Don't trust your online vehicle or for that matter your license plate.

[wanderingfool2]

Recently a group of ethical web hackers put their focus on car companies and set out to see what they did.  As it turns out lots of the legacy auto-motive groups have put in features without properly securing their web-interfaces, as a result the team was able to access admin portals, track users, unlock cars all with very little information.  To highlight it all, there is the new California approved e-license plates where it was trivial for them to figure out how to set the license plate as stolen, and grab GPS data.  The idea of an electronic license plate was already a bad idea, but connecting it to the internet and with a GPS in it...that's asking for trouble.

 

A very quick breakdown of the larger flaws found within the last few months:

1) Reviver - License plates: GPS Data of users, plates can be listed as stolen, access to dealers portals (cause of hack, they could switch the customer field to an admin field to become an admin)

2) Kia, Honda, Infiniti, Nissan, Acura:  All you needed was the VIN to get, remote start, open, engine start, engine stop

3) Hyundai: Remote start, open, etc.

4) Ford: Account takeover 

5) Porsche: GPS location, and sending vehicle commands

6) Mercedes: GIT was access, full compromise of site (they got pushback from Mercedes originally because Mercedes didn't realize how serious it was)

 

https://samcurry.net/web-hackers-vs-the-auto-industry/

Quote

During the fall of 2022, a few friends and I took a road trip from Chicago, IL to Washington, DC to attend a cybersecurity conference and (try) to take a break from our usual computer work.

While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn't resist poking at the scooter's mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.

 

When everything eventually settled down, we sent a report over to the scooter manufacturer and became super interested in trying to more ways to make more things honk. We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.

At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.

 

This speaks to the fact that as car companies add more tech into their vehicles they really need to update with the times and get serious about security.  This includes beginning bounty programs, as from what I gather not many have one that offers a good incentive to find bugs.

 

The scary thing about all of this is that this level of compromise is often overlooked by non-tech people and until we have a major incident (like all cars getting unlocked) there is very little incentive for the companies to fix the problem.  These are the problems that were found in the web-interfaces as well, there are untold amounts still in the vehicles themselves (which many don't have the option for OTA updates).

 

I don't think I've found a single person who though electronic plates though were a good thing, and this really does say why you should avoid them at all costs, aside from when they mess up and you get fined for not having a working license plate,  you now have to contend with potentially being tracked or hacked (while paying monthly for the luxury of potentially getting hacked)

[Radium_Angel]

Car companies: Security by Obscurity

 

[Arika]

This is one reason why I never want to buy an Internet connected car

[wanderingfool2]

8 minutes ago, Arika S said:

This is one reason why I never want to buy an Internet connected car

Good luck finding one without some connectivity

[starsmine]

37 minutes ago, wanderingfool2 said:

Good luck finding one without some connectivity

looks at the massive used market which is where 90% of the fleet is. 

[Arika]

13 hours ago, wanderingfool2 said:

Good luck finding one without some connectivity

very easy when i refuse to buy new cars.

[Fasterthannothing]

4 hours ago, wanderingfool2 said:

Good luck finding one without some connectivity

Actually not that hard at all if you look for specific vehicles. I bought a 2018 vehicle fully loaded that didn't even have a touchscreen or anything remotely connected. It also has a manual absolutely no one is touching my car without me knowing

 

[Taf the Ghost]

Cell-Delete is going to be a thing with cars going forward.  Almost wholly for the blatantly obvious reasons. 

 

Though I also feel these hacks have been in the wild & in use for a bit. And I can't wait to see the Italian Super Car maker's concept of security. That should be endless humor.

[IkeaGnome]

27 minutes ago, Fasterthannothing said:

Actually not that hard at all if you look for specific vehicles. I bought a 2018 vehicle fully loaded that didn't even have a touchscreen or anything remotely connected. It also has a manual absolutely no one is touching my car without me knowing

 

I'm still waiting for the day some kid tries to steal my Toyota. Jokes on you, it's in neutral in 4 places.

Spoiler

 

[SansVarnic]

Just unplug the gps and any 4/5g antennas. Done.

[StDragon]

Physical key, not a remote fob, is what's needed. But if you must, be sure to keep your keys in a faraday bag or box to mitigate against replay attacks. You can find them for under 15 bucks.

 

But this web hack takes the cake. Nothing you can do about it.

[Kisai]

15 hours ago, wanderingfool2 said:

 

 

I don't think I've found a single person who though electronic plates though were a good thing, and this really does say why you should avoid them at all costs, aside from when they mess up and you get fined for not having a working license plate,  you now have to contend with potentially being tracked or hacked (while paying monthly for the luxury of potentially getting hacked)

They're a good thing in only two contexts:

- Bad Weather areas (such as 99% of Canada), where you can't read the plate in snow or fog, and the plate will be buried in snow even when driving, let alone parked.

- Luxury or Fleet cars.

 

Like if your vehicle is abandoned in the winter because you can't drive it, you don't want it being towed away and unable to find it. Not that this happens that frequently, but every winter there are cars stuck in ditches and such. It would be less of a pain in the ass to track down their owners if the towing company or the city could just read the plate without having to wait for a cop with access to the database to show up.

 

That could also apply for areas that get hurricanes/tornados and their cars end up in places they don't belong.

 

Luxury cars on the other hand should be de-facto electronic plates because of the high potential for theft of the vehicle, and how many luxury vehicles are owned by completely inept drivers, or only keep them in their garage most of the time. 

 

But in general, the tracking mechanism is probably not beneficial enough from the status quo. Countries and states want them however for the same reason that electricity companies want smart meters. They reduce the paperwork burden. Tolls can be paid without another dongle sitting in the car. But right now it seems like an opt-in thing.

 

You'll actually see they're being sold in only like three states:

https://reviver.com/

 

So right now it seems like these are things that actual users want, and not being forced on the public. Yet. That reviver plate is a $20/mo cloud service. Yuck.

 

 

 

[mr moose]

15 hours ago, Arika S said:

This is one reason why I never want to buy an Internet connected car

And people don't understand why I want to keep both my 23 year old cars running as long as I can.

 

Software update? That's when I put a new radio in it.

[GoodBytes]

On 1/13/2023 at 8:33 PM, SansVarnic said:

Just unplug the gps and any 4/5g antennas. Done.

But then you won't be able to enjoy the 1500$ terrible map package, and slide show like experience when navigation. You'll need to use your smartphone like poor people who have to suffer through fast and responsive experience.

[vetali]

Problem is, when auto makers ramp up security it just turns into an anti right to repair money grab for the makers. I have to pay on top of a 5,000 USD scan tool (plus 800 in yearly updates), a subscription to Stellantis to communicate with any of their vehicles thanks to the Jeep hacking fiasco a while ago. I am also locked out of any newer Fords recently, though I haven't inquired with the scan tool manufacturer to figure out why.

 

Also, just unplugging or disabling telematics will cause certain functions of the vehicle, or the vehicle inoperable.

[wanderingfool2]

21 hours ago, Kisai said:

They're a good thing in only two contexts:

- Bad Weather areas (such as 99% of Canada), where you can't read the plate in snow or fog, and the plate will be buried in snow even when driving, let alone parked.

- Luxury or Fleet cars.

 

Like if your vehicle is abandoned in the winter because you can't drive it, you don't want it being towed away and unable to find it. Not that this happens that frequently, but every winter there are cars stuck in ditches and such. It would be less of a pain in the ass to track down their owners if the towing company or the city could just read the plate without having to wait for a cop with access to the database to show up.

You still would need to wait until the city or cop accesses the database to identify who it belongs to (unless you are like the hacker and compromise the system).  With luxury vehicles, you should already have an option to track your vehicle...same thing with fleet vehicles...actually in this day and age you could just slap a hidden air-tag into the car as well and get reasonable identification where the car is.

 

The only reason I can think of really that justifies the cost would be if you wanted it for the aspect of being able to switch the style of the plate.

 

1 hour ago, vetali said:

Problem is, when auto makers ramp up security it just turns into an anti right to repair money grab for the makers

This is a server side aspect that was exploited, and ramping up security doesn't mean anti right to repair (or at least it doesn't have to mean that)...anyways, I'd rather harder to repair than the potential that there is an exploit that can be used to steal the vehicle.

 

2 hours ago, GoodBytes said:

But then you won't be able to enjoy the 1500$ terrible map package, and slide show like experience when navigation. You'll need to use your smartphone like poor people who have to suffer through fast and responsive experience.

Or have to listen to the radio...unless you are in a Mazda [Mazda screen's got bricked by a radio channel before]

 

On 1/13/2023 at 5:34 PM, StDragon said:

Physical key, not a remote fob, is what's needed. But if you must, be sure to keep your keys in a faraday bag or box to mitigate against replay attacks. You can find them for under 15 bucks.

 

But this web hack takes the cake. Nothing you can do about it.

I actually prefer the newer keycard to entry ones...you can keep them in a wallet with a simple protection and they aren't prone to lockpicking like many older model vehicles (Multiple stories of someone using the wrong key in a car and having it actually work...just because some of the key entries have that bad tolerances)

[vetali]

7 minutes ago, wanderingfool2 said:

This is a server side aspect that was exploited, and ramping up security doesn't mean anti right to repair (or at least it doesn't have to mean that)...anyways, I'd rather harder to repair than the potential that there is an exploit that can be used to steal the vehicle.

Yes it will due to the way the auto industry works. Reminder the Jeep exploit was only physical access to the vehicles systems. Now we have to pay and authenticate with Stellantis' servers to see why a check engine light is on.

[Kisai]

1 hour ago, wanderingfool2 said:

You still would need to wait until the city or cop accesses the database to identify who it belongs to (unless you are like the hacker and compromise the system).  With luxury vehicles, you should already have an option to track your vehicle...same thing with fleet vehicles...actually in this day and age you could just slap a hidden air-tag into the car as well and get reasonable identification where the car is.

 

If you're the owner you could just straight up send the location to the towing place too. Again, like I said, the utility of such a plate doesn't particularly give any advantage over features the car might already have.

 

Like to me it seems like the "smart plate" is intended to give functionality to cars that do not have any of that functionality (such as cheap American cars that do not have infotainment systems.) But why would you want to pay more for it unless you're really into some kind of vanity plate nonsense?

 

[wanderingfool2]

On 1/15/2023 at 12:12 AM, vetali said:

Yes it will due to the way the auto industry works. Reminder the Jeep exploit was only physical access to the vehicles systems. Now we have to pay and authenticate with Stellantis' servers to see why a check engine light is on.

Which Jeep exploit are you talking about?

 

There are certain things which I think are valid in terms of putting in "restrictions".  I'd rather a car that has bad "right to repair" over a car that has an exploit where anyone can plug in, reprogram the key fob and drive away with the vehicle.