I hope the Prius isn't open to this kind of hacking....

Cell data and OBDII data are separate on a Prius. The only way your OBDII data is any flavor of wireless is if you have added a bluetooth adapter. If so, you are at risk for about 10 feet.

Your Prius is completely at risk to hacks where the perpetrator has already been under the dash.

Amazon.com: iKKEGOL® v2.1 Bluetooth Mini Small Interface OBD2 Scanner Adapter Compatible with Android / Droid Torque: Home Improvement

 

i'm more concerned about lasers and drones around airports.

 

Worry more about EMP strikes and CME's turning your car into a paperweight and ushering in TEOTWAWKI.

Lots of stuff is "fly by wire" and designers have the sense to prevent "remote control" by not putting in equipment that makes it possible. Even planes that can be remotely piloted were fly by wire long before the hardware to do the remote stuff was introduced. Now, if cars were to get too integrated with PC technology and the Internet, I could see someone finding a way to upload a virus that could mess up a car at a pre-determined time.

 

The fact that it can be done means someone will do it. In this case, it happened to be the good guys to prove a point, but what about the next time? Adding integrated cell service and other access capabilities to cars definitely opens the door and it's obvious FCA (and I assume others like GM) didn't think too much about security, so the only question is how many disgruntled hackers are out there with an axe to grind against car companies like there are against Micro$oft? Or those who just want to hack because they can?

Mind you, I'm not concerned or prone to spreading fear, but we "are" designing a lot of tools these days, like the personal drones that were mentioned, that provide a lot of ways to create havoc and cause harm. We see the numbers of vehicles affected by recalls every year and as more cars come equipped with integrated cell service, the potential problems only increase. Look how many viruses are still downloaded via web browsers each day and access to those browsers is being added to our cars with each new model. We use virus scanners on our PCs, but how many use one on their cell phone, tablet, etc.?

 

TEOTWAWKI? Not yet, it may take a little longer. The new Jeep has that you connect feature which is basically a computer on board with a storage device. Our Prius does not have such a feature. I think that the media is doing this to scare us. Can they control our cars? Anything is possible but not on our Prius.

LG-D851 ?

 

Sorry, but the "nut behind the wheel" still has control. He/She can turn the vehicle off.

 

I guess we could wrap our Powertrain Control Unit in aluminum foil (j/k)..

LG-D851 ?

 

I believe the media is doing this because FCA made sure they would. From what the article said, the hackers have said they were going to release what they found after FCA released the fix for U-Connect. I think they've since throttled that back a bit to release just some info with a lot of specifics redacted. FCA and other car companies don't want them to release anything for fear it will just invite more attempts at hacking.

 

prius was hacked (hard wire) years ago

 

Technology is NOT going to move backwards.
And with advancements, will inevitably come possible vulnerabilities created by the adoption of various systems.

These guys have proven that at least with some vehicles, with some systems it is possible. But this was after YEARS of work, and a lot of reverse engineering.

While I don't think anyone should ignore the reality that this type of hacking is possible, I also choose to NOT live in fear of it's possibility. IMO it's constant competition and dance between advancement and technology and crime and havoc.

I hate to say it, and hopefully work like this will head off problems before they manifest in real life, BUT if hacking and vehicular take over becomes a high profile problem on the streets? Then the automotive industry will react. They will have to.

If it is deemed my Prius is vulnerable at that time? I'll take it in for the recall or update that it will need.

In the meantime? These are guys trying to prove a point with the auto industry. They've done a LOT of work to be able to do what they can do to a vehicle. If they convince to auto industry to become pro-active in reaction to the possibility of this type of crime? Good for them. But also, in the meantime, I'm not worrying about it.

 

They,FCA, already have a fix (counter measure)available. That was quick, something tells me they had advanced warning this was about to happen today.

LG-D851 ?

 

did you notice the best hack? half way into the video the prius turned into a ford

 

Honestly, I've never trusted cars that had any tech that let someone "control" the car remotely. I didn't think much of OnStar to start with, and I was dead set against it when a criminal case was thrown out on appeal because the evidence (gained by listening in remotely) was a violation of the inherent covenant of privacy between OnStar and the car owner...not because there was a constitutional violation for wireless eavesdropping by the police via OnStar. You can bet that legal loophole has/will be addressed.

All the talk of "be able to remotely do X to your car" sounds nice, but if you can access your car, so any anyone else if the security protocols are inadequate, and honestly, we know how often malware and virus scan programs need updates to keep up with what comes out. I can't see car manufacturers doing the same. A criminal enterprise could get pretty far before the auto maker even knows it's happening and even longer before a "fix" is created.

Some days I think "low tech" is going to come back into style.

 

Meh....

Hacking isn't the top turd on my pile right now.
I'm much more worried about some cell phone jerk turning me into an organ donor when I drive.

 

I'm sure that somebody at Fiat Chrysler (parent of Jeep) has made the same argument. The reason these researchers are doing this is to prove that the measures they're taking are insufficient to prevent attacks. The Safety Connect system uses cell data to communicate with Toyota. Looking at the service manual, the DCM (Telematics Transceiver) that is used for Safety Connect also has a DLC3 connection - this is the OBDII port. It can be used to update the preferred roaming list, read DTCs, activate a new DCM's cell service, etc. So there is a hardware path from the cell network connection to OBD. The software may not be willing to send data from the cell network to OBD, but that's moot if the cell side has any security vulnerabilities. What these researchers did was to find a vulnerability in the cell side that allowed them to overwrite the firmware controlling the cellular hardware. They then crafted their own firmware that took advantage of the available hardware connection from cell to OBD, and were able to then send messages to the rest of the car's ECUs.

Short of getting some insulated wire cutters and clipping some important power cables, you may not even be able to do that. The power button in a Prius isn't like a light switch - it doesn't physically cut off power. It is connected to an ECU, which then has software that translates your button push into a series of actions that end in turning off the car. Given the right vulnerabilities, it would be possible to reprogram that ECU (the Engine Immobilizer ECU, I believe) so that instead of turning off the car upon a button press, it would instead laugh at you over the sound system, and show you Dennis Nedry wagging his finger at you "Ah-Ah-Ah..." from Jurassic Park.

Yes, I believe they were informed of the vulnerabilities. They kinda stiffed the researchers though, not giving any credit for finding the issue. Most of the PC world has realized that it's better to learn about this sort of thing from people who are willing to warn you first (privately), and give both credit and often a bug bounty. The next time somebody decides to hack one of their vehicles, they may not be so lucky.

They picked the Jeep for a reason - they did a survey of many different manufacturers and vehicles, and the Jeep seemed like it had the most opportunities for a hack. So other cars might be more difficult to hack, and have fewer ways that you could control them. But I would be surprised if the Prius had no vulnerabilities at all; PC manufacturers have been fighting to keep their products secure for decades, and have yet to come up with a magic design that is unhackable.


Random thought: What if the SUA issue were caused by such hacking? Somebody takes advantage of a cellular connection to the car, reprograms an ECU (but only in the volatile memory, so next time the car turns on it's back to normal), the malicious ECU starts telling other ECUs that the gas pedal is floored, and disables the power switch, shift knob, and brakes. After the fact, investigation of the event data recorder reveals that the accelerator was being floored, and the brake was untouched. Testing of the car shows that the ECUs are all functioning normally. Toyota and the police blame it on driver error and/or a stuck floor mat, and nobody is the wiser.

I don't honestly think that this is what happened - but it is plausible that it *could* happen.


As far as the argument that nobody would do such hacking - it only takes one person. One person develops such a hack, maybe not even maliciously, but just to show how skilled they are. They publish it on the internet, where anybody with minimal skills can reproduce it. Somebody else comes along (commonly referred to as a 'script kiddie' - someone, often a minor, with no hacking skills at all, who can just re-run somebody else's exploit) and decides it would be a funny thing to do to somebody, or they want to see if it works. Everybody knows how terrible people can be in online anonymous forums where they don't have to look at the other party as they insult and threaten them - now imagine if the other party is just a dot on a map. Press a button, and the dot stops moving! Meanwhile, somewhere else, a young family just lost a parent to a horrific car accident.

Auto manufacturers need to seriously step up their game now, rather than wait for some sufficiently evil person (or worse, a malicious foreign government) to demonstrate the need for better security. Even if they start now, it will be decades before cars are secure, given how long they stay on the roads. How many people do you think will take their Jeep in to get updated for the current set of vulnerabilities?

 

Hackers are A$$h0le$ that thrive on screwing up a good thing. Unfortunately everybody and their brother want to screw things up for everybody else, just because they can. What a great life philosophy
To top things off, car manufacturer's now want to make new cars that are hotspots for wireless which of course is a new frontier for these idiots to screw up.
Just like everything else in life, technology and politicians, etc. started off as a good thing but there is always somebody that needs to do their best to destroy it. Ok, I'm removing my soapbox now, LOL.

 

Yes, why would you even want to hack a car unless you are stealing it. I am sorry, it makes no sense. The average driver has enough to contend with, much less some little idiot hacking your vehicle simply because they can.

I can see some young mother with little kids in the car, then the car starts doing weird things. How stupid can we get?

Or the police grab the car off the streets by hacking into the cars computer ( wait a minute, if you have OnStar, they can do this already).

Telematics can make it so a buy here- Pay here dealer can get his car back by turning the car "off" then GPS tells them where to sent the wrecker. No hacking necessary.

It's a fun time we live in, ladies and gentlemen. Cars being hacked by people with entirely too much time on their hands.

LG-D851 ?

 

The 'feature' that allows this on a Jeep is that they can remote start from a cell phone. Displaying from your OBDII to your infotainment center is safe. Changing your OBDII from your infotainment center will never be safe.

 

Do remember that these guys worked for days, perhaps weeks, to do the hack on the Jeep. They did it first to see if it was possible. They -are- responsible hackers, as they notified the manufacturers that they had a potential problem -before- they posted it. Long before. And they didn't post -exactly- how to do it. Just that it can be done. Of course the manufacturers did not thank them for the warning.

The problem has been "fixed", and recalls are to be issued.

I doubt any "script kiddies" will be playing with our cars.

But it sure made for a good news story.

Oh, and the driver is -still- in command. While it -may- be possible to mess with the hydraulic brake system remotely, the p-brake is fully manual. And I doubt the "on/off" control would be compromised.