This year at Defcon, the car hacking village is bigger than ever, with more cars, car hacking adapters and giant snarls of tiny exposed wires tied to demo stations with car parts screwed to plywood stands than ever before. It’s car hacking 101 here, and class is in full force.
The first thing you notice is the tools are getting better. They’re simpler, easier to buy, and they even have a car hacking badge you can buy that is sort of shaped like a car and has an ODB-II interface on one end (those sold our pretty fast) in case you want to dig in.
And lots of folks do – this place is packed. Last year there was a smattering of workstations and a somewhat smaller snarl of wires – not so this year.
This year the automotive sophistication is increasing, but only a little. Basically most critical messages that your car digests to run its critical systems are in a plain, unencrypted form that are digested by default and then run the part of your car they’re responsible for. Except for a couple of mobile systems like the odometer, much of the rest of the car has the “implicit availability” model baked in, meaning the modules will almost always listen and act, but do very little to determine if the message is legitimate.
But the car folks have at least started to notice the legitimacy issue in a sort of formal way, drafting up some secure car specs they hope will eventually find their way into real cars. For now it’s just a design goal. If you bought a car today, it doesn’t have this. If you already have a car, it really doesn’t have this, or anything close.
“THE PROBLEM IS THAT SECURITY COSTS MONEY AND THE CAR FOLKS ARE HYPER SENSITIVE TO INCREASING PRODUCTION COSTS.”
The problem is that security costs money and the car folks are hyper sensitive to increasing production costs. On your home router you feel like if it costs less than $50, you don’t care. Car manufacturers would care about $50 per car. A lot. Multiply every dollar spent by a million units and you start to understand.
The good news is that authentication can be handled in software, it’s just that as of yet, it hasn’t been in large-scale production. So this means the costs can (eventually) be low, once the non-recoverable expense of designing and implementing the system has been recovered. Even then, seemingly simple changes or additions to a car are ridiculously expensive to implement. This is because cars, in general, have different design goals than more traditional electronic doodads.
Consider how upset you’d be if your $50 router failed. Hint: Not very. How about if you’re $50,000 full-size SUV failed while carrying your kids to school. Very unhappy. Like lawsuit unhappy. So while car companies have taken heat for not being earlier to the game, there is an implicit expectation for the devices they produce to basically last forever, whereas you’d be happy if your router lasted more than a couple of years.
Still, if you were a cybersecurity expert who knows a lot about the nuts and bolts of cars, you’d basically have guaranteed employment unless you did something grossly inappropriate – and maybe even then. Automotive security isn’t going away. Neither are the prognostications of automotive gloom and doom. But the industry is making progress. We hope next year at Defcon there will be even more folks trying to figure out how to secure the platform and share constructively with the auto industry so we’ll all be safe.