A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft.
Flavio Garcia, from the University of Birmingham, has cracked the algorithm behind Megamos Crypto—a system used by several luxury car brands to verify the identity of keys used to start the ignition. He was intending to present his results at the Usenix Security Symposium.
But Volkswagen’s parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands, asked the court to prevent the scientist from publishing his paper. It said that the information could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car."
The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online.
Instead, they protested that "the public have a right to see weaknesses in security on which they rely exposed," adding that otherwise, "industry and criminals know security is weak but the public do not."
The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish."
Courtesy Dan Goodin, ArsTechnica
Unsafe at any speed: The speedometer of a 2010 Toyota Prius that has been hacked to report an incorrect reading.
Just about everything these days ships with tiny embedded computers that are designed to make users’ lives easier. High-definition TVs, for instance, can run Skype and Pandora and connect directly to the Internet, while heating systems have networked interfaces that allow people to crank up the heat on their way home from work. But these newfangled features can often introduce opportunities for malicious hackers. Witness "Smart TVs" from Samsung or a popular brand of software for controlling heating systems in businesses.
Now, security researchers are turning their attention to the computers in cars, which typically contain as many as 50 distinct ECUs—short for electronic control units—that are all networked together. Cars have relied on on-board computers for some three decades, but for most of that time, the circuits mostly managed low-level components. No more. Today, ECUs control or finely tune a wide array of critical functions, including steering, acceleration, braking, and dashboard displays. More importantly, as university researchers documented in papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and "telematics" units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.
The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it’s theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there’s no telling how far the hack could extend.
Later this week at the Defcon hacker conference, researchers plan to demonstrate an arsenal of attacks that can be performed on two popular automobiles: a Toyota Prius and a Ford Escape, both 2010 models. Starting with the premise that it’s possible to infect one or more of the ECUs remotely and cause them to send instructions to other nodes, Charlie Miller and Chris Valasek have developed a series of attacks that can carry out a range of scary scenarios. The researchers work for Twitter and security firm IOActive respectively.
Among the attacks: suddenly engaging the brakes of the Prius, yanking its steering wheel, or causing it to accelerate. On the Escape, they can disable the brakes when the SUV is driving slowly. With an $80,000 grant from the DARPA Cyber Fast Track program, they have documented the cars’ inner workings and included all the code needed to make the attacks work in the hopes of coming up with new ways to make vehicles that are more resistant to hacking.
The door is not really ajar.
"Currently, there is no easy way to write custom software to monitor and interact with the ECUs in modern automobiles," a white paper documenting their work states. "The fact that a risk of attack exists but there is not a way for researchers to monitor or interact with the system is distressing. This paper is intended to provide a framework that will allow the construction of such tools for automotive systems and to demonstrate the use on two modern automobiles."
The hacking duo reverse-engineered the vehicles’ CAN, or controller area networks, to isolate the code one ECU sends to another when requesting it take some sort of action, such as turning the steering wheel or disengaging the brakes. They discovered that the network has no mechanism for positively identifying the ECU sending a request or using an authentication passcode to ensure a message sent to a controller is coming from a trusted source. These omissions make it easy for them to monitor all messages sent over the network and to inject phony messages that masquerade as official requests from a trusted ECU.
"By examining the CAN on which the ECUs communicate, it is possible to send proprietary messages to the ECUs in order to cause them to take some action, or even completely reprogram the ECU," the researchers wrote in their report. "ECUs are essentially embedded devices, networked together on the CAN bus. Each is powered and has a number of sensors and actuators attached to them."
Using a computer connected to the cars’ On-Board Diagnostic System, Miller and Valasek were able to cause the vehicles to do some scary things. For instance, by tampering with the so-called Intelligent Park Assist System of the Prius, which helps drivers parallel park, they were able to jerk the wheel of the vehicle, even when it’s moving at high speeds. The feat takes only seconds to perform, but it involved a lot of work to initially develop, since it required requests made in precisely the right sequence from multiple ECUs. By replaying the request in the same order, they were able to control the steering even when the Prius wasn’t in reverse, as is usually required when invoking the park assist system. They developed similar techniques to control acceleration, braking, and other critical functions, as well as ways to change readings displayed by speedometers, odometers, and other dashboard features.
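The two gaps described above, no sender authentication on the CAN bus and acceptance of replayed requests, can be seen from the receiving side in the following added example (not code from the researchers' paper or from any vehicle). It goes beyond the article by sketching one common countermeasure: a truncated HMAC bound to the arbitration ID plus a freshness counter. The key, the ID 0x123, and the payload layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4    # truncated tag; a classic CAN frame carries at most 8 data bytes
MAX_DATA = 2   # leaves room for a 2-byte counter and the 4-byte tag

def _tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # Bind the tag to the arbitration ID and counter, not only to the data.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender side: payload = data || counter || truncated tag."""
    if len(data) > MAX_DATA:
        raise ValueError("data too long for a classic CAN frame")
    return data + struct.pack(">H", counter) + _tag(key, can_id, counter, data)

class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys   # per-ID shared keys, assumed provisioned out of band
        self.last = {}     # highest counter accepted so far, per ID

    def accept(self, can_id: int, payload: bytes):
        key = self.keys.get(can_id)
        if key is None or not 6 <= len(payload) <= 8:
            return None
        data, ctr_raw, tag = payload[:-6], payload[-6:-4], payload[-4:]
        (counter,) = struct.unpack(">H", ctr_raw)
        if not hmac.compare_digest(tag, _tag(key, can_id, counter, data)):
            return None    # frame from a node that does not hold the key
        if counter <= self.last.get(can_id, -1):
            return None    # replay of a frame that was valid earlier
        self.last[can_id] = counter
        return data

def demo():
    """Constructed frames: genuine, unauthenticated, replayed, next genuine."""
    key = bytes(range(16))   # constructed sample key
    steer_id = 0x123         # constructed arbitration ID
    rx = Receiver({steer_id: key})
    genuine = protect(key, steer_id, 1, b"\x05")
    injected = b"\x7f" + struct.pack(">H", 2) + b"\x00" * MAC_LEN
    return [
        rx.accept(steer_id, genuine),    # accepted
        rx.accept(steer_id, injected),   # rejected: tag does not verify
        rx.accept(steer_id, genuine),    # rejected: counter already used
        rx.accept(steer_id, protect(key, steer_id, 2, b"\x06")),
    ]
```

A 16-bit counter wraps quickly and a 32-bit tag is short, so a real design would need rekeying before wrap and rate limiting of failed verifications.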
For a video demonstration of the hacks, see this segment from Monday’s The Today Show. In it, both Toyota and the Ford Motor Company emphasize that the manipulations Miller and Valasek carry out require physical access to the car’s computer systems. That’s a fair point, but it’s also worth remembering the previous research showing that there are often more stealthy ways to commandeer a vehicle’s on-board computers. The aim behind this latest project wasn’t to develop new ways to take control but to show the range of things that are possible once that happens.
When combined with the previous research into hacking cars’ Bluetooth and other interfaces, the proof-of-concept exploits should serve as a wake-up call not only to automobile manufacturers, but to anyone designing other so-called Internet-of-things devices. If Apple, Microsoft, and the rest of the computing behemoths have to invest heavily to ensure their products are hack-resistant, so too will those embedding tiny computers into their once-mundane wares. A car, TV, or even your washing machine that interacts with Internet-connected services is only nifty until someone gets owned.
Courtesy Cyrus Farivar, ArsTechnica
A team from the University of Texas spoofed the GPS receiver on a live superyacht in the Ionian Sea.
One of the world’s foremost academic experts in GPS spoofing—University of Texas assistant professor Todd Humphreys—released a short video on Monday showing how he and his students deceived the GPS equipment aboard an expensive superyacht.
Humphreys conducted the test in the Ionian Sea in late June 2013 and early July 2013 with the full consent of the “White Rose of Drachs” yacht captain. His work shows just how vulnerable GPS receivers are and how relatively easy it is to send out a false GPS signal and trick the on-board receiver into believing it.
“What we did was out in the open, it was against a live vehicle, a vessel—an $80 million superyacht, controlling it with a $2,000 box,” he told Ars. “This is unprecedented. This has never been shown in this kind of demonstration. That’s what’s so sinister about the attack that we did. There were no alarms on the bridge. The GPS receiver showed a strong signal the whole time. You just need to have approximate line of sight visibility. Let’s say you had an unmanned drone, you could do it from 20 to 30 kilometers away or on the ocean you could do two to three kilometers.”
In this case, Humphreys’ student sent out the spoofed signal from on-board the ship itself. All GPS signals are sent from satellites to Earth without any authentication or encryption. So Humphreys is using a small software radio device to essentially fool the on-board receiver into listening to his fake signal, rather than the authentic one. GPS, in its civilian form, is provided for free, globally, by the American military GPS Directorate. The agency did not immediately respond to Ars’ request for comment.
We be jammin’
Humphreys has warned against the possibility of such attacks for some time now. He even demonstrated at last year’s South by Southwest conference that GPS on board a flying drone could be spoofed too. In October 2012, a Carnegie Mellon team also showed how to exploit existing software bugs to disrupt a GPS receiver rather than simply feed it false information.
“We’re only overpowering by two to three times [what the GPS satellite should produce], you can’t tell with a signal to noise or jamming to noise detector—it’s very quiet,” Humphreys added. He noted that traditional jammers overpower a bona fide signal by orders of magnitude. “We spent an extra year or two to make sure our signals were aligned [exactly with what the receiver would see]. You might be seeing 10 of them at any given moment. We receive those signals too, and we generate signals that aren’t just perfect replicas, but they’re perfectly aligned—it makes the takeover perfectly seamless. There isn’t even a hiccup.”
Humphreys said he could use this same technique on a GLONASS or Galileo navigation system. So what would a worst-case scenario look like for a malicious attack? The Texas professor writes, in an as-yet-unpublished report:
What would a spoofing attack look like in practice? Suppose the spoofer’s goal is to run the target vessel aground on a shallow underwater hazard. After taking control of the ship’s GPS unit, the spoofer induces a false trajectory that slowly deviates from the ship’s desired trajectory. As cross-track error accumulates, the ship’s autopilot or officer of the watch maneuvers the ship back into apparent alignment with the desired trajectory. In reality, however, the ship is now off course. After several such maneuvers, the spoofer has forced the ship onto a parallel track hundreds of meters from its intended one. Now as the ship moves into shallow waters, the ECDIS display and the down-looking depth sounder may indicate plenty of clearance under the keel when in truth a dangerous shoal lies just underwater dead ahead. Maybe the officer of the watch will notice the strange offset between the radar overlay and the underlying electronic charts. Maybe, thinking quickly, he will reason that the radar data are more trustworthy than the ship’s GPS-derived position icon displayed on the ECDIS. And maybe he will have the presence of mind to deduce the ship’s true location from the radar data, recognize the looming danger, and swing clear of the shoal to avert disaster. Or maybe not.
18th century technology to the rescue?
In another as-yet-unpublished paper, Humphreys has written about how to counter his attack vector.
“The most effective defenses that we’ve found are the most costly and the least practical,” he told Ars. “[You’d need to add] digital signatures that would introduce unpredictable features that would make it challenging for a spoofer. It wouldn’t require any new hardware, but it would require some change to the message that they’re sending out, so you can include digital signatures, unpredictability is the key. Conceptually, it’s fairly straightforward.”
Humphreys also said that for now, it’s hard for a boat captain to know if he or she is being spoofed while at sea.
“There’s not much they can do out in open ocean, at that point, only GPS is available to them,” he said. “Nobody knows how to use a sextant, and US discontinued the LORAN system two years ago.”
Courtesy Adam Clark Estes, Gizmodo
On Friday, the secret court that oversees cases related to the Foreign Intelligence Surveillance Act renewed the order that enables the NSA to compel telecom companies to hand over records whenever it wants. Translation: No end in sight to the NSA spying on phone records.
The existing order was set to expire at 5pm on Friday, but the FISA court handed down the decision right under the wire. Normally these details are kept top secret, but the government decided to declassify the details in light of the increased scrutiny over the NSA’s so-called telephony metadata program. If broadcasting the fact that you’re going to keep doing the thing that’s making America mad sounds kind of counterintuitive, that’s because it is.
In general, it doesn’t look like the government’s going to pull back on the spying any time soon. Earlier on Friday, the Obama administration responded to one of the lawsuits filed after Edward Snowden’s leak six weeks ago and said it would keep collecting phone records as long as it was in the "public interest." It added that the NSA program doesn’t violate Americans’ constitutional rights, and even if you thought it did, it can’t be challenged in court. While the administration saying these things is very different than a judge saying them, it does take the wind out of privacy advocates’ sails a bit. At the very least, it shows that they’re facing an uncompromising foe.
And that’s where this whole thing continues to be upsetting. It’s unfortunate when government programs pit American citizens against their leaders. This is not an isolated issue that affects a few people. We recently learned that the NSA surveillance covered not only individuals with potential ties to terrorists but also everybody they know and everybody that they know. Poor Kevin Bacon probably hasn’t had a truly private conversation in a decade.
There is some good news to this week’s happenings. We now know more than ever before exactly how the NSA’s telephony metadata program works. Unfortunately, the more we learn, the less it seems we can do. [RT, Wired]
Courtesy Robert Sorokanich, Gizmodo
Disney Research, a partnership between the mouse-eared entertainment juggernaut and universities around the globe, is on a virtual reality roll. Its latest development, an algorithm that turns 2D photographs into 3D landscapes, can transform a regular photo into a video game-style environment, using consumer-grade computer hardware.
The program senses the depth of objects in a photograph by analyzing patterns of light and darkness. With multiple photos from different viewpoints, the program can fill in background details obstructed by objects in the foreground. The result is a crisp, detailed 3D rendering that definitely messes around with your perception when you see it move.
Perhaps most surprisingly, Disney researchers say the system was built to run on a "standard graphics processing unit" rather than the heavy-duty machinery required for most graphics work. This could make the rendering program useful beyond gaming—the research team suggests uses in art and archaeology, just to name two fields that could benefit. Imagine how much cooler your family photo album would be if those old, flat pictures were 3D renderings. Between this and Disney Research’s tactile feedback rig, it won’t be long before you’re not just telling kids how you walked to school uphill both ways in the snow—you’re making them experience it in three dimensions. [Disney Research via Polygon]
Courtesy Greg Kumparak, TechCrunch
Hello, and welcome back to today’s episode of “Why? LOL BECAUSE WE CAN.”
Tired of your dumb old microwave that just shoots friggin’ radio waves at food to cook it? Stupid thing probably can’t even play animated GIFs or send Snapchats or download the Fergie. What’s the point?
In the coolest mod I’ve seen in ages, developer Nathan Broadbent has hacked away at his microwave to add stuff that any self-respecting microwave manufacturer of the year 2013 should have probably added themselves. Voice commands! Barcodes that pre-set cooking times! A SELF SETTING CLOCK.
Meet the Raspberry Picrowave. As you might’ve gathered from the name, it’s a microwave mashed up with a Raspberry Pi, the $25 micro-computer adored by modders, hackers, and geeks ’round the world.
Here’s what it can do so far:
- Clock sets/updates itself across the Internet
- A barcode scanner pulls cooking instructions from an online database. Such a database didn’t actually exist, so he’s building one himself, adding directions as he goes.
- Voice Commands, like “Microwave, Twenty seconds, Low.” (Alas, Nathan says his kitchen’s acoustics screw this up a bit.)
- Custom sound effects (because beeps are for chumps).
- You can control the microwave from your phone. The only uses I can think of for this are: when you know you’ll want microwaved popcorn later and can preload a bag, or when you want to convince your friends that you’re the biggest geek on the planet because you have a microwave that you can control with your phone.
- It tweets when it’s done cooking, because of course it does.
If nothing else, man oh man do I want that self-setting clock. My (two-year-old) microwave uses the most ridiculous and impossibly obfuscated series of button presses for clock setting, so a power outage at my house generally means at least three months of the microwave swearing that it’s blink-thirty.
Stuffing a Pi into your microwave is cool and all, but the scale of the project gets a whole lot more impressive once he starts getting into the deeper details, from wiring the Pi into the microwave’s power supply, to designing a new control panel, to etching and producing a custom PCB that fits in the place of the original.