Friday, April 26, 2013

Security Attacks: From the Lab to the Streets: Automobiles

I dated a guy in high school that drove a Ford Escort.  I know, not that amazing. It gets more interesting, I promise. His father drove a Mercury Lynx. For those of you familiar with the American Automotive industry will know that those were essentially the same car, but with different badges on them.

I know, you're getting jealous of the exclusive circles I hung out in [1], but the point was, these cars came from different dealers and were purchased at different times.  What's interesting is that the keys for the Escort could unlock the Lynx.  The keys for the Lynx could unlock and start the Escort.  No, this family hadn't paid outrageous sums of money to get their cars rekeyed so this would work.  It just did.  These were 1980s model cars, and at the time, the American automotive industry just didn't make that many key combinations.

This became well known and break-ins would happen at the mall where I worked where there would be no evidence of forced entry.

Well, car manufacturers learned their lesson and came up with secure electronic keys.

At USENIX Security 2011, I attended a great set of talks on Analysis of Deployed Systems.  One talk, Comprehensive Experimental Analysis of Automotive Attack Surfaces (scroll down in my previous post, it was the 3rd talk), covered how it was possible, with some effort - to not only remotely unlock someone else's car, but also to start them and control them while in motion.  They found a car that had a live IRC channel on it.  You know, in case you need to chat with your car.  Heck, the researchers even reprogrammed the dashboard to display their website URL.

Really, the problem here is trying to cut costs and use as much vanilla software as possible.

Now, ABC is reporting how police are perplexed that there is a rash of automobile break-ins where the perpetrators are not physically attacking the machine.  Clearly, neither ABC nor the police attended the same USENIX Security talk that I did.

What do you think about modern cars and physical security?

[1] They did have an immaculate '57 Chevy in the garage. Yeah, but still.