That’s pretty well explained in the article. @doctorow goes on to suggest that remote access is not to be considered out of the question. I dislike “what if” scenarios, but it’s not a big leap considering industry practices. The Jeep / Chrysler hack was done precisely because of earlier work on the CAN bus in automobiles, and suggestions that there was “no way” to exploit them remotely. It took a year to prove that to be untrue.
There is a repeated cycle we go through with security in new devices, where it seems all of the lessons of the past are forgotten or ignored. How long has it been that network segmentation and air gapping have existed as concepts in computer science? Yet designers of cars stack everything on the CAN bus, from engine control to the entertainment system. How confident are you that these problems don’t exist with J1939 and all of the “features” companies have decided to piggyback onto it?
Rather than go into the full cyberwar scenario, there are less sinister usages of this: rival companies hiring hackers to meddle with the competitor’s trucks, to cause phantom breakdowns, have trucks behave irregularly, have to be taken out of service because they (hopefully almost) caused an accident, and stuff like that. There, it doesn’t take much to imagine social engineering giving access to the OBD port, or making the infotainment system freak out and distract the driver, or rob him of sleep, things like that.
I work with heavy vehicle measurements on a chassis dynamometer. Quite often we are accessing the vehicles’ CAN bus. We don’t want to mess with them but we just want to know certain values and CAN bus is useful for that purpose.
But we have noticed that nearly all modern heavy vehicles have some kind retrofitted communication device(s) attached to vehicle’s CAN busses (there are several of these but some use protocols that are unknown to us). Sometimes there are several of these communication boxes too. We don’t know what they are doing and sometimes even the owners of the vehicle don’t have any idea if there are those.
Most of these are some kind of fleet managements system or related to the ticketing systems (in city busses). But my point was that there are already remote access links in many vehicles. Accessing or misusing those might be difficult but it still could be possible.
This makes me imagine a future where the highest security driving jobs (presidential convoy, transporting a huge rare diamond from the airport to the museum) are the only ones that are filled by humans, the only humans who learned how to drive. When the network gets hacked by a malicious super villain, they are the only ones who can save the day, against fleets of coordinated cars. Ok, so not so much a future, as a middling 80s action movie with an Atari tie-in, but still.
So playing with remote control cars and airplanes could soon be not simply entertainment but also professional training?
“Good afternoon, this is your pilot. I’m coming to you live from the beach in Hawaii, and I’ll be flying you from New York to Los Angeles today. Your estimated time of arrival in LA is …”
The currently known attack requires physical access to the diagnostic port. It may be possible in the future to devise a variant on that attack that can be performed remotely, perhaps by compromising something (the radio, the driver’s cell phone, an Internet of Things device) that has a legitimate reason to be connected to other devices.
Well, I was thinking about how people were thinking of someone using this as a terrorist attack. It doesn’t have to be an attempt to kill people, it can be attempts to inconvenience and to drive costs up.
