Hypocrisy? FBI Warns of Vehicle Hacking, Fights War on Encryption

Remote Exploit

In conjunction with the National Highway Traffic Safety Administration, the FBI recently released a warning stating that vehicles are becoming more and more vulnerable to hackers taking advantage of remote exploits. The FBI specifically pointed to modified software as being dangerous.

"Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may introduce new vulnerabilities that could be exploited by an attacker," warned the FBI.

Many in the tech community, including Facebook board member Marc Andreessen, immediately claimed the FBI was being hypocritical due to the fact that the government agency is currently battling Apple for the right to unlock an iPhone via the hacking of encrypted software.


With self-driving cars around the corner, the threat of hacking will only grow. In fact, some members of Congress recently pushed for minimal safety standards to be implemented to thwart hackers.

"Imagine what would happen to autonomous vehicles to get hacked while they're out on the road," said Sen. Bill Nelson (D-Fla.), "one small defect could end up in a massive safety crisis."

Critics of the FBI insist that if the agency wins against Apple in federal court (and Apple engineers don't quit before complying), a precedent will be set that will do irreparable harm to encryption and privacy.


This is the sort of thing that puts me off of buying new cars.

All of the new technology in these cars is oftentimes unnecessary, and adds to the complexity. My grandpa bought a 2012 Ford Explorer, and he's had nothing but problems with it, including having the main screen panel go out.

What would make me more comfortable buying one of these cars would be a way to turn off remote access. Even if it involves messing with the car's firmware, I'd feel more comfortable if I could disable the wireless functions or any other vulnerabilities that a hacker can attack.

HMMMMMMM, a government agency saying one thing and doing another? Utterly impossible.

SlumlordThanatos:
This is the sort of thing that puts me off of buying new cars.

All of the new technology in these cars is oftentimes unnecessary, and adds to the complexity. My grandpa bought a 2012 Ford Explorer, and he's had nothing but problems with it, including having the main screen panel go out.

What would make me more comfortable buying one of these cars would be a way to turn off remote access. Even if it involves messing with the car's firmware, I'd feel more comfortable if I could disable the wireless functions or any other vulnerabilities that a hacker can attack.

You can do it, but it involves taking a hammer to it so I hope you like voiding warranties.
Though seriously, I agree entirely because not everything needs to be connected to the damn internet.

Hypocrisy. I don't think that word is no longer used or has never been used within any political/governmental structure. It's unknown. Along with;

Logic

and

Common Sense.

FBI does not want you to mess with the car software...that is their job and they don't want no commie halfwit showing them up on the international stage for the umpteenth time and compromising their *snigger*...compromising their integrity.

I'm more concerned about what a hacker could do to my fridge - I like my beer chilled just so, so if there's a chance someone could disrupt that, I'm going to turn off my electricity and buy lots of ice instead.

False equivalence.

Taking control or breaking into someone's phone is not going to result in the potential deaths of bystanders or the phone's owner - especially when being conducted by a government agency. Put your tinfoil hats away.

Taking control or breaking into the software of a self-driving car can. It wouldn't even need complete control, just to corrupt the data somehow could result in a dangerous vehicle.

A backdoor into a private personal storage device is minor. A backdoor into a piece of equipment that can kill is not minor.

LJ Ellis:
"Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may introduce new vulnerabilities that could be exploited by an attacker," warned the FBI.

The latter part of that point was:

Such modifications may also impact the way in which authorized software updates can be installed on the vehicle.

So, you see, it isn't hypocrisy. The FBI just doesn't want you making it harder for them to upload their "authorized software updates" to your vehicle so that they can do who knows what. That would fit in line with their current approach to the whole Apple case.

So I guess my question is this, if they do provide a back door to their encryption, let's say it's a keyword like bit locker uses but tied to an algorithm so it changes and also tied to two or even third factor authentication (like it has to get confirmation from multiple sources before working like an email account and a phone system), would creating a backdoor really open everyone up if kept in that kind of condition? Is the idea that as long as humans are using it, it will always get leaked?

Let's say it's even a team of 40 people who are managing the project and opening phones and such. While those 40 could abuse their jobs wouldn't they be very closely monitored and once abused let go? Then, once terminated they would no longer have access to the second and third factor authentication forms even if they were able to code the key algorithm (which itself could remain encrypted with a non-backdoor encryption). If the algorithm itself was behind true encryption then the most a person could ever do is steal it and even that would be difficult in the right network setup.

Would we really be that less safe in that scenario? You could have the two factor authentication trying to contact anything, including itself using encrypted communication between an actual computer that has to be in physical range.

SlumlordThanatos:
This is the sort of thing that puts me off of buying new cars.

It's not widely known but every car from the past 20 years has a MASSIVE vulnerability where the diagnostic tool can reprogram the on-board to do anything from not run to recognize a different key.

Dumb question...

Why is the FBI wasting investigation on self-driving cars instead of spending a bit more time/effort in prosecuting a HIGH LEVEL SECURITY OFFICIAL who purposely stored TOP SECRET GOVERNMENT INFORMATION on an insecure, open, private database? State secrets. Information that -whether or not labeled as such- were clearly top secret in nature to even the most outside of people, let alone someone who was a vetted official.

Self-driving cars can wait; officials who mishandle state secrets should not get a pass.

Deathfish15:
Dumb question...

Why is the FBI wasting investigation on self-driving cars instead of spending a bit more time/effort in prosecuting a HIGH LEVEL SECURITY OFFICIAL who purposely stored TOP SECRET GOVERNMENT INFORMATION on an insecure, open, private database? State secrets. Information that -whether or not labeled as such- were clearly top secret in nature to even the most outside of people, let alone someone who was a vetted official.

Self-driving cars can wait; officials who mishandle state secrets should not get a pass.

Big organization. They can handle two things at once. Sometimes three...

I'm not exactly a fan of what many government organizations and officials have had to say about cyber security (or what they haven't said, in many cases), but they do have a point here. (I still share the opinions said above about them likely wanting their own backdoor in auto software, and we'll see how that Apple case plays out.)

Auto makers have been absolutely ignorant with the connectivity their products have been offering. There is almost no security. Recalls have finally happened over this, only after independent hackers proved how easy it was (and they were ignored at first) to take near total control away from the driver.

Unfortunately, the general public is slowly getting addicted to the conveniences offered by this connectivity (remote start and automatic door unlocking via smart phone, etc). It's a big mess because it would be hard (and expensive) to isolate the critical systems and very hard to drop these new bells and whistles from future autos.

Also, those extra features that are options will soon work their way down to the base trim level of even the cheaper models. Someday, I might want to get a nice car that has some feature I want (manual trans, AWD/4WD, etc.), but I might be stuck choosing between losing a feature I want or buying extra techno crap that makes me uncomfortable in the long run.[1] With the reliability concerns regarding every brand out there, the recalls, and the rising extraneous features, someone like me will be scrutinizing every new and old car for sale from now on.

MCerberus:

SlumlordThanatos:
This is the sort of thing that puts me off of buying new cars.

It's not widely known but every car from the past 20 years has a MASSIVE vulnerability where the diagnostic tool can reprogram the on-board to do anything from not run to recognize a different key.

At least with the older cars with OBD II, direct control of the vehicle in motion can not be obtained, not even if a device that allowed wireless remote control was secretly plugged into the OBD port. The plug is also inside, under the dash. You can at least lock the doors to deter any opportunists. I don't know for sure with some cars, but most operations with an electronic diagnostic tool require the ignition to be in run.

Slightly more OT but goes along with this: Once you add throttle by wire, electric or computer controlled hydraulic power steering, modern ABS, electronically shifted transmissions and more, then top that off with the insecure wireless connectivity, you get a multi-ton target waiting to become the next RC car, with the right software. I'm all for modern computer control that offers better fuel efficiency and safety, but wireless connectivity is getting out of hand.

[1] I'm not fond of those keyless entry and ignition systems. Give me keys. I don't care if it has an immobilizer chip in it. At least a spare isn't quite as expensive.

Eh, can we not pretend like every single branch of the FBI is working on the exact same issue at all times. There are independent branches of the FBI that are doing different things at different times. The entire FBI isn't trying to break into an iPhone.

Also, there is no reason self driving cars can't be self contained with only a GPS connection to make the decisions on routes. There is no reason to have an open wifi connection or a constant connection to a network that has vulnerabilities.

MCerberus:

SlumlordThanatos:
This is the sort of thing that puts me off of buying new cars.

It's not widely known but every car from the past 20 years has a MASSIVE vulnerability where the diagnostic tool can reprogram the on-board to do anything from not run to recognize a different key.

Well, I don't know about 20 years, but my car is from 1990 and the onboard computer being 25 years old is getting a bit crazy. So I took it to the mechanics from the company that made the car and their diagnostic tool could not reprogram anything, so the only solution was a replacement of the car computer. They literally had to take the one from there out and put another one in because they could not reprogram it in any way. Not that it helped that much, the computer seems to behave a bit better but still messed up once already (nothing that can cause an accident, but fuel efficiency suffers).

How have we not already had a 100 badly made SyFy movies (ie SyFy movies) with hacked cars as the central premise?

 
