CONNECTED CARS continue to pose a security problem, and Trend Micro has warned that a flaw could let hackers take control of the vehicle and its emergency systems.
This is bad news because the INQUIRER was planning on chipping in together on a connected car and seeing if we could get it to agree to come on a Thelma and Louise style road trip with us. It looks like it might, but only if we can get Trend Micro or a hacker involved.
Trend Micro says that this is a blockbuster hack, which should make us glad that it was Trend Micro that found it. It reckons that the attack is so capable that it can reduce a car to a box of crap.
"[The hack] is currently indefensible by modern car security technology, and to completely resolve it would require broad, sweeping changes in standards and the ways in-vehicle networks and devices are made. Realistically, it would take an entire generation of vehicles for such a vulnerability to be resolved, not just a recall or an OTA (on-the-air) upgrade," it said.
"What's new is that it's an attack that disables a device (e.g., airbag, parking sensors, active safety systems) connected to the car's device network in a way that is invisible to state-of-the-art security mechanisms".
Oh jeez. That does sound bad. We wonder what vehicles it affects. Oh, all of them. That makes this perhaps more significant than the attack on Jeeps that led to a recall, or two.
"Our attack is vendor neutral. However, specific vendors may take non-standard countermeasures to make the attack more difficult to carry out," it added. "The "Jeep hack" was very advanced and effective. However, currently available in-car cybersecurity technology could detect such an attack because it requires frame-injection capability. In addition, car manufacturers could simply upgrade the software running on a car device to patch the vulnerabilities exploited by that attack."
It is not the fault of the car manufacturers though; they can blame the system, in this case the controller area network (CAN) standard, which is old and apparently busted.
"It's not the car manufacturers' fault, and it's not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works," added Trend.
"Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely. To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles." µ