Hacker, you can drive my car

Tech blogger for nzherald.co.nz.·NZ Herald·

28 Jul, 2015 09:30 PM4 mins to read

Two security researchers have shown that hackers can take control over a Jeep's wipers, radio, transmission, brakes and steering.

Last year, I wrote about Charlie Miller and Chris Valasek, two security researchers intent on showing that while modern cars have all sorts of crash safety features, a driven person can get into their networks - and potentially wreak havoc.

That was in August, and almost year later, Miller and Valasek teamed up with Wired's Andy Greenberg for a practical experiment that showed hackers can indeed take control over a Jeep's wipers, radio, transmission, brakes and steering.

Miller and Valasek forced Greenberg's Jeep into a ditch which frankly sounds like a nightmare that shouldn't ever be possible.

It was though, despite publicity around the issue a year ago, and now some 1.4 million cars are being recalled to patch the software flaw in their control computers.

Let me repeat that: a year after the vulnerability, that could be used to kill people, Chrysler recalls the affected cars.

Miller and Valasek reported the issue to Chrysler to give the car maker time to come up with a patch before the Wired story went live.

The patch of course had to be thoroughly tested to ensure that it didn't contain any dangerous bugs, but still, issuing it a year after the vulnerability was first outed seems complacent.

The cat's well and truly out of the bag now, and bad people know that some newer cars can be tampered with remotely.

We don't know which ones yet, but if you have a car with wireless connectivity of some sort, even Bluetooth, that could be linked to internal systems if it's not isolated on its own network, I'd ask the service people at the garage about it.

The car industry seriously needs to think about what it's doing here, and look at not just the security of the electronics it is putting into vehicles, but also how to fix problems with software updates.

Chrysler has pretty much failed with the latter, because the software patch has to be applied manually, via a USB stick as it can't be done remotely.

If this sounds really quite idiotic, you're not alone.

Super geek and internet researcher Geoff Huston at the Asia-Pacific Network Information Centre wrote a great blog post about the "Internet of Stupid Things" which is quite technical, but explains rather well why it's dangerous and irresponsible to network millions of insecure devices.

Car makers could start by reading Huston's blog post, ideally before someone's killed.
Holey Android, this is a bad one.

Speaking of security issues, there's a new, serious vulnerability discovered for Google's Android mobile device operating system.

As is the custom these days, the vulnerability has a catchy name: Stagefright. And, it seems to be really, really bad.

The technical details of Stagefright will be presented at the Black Hat security conference next month, but the researcher who found the hole in Android says all it takes is an MMS SMS message, with a malicious file and boom, your device could be hacked.

Lots of Android devices are affected by the flaw - almost a billion, estimates say.

What's worse is that many will never be patched against the bug.

Is your Android phone about a year and half old? If so, it'll probably be unsupported by the manufacturer, and remain vulnerable to Stagefright (and other vulnerabilities).

This is of course completely unacceptable, and I second security researcher Adam Boileau's advice which is to follow the Consumer Guarantees Act and take the device back to the point of sale because it's not secure and therefore not fit for its purpose.

If that's what it takes to make vendors pay attention and fix flaws, do it.

Businesses are unfortunately left in the lurch on this one.