The time a hacker remotely bricked cars in Texas


#2

“hacker”? Um, it was a disgruntled former employee using a password he knew … Is that hacking?


#3

[quote=“adam_g, post:2, topic:52442, full:true”]
“hacker”? Um, it was a disgruntled former employee using a password he knew … Is that hacking?
[/quote]

That depends - are you a prosecuting attorney?


#4

Presumably, the business has now branched out into “HeartTeck” for medical implants.


#5

Because I am an optimist I am imagining that despite movies and some news stories to the contrary most people that work as sysadmins and in this industry are honorable people who try to do the best they can. They hold a lot of power, treat them right.

Although it should be said, treating people right is a good policy for making the world a better place.


#6

Seems like a class action suit waiting to happen, though I suppose if your sales target the sort of people likely to default on payments, they’re also a lot less likely to sue when you screw them over.
Car dealers better get their shit together before autonomous vehicles hit the roads, because someone could do a lot more than remotely disable a vehicle in that case - you’d have cars that could repo themselves.


#7

According to reports: “Ramos-Lopez reportedly accessed the remote system by using the ID and password of another employee.” I’m guessing some social engineering was involved.


#8

hack
hak/
verb
gerund or present participle: hacking

  1. cut with rough or heavy blows.
  2. use a computer to gain unauthorized access to data in a system.

Would seem so.

On a less snarky note, I would say hacking is often misunderstood as requiring that one ‘break into computer systems using z-days and madhaxxors’. While the use of devious malarkey is always encouraged, the old usage of the term indicated a method of unorthodox ingenuity. Social engineering is, after all, just a term for the hacking of human interpersonal systems; it’s the ‘means to an end’.

Now we can second-guess the ingenuity of the malingering ex-employee, but he or she certainly did not have ‘authorized access’ to the system in question.


#9

I agree wholly in principle, but I wonder if some of the problems we’re suffering with lax security are born of the trust society has had in sysadmins to always keep everything fixed always forever.

Inevitably when they turn out to be less than perfect…


#10

I want to trust because the alternative makes me miserable. Trust but verify?

There was a piece on Marketplace about the book Future Crimes and the author commented that we are happy to have the convenience of an internet of things and everything connected, but we have been reluctant or too lazy to secure it all while we are building it.

Now let’s race to see how fast something bad enough happens to make us wake up and secure things vs. the connectivity providing enough dependence that the next bad event is a total disaster. And connectivity has a long head start. On your mark go…


#11

I will take the path of optimism as well, primarily because I refuse to return to the dark ages before AmazonPrime, Netflix and the Onion.

What’s that you say? I’m part of the problem?
Well, we all can’t be sensible, lest we put the good security researchers out of a job!

PS. That book looks fascinating and I may have to read it. Appreciate the tip.


#12

Texas Auto Center’s Web-based remote vehicle immobilization system

Web-based? Really? What could possibly go wrong?


#13

Exactly the same kind of things that regularly go wrong with any IP-based and/or Internet-connected system.

And a mild superset of what can go wrong with any remote command/control system.


#14

I liked the article because I work in comp sec and love Austin, but it was a disgruntled employee who probably had very few computer skills beyond being able to operate the site. (I am sure, however, such systems are easily hacked, web app systems tend to be swiss cheese and when run by small operators - worse if coded by them - they tend to be especially bad.) I was expecting this to have been a case like the swathe of hotel rooms hacked by a real hacker who had broken the electronic locking system… or hacked like Barnaby Jack’s hacking of heart monitoring systems.

Not the only case where an ex-employee’s credentials were not properly wiped or where they retained access their employers did not know about and caused damage. Always a threat. This is an extreme example, though, reminds me a bit of the SF city engineer who went crazy after being let go… though on a much lesser scale.


#15

My stove caught a bot, and now it’s blackmailing my fridge into getting me to buy more cheese.
PK Dick was an optomist and the weirdos with shiny hats were right. What a strange world.


#16

Optomism - a state of mind in which one anticipates seeing?

[ducks and covers]


#17

“Gerund” is such a lovely word.


#18

These guys did serious research into hacking cars and published the results.

http://www.autosec.org/pubs/cars-oakland2010.pdf

Experimental Security Analysis of a Modern Automobile

“Even at speeds of up to 40 MPH on the runway, the attack packets had their intended effect, whether it was honking the horn, killing the engine, preventing the car from restarting, or blasting the heat. … In particular, we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes. Even though we expected this effect, reversed it quickly, and had a safety mechanism in place, it was still a frightening experience for our driver.”


#19

Who thought it is a good idea to not firewall the braking (and other prime-importance safety systems) from the car’s bus? Nobody thought about the possibility of the car stereo getting crazy after hours and hours of having to deal with the driver’s poor music choices, and trying to kill the driver?

