by trashbat » Thu Jul 23, 2015 5:43 pm
It's pretty bad.
Vehicle systems are kind of a perfect storm for security problems.
The actual exploit - buffer overflow - is very old. You flood software with more data than it expects, and the extra data ends up in places where it gets used by other, normally unexposed bits of the software. The net effect is you're essentially able to rewrite the software on the fly.
This is widely known about, and if you were writing safety critical software, or even something you felt had security requirements, you would probably consider it. You possibly wouldn't consider it, however, if you felt it was guarded against by someone else (like the operating system) or if what you were doing seemed innocuous. Like, say, you're ACME Inc and you're making a satnav. Who cares about securing that, right?
And at the other end of it, when you're Wonka Industries and you've designed an electric steering controller and you need to link it to other unspecified car systems, because of course everyone wants automatic parking, well of course you'd use CANBUS, and that's an open, unsecured standard right, so the responsibility for protecting it must be someone else's problem, like the integrator.
And then when you're Chrysler and you come to build a car with these different companies' products, and the satnav needs to talk to the speedometer, of course you use CANBUS for that too, and surely you don't need to worry about security because what harm can come of a satnav or that little link you just made, and anyway surely ACME thought about this when they made it anyway.
But the satnav connects to your phone and now you can use that to steer the car. Whoops.
Rob - IAM F1RST, Alfa Romeo 156 JTS