From carjack to carhack

Paul Raven @ 16-08-2010

As if you didn’t have enough things to worry about when you’re driving… researchers have demonstrated some rather worrying security holes that could allow an attacker to PWN your car’s onboard computer systems by spoofing the signals from the wireless tyre pressure sensors [via George Dvorsky]:

… previous experiments showed what could be done with a physical connection to a vehicle’s computer. The new work by teams from the University of South Carolina and Rutgers tried a different tack: spoofing the wireless sensors in wheels used by tire pressure monitoring systems, required in all new U.S. vehicles since 2008.

The researchers didn’t find a wide-open door so much as the security employed by a 1920s speakeasy: once they learned the secret knock, the unidentified test car’s controls let them in no questions asked. The team sent fake warning messages from 40 meters away, and in another experiment, got the test car to flash a warning that a tire had lost all pressure while beaming the signal from another car as both drove 68 mph.

Because each sensor uses a unique ID tag, it was also possible to track specific vehicles, in a way that would be far less noticeable than roadside cameras.

The hacked car usually reset its warnings after the spoofed messages stopped. But after two days of tests, the electronic control unit for the tire monitors fell off its twig and had to be replaced by a dealer. The researchers note that it took several hours of graduate-level engineering to devise their tools and crack into the monitors, but that the actual technology for doing so cost about $1,500.

Buying off-the-shelf kits to accomplish this sort of hack will be as easy as buying an ATM credit card skimmer or a few hours of run-time on a botnet; it’s just chips and code, after all. And now, would the congregation please join with me in chanting the votive mantra of Futurismic: Everything Can And Will Be Hacked.


Would you accept in-car surveillance for cheaper insurance?

Paul Raven @ 15-09-2009

Sometimes it feels like there’s a camera watching us everywhere we go… and maybe the next step will be cameras watching us as we go between places, too. If you thought the idea of allowing the cable companies to watch you watching TV so they can serve you more relevant advertising was a bit weird, then try this for size: an insurance company offering to install a camera in your car so as to lower your premiums once you start letting your teenager borrow it. [via SlashDot, image by w00kie]

Of course, the TeenSafeDriver Program insists that no data would be gathered on other drivers of the same vehicle… just like the cable companies insist that their watching of the watchers would be benign and unobtrusive. Yet somehow I’m still reminded of the vampiric cliché: you’re only at risk if you invite them in to the house.

My immediate thought was “who’d be mad enough to sign up for that?” But then I thought back to Jan Chipchase’s post about augmented reality marketing:

nobody’s going to stick an advertising driven augmented reality lens in their eye, right? How about for ‘free’ healthcare monitoring? Or because speed-dating is so much more fun when you have real time sexual preference look-ups on the people you’re looking at?

The TeenSafeDriver people have evidently sussed that you need to incentivize an intrusive technology if you want to roll it out successfully; I’ll be interested to see if similar schemes gain any traction in these times of lean finance.

Also worthy of note to any business nerds in the audience: this looks like an interesting iteration of the Andersonian “Free” business model, with the insurance company gambling the cost of the camera installations against the increased sign-up volume it hopes to obtain by offering the reduced premiums. I really have no idea whether it’ll catch on… but if it does, the car insurance landscape is going to change very fast.


What BitTorrent can teach you about highway traffic control

Paul Raven @ 14-01-2009

The guys at the RIAA may loathe BitTorrent with an unholy passion, but researchers at the University of California have found another use for the peer-to-peer protocols that could win it a lot more fans. In a nutshell, you fit cars with wireless modems and make them into a peer-to-peer network that works to reduce traffic jams:

Their Autonet plan would center around ad hoc networks of vehicles and roadside monitoring posts supported by 802.11 technology (the prototype uses 11b). The vehicles would essentially be the “clients” in such a system and feature graphical user interfaces to pass along information to drivers.

The caveat at the moment is that not enough roads have the monitoring infrastructure available to make the system work all the way from the big highways to the small streets. But given the proliferation of monitoring technology, not to mention the continuing (if now more muted) promises of municipal wi-fi networks, that can’t be far off. [via SlashDot; image by IM SNOT REAL]

Of course, what might make even more sense would be investing in the public transport networks so there was less traffic in the first place…


Spam ubiquity – even your Lexus is no haven

Paul Raven @ 13-01-2009

Once again, the physical space in which you can expect (or even hope) to avoid being relentlessly marketed at contracts in a dying spasm… that’s right, not even your car is a sacred space any more, as Lexus has announced plans to send targeted messages to owners of its cars based on the buyer’s zip code and vehicle type. Knowing how dependent on customer goodwill the luxury car brands are, I’ll be very surprised if this plan actually makes it to market. [via SlashDot; image by SecondPrint Productions]

Speaking of spam, computer security researchers in Germany reckon they’ve found a serious chink in the Storm botnet’s armour that means it’s nowhere near as impregnable as previously thought. So why haven’t they smashed it up like a box of cheap crockery, then?

The team has not yet taken the final step of putting the whole thing into action with a genuine Storm Worm botnet in the wild. From a legal point of view, that could involve many problems. Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph § 303a of the German Penal Code. That paragraph threatens up to two years’ imprisonment for unlawfully deleting, suppressing, making unusable or changing third-party data.

Oh, the irony. [also via SlashDot]