Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

War Texting Lets Hackers Unlock Car Doors Via SMS

timothy posted more than 2 years ago | from the could-come-in-handy-when-locks-fail dept.

Communications 128

alphadogg writes "Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners. Don Bailey and fellow iSec researcher Mathew Solnik say they've figured out the protocols that some of these software makers use to remote control the cars, and they've produced a video showing how they can unlock a car and turn the engine on via a laptop. According to Bailey, it took them about two hours to figure out how to intercept wireless messages between the car and the network and then recreate them from his laptop. Bailey will discuss the research at next week's Black Hat conference in Las Vegas, but he isn't going to name the products they've hacked — they've looked at two so far — or provide full technical details of their work until the software makers can patch them."

cancel ×

128 comments

Pathetic (5, Insightful)

Anrego (830717) | more than 2 years ago | (#36910840)

I can understand small keychain devices being breakable but with all the power you’ve got available in a cell phone to not be able to come up with a secure challenge/response system seems ridiculous.

Re:Pathetic (1)

MozeeToby (1163751) | more than 2 years ago | (#36910994)

Indeed, how hard would it be to have a one time pad setup? Most banks will give you a secureID fob for $5, similar techniques would make this kind of thing almost impossible. It's just pure laziness in my opinion.

Re:Pathetic (1)

Anrego (830717) | more than 2 years ago | (#36911304)

Most banks will give you a secureID fob for $5

Not here in Canada! :(

Seriously.. anyone knows a bank in Canada (that services NS) that does this chime in! Paypal does it.. WoW does it.. why the hell won't the banks here do it!

RBC will do it if you are a corporate customer.. which is even more baffling. "We have it implemented... just not for you".

Re:Pathetic (1)

AJH16 (940784) | more than 2 years ago | (#36912120)

Honestly it is even easier than that since you can use a challenge response mechanism that the car always asks a slightly different question so that the previous answer is worthless. It's effectively an automated version of the same concept that the secureIDs provide by verifying that a valid private key is held by the device requesting authentication.

Re:Pathetic (0)

Anonymous Coward | more than 2 years ago | (#36912152)

Well, that would be a perfect solution, as long as you only planned using the car once.

Re:Pathetic (0)

Anonymous Coward | more than 2 years ago | (#36911236)

This reminds me of a time back in the late 90s when I borrowed a friend's Corvette. He had one of those IR keyfobs for unlocking the doors and I was able to capture the signal from it using my old Palm III and a programmable universal TV remote application. He was pretty surprised when I showed him I could open his car.

Re:Pathetic (0)

Anonymous Coward | more than 2 years ago | (#36911248)

What, do you think that hmac-sha1 grows on trees? You cannot just go out and make up a new pass code you know.

Re:Pathetic (1)

mlts (1038732) | more than 2 years ago | (#36911324)

With some alarm systems having two-way remotes, it would be nice if more car makers just went with a cryptographically sound setup. It isn't that hard -- pairing could be done via some type of NFC communication, and the communication could be three way -- remote sends a request for a challenge ID, car sends a nonce, remote sends the command the user wants and the nonce, both signed with the remote's key. Of course the downside of this method is having to have a remote with the CPU power to deal with RSA, especially larger keys, because the compute power to sign/decode goes up by the cube of the keylength (which means a 2048 bit key takes eight times as long to do stuff than a 1024 bit key.)

Re:Pathetic (1)

Anrego (830717) | more than 2 years ago | (#36911412)

Of course the downside of this method is having to have a remote with the CPU power to deal with RSA, especially larger keys, because the compute power to sign/decode goes up by the cube of the keylength (which means a 2048 bit key takes eight times as long to do stuff than a 1024 bit key.)

This is why it was excusable for keychain devices running off watch batteries to lack such measures. Any cell phone however could easily handle this.

Re:Pathetic (2)

mlts (1038732) | more than 2 years ago | (#36911642)

What is ironic is that if one looks at cell phone CPUs, anything since the old TI OMAP chips almost certainly have special instructions to deal with the needs of array shifting (for AES), or for exponentiation (for RSA).

Maybe the CPU in the car might be different, but common sense says that dropping a low power ARM chip in to handle this would be the best thing for car makers.

In these days where security is actually being tried by blackhats constantly, it is inexcusable to not take reasonable measures.

Re:Pathetic (1)

TheLink (130905) | more than 2 years ago | (#36912358)

But how many car thieves steal cars in "clever" ways? Would such measures actually reduce the theft rates and decrease the average cost (factoring risk * impact of theft etc)? Think more expensive locks, more expensive calls to locksmiths when they can't break into their own cars coz they lost or forgot the "keys" ;).

So far thieves use bricks, and/or they just tow the entire car away (or put in a truck). Or hijack the car (either directly confronting you, or by crashing into your car so that you get out).

Thieves could resort to this: http://www.youtube.com/watch?v=2r9VW0nTTrk [youtube.com]

But I doubt most would even bother.

Re:Pathetic (1)

mlts (1038732) | more than 2 years ago | (#36912680)

Very true. A thief can always chuck a brick through a car window and get in. However, a lot of European cars have deadlocking mechanisms where a thief is going to have to try to scramble in and out through the broken window... while the inside alarm is blasting at 120+ dB.

However, the thing with car remotes is that a method of compromise merely means a thief just hits the remote, locks pop open, and all items in the vehicle are theirs.

Another thing is that if there is zero signs of forced entry, insurance is not going to cover stolen goods. With forced entry (and a police report to go with it), one has a lot higher chance of getting their claim approved and money back, as opposed to just a story with no real evidence that something was there, then it isn't. This is the same reason why it is important to use high security locks -- so if an intruder gets in, there are telltale signs left.

That's all well and good, but... (1)

theillien (984847) | more than 2 years ago | (#36910856)

what does war sexting unlock?

Re:That's all well and good, but... (2, Funny)

Anonymous Coward | more than 2 years ago | (#36910954)

Your mom.

Re:That's all well and good, but... (1)

kingsqueak (18917) | more than 2 years ago | (#36911172)

Pay toilets...but keep your stance narrow my friend.

Re:That's all well and good, but... (1)

dragon-file (2241656) | more than 2 years ago | (#36911260)

Caught an episode of modern marvels about toilets and they discussed the pay toilets of new york. They actually didn't seem that bad, but then again, i don't have a smell-o-vision.

Re:That's all well and good, but... (1)

theillien (984847) | more than 2 years ago | (#36913610)

I think I saw that. It had a pay toilet with one-way glass for walls in the middle of a city. It allows people to see out, but people can't see in.

Re:That's all well and good, but... (1)

dragon-file (2241656) | more than 2 years ago | (#36914760)

was the rest of it made from what looked like brushed stainless steel? Than yes, that was it.

Stealing a car? There's an app for that! (1)

leetrout (855221) | more than 2 years ago | (#36910894)

How long until someone makes an app for that? Shouldn't be hard to work up an antenna for i* 30 pin port...

Apologize, to, the, CARRRRRRR (0)

Anonymous Coward | more than 2 years ago | (#36910908)

only took 2 hrs (1)

luther349 (645380) | more than 2 years ago | (#36910914)

and my brick takes a second.

Re:only took 2 hrs (0)

Anonymous Coward | more than 2 years ago | (#36910956)

2 hours...the first time. And your brick is slightly more conspicuous.

Re:only took 2 hrs (1)

Anonymous Coward | more than 2 years ago | (#36910984)

and my brick takes a second.

I've love to see you start the engine with your brick

Re:only took 2 hrs (1)

bws111 (1216812) | more than 2 years ago | (#36911072)

Other than wasting some fuel, what good does starting the engine do?

Re:only took 2 hrs (0)

Anonymous Coward | more than 2 years ago | (#36911158)

It's rather a necessity if the vehicle doesn't happen to be exactly where you want it. For example few drivers park inside of the chop shop.

Re:only took 2 hrs (1)

bws111 (1216812) | more than 2 years ago | (#36911600)

Nowhere did they say they could drive the car, just start the engine. My car has a remote start key fob. You can start the engine with it. Theoretically, someone else could also start the engine if they have the correct code. However, if you don't have the physical key in the ignition, as soon as you touch any control, including the brake pedal, the engine shuts off. It does no good to start the engine if you can't actually use it to move the vehicle.

Re:only took 2 hrs (1)

spamking (967666) | more than 2 years ago | (#36911944)

That might be the case where vehicles are equipped with remote start, but what about those with the push button start? Once you get them started do you need the fob to actually put it in gear?

Re:only took 2 hrs (1)

Cramer (69040) | more than 2 years ago | (#36913236)

YES. And the electronic ignition system won't leave idle.

Re:only took 2 hrs (1)

peragrin (659227) | more than 2 years ago | (#36913664)

depends on the system. With Nissan's the answer is no. the FOB doesn't need to be present that way you can use the valet key. however it will then only restart with the valet key unless you walk out and walk back into range.

Re:only took 2 hrs (1)

Thud457 (234763) | more than 2 years ago | (#36912052)

I drive a stick, you insensitive clod!
that's OK, I didn't really want my car stolen anyway...

Re:only took 2 hrs (1)

kelemvor4 (1980226) | more than 2 years ago | (#36912856)

Nowhere did they say they could drive the car, just start the engine. My car has a remote start key fob. You can start the engine with it. Theoretically, someone else could also start the engine if they have the correct code. However, if you don't have the physical key in the ignition, as soon as you touch any control, including the brake pedal, the engine shuts off. It does no good to start the engine if you can't actually use it to move the vehicle.

That would take some getting used to. I always hit the brake before I turn the key. Habit, I guess.

Re:only took 2 hrs (1)

bws111 (1216812) | more than 2 years ago | (#36913144)

Yeah, me too. I manage to kill the engine just about every time I use the remote start.

Re:only took 2 hrs (1)

dwreid (966865) | more than 2 years ago | (#36912632)

You can warm up your car in the winter before going out to sit in an unbearably cold car. Orrrrr.... you can waste your cheating wife by putting her drugged self in the car in the garage and then taking the train downtown. Start up the car once your alibi is established and voila... suicide. Just saying...

Re:only took 2 hrs (0)

Anonymous Coward | more than 2 years ago | (#36911230)

If the things they are hacking use the remote start feature built into most modern cars, it will start the car to warm up, but you can't actually drive it without the key. Without the key, as soon as you step on the brakes to shift into gear, the engine shuts off.

It's not a good thing that they are so weak they were broken quickly, but this isn't "everybody panic, you car is going to be stolen" time.

Re:only took 2 hrs (1)

shoehornjob (1632387) | more than 2 years ago | (#36911746)

Laugh my motha fkkin a$$ off. That was funny. Sorry I don't have any more mod points.

War texting? (0)

Anonymous Coward | more than 2 years ago | (#36910918)

How does texting figure into this?

How? (1)

Qwell (684661) | more than 2 years ago | (#36910990)

How would a manufacturer force people to upgrade the unlock mechanism in the cars?

Re:How? (1)

Tekfactory (937086) | more than 2 years ago | (#36911016)

Send a Recall Notice, you make an appointment, you go back to the dealer and they update the Firmware.

Re:How? (2)

Qwell (684661) | more than 2 years ago | (#36911334)

They won't send such a notice unless they're told to by a court (or the lawsuit vs. recall formula).

Re:How? (2)

Abstrackt (609015) | more than 2 years ago | (#36911030)

How would a manufacturer force people to upgrade the unlock mechanism in the cars?

"If you don't upgrade your car will be a lot easier to steal."?

Re:How? (1)

Anonymous Coward | more than 2 years ago | (#36911376)

The real fix....

Insurance won't cover out of date security measures.

Re:How? (1)

Cramer (69040) | more than 2 years ago | (#36913572)

And how exactly would they know? They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)

Re:How? (0)

Anonymous Coward | more than 2 years ago | (#36914276)

They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)

Seems the quote slashdot decided to show me just beneath your comment disagrees. It said "I say we take off; nuke the site from orbit. It's the only way to be sure."

Not surprised (1)

Anonymous Coward | more than 2 years ago | (#36911020)

Is there anybody that saw this "feature" and didn't immediately assume it was implemented in a really stupid and easily hackable way?

Re:Not surprised (1)

Tekfactory (937086) | more than 2 years ago | (#36911096)

No, I saw the commercial with the two guys calling the guy's wife on the plane and asking for her to unlock the car with OnStar from her iPhone. I immediately thought that my wife does not have an iPhone, or a smartphone of any kind. And that I would not be able to do it until they wrote an app for my Droid.

I was passed a story on something like this a monthy ago, and was reminded of the kids in the 90s using Palm Pilots to copy and replay InfaRed signals from people remotes to steal cars.

So the real assumption is all consumer electronics are hackable, you get dissappointed less that way.

How long before someone bricks an expensive car (3, Funny)

djl4570 (801529) | more than 2 years ago | (#36911086)

Hacking these features to steal cars is one possibility. How long before some vindictive prat uses this tech to brick the cars on the lot at a dealership.

Re:How long before someone bricks an expensive car (1)

Anonymous Coward | more than 2 years ago | (#36911402)

Substantially less time, now that you've published the idea. It's all your fault!! I can't believe you gave away the secret!! The password is Swordfish!!

Re:How long before someone bricks an expensive car (5, Interesting)

DeadCatX2 (950953) | more than 2 years ago | (#36911582)

Or someone bricks your car on the highway while you're driving it because you cut them off.

Re:How long before someone bricks an expensive car (4, Funny)

MacGyver2210 (1053110) | more than 2 years ago | (#36911950)

This. I want this. Must shutdown asshole drivers.

Re:How long before someone bricks an expensive car (2)

BitterOak (537666) | more than 2 years ago | (#36912332)

Or someone bricks your car on the highway while you're driving it because you cut them off.

Is that necessarily a bad thing?

Re:How long before someone bricks an expensive car (1)

Anonymous Coward | more than 2 years ago | (#36912364)

I probably wouldn't want to brick any cars who JUST cut me off...

It would be much safer to brick cars that YOU just cut off...

Re:How long before someone bricks an expensive car (0)

Anonymous Coward | more than 2 years ago | (#36912424)

I dunno, how often does someone needs to get out of their car, lock the door, and need to unlock their door to get back in-- while on the highway.

Re:How long before someone bricks an expensive car (1)

SleazyRidr (1563649) | more than 2 years ago | (#36912866)

That's the beauty of it, they don't even realise anything's wrong until hours later! You're then lost among the thousands of people who've been close enough to the car to do it.

Re:How long before someone bricks an expensive car (1)

Amouth (879122) | more than 2 years ago | (#36913338)

add this to northstar - where remotely they can turn the engine on and off - then it gets interesting.

Re:How long before someone bricks an expensive car (1)

AmberBlackCat (829689) | more than 2 years ago | (#36914156)

If the car's system has a way to completely shut down the car while you're driving at high speed then they have bigger problems than people figuring out the protocol they used.

Re:How long before someone bricks an expensive car (1)

DeadCatX2 (950953) | more than 2 years ago | (#36914568)

I think you and some other commenters misunderstand my point. Bricking is not a "feature" of hardware, it's a bug that is exploited by an attacker. Of course the hardware engineers designing this tech aren't going to include a "click here to brick your car!" button.

Have you ever heard of the CAN bus? CAN stands for "Controller Area Network". It's how all the MCUs in a car talk to each other. For instance, the door lock's MCU communicates with other MCUs in the car using the CAN bus.

A malicious attacker could exploit a flaw in the door lock's MCU to shut down the CAN or even potentially reprogram the ECU. Cruise control could be turned on and told to accelerate to max speed. Windows could be put down or up. Windshield washers could be told to activate. An automatic engine could be told to switch to first gear. etc.

Re:How long before someone bricks an expensive car (1)

djl4570 (801529) | more than 2 years ago | (#36914714)

Your thoughts are along the lines of my original comment. I don't know all the bits of the technology, only that someone who does know will eventually hack the equivalent of root access to the technology. This access could be used for theft or just to annoy owners by reprogramming the radio presets or temperature controls to bricking the electronics by corrupting the firmware.

Re:How long before someone bricks an expensive car (0)

silas_moeckel (234313) | more than 2 years ago | (#36912692)

Can I just auto brick the drivers that tailgate me. Bricking the car that just cut me off seems like a bad idea. Smart4two (or whatever ya call those tiny things) think that 6 feet is enough distance when I'm doing 75 down hill between the 3.5 ton me/vehicle and a semi in front of me, I disagree with there assumption.

Re:How long before someone bricks an expensive car (1)

Dan541 (1032000) | more than 2 years ago | (#36914102)

That really is a tempting idea.

New 2011+ Chevy owners beware... (1)

madhatter256 (443326) | more than 2 years ago | (#36911128)

Chevy's (GM) OnStar system provides an app for Android/Iphone that lets you start your car halfway around the world if you have their premium service....

I'm sure Chevy will release a TSB out to all their dealerships once they have a patch...

When SkyNet comes... (0)

Anonymous Coward | more than 2 years ago | (#36911178)

It will be worse than in fiction.

Predicted by Star Trek (1)

devjoe (88696) | more than 2 years ago | (#36911242)

An episode of Star Trek (I think it was on Voyager) has them end up on then-present-day Earth and when they need it, they steal a car this way. Anybody remember which one?

Re:Predicted by Star Trek (1)

Marc Madness (2205586) | more than 2 years ago | (#36911428)

Didn't they also do this in Gone in 60 Seconds (the modern Nicholas Cage version). Sometimes truth is stranger than fiction.

Re:Predicted by Star Trek (1)

MacGyver2210 (1053110) | more than 2 years ago | (#36912000)

I recall they did something similar in an episode of Enterprise when Tepal and Archer needed to steal a car. Unfortunately, I think the car was like a '70s Challenger or something that would never have had automatic locks, much less iPhone control.

Re:Predicted by Star Trek (0)

Anonymous Coward | more than 2 years ago | (#36912324)

It was a Dodge Ram, '96 or '97 model. (The episode was ST:VOY 308 "Future's End".)

They did this in Enterprise's time-travel episodes too.

I still don't get the point of the thing, though. How is pulling out your phone, tapping "car", entering a password, etc. any more convenient than "stick key in lock, turn"? It's more expensive, there's more to go wrong, it's harder to fix when it does go wrong, there's no clear benefit, there are many possible downsides. This is what mechatronics profs used to call "bad engineering".

Feature bloat vs. the KISS principle... (0)

taiwanjohn (103839) | more than 2 years ago | (#36911270)

While unlocking my car with a txt msg is nifty and cool, I don't see the point. If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??

Sure, you can imagine a weird scenario where this would be useful... you locked your keys in the car, etc... but every time they add a new convenience (electric locks, electric windows) that's another failure point to deal with. Is it even possible to buy a new car without electric windows these days?

It's bad enough when the nifty features are analog devices, but when they cross the line into network-aware digital tech, the hazards increase exponentially.

Re:Feature bloat vs. the KISS principle... (2)

ilo.v (1445373) | more than 2 years ago | (#36911390)

If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??

My car doesn't have a key, just a button to press. (Volkswagon, not a Ferrari or something else fancy). It just has a fob that needs to be in range for the "start" button to be enabled. This would be more convenient if my cell phone could be the fob, but only if it can't be hacked like this.

Re: (1)

taiwanjohn (103839) | more than 2 years ago | (#36911538)

Interesting, I've heard about these, but haven't used one yet. Still, one could argue that the "fob" is a key of sorts. In any case, you still need to "be there" to drive the car, and if a thief can open the door with a cell phone, he could probably drive away as well.

I wouldn't mind having a keypad/PIN-code system to use the car, but I'd want it to have at least an 8-digit password, and definitely NOT be accessible by wireless.

Re:Feature bloat vs. the KISS principle... (2)

Compaqt (1758360) | more than 2 years ago | (#36911648)

Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)

Were there people crying out they were unable to start their cars with keys?

And the dead simple and foolproof way of turning the engine off if you need to? Now it's hold for 3 seconds to turn off?

High tech twist on ancient KISS (1)

Quila (201335) | more than 2 years ago | (#36912316)

Long ago on cars you didn't have to fumble with keys, you cranked the car.

Then came self-starters. You turned a key to enable the ignition system, then pushed a starter button. Key-as-starter-button came much later.

This goes back to the old time, simply push the starter button. Only now the key is high-tech wireless and you don't even have to insert or turn it, just have it in your pocket.

Re:Feature bloat vs. the KISS principle... (1)

nabsltd (1313397) | more than 2 years ago | (#36912350)

Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)

The advantage isn't so much in being able to start the car, but to unlock the doors without even having to touch your key (which is useful if your hands are full, especially in bad weather). That feature was then extended to starting without the key in the ignition (the "no turn" interlock on the ignition switch is disabled by the proximity of the key). This then led to the completely useless push-button start.

The reason push-button start is useless is that you still need the other features of the ignition switch (steering wheel lock, accessory position, etc.), which means that a push-button doesn't reduce complexity in any way.

Re:Feature bloat vs. the KISS principle... (1)

Cramer (69040) | more than 2 years ago | (#36913766)

The steering lock is a solenoid -- or at the most basic, turning off the power steering. The ACC position is a matter of pushing the start button without touching the break.

My VW (traditional key) has no "ACC". If you want the radio on with the car off, simply trurn it on. (it'll run for about an hour and shutoff again.) The windows / sunroof won't work without the key in the run position -- or you can use the open/close trick with the key in the door lock.

Re:Feature bloat vs. the KISS principle... (1)

SleazyRidr (1563649) | more than 2 years ago | (#36912914)

The start buttons are just cool. That's all the reason you need.

Re:Feature bloat vs. the KISS principle... (1)

Cramer (69040) | more than 2 years ago | (#36913852)

I've thought about the same thing with my hybrid. Everything about the car is computer controlled... steering is electric assist (without that motor, you aren't driving), breaks are electronic (mechanical if you push them all the way to the floor), accelerator 100% electronic, transmission 100% electronic... it's one rogue program away from driving itself around the neighborhood. (and with the parking sensors, it can avoid people.) Killing the car requires getting in the trunk and pulling the big orange plug.

Re:Feature bloat vs. the KISS principle... (0)

Anonymous Coward | more than 2 years ago | (#36911408)

What if you wanted to kill yourself from carbon monoxide poisoning? An unventilated garage and a sms sent via laptop to the car and ohh no!
Then sue the manufacturer for creating an unsafe product.
Win.

Re:Feature bloat vs. the KISS principle... (1)

Jeng (926980) | more than 2 years ago | (#36911888)

Would have to be a rather old car, modern emission systems don't put out enough carbon monoxide to kill you.

Re:Feature bloat vs. the KISS principle... (0)

Anonymous Coward | more than 2 years ago | (#36913680)

I didn't know you can sue after you died of carbon monoxide poisoning.

Re:Feature bloat vs. the KISS principle... (0)

Anonymous Coward | more than 2 years ago | (#36911460)

While unlocking my car with a txt msg is nifty and cool, I don't see the point. If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??

It would be my guess that the vehicles that support this technology also support the new way of starting the engine: a push button. The assumption is that once you're in, you don't need any further "authorization."

Re:Feature bloat vs. the KISS principle... (1)

bws111 (1216812) | more than 2 years ago | (#36911828)

Bad assumption. You still need a physical 'key' to drive the car (the key may be a chip on your keyring in your pocket, but it still needs to be there).

Re:Feature bloat vs. the KISS principle... (0)

Anonymous Coward | more than 2 years ago | (#36911468)

You don't live somewhere cold. Remote car starters are nice but they don't have enough range. In addition, you don't have to walk back to your desk to get your keys to start your car when you have a cell phone with you.

I don't know from personal experience. My car is 15 years old and doesn't even have power locks.

Re:somewhere cold (1)

taiwanjohn (103839) | more than 2 years ago | (#36912018)

Not at the moment, but I grew up in Iowa, so I know all about cold winters. But I never thought it was that big a deal to run out and fire up the engine. Chances are you're going to have to scrape the windows anyway, so that's plenty of time to get the heater working. It might not be "toasty" in such a short time, but it'll be a lot better than being outside.

For that matter, what if it's so cold that your car doesn't start on the first try? Does it retry on its own, or do you have to send it another text msg? As you no doubt know, an older car often needs a little TLC to get started... does the software handle that for you?

My friend has an SUV with a phone-enabled car alarm system that calls him whenever the alarm gets tripped. Unfortunately, the alarm is so sensitive it often goes off whenever a heavy vehicle like a dump truck rumbles past. They've taken it to the dealer several times to get the thing adjusted, but it never seems to work.

I acknowledge that this "feature" would be useful for some people sometimes, but implementing it via SMS just screams all kinds of stupid.

Re:Feature bloat vs. the KISS principle... (0)

Anonymous Coward | more than 2 years ago | (#36911800)

You can steal things from inside the car when it's unlocked though. And if you're unlocking it with a phone, you're far less conspicuous than breaking the window, and look like the owner of the car legitimately grabbing something you need from the back seat.

Re:Feature bloat vs. the KISS principle... (1)

NonSequor (230139) | more than 2 years ago | (#36913006)

I've seen a commercial for this and the way they presented it was as a means of letting a teenager to use the car, but requiring them to request permission to unlock and start it.

Not black hat at all (0)

Anonymous Coward | more than 2 years ago | (#36911392)

but he isn't going to name the products they've hacked or provide full technical details of their work until the software makers can patch them.

Well that's not black hat at all.

Car & Hacker insurance? (1)

BetaDays (2355424) | more than 2 years ago | (#36911524)

When I bought my last car in 2008 the insurance company guy asked me if it had anti-theft devices in the car. I said yes, it has a microchip in the key. So he says I get a discount because of it. Great news in my mind a discount. But now does this mean I go to buy my next car will I not get a discount because I will have to buy Car Hacker insurance? Or will I have to LoJack it too.

Re:Car & Hacker insurance? (1)

statusbar (314703) | more than 2 years ago | (#36912566)

No, it means when a your anti-theft device is compromised via a hack and your care is stolen, the insurance company will not believe you and will tell you that you are trying to defraud the insurance company by faking a theft - since the anti-theft device is, by their analysis, "unbreakable". There is already precedence for this.

--jeffk++

Re:Car & Hacker insurance? (0)

Anonymous Coward | more than 2 years ago | (#36913146)

There is already precedence for this.

[citation needed]

Re:Car & Hacker insurance? (1)

Cramer (69040) | more than 2 years ago | (#36913922)

That anti-theft devices do nothing to stop someone from pulling your car onto a low-boy and hauling it away. (Repo men do this every day.)

Old news. (1)

Anonymous Coward | more than 2 years ago | (#36911530)

I remember in the early unencrypted days of this a client of mine looking particularly smug when he showed me how he could start his car with his remote keychain back when starting cars without being in them was all the rage. He waxed poetic about how bleeding edge he was, and while I let him have his epeen hard-on, I pointed my pda out the window and turned off his engine, promptly wiping the smug off his face.

Replay attack? (2)

Lord Grey (463613) | more than 2 years ago | (#36911760)

From TFA:

With these mobile car apps, the phone connects to a server that then sends secret numerical keys to the car in order to authenticate itself, but the iSec researchers figured out ways to get around this by looking at the messages sent between the server and the car over the mobile network, Bailey said in an interview. "We reverse-engineer the protocol and then we build our own tools to use that protocol to contact that system," he said.

Without knowing the details, this sounds a lot like a replay attack. Or possibly a version of one of the attacks used against ATMs, back when ATMs were new and relatively unguarded. You could tap into an ATM line and basically send commands like, "eject five $20 bills" over and over again, without too much trouble.

I have a 2010 Camaro SS, which has the older version of the OnStar firmware that is not compatible with their mobile app. Now I'm relatively happy about that. One less attack vector to worry about.

Re:Replay attack? (1)

gv250 (897841) | more than 2 years ago | (#36913956)

From TFA:

With these mobile car apps, the phone connects to a server that then sends secret numerical keys to the car in order to authenticate itself,

So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Security Researchers (0)

Anonymous Coward | more than 2 years ago | (#36912370)

I have always wondered how many hackers and bad guys get their info from what security researchers reveal.

Well, it looks like (1)

Khyber (864651) | more than 2 years ago | (#36912450)

downloading a car is now possible!

I don't understand. (1)

ahecht (567934) | more than 2 years ago | (#36912658)

This article seems to technical. Can someone summarize using a car analogy?

Copyright Infringement and Cars (1)

tekrat (242117) | more than 2 years ago | (#36913092)

So, whenever there's a debate on Slashdot about "piracy" or copyright infringement, SOMEONE always makes the tired analogy about "stealing your car", and then someone else always corrects them about COPYING your car, leaving your original car behind.

Well now the pirates *can* steal your car!

And when the technology improves, there will be an app to COPY your car! And when anyone can COPY a car, what dinosour business model with the car manufacturers be forced into? Suing their own customers like the RIAA?

What a world!

Re:Copyright Infringement and Cars (0)

Anonymous Coward | more than 2 years ago | (#36914366)

Yo dawg, we herd you like cars so we put rapid prototyping in your car so your car can make cars that also make cars.

Re:Copyright Infringement and Cars (0)

Anonymous Coward | more than 2 years ago | (#36914550)

I really want to mod this redundant.

Anti theft device (1)

PPH (736903) | more than 2 years ago | (#36914148)

My car has an anti theft device that is nearly foolproof. Its a knob on the dashboard labeled 'Choke'. If you don't know what to do with it (and most people with no business on my lawn don't) that car isn't going anywhere. Heck, kids these days are stopped cold attempting to carjack a stickshift.

WHITE HAT SCUM (0)

Anonymous Coward | more than 2 years ago | (#36914430)

"or provide full technical details of their work until the software makers can patch them."

If those people claim to be blackhats they are doing it wrong.

Only two hours? (1)

RapmasterT (787426) | more than 2 years ago | (#36914936)

It only took them two hours to figure out how to open the car with a laptop? And that's more frightening than the old fashioned way that takes 2 seconds with a brick?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...