car. Don't Dangle The Dongle!

Internet-Connected Gadget Enables Car Hack | GM Authority


----------



## ChevyGuy (Dec 13, 2014)

Jim Frye said:


> And another port into your car. Don't Dangle The Dongle!
> 
> Internet-Connected Gadget Enables Car Hack | GM Authority


The upshot: "the hack was enabled by third-party, *internet-enabled* OBD2 dongles, which drivers must plug into the OBD2 ports of their vehicles". Time to re-think plugging in those insurance discount devices.


----------



## Muller21QQQ (Feb 27, 2020)

How much for internet?


----------



## Blasirl (Mar 31, 2015)

Muller21QQQ said:


> How much for internet?


About the cost of having a cell phone.


----------



## Ann11 (Jun 1, 2020)

Oh, I also have this want to connect my car to the internet, because I travel a lot and it is much easier when it is connected to the network. But unfortunately, I didn't know that my provider cannot give me this opportunity. I really wanted this option, so I decided to change the provider. I found just one that can give me this at a nice price, usave. I connected to it because of some advice from my friends and it really works. I pay just a little and have all I need to travel wherever I want. I am really lucky because I found it. These guys also helped me to fix the connection to the internet at my home.


----------

