Remote exploits

Intel just fixed a nine-year-old bug it was warned about five years ago. Remote management software, meant to allow corporate IT to set up your system, would allow anybody on the internet unlimited access to your system. Intel is a big company with over 10,000 technical staff. They still couldn’t get it right.

We’ve been hearing about security holes in cars for some years now.

21st Century cars aren’t supposed to start unless you have a key with the right chip. The key turns the ignition (on cars that have a lock cylinder). The chip tells the engine “OK to start.”

Except Honda let anybody log in with a password. You call up the maker pretending to be a locksmith or dealer or somebody who needs access to the car, give the VIN, and they’ll tell you the password. Enter the code with the parking brake handle, start the engine, and drive the stolen car away.

Maybe it was a calculated tradeoff.  Professional criminals know how to take your car. The kid next door does not.

That was 15 years ago, before YouTube instructional videos.

While Honda required physical access to take control, GM took another route. With OnStar, anybody anywhere in the world can shut down your car by telling a convincing story. Or eavesdrop on you. Federal authorities got a warrant to use OnStar to spy on passengers. But the car doesn’t know if there’s a warrant, and in that case courts ruled the warrant was invalid. The car knows somebody told it to spy on you. Or shut down. Or lock you in. Or unlock to let the attacker in.

These days remote control is not just a GM feature, and nobody cares enough about security. One firmware engineer had the attitude: we can barely get the software to work, so what are the odds anybody else can?

That’s “security by obscurity,” not real security.

Security doesn’t sell systems. Security means the customer who loses her keys is inconvenienced. Somebody with lots of Twitter followers has to make a trip to the dealer instead of loading a software update over the airwaves.

Car makers figure they’ll have more real owners with lost keys than thieves claiming to lose their keys. That the man on the phone yelling “shut it down now!” probably is a police officer instead of…

Imagine if the cop running a speed trap found himself locked inside an immobile car by the side of the highway while traffic moved past.

There’s a good chance you could make that happen, if you could find out the VIN and tell a convincing story, or by figuring out the radio codes to call direct. Bypassing security by being deceptive and persuasive is called “social engineering.” It might also be called “wire fraud.” The record of your phone call could be used against you.

Did I say “your” phone call?

The phone network is not secure either. Part of the industry is still stuck in the days when The Phone Company managed everything, so everything on the network was trustworthy. If you fake your phone number, you might get away with it, like some people get away with “swatting.”

Then the government will start drafting security regulations.

The opinions expressed in this post belong to the author and do not necessarily represent those of the National Motorists Association or the NMA Foundation. This content is for informational purposes and is not intended as legal advice. No representations are made regarding the accuracy of this post or the included links.
