[HN Gopher] CAN Injection: Keyless car theft
___________________________________________________________________
CAN Injection: Keyless car theft
Author : kotaKat
Score : 431 points
Date : 2023-04-05 12:28 UTC (10 hours ago)
(HTM) web link (kentindell.github.io)
(TXT) w3m dump (kentindell.github.io)
| blobbers wrote:
| Is this the sort of thing that works on any CAN bus car, or are
| older cars immune to it since their ignition might not be on this
| same system?
|
| Is my 11 year old car a little more "steal" proof to these
| elegant methods?
| potatochup wrote:
| Age doesn't really matter in this case. This is laziness on
| Toyota's part by not authenticating the messages between the
| "Smart Key" ECU and the main engine control microcontroller.
| tonymillion wrote:
| If you have push button ignition then yes there's a chance your
| car is vulnerable.
|
| Any CAN bus? No, it takes time to sniff the bus and get all the
| control messages, older cars may be especially vulnerable since
| they likely don't have as many security precautions in place.
|
| CAN has been in cars for quite a long time, the infiltration
| systems haven't due to high-cost/lack of electronics.
|
| On a side note, the hack talked about in the article could be
| performed by an Arduino UNO and a $5 CAN bus transceiver.
| emptybits wrote:
| I worry that industry solutions involving more proprietary layers
| and/or encryption on buses will make our vehicles and appliances
| even less modifiable, diagnosable, and serviceable by anyone
| except factory authorized techs.
|
| In keeping thieves out, we're locking ourselves out.
|
| Steering wheel locks and primitive offline immobilizers had their
| advantages...
| bri3d wrote:
| For what it's worth, most European cars have much more robust
| immobilizer systems that use actual cryptographic primitives to
| both obfuscate and authenticate start-release messages.
|
| This is for a variety of reasons - a legal and insurance company
| focus on immobilizer technology through companies like Thatcham
| Research as well as a more active threat model geopolitically.
|
| There are, of course, weaknesses in these cryptosystems, but the
| documented attack describes an _extremely_ poor system by modern
| standards.
| solarkraft wrote:
| You mean on the CAN bus? Then why doesn't the article mention
| it?
| droopyEyelids wrote:
| What do you think about how the article listed devices being
| available for all the European manufacturers?
| bri3d wrote:
| I would love to see a story about one! I don't work in
| automotive RE, it's only a hobby, so I don't have budget to
| go find and buy "emergency start" tools like these security
| vendors do.
|
| As far as I am aware: there are All Keys Lost (AKL)
| immobilizer bypasses for, for example, Volkswagen Immo 5, but
| not "Emergency Start" bypasses. The difference is the level
| of access required: AKL bypasses require involved, long term
| physical access to a car, for example at a shop. They're
| useful for independent or fly-by-night shops and in a post-
| theft scenario, but they're not going to boost a car out of a
| driveway. Meanwhile, Emergency Start bypasses are plain-and-
| simple theft tools like the fake Bluetooth speaker from the
| article.
|
| All of the VW Immo 5 exploits which I am aware of are of the AKL
| style and revolve around being able to extract cryptographic
| material (CS/MAC/ImoDat_noKeyMst/ImoDat_noKeySecu depending
| on who you ask what it's called) from a control module by
| physically removing it from the vehicle.
|
| This is a far cry from tapping the CAN bus at a headlight and
| injecting an unauthenticated CAN message.
| avree wrote:
| What? This is a CAN bus hack, which is a standard that has
| been in EU cars for longer than US cars. I've worked with
| KeylessRide and also built my own hardware
| immobilizer/CANBUS device at a previous startup, and there
| is zero difference between European cars and American cars
| for this...
|
| By design, all nodes on a CAN network receive all frames,
| which is the root of the problem. There are some
| differences in ECU validation, plus whether or not the
| vehicle supports UDS diagnostics, but these are differences
| by manufacturer and have nothing to do with the continent
| the car is being used on.
| bri3d wrote:
| Calling something a "CAN bus hack" is like calling
| something an "Ethernet hack." It's just a bus, it's
| what's on the bus that matters.
|
| European, American, and Japanese cars have completely
| different immobilizer module cryptography
| implementations. In this case, the real weakness was that
| the immobilizer protocol allowed the car to start without
| message authentication, the CAN-related message injection
| thing was a sideshow.
|
| Generally, European cars have stronger immobilizer
| implementations. For example, in VW Immo 5, immobilizer
| messages are encrypted and authenticated using AES with a
| PRNG-based MAC. At a high level, participating modules
| need knowledge of a secret AES key in order to encrypt
| random number seed material. It's symmetric so it's still
| not perfect, but this type of simple "send one message
| through a headlight" attack would not be possible on
| these cars.
|
| Update: ah, I see you edited your comment. Yes, it has
| nothing to do with where the cars are _used_. My point
| was that European _manufacturers_ tend to have more
| secure immobilizer implementations, and I will stand by
| that point.
| avree wrote:
| You know that Toyota, the manufacturer here, is a
| Japanese company, right? European versus American
| regulations have literally nothing to do with this, which
| was your original point.
| mynameisvlad wrote:
| Their original point does not talk about American
| regulations at all, but rather that European regulations
| are stricter and therefore European cars will have
| tighter security.
|
| You're the one that chose to interpret that as "stricter
| than American".
| Nextgrid wrote:
| I suspect older immo bypasses used an engine ECU
| read/write primitive to read & rewrite the firmware over
| the diagnostics port (K-Line or CAN). Those primitives
| are usually based on undocumented commands used during a
| legitimate firmware update process (loading new
| "calibrations" as it's called in the industry) - there's
| a chance those same undocumented routines exist in newer
| ECUs, in which case you don't actually need to break the
| cryptography if you can rewrite the firmware to skip the
| check or seed it with your own key material.
| bri3d wrote:
| I did find an older VW "emergency start" product that
| claims to only work with Bosch MED17 and MED9, and I
| suspect it's using a memory-access primitive (either UDS
| or CCP) to release the immobilizer.
|
| It's trivial to disable an immobilizer in software by re-
| flashing the ECU, yes, but modern ECUs have two strong
| protections against this:
|
| * Cryptographic signature checking against update/re-
| flash payloads (I've done extensive research on these on
| VW Continental ECUs - https://github.com/bri3d/VW_Flash )
|
| and an even better and more obvious protection:
|
| * The ECU application software won't descend into the re-
| flash software (Customer Bootloader) unless the
| immobilizer is free (a valid key is present).
|
| This is a lot of what helps to reduce surface area from
| an "emergency start" style attack to an AKL attack - now
| that the Customer Bootloader won't start without the
| Immobilizer being unlocked, an attacker needs to remove
| the control unit to flash it with a Supplier Bootloader
| exploit ( https://github.com/bri3d/simos18_sboot ) or
| physical access (BDM/JTAG).
| Nextgrid wrote:
| Can't the AKL process effectively be turned into an
| "emergency start" attack anyway?
|
| At least in the US, there are portals for non-official
| repair technicians to buy access to reprogram
| ECUs/keys/etc for a given car (keyed by VIN) - I can see
| this being abused (it can't be that hard to buy access
| under a false identity), not to mention that professional
| car theft gangs might convince/coerce an insider to give
| them even deeper access to the signing service if not the
| raw private keys.
|
| Once you have access to the signing service in one way or
| another and a valid network connection, can't you just
| perform the AKL process in the field by simulating a
| legitimate AKL procedure that a dealership might do?
| Presumably writing custom software to automate all that
| (vs having to manually click through a slow scan tool or
| the often-terrible official software) would cut down the
| required time to a couple minutes.
| bri3d wrote:
| In short: Yes. This is a big threat model that
| manufacturers try to guard against.
|
| However, there are a few protections here:
|
| * Most manufacturers do fairly aggressive KYC / risk
| protection for their online programming services. The VW
| one is called FAZIT/GeKo, you can find the subscription
| process online and it is similar to opening a business
| bank account. Still, you're right, aftermarket account
| sharing is a big thing and as always, a cat and mouse
| game that manufacturers are usually losing. You can
| easily rent VW online coding accounts by the hour on
| shady websites.
|
| There's also a second layer of protection for official AKL
| specifically which is harder to defeat, though:
|
| * Most European manufacturers do not allow an All Keys
| Lost process to be carried out entirely online. For
| example, for VW, dealers or aftermarket vendors need to
| buy specific, physical "dealer keys" for a given VIN.
| These physical key fobs are seeded with some key material
| and registered with the shop and VIN in the backend /
| FAZIT database. The signing server backend for ODIS
| (GeKo) will not adapt keys to a car unless the key
| material matches and the VIN was already associated with
| the key in the backend. Of course, there are social
| engineering attacks here still, but it's basically 2FA
| for key programming, with a lead time of "they ship the
| key to you," and it prevents the attack you describe from
| being plausible by legitimate means.
|
| HOWEVER, this is also one of the major weaknesses in the
| VW Immo 5 cryptosystem architecturally - since the actual
| message authentication is symmetric (MAC based), _if_ the
| secret AES key material can be extracted from the
| immobilizer system, aftermarket tools (Abrites, Autel,
| VVDI /XHorse, etc.) can create and adapt a "Dealer Key"
| without prior authorization. So we get back to the
| current state of these systems - because authentication
| is symmetric, with long-term physical access to the car,
| specific control units can be removed and secret key
| material extracted and used for reprogramming. However,
| drive-by quick-and-dirty "plug two wires from outside"
| attacks are very challenging.
| Nextgrid wrote:
| Very interesting, thanks! Glad to hear there's at least
| an attempt at actual due diligence and theft prevention
| as opposed to merely making it difficult/expensive for
| independent shops or car owners.
| bri3d wrote:
| The longer and more involved I get in automotive
| diagnostics and programming as a hobby, the less I
| believe there is any particular conspiracy against
| independent shops and owners in the automotive industry
| (versus in the heavy equipment and ag industry, where
| there absolutely _is_ a conspiracy).
|
| The threat model most automotive systems are designed
| against (when they are designed against anything at all)
| is absolutely not "we want to screw over those damn
| independent shops trying to run diagnostic routines!" -
| it's "how do we lock down the immobilizer, the ADAS, and
| protect ourselves from tuning-related warranty fraud."
| Independent shops and individual enthusiasts are just
| caught in the crossfire between thieves, ADAS tampering,
| and manufacturers/insurance/regulators.
| Gordonjcp wrote:
| Even in the mid-1990s the key-to-BECM protocols used in old
| Range Rovers were frankly massively overengineered, with a
| 48-bit rolling code key based off the vehicle's VIN and a
| 24-bit key code. The actual encryption routine is just a bunch
| of shifts, adds, and XORs, but so far it has resisted any
| attempt at spoofing keys.
|
| There's a somewhat simple trick to get the engine to start
| without the immobiliser (but it requires special tools), but if
| the body ECU is immobilised most of the vehicle electrics will
| be locked out too.
| aaronbeekay wrote:
| I work in the space and I have not been impressed by the
| quality of Thatcham's requirements once you get past the
| physical domain (door handle pull force, steering column locks,
| etc).
| cjbprime wrote:
| Great article. But:
|
| > And part of the problem is that this isn't a vulnerability
| disclosure and so the processes that Toyota does have in place
| are not appropriate.
|
| I didn't follow this part. I hear that the authors think their
| "you can use CAN fault injection followed by a spoofed unlock
| command to steal cars" technical writeup is not a vulnerability
| disclosure. But why not? (Other than because they said so.)
|
| The fact that the vulnerability is exploited in the wild doesn't
| prevent it from being appropriate to report it as a vulnerability
| -- quite the opposite. They even provide several fix suggestions.
|
| (I'm not personally arguing that it is wrong to disclose the
| vulnerability without coordination. I'm arguing that it's weird
| to make a choice like that while claiming you aren't making one.)
| rwmj wrote:
| He's definitely letting Toyota off the hook there. This
| absolutely is a vulnerability and whatever the size of the
| company they should have a way to promptly deal with
| vulnerabilities.
|
| (Of course it also doesn't surprise me in the least that Toyota
| isn't taking it seriously)
| qup wrote:
| According to his disclaimer, it's most of the manufacturers
| with the exact same vulnerability.
| cjbprime wrote:
| I can't tell whether they _attempted_ to disclose it to
| Toyota through normal vulnerability disclosure channels,
| though. The article implies to me that they didn't.
| mynameisvlad wrote:
| > Ian has tried to get in touch with Toyota to discuss the
| CAN Injection attack, and to offer help, but hasn't had
| much success.
|
| That certainly sounds like a yes.
| cjbprime wrote:
| I read that as more "we cold emailed people looking for a
| potential contact" than "we submitted this vulnerability
| to their PSIRT". The fact that they say this is not a
| vulnerability disclosure situation suggests that they did
| not use the vulnerability disclosure communication
| methods.
| mynameisvlad wrote:
| I read it as "we tried contacting them through their
| standard processes, and were told it didn't fit in" but I
| can see your reading now that I've gone back and reread
| that specific section again. It's indeed quite vague as
| if they were the ones that made the decision or Toyota.
| MagicMoonlight wrote:
| How about instead of keyless entry we just keep using keys.
|
| You wouldn't have a password being loudly screamed out of a
| speaker 24/7, so why would you design a car key to work that way?
| outworlder wrote:
| Keys, those things that rely on pins getting pushed by a piece
| of metal?
|
| Not much of an improvement. Without a transponder in the key
| they are no more difficult to bypass than a light switch.
| Spivak wrote:
| Keys wouldn't stop this attack, they're simulating the key the
| way a screwdriver would in the ignition of an older car.
|
| This is "keyless theft" meaning "you can steal the car without
| the keys" not "you steal the car leveraging keyless entry."
| gambiting wrote:
| The thing that has always bothered me about stuff like this is
| that there must be some _incredibly_ skilled software and hardware
| engineers out there who can put this sort of thing together, and
| they basically decide to use their skills to steal people's
| cars (or well, enable others to do that). On one hand I get it, on
| the other I really don't. I would love to read an interview with
| any of them and see what drives them.
| Nextgrid wrote:
| Could you link to a job post or something that would be willing
| to hire for these skills and pay decently? Because even expert-
| level embedded software engineers don't actually get paid that
| much, and the guys who designed this may not be able to pass a
| typical interview (unlike the job, building this car theft tool
| doesn't require _expertise_ in anything - mere logic, trial and
| error and learning as you go will get you there).
| whimsicalism wrote:
| > building this car theft tool doesn't require expertise in
| anything - mere logic, trial and error and learning as you go
| will get you there
|
| Are you joking? This involves expertise, maybe just not
| certified through formally-mediated channels.
| Nextgrid wrote:
| You effectively get unlimited trial & error attempts, and
| nobody judges you on how you got to the end result (as long
| as the end result is working). Compare that to an interview
| (which sets a baseline level of knowledge necessary, not to
| mention trick questions and/or leetcode) and then the
| actual job (where you are under time pressures that may not
| allow unlimited time for a non-expert to get there by trial
| and error, and there are certain code quality standards to
| follow).
| l33t233372 wrote:
| I just find it hard to believe that someone could do this
| and not do other involved tasks.
|
| Sure it's technically _possible_ someone who is terrible
| at other tasks and isn't very bright put this
| together...but I doubt it.
| DrewADesign wrote:
| Most of these lines of reasoning assume the people involved
| have the same amount of agency as any other developer/engineer,
| and I'm sure they're right in many cases-- plenty of talented
| American software developers have worked at companies making
| scummy malware even having other options. But I'll bet that a
| big chunk of it is difficulty getting legitimate work if you've
| already been convicted of a felony.
|
| I'm not making excuses; there _are_ plenty of ways that someone
| with these skills could make money legally with a felony
| conviction, like online freelance work. But, life choices so
| often come down to the path of least resistance, and if you add
| in a language fluency barrier, intermittent or slow internet
| access, or some other resistance, I'll bet it's a lot easier
| to say "Screw it. I've already got a record-- what do I have to
| lose?"
| IIAOPSW wrote:
| Subversive itch man. It's not about the money. It's about being
| above the rules.
|
| Disclaimer: I've personally not stolen a car.
| Cthulhu_ wrote:
| If I were to guess, money. Good scratch to be made selling
| these tools, or even just working for a contractor and never be
| found making the tools themselves - just a one-off sell of
| information on how to build a device like these.
|
| But yeah, morals are flexible, a lot of people don't care what
| their work is used for (whether they're directly aware or not).
| I mean personally I've worked for investment banking and the
| tobacco industry (websites/shops for e-smoking products), I've
| heard of others that have worked for gambling or "adult
| entertainment", and how many of you here work on either crypto
| or Amazon?
|
| What's morally right, wrong and justifiable is flexible, is all
| I'm saying.
| eimrine wrote:
| I have an opinion that dealing with non-FOSS creates an ability
| to do this. And the ability creates the market. This is a cycle
| of stupidity where a client (most of it) does not want to learn
| anything and a vendor happily supplies shit. The appearance of that
| kind of "skilled engineers" reminds me of water-and-dam supremacy,
| where water is a kind of opportunist actor and the dam is a shitty
| security software. A dam made of shit will fall in a matter of
| time.
| edent wrote:
| As opposed to the incredibly skilled engineers who... steal
| your personal data (or enable others to do that)?
|
| I would love to read an interview with someone who applied to
| work for, say, Facebook. After all the news about their
| complicity in trying to set the world on fire - what drives
| them?
| asdff wrote:
| Why stop there? On HN you no doubt have engineers whose line
| of work is in mass death.
| l33t233372 wrote:
| Could you be more specific?
|
| Military industrial complex?
| markus_zhang wrote:
| Money (and a chance to apply what he learned at a much larger
| scale)? It pays very well and you can FIRE in less than 10
| years. Especially when FB is much more legal than say
| stealing cars.
| whimsicalism wrote:
| I don't think critics of Facebook have even decided what they
| want their critique of Facebook to be.
|
| My opinion is most of the negative reaction that people have
| to Facebook is intrinsic to websites where lots of people
| socialize online.
| adolph wrote:
| The whole supply chain of exporting stolen vehicles (and any
| other large scale illicit activity) is probably filled with
| people with great talent and skill: sales, logistics, banking,
| HR, information security, ... Someone in one of the importing
| countries might even get hired to develop the system for export
| to the US.
|
| Imagine if you were someone with specific knowledge that was
| not remunerated and someone else with ill intent noticed.
| https://xkcd.com/2347/
| ridgered4 wrote:
| Maybe they have felony convictions, dubious immigration status
| or personality problems that make traditional legal employment
| difficult or impossible for them. Or maybe it just pays well.
| bobleeswagger wrote:
| > see what drives them
|
| Failure of the establishment is their primary driver. It's the
| free market in action, crime pays.
| jnwatson wrote:
| This doesn't look particularly sophisticated. It takes
| understanding of basic circuit design and embedded programming.
| The genius bit is leveraging a Bluetooth speaker. That's a
| clever choice.
|
| In many countries, engineering (especially hardware) don't get
| paid a lot. I could imagine the pull of illicit sources of
| income being strong.
| heffer wrote:
| > what drives them
|
| Don't know. A stolen car presumably?
| olabyne wrote:
| Money? (and a low bar of ethics) They sell the device for $5000,
| and it costs them almost nothing (a cheap bluetooth speaker,
| and a few $ of components).
| redder23 wrote:
| Are there any modern cars that have good modern mechanical parts
| but have no computers in them whatsoever?
| rconti wrote:
| nope, wouldn't pass emissions.
| rasz wrote:
| Computer is not a problem here, bad design is. Ancient fully
| mechanical cars can be started by simply push starting.
| user945234 wrote:
| Throwaway account. I have actually worked on this sort of stuff.
| These topics are well known in the industry and have been for a
| surprising amount of time (decades).
|
| Some premium brands will have the immobilizer await proper crypto
| from the key reader. In this case the key reader is just there to
| read the key and pass on the message, there is no decision being
| made outside of the immobilizer.
|
| Some premium brands will also have immobilizers in other places,
| like the gearbox. It too will await proper crypto to shift into
| gear.
|
| Some premium brands will have signed CAN/FlexRay/Ethernet frames
| that will prevent message spoofing, though that isn't only for
| this situation.
|
| Most of the time the Gateway module has a static firewall -
| basically fixed routing tables so only modules that need to will
| be allowed to talk to each other.
|
| Finally some premium brands will have an HSM both in the key and
| in the immobilizers to keep the material safe.
|
| There is a lot more to this topic obviously but the reason some
| brands don't have this (and other countermeasures) is simple:
| cost.
| drtz wrote:
| > Most of the time the Gateway module has a static firewall -
| basically fixed routing tables so only modules that need to
| will be allowed to talk to each other.
|
| This was exactly my thought. If the headlights, and any other
| easily accessed CAN bus wiring, were properly isolated from
| critical security ECUs via a properly configured gateway, this
| attack would be impossible.
| bri3d wrote:
| I don't think that segmenting CAN wiring is a good solution
| to this problem. The Powertrain CAN will always be accessible
| externally for some definition of "externally" (on older GM
| cars it ran across the bottom of the car to reach the
| transmission, for example), and even a separate "immobilizer"
| CAN would probably be accessible somewhere.
|
| The solution, as implemented by many automakers already, is
| just to authenticate immobilizer messages. It works, and
| there's not a great excuse for not doing this in 2023.
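The point bri3d makes here and upthread (VW Immo 5: modules share a secret AES key and authenticate start-release messages with a MAC), and user945234's "the immobilizer awaits proper crypto from the key reader", can be modelled in a few dozen lines. The toy model below is an added example, not code from the article or from any commenter: it puts the unauthenticated "key present" frame next to a challenge-response design and shows why a node spliced onto the bus without the secret cannot release the immobilizer by injection or replay, and why a replacement key ECU with a different secret is refused until it is taught the car's secret (kaftoy's symmetric-key point further down). CAN IDs, the shared secret and the 8-byte challenge are constructed, and HMAC-SHA256 stands in for the AES-based MAC.

```python
import hashlib
import hmac
import os
from collections import namedtuple

# Constructed CAN arbitration IDs for this toy model, not real Toyota or VW IDs.
KEY_PRESENT_ID = 0x0A1  # naive design: smart-key ECU announces "valid key seen"
CHALLENGE_ID = 0x0A2    # authenticated design: immobilizer -> key ECU
RESPONSE_ID = 0x0A3     # authenticated design: key ECU -> immobilizer
SECRET = b"constructed-shared-secret"  # paired into immobilizer and key ECU at the factory
Frame = namedtuple("Frame", "can_id data")  # data: at most 8 bytes on classic CAN

class Bus:
    """Broadcast medium: every node sees every frame; the log is what a spliced-in tap records."""
    def __init__(self):
        self.nodes, self.log = [], []

    def attach(self, *nodes):
        for node in nodes:
            self.nodes.append(node)
            node.bus = self

    def send(self, frame):
        self.log.append(frame)
        for node in list(self.nodes):
            node.on_frame(frame)

def release_mac(secret, challenge):
    """8-byte truncated MAC of the challenge; HMAC-SHA256 stands in for the AES-based MAC."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]

class NaiveImmobilizer:
    """Trusts a bare 'key present' frame: whoever can drive the bus can release it."""
    released = False

    def on_frame(self, frame):
        if frame.can_id == KEY_PRESENT_ID and frame.data == b"\x01":
            self.released = True

class AuthImmobilizer:
    """Sends a fresh random challenge and releases only on a correct MAC of it."""
    def __init__(self, secret):
        self.secret, self.released, self.pending = secret, False, None

    def request_start(self):
        self.pending = os.urandom(8)
        self.bus.send(Frame(CHALLENGE_ID, self.pending))

    def on_frame(self, frame):
        if frame.can_id != RESPONSE_ID or self.pending is None:
            return
        expected = release_mac(self.secret, self.pending)
        self.pending = None  # one answer per challenge; a wrong or replayed one burns it
        if hmac.compare_digest(expected, frame.data):
            self.released = True

class SmartKeyEcu:
    """Legitimate key reader: answers challenges with the secret it was paired with."""
    def __init__(self, secret):
        self.secret = secret

    def on_frame(self, frame):
        if frame.can_id == CHALLENGE_ID:
            self.bus.send(Frame(RESPONSE_ID, release_mac(self.secret, frame.data)))

def naive_injection():
    """The article's failure mode: one spoofed frame releases the car, no key in range."""
    bus, immo = Bus(), NaiveImmobilizer()
    bus.attach(immo)
    bus.send(Frame(KEY_PRESENT_ID, b"\x01"))
    return immo.released

def auth_start(key_secret=SECRET):
    """Owner's start with the paired key (True); a key ECU holding another secret is refused."""
    bus, immo = Bus(), AuthImmobilizer(SECRET)
    bus.attach(immo, SmartKeyEcu(key_secret))
    immo.request_start()
    return immo.released

def auth_injection():
    """The same spoofed frames against the authenticated design: no secret, no release."""
    bus, immo = Bus(), AuthImmobilizer(SECRET)
    bus.attach(immo)
    immo.request_start()
    bus.send(Frame(KEY_PRESENT_ID, b"\x01"))
    bus.send(Frame(RESPONSE_ID, b"\x01" * 8))  # a guessed response
    return immo.released

def auth_replay():
    """Record the owner's genuine response and replay it later: the challenge has changed."""
    bus, immo, key = Bus(), AuthImmobilizer(SECRET), SmartKeyEcu(SECRET)
    bus.attach(immo, key)
    immo.request_start()  # owner starts the car; the bus log captures the response
    recorded = next(f for f in bus.log if f.can_id == RESPONSE_ID)
    immo.released = False  # car switched off, owner and key leave
    bus.nodes.remove(key)
    immo.request_start()
    bus.send(recorded)
    return immo.released
```

A real design also needs a freshness counter and key storage in something like an HSM, which the thread mentions but this model leaves out.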
| lamontcg wrote:
| > These topics are well known in the industry and have been for
| a surprising amount of time (decades).
|
| I always assumed that immobilizers were already using
| cryptography to talk to the ECU otherwise this kind of attack
| would be obvious.
| timeless102 wrote:
| Do manufacturers advertise these features? Some manufacturers
| don't even include immobilizers. It would be nice to know which
| include extra features. Seems like it could be a selling point.
| user945234 wrote:
| On the contrary unfortunately, it's all secret for the
| average consumer.
|
| People that never worked in the industry greatly
| underestimate how much it really costs in R&D and production
| to make a car. Adding "authentication" and "encryption" in
| this environment is way more complex and has more
| implications than importing yet another library in a web app.
|
| Even so a few manufacturers go to a great deal of effort to
| secure their stuff while others are using 20y old
| architecture because it works and it saves money.
|
| I want to say that "premium" brands are much better, but
| there are a lot of exceptions. However cars with lower
| margins and lower overall cost will be worse.
| asdff wrote:
| Can you recommend any manufacturers or models that are
| following the best practices?
| physPop wrote:
| I too would be interested in any web resources people
| know about detailing these things.
| mthomasmw wrote:
| Without working in the industry, how could someone vet for the
| internal cybersecurity of an upcoming car purchase? None of
| these security features seem to be publicly documented
| anywhere. I have spent a long time looking.
| AlotOfReading wrote:
| You can't. Heck, it's sometimes hard to tell even when you
| work inside and have all the docs. The best information you
| have is to look at the manufacturer's past history as
| evidence for their future security competence.
|
| Manufacturers also aren't building every piece of software on
| a given vehicle. Many components will be done by suppliers
| that range from "meh" to "wtf" when it comes to security.
| Even the best reviewers will struggle to catch everything a
| sufficiently incompetent implementation screws up.
| quake wrote:
| I've also worked in this space for a few years and the amount
| of HN-style overconfident "we can fix this in hardware like the
| old days, the computers are coming for us!" comments without
| understanding the automotive industry or how cars are wired is
| pretty hilarious.
|
| Something that should be noted for anyone who actually reads
| this is that the level of vulnerability is wildly different
| between automakers. No universal solution exists.
| aaronbeekay wrote:
| Yep - and not just between automakers, the security model
| varies wildly between different electrical architectures from
| the same manufacturer. Like any industry, there are hard
| problems, some of which are technically difficult, and some
| of which are self-inflicted from history/culture/insularity.
| No sector with any significant value or market competition
| has only the latter.
| redblacktree wrote:
| How does a person with a CAN tool and an insatiable curiosity
| for knowledge about his own car find detailed documentation for
| his own edification? Any leads?
| CamperBob2 wrote:
| There are one or two well-populated subreddits for car
| hacking, so that might be one place to start.
| myself248 wrote:
| The DIY-autonomous-car folks have assembled a wealth of
| knowledge.
| bobleeswagger wrote:
| Comma.ai is another great example of CANBUS hacking. I'm a bit
| worried there are a bunch of zero days sitting out there on CAN
| implementations. It's such a complicated system.
| ziziyO wrote:
| Newer Toyotas (Rav4 Prime and 2022+ Model years) are not
| compatible with Comma due to encryption, I would guess that
| probably also defeats this attack.
| rasz wrote:
| Of course it doesn't, Toyota locked out sensors and actuators
| used by Comma, not the immobilizer.
| crazysim wrote:
| On a RAV4 Prime (or RAV4 PHEV for those outside of North
| America), these ECUs reportedly have "ECU Security Key" (A
| SecOC implementation) or signed/authenticated CAN bus
| commands since replacing them requires a check in with a
| Toyota server to "Update ECU Security Key" :
|
| ECM
|
| Hybrid vehicle control ECU
|
| Forward recognition camera
|
| No. 2 skid control ECU (brake actuator assembly)
|
| Rack and pinion power steering gear assembly
|
| Clearance warning ECU assembly
|
| Steering sensor
|
| Central gateway ECU (network gateway ECU)
|
| Combination meter assembly
|
| Airbag sensor assembly
|
| ---
|
| There's nothing about smart key in here specifically. Not
| sure on later "ECU Security Key" vehicles though. If someone
| were to look up replacement instructions for the Smart Key
| ECU on Toyota's TechInfo, and if it has ECU Security Key
| update as a step or not, that could answer this.
| kaftoy wrote:
| SecOC is based on symmetric key cryptography. If an ECU is
| replaced and has a new key, this key will have to be taught
| to all other ECU's in the vehicle communicating with it.
| baldeagle wrote:
| I believe either the data from the adaptive cruise radar, or
| the data to control the steering is encrypted. I don't know
| if lock controls are. It was a small but important subset.
| RockRobotRock wrote:
| Would love if they could add a keyless unlock feature to their
| devices.
| Thaxll wrote:
| At that point if you have a recent car you need a steering wheel
| lock.
| gambiting wrote:
| Having owned some expensive cars and spent time with other
| owners, there are two schools of thoughts to this:
|
| 1) add every alarm, immobilizer, hidden kill switch, steering
| wheel lock, driveway bollard you can possibly afford and keep
| the keys in a signal blocking pouch at night.
|
| OR
|
| 2) Make sure the car is as easy to start and drive away as
| physically possible - don't add anything extra fancy to keep it
| safe other than what's already there from factory, keep the
| keys on a shelf right in front of the main door of your
| property, easily and clearly visible should anyone enter.
|
| The reason is simple - for owners of fancy/exotic cars, if
| someone is coming to steal your car, they _will_ take it. If
| you make it difficult, if you hide the keys and put locks on
| the steering wheel, they will come into your house and ask that
| you unlock it for them. And putting aside the idea of any
| heroics with self defense, the last thing you want the thieves
| to do is harm you or your family to take what is essentially
| just an object. Cars are replaceable. Insurance will pay for the
| loss and therapy for you and your family - but insurance will
| do nothing about losing your life because you decided to stand
| up to someone with a weapon coming to take your car. Let them
| find and take the keys and fuck off as quickly as possible.
|
| I was in group 1 when I started, now I'm in group 2 - the risks
| to me and my family are just not worth it.
| Spivak wrote:
| #2 is why people in my area generally leave their cars
| unlocked. If it's locked thieves will break your window or
| pry your door which is way more expensive than the $10 phone
| charger they'll get.
| markus_zhang wrote:
| I guess there is a third option: buy low cost cars.
| toyg wrote:
| That helps only to a point. There are effectively three
| types of vehicle theft: to resell the car (whole or in
| parts), to use it for criminal acts (robberies etc.), or to
| joyride it. Category n.2 explicitly targets cheap cars,
| easy to steal but also easy to go unnoticed on the streets
| afterwards.
| aix1 wrote:
| My thoughts:
|
| (1) having a cheap car stolen incurs a smaller loss than
| having an expensive car stolen; and
|
| (2) the pool of cheap cars is larger, reducing the
| probability of a given car getting stolen (unless the
| "demand", so to speak, is also higher?)
|
| Overall, it seems that the _expected_ loss (actual loss
| times the probability) should be quite a bit lower for
| cheap cars than for expensive cars.
|
| Having said that, if one has enough money to buy an
| expensive car, they presumably have enough money to
| insure it from theft, rendering this whole line of
| argument moot (they just pay higher premia and spread the
| risk across a population of car owners)...
| vidanay wrote:
| > 2)Make sure the car is as easy to start and drive away as
| physically possible - don't add anything extra fancy to keep
| it safe other than what's already there from factory, keep
| the keys on a shelf right in front of the main door of your
| property, easily and clearly visible should anyone enter.
|
| Back in the early 90's when I first met my not-yet-wife, she
| drove a rusted out '85 Datsun (not Nissan). There was a rust
| hole right in the door panel where you could reach your
| fingers in and manipulate the mechanical locking rod to
| unlock the door. One time someone "broke in" to her car and
| rummaged around in all her crap, didn't take anything, and
| was polite enough to re-lock the door when they were done.
| dagw wrote:
| _if someone is coming to steal your car, they will take it._
|
| Not if stealing your neighbours car is easier. Unless you own
| something very exotic and the thief has essentially been
| hired to steal your specific car, no one wants to steal _your_
| car. They want to steal N reasonably nice cars as quickly and
| safely as possible and get out of there before anybody
| notices anything.
| gambiting wrote:
| >> Unless you own something very exotic and the thief has
| essentially been hired to steal your specific car,
|
| That's the entire point of my post, sorry if it wasn't
| completely clear. Having been in the community of people
| who own very expensive/exotic vehicles, these cars almost
| never get stolen by opportunistic thieves. If someone is
| coming to steal your ferrari, they are coming to steal your
| ferrari. They don't care what your neighbour has (they
| probably know already and they decided to steal yours
| first).
| deanc wrote:
| In my home town (UK) my father leaves his keys by the front
| door. We've had multiple neighbours with higher-end cars
| (think Range Rovers and upwards, presumably stolen to order)
| broken into, and threatened with knives and guns as the
| thieves couldn't find the keys.
| bsder wrote:
| Wait, what?
|
| Your car thieves are willing to step up from car theft to
| attempted murder rather than steal a different car? What's
| the incentive for that?
| gambiting wrote:
| Exactly, I'm in the UK as well and I've heard many such
| stories.
| sebzim4500 wrote:
| >The reason is simple - for owners of fancy/exotic cars, if
| someone is coming to steal your car, they will take it.
|
| This doesn't seem to be true, given that as soon as it became
| hard to steal cars the number of car thefts dropped
| massively.
| toyg wrote:
| That just means you have fewer actors, but it also means
| they are more focused and determined, more willing to go
| the extra mile. In the case of this post, it involved
| attacking the car twice; in other scenarios, it involves
| actual home-intruding. Depending on where you live, the
| chances of this happening might be very low, but there is a
| chance.
| gambiting wrote:
| I don't see how these two facts are related?
| dwighttk wrote:
| I'm in group 3... my car is 23yo
| Thaxll wrote:
| From what I understand they just don't waste time trying to
| remove a physical lock, it's like bikes, it's a deterrent.
| gambiting wrote:
| Yes, but like I said - if you have a Lamborghini or a
| Ferrari sitting in your driveway and someone comes to steal
| it, they didn't just happen to be walking past - they are
| there to take your car. Either on order, or it's been
| targeted through long time observation already. If there is
| a lock on the wheel they will come into your house, put a
| gun to your head and "ask" for you to take it off. There is
| no deterrent you can use because they are not there to be
| deterred - wheel locks work against opportunistic thieves
| because then yes, like with bikes - a thief will just move
| on to the next easier target.
| s1mplicissimus wrote:
| may i ask in which region of the world you live where
| people have ferraris in their driveway but it's also
| dangerous enough for people to invade your home and put a
| gun to your head to steal it from you?
| gambiting wrote:
| Very common (relatively speaking) in the UK if you live in
| London/Birmingham/Manchester and drive a fancy car. There
| was a time couple years ago when no insurance agency
| wanted to insure any Range Rover in London because they
| were being stolen at such incredible rates. Break-ins
| specifically to steal car keys and subsequently the car
| is one of the most common types of burglaries in the UK
| still.
| cjrp wrote:
| I'd say relay attacks were more common than break-ins
| though.
| datpiff wrote:
| Why? Break-in seems much easier. Plus you get a set of
| keys in case you need re-start the engine.
| cjrp wrote:
| You do need the equipment for a relay attack, but then
| it's just waving an antenna near the door and seeing if
| it unlocks. Breaking in is riskier for a burglar.
| wkearney99 wrote:
| Many (most?) vehicles have more than one CAN bus and messages for
| other networks are NOT bridged across them.
| kaftoy wrote:
| Not sure what you mean by "not bridged across them", but
| devices on different communication buses (CAN, Flexray,
| Ethernet...) do communicate with each other through these
| devices called "Gateways".
| [deleted]
| StephenAmar wrote:
| FYI, you can temporarily disable keyless entry on Toyotas fairly
| easily:
|
| Hold down the lock button, then hit the unlock button twice.
| m3kw9 wrote:
| Not sure why they are still using a 1000-year-old protocol when
| you have Ethernet as a faster alternative. Even commercial
| airliners use tech based on Ethernet for their controls.
| genmud wrote:
| I'm not sure if you know, but canbus is used all over the
| place, even in aviation. The main selling point is simplicity
| of wiring and circuitry, as well as the fact that many lower
| end / cheap microcontrollers have it built in.
|
| Ethernet is great, don't get me wrong... but it is _complex_ to
| implement in a system like a car. Each device needs to speak
| ethernet, be switched and likely have an IP stack. If you are
| lucky enough to have a built in MAC / PHY into your micro
| (which most don't), then you still need to put in transformers
| and protection circuits.
|
| 10BASE-T1S is the future IMHO, it is much simpler than
| traditional 10BASE-T, requires only 1 pair and can also provide
| power. For simple setups, only 2 resistors + 2 caps are
| necessary to implement and you can have multiple devices on a
| bus without requiring a switch.
| zelos wrote:
| I believe manufacturers are starting to switch to automotive
| Ethernet.
| kaftoy wrote:
| They are including Eth, not switching to it completely. They
| will keep the CAN bus there as long as it makes sense.
| Instrument clusters with graphical display output do use the
| Eth more and more because the amount of data beats the
| capacity of a CAN bus by far, but devices without big data
| transfer needs will stay on CAN. For example, what need is
| there for Eth for an electronic gear lever? Not much data
| being exchanged.
| shandor wrote:
| Cost, reliability, real-time operation characteristics, and
| simplicity of wiring (which means less weight and less cost)
| blueflow wrote:
| Ethernet is actually older than the CAN bus, even if not by
| a large margin.
| sebstefan wrote:
| >Modern cars are protected against thefts by using a smart key
| that talks to the car and exchanges cryptographic messages so
| that the key proves to the car that it's genuine. [...] The
| thieves found a simple way around this: they used a hand-held
| radio relay station that beams the car's message into the home to
| where the keys are kept, and then relays the message from the
| keys back to the car. The car accepts the relayed message as
| valid because it is - the real keys were used to unlock the car.
| Now that people know how a relay attack works it's generally
| possible to defeat it: car owners keep their keys in a metal box
|
| ? The car talking to the key first? Can't the key just not talk
| to the car at all unless the button is pressed on the key fob or
| shortly thereafter?
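The relay attack quoted above, as an added example that is not part of the original post or the linked article. It models a passive-keyless-entry challenge/response with an HMAC, a relay that forwards the bytes verbatim, and the round-trip-time check (distance bounding) that catches the relay. The message format, the shared secret `FOB_SECRET` and every latency constant are constructed for illustration; the latencies are numbers in a model, not measurements.

```python
"""Passive keyless entry challenge/response, a relay attack on it, and the
round-trip-time check that defeats the relay.

Added example, not code from the article or this thread. The message
format, the shared secret and every timing constant are constructed for
illustration; the latencies are modelled as numbers, not measured.
"""
import hashlib
import hmac
import os

FOB_SECRET = bytes.fromhex("deadbeef" * 4)  # constructed: key/car pairing secret

# Constructed timing model, in microseconds.
GENUINE_RTT_US = 4_000     # a fob next to the car answers within this
RELAY_ADDED_US = 25_000    # two radios, demodulation and re-transmission each way
RTT_BUDGET_US = 10_000     # a distance-bounding car rejects anything slower


class Fob:
    """Answers any challenge it hears; it has no idea how far away the car is."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class DirectChannel:
    """The fob is physically near the car."""

    def __init__(self, fob: Fob):
        self.fob = fob

    def exchange(self, challenge: bytes):
        return self.fob.respond(challenge), GENUINE_RTT_US


class RelayChannel:
    """Thieves' relay: bytes go through untouched, so the answer is always
    correct, but the round trip is longer because of the extra radio hops."""

    def __init__(self, fob: Fob):
        self.fob = fob

    def exchange(self, challenge: bytes):
        return self.fob.respond(challenge), GENUINE_RTT_US + RELAY_ADDED_US


class ForgingChannel:
    """An attacker without the secret, guessing the answer."""

    def exchange(self, challenge: bytes):
        return os.urandom(8), GENUINE_RTT_US


class Car:
    def __init__(self, secret: bytes, check_rtt: bool):
        self.secret = secret
        self.check_rtt = check_rtt

    def try_unlock(self, channel) -> str:
        challenge = os.urandom(8)                  # fresh nonce per attempt
        response, rtt_us = channel.exchange(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return "rejected: bad response"
        # The cryptography only proves "the real key answered"; only the
        # timing says anything about WHERE the key is.
        if self.check_rtt and rtt_us > RTT_BUDGET_US:
            return "rejected: too slow, fob is not nearby"
        return "unlocked"


def scenarios() -> dict:
    fob = Fob(FOB_SECRET)
    plain_car = Car(FOB_SECRET, check_rtt=False)    # crypto only
    bounded_car = Car(FOB_SECRET, check_rtt=True)   # crypto + distance bounding
    return {
        "owner_at_door": plain_car.try_unlock(DirectChannel(fob)),
        "forged_response": plain_car.try_unlock(ForgingChannel()),
        "relay_vs_plain_car": plain_car.try_unlock(RelayChannel(fob)),
        "relay_vs_bounded_car": bounded_car.try_unlock(RelayChannel(fob)),
        "owner_vs_bounded_car": bounded_car.try_unlock(DirectChannel(fob)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24s} {outcome}")
```

The forged response fails, so the cryptography is doing its job; the relay succeeds against the plain car anyway because the real fob did answer, exactly as the quoted article says. Answering to the question above it: a fob that only responds when its button is pressed, or that stops answering when it has not moved for a while, removes the passive response the relay depends on; a metal box does the same by blocking the radio path; a round-trip-time budget like the one in `Car.try_unlock` keeps the convenience and rejects the relay on latency instead.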
| ilikehurdles wrote:
| A lot of cars in the 2010s made available touch-based
| convenience access, i.e. if I have the fob on my person, the car
| unlocks when I touch the handle of a door, or gesture to open
| the trunk.
|
| In the 2020s, I'm increasingly seeing smartphone (NFC?) keys
| being the sole thing you need to drive off with the thing so no
| fob is even necessary.
| rootusrootus wrote:
| > NFC?
|
| Or bluetooth. I'd rather have a pocket fob than have to take
| my phone out and hold it up to an NFC reader.
|
| The problem with the bluetooth method is reliability. My
| Tesla decides not to unlock for me perhaps once every 20
| times I walk up to it. Sometimes just a few seconds while it
| figures it out, sometimes I have to open the app and hit the
| door unlock button.
|
| My wife's Bolt uses a pocket fob, and so far it has never
| refused to unlock the doors on command.
| throitallaway wrote:
| Interesting. What phone OS do you use? Maybe there's a
| battery optimization setting at play here for the OS or
| app.
| rootusrootus wrote:
| iPhone running iOS 16.4. This is something I've
| experienced for years, since I bought my first Model 3 in
| 2019. I don't think it has much to do with the phone or
| the OS revision.
| nirav72 wrote:
| One day used cars with the least amount of tech are going to be
| worth a lot of money in secondary markets. Especially because of
| the recent move to subscription based feature options some auto
| makers are trying out.
| fy20 wrote:
| To whom exactly? A handful of people wearing tin-foil hats? The
| rest of the world is going to be happy they can pay $9.99 a
| month to be able to remotely turn on the AC in their car.
| nirav72 wrote:
| Sure, people will pay for convenience and automakers will
| charge a subscription for providing that remote connectivity.
| But that wasn't the point in context of this article - the
| specific exploit detailed in the article can be applied to
| almost any non-connected vehicle in the last decade.
| 1970-01-01 wrote:
| If you live in one of these high-theft areas, you can still use
| security via obscurity. Put a rag between your intake and air
| filter, or remove a critical relay (fuel pump, starter) or unclip
| a critical sensor (crank, cam, etc.) if it's easily accessible.
| Or do all 3. Each takes about one minute.
| mdibiase wrote:
| For ease of use, you could also hide a fuel pump switch inside
| the car that you have to press before going. It's an easy but
| effective solution for protecting your car and needs basic
| tools / wires.
|
| Of course, the important thing is making sure the wiring is
| well done (proper wire gauge) and the switch is actually in a
| hidden spot.
| whimsicalism wrote:
| Crazy that this attack developed in the wild. I'm impressed.
| 0xbadcafebee wrote:
| One look at the basic CAN architecture diagram and you see the
| problem. There's no reason for a secure key exchange to be on the
| same network path as every other device. Wrapping it in magic
| crypto sauce is not a permanent fix, because someone will just
| find a novel way to defeat the cryptosystem, like they always
| have.
|
| If a thief wants to steal the car, make it harder. There should
| be one physical path from the key system to the ECU that allows
| key operations, and it should be protected by a really annoying
| and time-consuming process so that theft is so annoying that most
| people won't ever try it. _After_ that is done, they can start
| sprinkling it with magic crypto sauce. (It's also very hard to
| get magic crypto sauce right; unless you hire the few really
| talented crypto people, whoever you hire to write crypto will
| make mistakes, and a hacker has unlimited time to find one)
|
| Obviously existing car models won't be changed, but future ones
| should be. Car theft isn't just an inconvenience for the owner;
| it makes committing other crimes easier and harder to trace,
| results in more property damage, increases the black market for
| chopped cars, increases insurance premiums, etc.
| WalterBright wrote:
| Or just go back to having mechanical keys.
| [deleted]
| mdmglr wrote:
| So the device is using the controller on the JBL speaker with a
| modified firmware? And the grafted on components are to interface
| with the CAN bus?
| UncleEntity wrote:
| It's using the battery of the speaker and the obfuscation of
| carrying around a Bluetooth consumer device. To the cops it
| looks innocent enough.
|
| They seem to also pull out the speaker to make room for the add
| on board which does all the magic.
| PanMan wrote:
| It surprised me the hacking toolkit came in a JBL speaker - I
| guess they reverse engineered that as well, flashed it with
| custom firmware, and it had most of the hardware needed for this
| hack?
| Cthulhu_ wrote:
| Reminds me of a former colleague of mine who got an alert from
| his phone (I believe he got a call from a BMW support center);
| there was an attempted break-in of his car. He had a BMW that had
| an air pressure sensor in the cabin, which was triggered because
| someone had broken the window.
|
| No trace of course once he got to the car / once the police were
| around, just a broken window. But the would-be burglars made a
| mistake; they went into the frame of the car (between the driver
| and rear passenger doors) through the plastic to disconnect a
| bundle of cables, but didn't fit the plastic back properly.
|
| This bundle of cables went to the antenna that was required for
| the phone home functionality; if he hadn't had that addressed,
| the thieves would have been back a day or a week later to get
| into the car, with the pressure sensor / phone home alarm not
| being able to contact BMW HQ.
|
| Organized crime has enough money, time, opportunity and incentive
| to buy cars and take them apart to find weaknesses.
| asdff wrote:
| I feel like for most car break-ins there's nothing you can do.
| The crime can take 10 seconds and only needs your tshirt wrapped
| around your fist. Or a spark plug. Or the air bladders tow
| truck drivers use that you can find at the hardware store.
|
| Plus when the alarm does indeed go off, people are liable to
| ignore it because these alarms are always going off for
| nothing.
| NKosmatos wrote:
| Typical corporate answer: We regret to inform you that the
| reported vulnerability is not in fact deemed as serious as you
| describe. A hacker/thief having physical access to your car, thus
| able to inject messages into the CAN bus, is not considered a
| serious security threat. Thank you for contacting our security
| department and perhaps you'd be interested in a monthly
| subscription for running a remote security diagnostic of your car!
| adolph wrote:
| The way things really work:
|
| * your "bank deposit" is just an unsecured loan to a company who
| may not manage risk as well as you'd think
|
| * your "car" is a collection of computers operating in an
| insecure data center to which you trust the lives of you and
| your'n
| Veliladon wrote:
| And this is why security parts need to be fucking paired.
| rasz wrote:
| Like battery in an iPhone, right?
| vbezhenar wrote:
| If you don't want your car to be stolen, why not install
| proper security measures? I don't really understand why someone
| would trust manufacturer to protect a car. In my country nobody
| does that, first thing you do after you bought a new car is you
| install additional security devices to prevent theft.
| 98codes wrote:
| For example?
| 3-cheese-sundae wrote:
| What's an example of the devices you're talking about?
| miohtama wrote:
| "Open sesame" attack
| 93po wrote:
| At first I forgot what I was reading and assumed the vandalism
| was because this guy had annoyingly bright headlights and a
| neighbor was making a point for him to fuck off with that
| TheRealPomax wrote:
| This title should be "CAN injection" in all capitals. It's not a
| verb, it's the acronym for the Controller Area Network. (And is
| used in all caps by the article itself)
| AlphaWeaver wrote:
| Agreed, it seems to have been caught up in the Hacker News
| automatic title reformatting behavior, which prevents words in
| all-caps.
| ChumpGPT wrote:
| If you have a vehicle that you don't want stolen, perhaps a kill
| switch for the fuel relay is needed. Easy to install and hide.
| Will prevent the fuel pump from coming on. Something else to
| consider is a steering lock although it can be defeated, just
| more work for the would be thief.
|
| Sometimes simple hardware can be a good solution for a
| software problem.
| msisk6 wrote:
| I often dream of going back to a car without any electronics at
| all.
|
| Of course, I've had those and they have their own problems.
| Carburetors and point ignition systems have their issues.
|
| So I instead live in a world where even my chainsaw has a CAN
| bus.
| gambiting wrote:
| Just a reminder(I remember those times too) that before the
| advent of immobilisers and electronic ignition locks, any car
| could be started in about 30 seconds with some very basic
| tools. Car theft was absolutely rampant until the mass
| adoption of immobilisers where it has literally dropped off a
| cliff - it hasn't stopped thieves completely of course, but
| it's very much the case of electronics reducing crime by an
| order of magnitude (at least here in Europe).
| asdff wrote:
| To be fair, on those cars it's trivial to install your own
| immobilizer. Autozone will sell you a switch for cheap and
| you can tuck it under the carpet by the pedals, or install a
| dummy switch in one of the spare slots on your dash.
| sourcecodeplz wrote:
| You could use a basic flat-head screwdriver for both the door
| and ignition ... Unreal really
| Gordonjcp wrote:
| I had an old Mercedes 230TE that could be unlocked and
| started with any flattish piece of metal roughly the same
| size and shape as the key.
|
| Once I went out to the car early one morning to find it
| parked up exactly where I'd left it, with 200 more miles on
| the clock, the petrol tank rather more full, and the engine
| still warm...
| buildbot wrote:
| Very gentleman-thief of them. Maybe Lupin needed your car
| for a bit :)
| ilikehurdles wrote:
| My family once found their car in the parking lot of the
| grocery store with the groceries of someone else already
| inside the car, and a note and contact info left on the
| windshield about how this person unlocked my parents' car
| thinking it was theirs, accidentally loaded their
| groceries into the wrong identical vehicle, closed the
| trunk, and then couldn't unlock it again after noticing
| the mistake.
| cortic wrote:
| I remember those times too, though I've never had any cars
| stolen by car thieves. I have lost 4 cars to the tech. That
| is 4 times the security system bricked my car in a variety of
| different ways.
|
| I suppose the big difference between a person stealing my
| car, and the immobilizer _stealing_ my car is that my
| insurance has to pay out for that first one.
| WheatMillington wrote:
| I find it hard to believe you've had 4 cars bricked by
| faulty electronics.
| mdp2021 wrote:
| > _I have lost 4 cars to the tech_
|
| Could you elaborate? A friend of mine had his car randomly
| not starting the engine, but fixed it through the
| replacement of an electronic board, and some mechanics said
| they could circumvent that.
| Ralo wrote:
| I built a 1994 Toyota pickup and swapped in an OM617a mechanical
| diesel. It's a really fun party trick to unplug the battery and
| have it continue running.
|
| In terms of security, it's my most secure vehicle. Mechanical
| diesel means its gonna need to be glowed which I have it setup
| as a push button and no thief will know this. As well, my
| shutoff switch is a toggle switch under the dash I leave to
| "off". It'll just crank and crank forever. And my biggest
| security feature? It's a manual transmission. Most see that and
| won't even try.
|
| Security by obscurity
| PinguTS wrote:
| I have this. You can drive my truck from 1968 away just with a
| nail. You don't need any key at all. Not even the doors are
| locked and you wouldn't need it anyway, because its a
| convertible truck like most of the trucks from that time. Does
| that make it better?
| asdff wrote:
| Hide your own immobilizer switch and leave the nail in the
| ignition for your own convenience.
| berkes wrote:
| I have a Volkswagen T3 from '84 and the most complicated
| "computerized" part is a bus of relays.
|
| Yet the car is trivial to break into. Hell, I've locked myself
| out a few times and the Key from another T3, a key from a
| bicycle lock and a nail-file could open the car (but not start
| it).
|
| My countermeasures are mechanical too, though: hidden circuit
| breaker, a lock on the steering wheel, one on the gas-pedal and
| one on the hand-brake. All of them easy to circumvent, given
| some time, but that's one thing thieves often don't have: time
| to figure out unknowns and weird stuff. Actual "security by
| obscurity" in a way.
| drtz wrote:
| While having fewer computer controls in our cars may be beneficial
| in some ways, theft-prevention is certainly not one of them.
|
| My dad had an early-80s Ford pickup when I was a kid. The
| cylinder in its ignition switch was broken in a way that you
| could hop in, turn the ignition switch, start the truck, and
| drive away -- all without a key. The ONLY thing preventing
| extremely easy theft was a few tiny pins in a lock cylinder.
|
| This is an extreme case, but it illustrates how easy it was to
| steal cars before modern theft-prevention: bypass the
| mechanical lock to connect a couple wires together, and drive
| it away.
| msisk6 wrote:
| I think nowadays an old car with a manual choke, a stick
| shift, and a separate coil where you can remove the ignition
| wire between the coil and the distributor would probably
| eliminate all theft outside someone just picking the whole
| thing up with a rollback tow truck. ;)
| r00f wrote:
| just remove some fuse that you know for sure prevents car
| from starting (fuel pump fuse for example) and you don't
| need to disconnect any wires. sure, you will have to spend
| additional 20 seconds removing and putting it back every
| time, but it is simple and safe, unless thieves are willing
| to go full troubleshooting on why car doesn't start in the
| middle of the night
| LeonM wrote:
| > Carburetors and point ignition systems have their issues.
|
| One of which is that if you apply 12V to the coil, you can
| bump-start the car and it will run. Theft of such cars is truly
| trivial.
|
| Modern cars are in fact very hard to steal. Just because the
| car from the article has a flaw that allows you to unlock and
| start it via canbus, doesn't mean that all modern cars can be
| stolen like this.
| UncleEntity wrote:
| > One of which is that if you apply 12V to the coil, you can
| bump-start the car and it will run. Theft of such cars is
| truly trivial.
|
| Bump start?
|
| Just jump the starter solenoid terminals with one of those
| remote start buttons or a screwdriver.
| vbezhenar wrote:
| You can bring ECU from the same car, connect some wires and
| start any modern car just as well. Original ECU won't even
| know what's going on. We call it "spider". It's not as easy
| as just powering on ignition sparks, but similar attack.
| rasz wrote:
| Sure, you will also need to drop transmission to replace
| that ecu too. It all depends on a car.
| nomel wrote:
| How do you "silence" the original ECU? Won't there be bus
| contention?
| eimrine wrote:
| Stealing the car is not the only issue with keyless access. A
| friend of mine lost a little bit because somebody opened the
| car and stole everything costly that was in the cabin while
| the car was parked near a mall.
| exabrial wrote:
| CAN network by its nature is supposed to be a "trusted network"
| with no external Inputs available (Air Gapped). But yeah, because
| headlights and blinkers needlessly complicated, cough er, need
| data uplinks.... totally NOT to check with Toyota if you've
| subscribed to their monthly "safety package" for $7.99, yeah,
| we've sort of violated the air gap principle.
|
| Here's the problem everyone needs to pay attention to: If you
| demand Encrypted OR Signed CAN Bus, you will ABSOLUTELY get it
| from the manufacturers in the name of security. They will
| _gladly_ lock out the CAN bus so no third party accessories or
| diagnostic tools can work with your car.
|
| So be careful what you scream for. We already have enough un-
| repairable items.
| HPsquared wrote:
| That's just the next phase in the dialectic.
| yuuuuyu wrote:
| Agreed. Careful what you wish for. All those enthusiasts out
| there enjoying hacking their vehicles (in the traditional
| meaning of the term) would not like crypto and HSMs on that
| bus.
|
| It's like in the old days when internet traffic was unencrypted
| and so was Wifi. You could have a lot of fun just watching
| what's happening in your home network, and perhaps your
| neighbors (so I heard..legal grey area). Today? Nope.
| Everything is locked down. Wireshark shows you only lots of
| SSL. And that's not even proprietary stuff as the car crypto
| will be. The bad guys will obtain the keys or workarounds
| somehow. The good guys will be locked out.
| drtz wrote:
| Encrypting everything on the CAN would be overkill and probably
| cost-prohibitive for manufacturers. Not all messages need to be
| encrypted -- just the ones that allow you to disable the
| immobilizer.
| leoqa wrote:
| The solution is signing packets with PKI and verifying them
| on receipt. Nothing says you can't flash firmware to add new
| packets etc but the CAN bus couldn't be spoofed unless you
| had the private key.
| AlotOfReading wrote:
| As someone who has (successfully) implemented this at
| multiple manufacturers, it is absolutely not as easy as
| "just signing it".
|
| First off, almost all vehicles are running CANbuses right
| to the edge of their available bandwidth. Making the
| signature data fit is a vehicle-wide refactor unless you've
| designed for it from the beginning.
|
| Secondly, many automotive MCUs don't have hardware crypto
| support or enough spare cycles for signing/verification.
| You have to design for that from the beginning.
|
| Third, key distribution is hard. There are a lot of parties
| outside the OEM that need to flash firmware for various
| reasons during production. Do you give them all private
| keys or do you put up a public image signing service anyone
| can submit binaries to?
|
| There's lots of other issues I could go on about like what
| the key rollover looks like, but I hope it's clear that
| retrofitting cryptography onto complicated systems that
| weren't designed for it is anything but straightforward.
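The scheme leoqa proposes and AlotOfReading's bandwidth objection, worked through as an added example that is not code from the article, this thread, or any OEM. It squeezes a freshness counter and a truncated MAC into the 8-byte payload of a classic CAN frame (the general shape of a SecOC-style design), and contrasts it with a receiver that, like the car in the article, accepts any frame carrying the right ID. Everything concrete here is an assumption for illustration: the key `SHARED_KEY`, the CAN ID `UNLOCK_ID`, the 4/1/3-byte split, and the replay window.

```python
"""Counter + truncated-MAC authentication for a classic CAN frame.

Added example, not code from the article, the thread, or any OEM's
implementation. The key, the CAN ID, the 4/1/3 byte split and the
replay window are all constructed assumptions for illustration.
"""
import hashlib
import hmac
import struct

# Constructed: a 128-bit key pre-shared between the smart-key ECU and the
# engine ECU at pairing time. In a real design each ECU pair gets its own.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

UNLOCK_ID = 0x0AA   # constructed 11-bit CAN ID: "key validated, release immobiliser"
SIGNAL_LEN = 4      # application data
CTR_LEN = 1         # only the low byte of a 16-bit freshness counter goes on the wire
TAG_LEN = 3         # 24-bit truncated MAC
assert SIGNAL_LEN + CTR_LEN + TAG_LEN == 8   # classic CAN payload limit


def _tag(can_id: int, counter: int, signal: bytes) -> bytes:
    # The MAC covers the ID, the FULL 16-bit counter and the data, so a
    # frame cannot be replayed under another ID or after the counter wraps.
    msg = struct.pack(">HH", can_id, counter) + signal
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self):
        self.counter = 0

    def frame(self, can_id: int, signal: bytes):
        self.counter = (self.counter + 1) & 0xFFFF
        payload = signal + bytes([self.counter & 0xFF]) + _tag(can_id, self.counter, signal)
        return can_id, payload


class Receiver:
    WINDOW = 8   # tolerate a few lost frames, never accept an older counter

    def __init__(self):
        self.last_counter = 0
        self.failures = 0   # a real ECU would back off or alert on a burst of these

    def accept(self, can_id: int, payload: bytes) -> bool:
        if len(payload) != 8:
            return False
        signal = payload[:SIGNAL_LEN]
        ctr_lo = payload[SIGNAL_LEN]
        tag = payload[SIGNAL_LEN + CTR_LEN:]
        # Rebuild the full counter from its low byte and the last accepted value.
        for step in range(1, self.WINDOW + 1):
            cand = (self.last_counter + step) & 0xFFFF
            if cand & 0xFF == ctr_lo:
                if hmac.compare_digest(tag, _tag(can_id, cand, signal)):
                    self.last_counter = cand
                    return True
                break   # right counter, wrong MAC: forged or moved frame
        self.failures += 1
        return False


def naive_accept(can_id: int, payload: bytes) -> bool:
    # What an unauthenticated bus amounts to: the ID alone is the credential.
    return can_id == UNLOCK_ID and len(payload) == 8


def demo() -> dict:
    tx, rx = Sender(), Receiver()
    release = b"\x01\x00\x00\x00"   # constructed "immobiliser off" signal
    results = {}

    cid, genuine = tx.frame(UNLOCK_ID, release)
    results["genuine"] = rx.accept(cid, genuine)
    results["replay"] = rx.accept(cid, genuine)   # same counter again

    # Injection attack: copy a captured frame, bump the counter, keep the tag.
    injected = genuine[:SIGNAL_LEN] + bytes([(rx.last_counter + 1) & 0xFF]) + genuine[5:]
    results["injected_naive"] = naive_accept(UNLOCK_ID, injected)
    results["injected_authenticated"] = rx.accept(UNLOCK_ID, injected)

    # A valid frame for a different ID, re-addressed to the unlock ID.
    _, other = tx.frame(0x0BB, release)
    results["wrong_id"] = rx.accept(UNLOCK_ID, other)

    # Counter advanced past the dropped frame: still inside the window.
    results["next_genuine"] = rx.accept(*tx.frame(UNLOCK_ID, release))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'reject'}")
```

Two things the code makes concrete about the objections above. First, the bandwidth point: only 4 of the 8 bytes are left for the signal, so any ID that already used its full payload needs a second frame or a move to CAN FD's 64-byte payload, which is the "vehicle-wide refactor". Second, a 24-bit tag is short: brute-forcing it for one counter value takes on the order of 2^23 frames, which a bus can carry in roughly an hour, so the receiver's `failures` count has to feed some back-off or alert rather than being ignored. None of this touches the key-distribution and provisioning problems raised in the replies; the example simply assumes `SHARED_KEY` is already in both ECUs.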
| heleninboodler wrote:
| While I agree with this instinct: this sounds like a simple
| "just use PKI" solution but it's really not simple at all.
| How do the vehicles' or devices' cert keys get provisioned
| and protected? Are they unique per device, per vehicle, or
| per manufacturer? Per device or per vehicle increases
| manufacturing process overhead (read: price) immensely
| [edit: as well as overhead at service departments]. Every
| device that can sign messages needs access to perform
| private key operations, which necessarily either increases
| cost (eg by storing the keys in a device-local HSM or
| adding network-based key operations along with the
| corresponding one-turtle-down auth problems) or decreases
| security of those private keys. What happens when they
| inevitably get extracted and baked into spoofing tools? Can
| the manufacturer rotate the root keys? What happens to
| vehicles that are offline when that happens?
| heleninboodler wrote:
| I think to be feasible from a maintenance and consumer-
| friendliness standpoint, each vehicle should have its own
| local CA and have some sort of open standard for how
| individual devices can have certificates provisioned so
| that they can be installed on a car. A replacement-part-
| pairing function that can only be performed by having
| physical access to a specific secured component (e.g. not
| just bus access) should work without contacting the
| manufacturer. I'm in for this startup idea. :D
| numpad0 wrote:
| Toyota had already introduced message signing for lane-
| keep inputs, just not for theft protection(?)
|
| Ref:
| https://github.com/commaai/openpilot/discussions/19932
| crazysim wrote:
| The list of ECUs for the Rav4 Prime was looked up in
| Toyota TechInfo, but not for future cars that also have
| that system.
| lamontcg wrote:
| I thought it was covered in the article but all the
| devices on the bus would need secret keys that were
| unique across all devices manufactured. This isn't
| impossible though since we've been making unique MAC
| addresses on NICs for many decades, and motherboards
| often come these days with the actual serial number of
| the server flashed into the DMI information, etc. It will
| also take an electron microscope to read the keys out of
| the chips, which is not a very mobile attack to use
| against a parked car on the street.
| heleninboodler wrote:
| First, those unique MACs and serial numbers are not
| currently in storage that requires an electron
| microscope to read, so that's a pretty big additional
| cost burden. Second, assuming all devices were to be
| given secure key storage parts, you _also_ have the cost
| burden of the pairing process during manufacturing and
| maintenance, as I mentioned above (not to mention the
| design and development of that pairing database and its
| failure/diag/maintenance/factory-reset modes). It's far
| from trivial.
| cryptonector wrote:
| Sensors whose outputs are used to do cruise control and lane
| keeping assistance and so on should also be encrypted.
|
| I don't believe anything in this space is cost-prohibitive in
| the long term, or even in the medium term. It's just dev cost
| amortization, because the chips are cheap once they tape out.
| quake wrote:
| ASIL-critical inputs/outputs should not be encrypted, full
| stop. Do I really trust that the dinky economy-scale
| micro that GM would pick is always going to hold up that
| encryption when I'm starting to drift off road? Absolutely
| the hell not.
|
| I worked in this space (auto RE, including keyless entry)
| for a while, and there's almost no way this would work at
| scale without a top-down platform redo for automakers.
| cryptonector wrote:
| > Do I really trust that the dinky economy-scale micro
| that GM would pick is always going to hold up that
| encryption when I'm starting to drift off road?
|
| Is your concern that the key management can leave a mess
| of key disagreement? But that's like the sensors failing
| altogether, and that already has to be taken into
| account.
|
| So yes, _I_ would trust "that the dinky economy-scale
| micro that GM would pick is always going to hold up that
| encryption when I'm starting to drift off road" because I
| have to trust that the computers will handle sensor
| failure correctly.
|
| That said I'd only trust that if the crypto is sensible.
| Specifically, authenticated encryption is essential. Key
| exchange, pairing -- those are important too. It needn't
| be complicated to set up: trust-on-first-use-after-reset
| (with reset being not trivial to execute) should suffice.
|
| > [...] there's almost no way this would work at scale
| without a top-down platform redo for automakers.
|
| That's possible, but I doubt it.
| rad_gruchalski wrote:
| > But yeah, because headlights and blinkers needlessly
| complicated, cough er, need data uplinks....
|
| Autonomous driving something something, computer controlling
| human actions something something.
| bluGill wrote:
| > hey will _gladly_ lock out the CAN bus so no third party
| accessories or diagnostic tools can work with your car.
|
| No they won't. One, the law requires them to allow third-party
| diagnostic tools (only for things that are about emissions!).
| Two, the third-party tool makers are paying a good chunk of
| money to get documentation on how to do diagnostics.
|
| While new car buyers won't care, car makers know that nobody can
| afford to buy a new car except by selling their old car
| (normally done as a trade in), and the buyers of used cars care
| that the car can be fixed so if third party tools don't work
| the car has a lot less value.
| aaronbeekay wrote:
| I work at Ford on vehicle access and security and I'm quite
| familiar with CAN security challenges and solutions. (Of
| course, I don't speak for my employer here.)
|
| Without speaking specifically to Ford's plans, authenticated
| CAN communications are absolutely coming. I don't see many
| approaches that actually encrypt the data on the bus - instead
| a MAC is used for each frame with a shared key on both secure
| ECUs, and some protections against replay attacks and such.
|
| I wouldn't expect all CAN data to be protected by this kind of
| security - it's a pain in the butt, and expensive. Instead,
| certain specific sensitive information (like whether there's a
| key in the ignition!) is protected as needed.
|
| The industry is also moving toward IP-based communications for
| a lot of vehicle networking, which comes with many of the
| benefits of the modern infosec world. Automotive has a lot of
| unique challenges, though - like another poster mentioned, key
| provisioning and management is a huge pain; latency and hard
| timing constraints are way more important in the
| onboard/embedded world; many automotive ICs have limited
| support for e.g., asymmetric encryption, and of course there's
| a lot of pain generated from the way the industry does software
| development generally. It's an interesting space.
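The per-frame MAC with a shared key and replay protection described in this comment, written out as an added example in Python; it is not the commenter's, Ford's or any OEM's code, and the 4+1+3 byte frame layout, the identifier 0x0A0 and the key are constructed assumptions:

```python
import hashlib
import hmac
import struct

# Constructed layout for an 8-byte classic CAN payload (an assumption for this
# example, not any OEM's format): 4 bytes of application data, a 1-byte
# truncated freshness counter and a 3-byte truncated MAC.
DATA_BYTES = 4
FRESH_BYTES = 1
MAC_BYTES = 3
assert DATA_BYTES + FRESH_BYTES + MAC_BYTES == 8


def frame_mac(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # The tag covers the CAN identifier, the full (untruncated) counter and
    # the data, so a captured frame cannot be replayed later or under another
    # identifier.  Only MAC_BYTES of the HMAC-SHA256 output go on the wire;
    # truncation is the price of fitting into a classic 8-byte frame.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]


class Sender:
    """ECU side that emits authenticated frames (e.g. a key-status message)."""

    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data: bytes) -> bytes:
        if len(data) != DATA_BYTES:
            raise ValueError("payload must be exactly %d bytes" % DATA_BYTES)
        self.counter += 1  # monotonic, never reused for this key
        tag = frame_mac(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    """ECU side that accepts a frame only with a valid tag and a fresh counter."""

    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def verify(self, frame: bytes):
        """Return the 4-byte payload, or None if the frame must be dropped."""
        if len(frame) != 8:
            return None
        data = frame[:DATA_BYTES]
        low = frame[DATA_BYTES]
        tag = frame[DATA_BYTES + FRESH_BYTES:]
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low byte matches.  A replay sits at or below self.last, so
        # the reconstruction yields a different counter and the MAC check fails.
        cand = (self.last - (self.last & 0xFF)) + low
        if cand <= self.last:
            cand += 0x100
        expected = frame_mac(self.key, self.can_id, cand, data)
        if not hmac.compare_digest(expected, tag):
            return None  # forged, tampered, replayed, or >255 frames lost
        self.last = cand  # commit freshness only after a good tag
        return data


def demo():
    """Walk through the cases a defender cares about; returns a result map."""
    key = bytes(range(32))  # constructed shared key, provisioned at pairing
    KEY_STATUS_ID = 0x0A0   # placeholder identifier, not a real vehicle's
    tx = Sender(key, KEY_STATUS_ID)
    rx = Receiver(key, KEY_STATUS_ID)
    present = b"\x01\x00\x00\x00"
    good = tx.build(present)
    out = {"genuine": rx.verify(good)}
    out["replay"] = rx.verify(good)  # identical bytes sent a second time
    # An injector without the key can guess a counter byte but not the tag.
    spoof = present + bytes([(rx.last + 1) & 0xFF]) + b"\x00\x00\x00"
    out["spoof_without_key"] = rx.verify(spoof)
    tampered = b"\x01\x00\x00\x01" + good[DATA_BYTES:]  # data changed, tag kept
    out["tampered"] = rx.verify(tampered)
    out["next_genuine"] = rx.verify(tx.build(present))
    return out
```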
| [deleted]
| wlesieutre wrote:
| Encryption isn't needed here, this could be prevented by
| messages from the smart key unit being signed with a key known
| to the immobilizer
| nroets wrote:
| And if anyone is thinking that DSA or RSA is too difficult,
| Carter and Wegman of IBM invented Universal Message
| Authentication Codes in the 1980s
| avidiax wrote:
| Or just have the smart key ECU and the recipient ECU use a
| rolling code or even a 1 time shared secret. The other ECUs
| can learn the rolling code in the factory, or in after-
| service with the left door open, right blinker on, hood open,
| and horn tapped 8 times, and then wait 20 minutes.
|
| Without the key to see what the code is, no injector can
| spoof the frame.
|
| With the after-market procedure making tons of noise and
| spectacle, and a nice long wait for the police to arrive, the
| thieves can't replace the key ECU.
|
| With the system being simple, no key provisioning is needed,
| no non-public information, just an extra page in the manual
| and a software update.
| Nextgrid wrote:
| Or just make the "smart key" controller a dumb passthrough of
| the key's messages and do the actual decoding and
| verification of the key messages in the engine ECU. I'm in
| fact surprised this isn't the case, but then again most
| "security" you see on cars is more about trying to lock out
| the legitimate owner from doing their own repairs or key
| programming as opposed to true security designed to defeat
| skilled attackers.
| wongarsu wrote:
| > But yeah, because headlights and blinkers needlessly
| complicated, cough er, need data uplinks
|
| I can see how they got there. When you're getting rid of miles
| of cables that link everything and moving your car to a CAN bus
| instead, it makes sense to say that you don't want a
| central blinker-controller that runs separate wires to every
| blinker. Instead you just run CAN and power to each blinker and
| give them their own little controller. Fewer wires, less
| conceptual complexity, at the cost of putting a little PCB in
| each blinker.
|
| But because "analog" blinkers had the accidental feature that
| they blink faster if one blinker is broken, you have to
| replicate that somehow with your new blinkers. And the easiest
| way to do that is to have the blinker write that to the CAN
| bus, since it's already right there.
| eimrine wrote:
| How on Earth might adding a computer and a little PCB of
| demultiplexer logic instead of a multivibrator-controlled relay
| be considered less conceptual complexity?
|
| I even doubt the length-of-wires point. You need a full bus
| plus a thick wire from power source per every lamp instead of
| just a one thick wire from relay.
| PragmaticPulp wrote:
| Simple PCBs are extremely cheap to manufacture at scale.
|
| Copper wiring is expensive and heavy.
|
| It's far more efficient to have a simple PCB controlling
| multiple local functions (headlights, high beams, blinkers,
| additional sensors) and a single power/ground pair.
|
| Automotive systems are 12V, which results in high currents.
| High currents require thick wires, especially in automotive
| environments with high under hood temperatures where you
| might have to de-rate wires. It absolutely makes sense to
| reduce high current automotive wiring.
| M95D wrote:
| I don't understand how a PCB+MCU can reduce the copper
| wiring. The bulbs will consume the same amount of power
| requiring the same thickness of copper wiring, no matter
| if it's 10 separate thin wires, one for each bulb, or
| just one wire, but 10 times thicker (by section area and
| weight/meter, not diameter).
|
| Common power wire will still require one or two extra
| wires for CAN, so it would make sense only as replacement
| for bundles of 3 or more wires going to the same place.
| naikrovek wrote:
| you have a single bus in a ring topology instead of a
| star network of wires coming from a central location.
| much less wire and with most indicators and even some
| headlights being LEDs the current carrying capacity of
| the +12V wire can be much smaller. GND is the metal
| substructure and the CAN (or LIN) bus is just two small
| gauge wires.
|
| much cheaper and much less wiring needed if the bulbs (or
| bulb holders) can receive commands themselves.
| bsder wrote:
| Let's think about a headlight assembly.
|
| Without a board: you need a big power wire for low beams,
| a big power wire for high beams, a smaller power wire for
| turn signal. And that's all you can do.
|
| With a board: you need a big power wire for everything.
| And two tiny wires for CAN--so you're already ahead. If
| your beams can move, or be directed, or have LEDs that
| can be modulated, or have a washer, you start coming out
| _WAY_ ahead.
| tzs wrote:
| Do any cars use higher voltage for power distribution to
| reduce currents and thus reduce the diameter of wire
| needed? I'm thinking something like having a higher
| voltage power distribution network that distributes power
| to nodes that use a DC to DC converter to provide 12 V to
| the lights, sensors, etc near those nodes.
| tonymillion wrote:
| Tesla have been pushing for a standardized 48v supply
| system for some time for exactly the reason that 12v
| 15-30A requires much thicker wiring than a 48v 5A system.
| AlotOfReading wrote:
| 24v and 36v are common in trucks and industrial vehicles
| respectively for exactly this reason, among others. It's
| _really_ expensive to increase voltage though because all
| the different components' power supplies have to be
| designed for transients and supply voltages anywhere from
| 2-5x nominal in normal operation. Companies will often
| design up to around 200v, for example.
|
| High power systems do exist, particularly in electric
| vehicles. They have different challenges to do with being
| incredibly dangerous to work on.
| nomel wrote:
| CAN bus is a _bus_. You don't need a dedicated run of wire
| per device. You can have a single loop that goes around the
| whole car that everything is connected to. Things that are
| "on the way" to others are relatively "free". Compare this
| to an _independent_ point to point wire for everything
| that's under control.
|
| This is trivially observed if you take a moment to compare
| a modern day wiring harness to something older, while
| considering the functionality provided by the latter.
| PragmaticPulp wrote:
| > But yeah, because headlights and blinkers needlessly
| complicated, cough er, need data uplinks.... totally NOT to
| check with Toyota if you've subscribed to their monthly "safety
| package" for $7.99,
|
| That's not what's happening. The value in a CAN bus control is
| that you can significantly reduce the wiring requirements.
|
| Old school blinkers and headlights would require separate power
| wires for every function: Blinker, low beams, high beams. Those
| separate wires would each be snaked through long wiring
| harnesses back to relays somewhere else in a central location.
|
| With CAN, you can run a single large gauge power and ground
| pair and use the CAN bus to tell the remote module what to do
| with tiny signal wires. It may not sound like a big deal, but
| cars have a lot of electronic pieces all over. Simplifying
| wiring can add up to a significant weight and cost reduction.
| You now also have the ability to add more monitoring, such as
| simple sensors to detect when a bulb has failed.
|
| Vehicle manufacturing is ruthlessly optimized. Vehicle
| manufacturers wouldn't add complexity to common systems if it
| didn't pay off.
| m463 wrote:
| > ruthlessly optimized
|
| One huge problem is that they put the smart key on the same
| bus as other stuff (headlights, body control) to save
| money/wiring.
|
| These kinds of busses should be buried far inside the
| dashboard or some other hard-to-reach area.
| JohnFen wrote:
| > Vehicle manufacturers wouldn't add complexity to common
| systems if it didn't pay off.
|
| I know this stuff "pays off" for the manufacturers, but I
| really wish they'd avoid including unnecessary complexity
| such as those horrific touch screens, call connections, etc.
| That sort of thing is why I won't buy newer cars.
| bambax wrote:
| > _Simplifying wiring can add up to a significant weight and
| cost reduction_
|
| Maybe, but given the explosion of weight and cost of new
| vehicles, it's unclear where these savings went.
| [deleted]
| rpcope1 wrote:
| > Vehicle manufacturing is ruthlessly optimized. Vehicle
| manufacturers wouldn't add complexity to common systems if it
| didn't pay off.
|
| You make it sound as though this intended to be a benefit to
| the consumer or the end product. Having worked on and around
| cars, and being friends with people who do for a living, I am
| really unconvinced that the manufacturers do a lot of this
| for any consumer-friendly reason, rather than simply trying
| to squeeze a buck out of you.
|
| I can absolutely tell you that Volvo, for example, does what
| the GP is talking about, and then some. On an old school GM
| or Toyota, if you break a simple switch or knob, or things
| that really should just be simple devices, you can just pull
| it out, go to the junkyard or a parts retailer, and put the
| new one in and be on your way. Not so for Volvo (and I'm sure
| this has caught on in other manufacturers): if your switch or
| control or whatever fails, and it's hooked up to the CAN-bus,
| whatever replacement you find simply won't work until you've
| gone to the dealership (if they even let you use a part that
| didn't come from there at all) and gotten them to flash the
| part and whatever other crap needs flashing like a BCM to get
| them to be compatible (I think just flashing the serial
| number of a BCM or whatever it needs to play nice with to the
| switch), at the tune of a couple hundred or more dollars each
| time.
|
| So in essence, a stupid simple part, that should have been
| $5-10 that the manufacturer likely never would have seen a
| dollar from in the aftermarket, is now a $200+ dollar flash
| at the dealership, using the manufacturer scan tool, and also
| increasingly requires only parts the manufacturer can
| generate. So no, I really am extremely skeptical, given what
| occurs *today* that 95+% of the junk on CAN bus is there for
| any reason other than to boost dealership and manufacturer
| profits for no other reason than the fact they can.
| naikrovek wrote:
| by law you can purchase any tools (computerized or not)
| which you need to repair your car to a fully-operational
| state.
|
| they can be expensive, but you can buy them. you may need
| to visit a dealer to buy them, but you can buy them.
|
| right-to-repair exists for consumer automobiles.
|
| there are no "right to secure CAN buses" laws,
| unfortunately.
| phone8675309 wrote:
| "they can be expensive, but you can buy them" seems to be
| a very surface-level view here.
|
| Say I only need to replace a $5 switch as the parent
| poster suggests. My options then are pay $200 to the
| dealership to flash and install it (if they'll even flash
| a third party part) one time, or I can pay thousands of
| dollars for a tool I'll use once and do it myself.
|
| That isn't a real choice, and the auto makers are
| adhering to the letter of the law but not the spirit of
| the law. Which is legal for them to do, but it doesn't
| make it any less scummy.
| TylerE wrote:
| Or go to an Indy shop that already owns the tool and pay
| them $20...
|
| There's a reason they're called stealerships - and the
| service department is where all the profit is. (Well,
| that and used cars).
| somerandomqaguy wrote:
| GM charges $60 per VIN for 2 years access for flashing. -
| https://www.acdelcotds.com/subscriptions
|
| Chrysler (and probably Stellantis so Jeep, Dodge, Fiat,
| RAM, etc) charges $35 per VIN per year.
| https://kb.fcawitech.com/article/vehicle-reprogramming-
| subsc...
|
| Ford I believe now requires a subscription for
| diagnostics but I haven't seen anything about per VIN
| charges yet. I'm not sure about the British or Japanese
| brands either. This is AFAIK regardless of dealership or
| independent shop.
| neuralRiot wrote:
| GM is $40 per VIN for 1 year. Chrysler is $35 for flashing,
| but to do that you need 2 more subscriptions, which totals
| about $120. There are aftermarket tools, but the
| subscriptions are for a year and about $1000-$4000.
|
| The problem is as I always point, that people want
| complexity and technology for everyday but as soon as
| something breaks they want it to be like 1990.
|
| The article complains about CAN bus not being secure but
| this sort of attack is very rare, you need special tools,
| skills, physical access to the network and time. Regular
| car thieves don't go and make a key to steal a car, that
| would be the same as a 1980's one breaking a window and
| starting to try to decode the cylinder and then cutting a
| key! How does a towing company get your car in 10
| seconds? That's how they're stolen most of the time.
| olyjohn wrote:
| God damn. I swear if they could, they would make you buy
| a fucking new wrench every time you work on a different
| car. Such bullshit how they tie their tools to a per-VIN
| registration.
| naikrovek wrote:
| this is much more about insurance companies only paying
| for cheaper 3rd party parts for repairs than it is
| anything anti-consumer, though I'm sure there's some of
| that, too.
|
| the automotive parts industry is massive and if you allow
| third party parts manufacturers to make parts for your
| car, you are undercutting your own parts replacement
| business. how do you counter that? you require that
| replacement parts come from you. the only way to do that
| is via electronic means, because anything purely
| mechanical can (and is) reverse engineered quickly.
|
| insurance companies fight against this in court because
| 3rd party parts are much cheaper than official parts, and
| usually come with an associated dip in quality as well,
| which is another reason auto makers fight for first-party
| parts businesses.
|
| Honda doesn't want Snake Oil Autoparts stuff installed on
| cars which are still under warranty after a collision,
| for example, but the insurance company paying for those
| repairs _definitely does_.
| aix1 wrote:
| When you say "by law you can..." and "right-to-repair
| exists for consumer automobiles" are you talking about the
| USA or some other jurisdiction?
|
| (Genuinely curious; I had no idea such laws existed for
| cars.)
| cyberax wrote:
| There technically is no country-wide legislation in the
| US, but Michigan has it, and some other states have
| similar requirements:
|
| And only for regular cars, there is no right to repair
| for commercial vehicles: https://en.wikipedia.org/wiki/Mo
| tor_Vehicle_Owners%27_Right_...
|
| There are also long-standing legal requirements for
| automakers to be separate from car dealers, which also
| translate into making the repair/diagnostics equipment
| available.
| naikrovek wrote:
| yes. the same law (or, rather, the movement at the time
| within congress) is what standardized the OBD-II
| connector and mandated its inclusion in all cars from
| 1996(?) onwards: the idea that consumers should be able
| to repair their own big-ticket items should they choose
| to.
| mayormcmatt wrote:
| I never got the impression the previous poster was saying
| this is a benefit for consumers; he's saying it's for the
| manufacturer, to cut costs. Edit: that being said, all your
| points are completely valid.
| spookthesunset wrote:
| It is a benefit for consumers. Lower weight for better
| fuel. More fancy gizmos on the car for a lower price.
| whoopdedo wrote:
| ... until it breaks and now, as the person above said,
| you've got a three-digit repair bill.
|
| It's often the case that consumers will seek out the
| lowest price no matter how high the cost.
| yuuuuyu wrote:
| > rather than simply trying to squeeze a buck out of you.
|
| Their profit margins will come from _somewhere_. If not
| from savings then from higher pricing.
| ilyt wrote:
| > You make it sound as though this intended to be a benefit
| to the consumer or the end product. Having worked on and
| around cars, and being friends with people who do for a
| living, I am really unconvinced that the manufacturers do a
| lot of this for any consumer-friendly reason, rather than
| simply trying to squeeze a buck out of you.
|
| The "consumer friendly" part is competing on price; they
| don't care about repair cost, in fact parts for repair is
| just recurring revenue on top of (till before the pandemic)
| slim margins on selling the car.
| kwiens wrote:
| Good example. Do you know of anywhere that Volvo parts
| pairing / programming issue is written up or documented?
|
| I'm working on Right to Repair and we get asked for
| examples like this from various government agencies all the
| time. It would be very helpful, thanks!
| rpcope1 wrote:
| If you're looking for informal evidence, there's plenty
| of posts on SwedeSpeed and Volvo Forums (and probably
| Turbo Bricks, for those masochists that own a post-RWD
| car) bemoaning needing to constantly reprogram tons of
| things like door switches, and the various lengths owners
| and enthusiasts will go to in order to attempt to
| overcome these issues.
|
| If you're looking for something a little more formal, I
| think the factory service manual probably calls out that
| the R&R on a ton of parts will involve reprogramming. I
| no longer own any post-Ford Volvos nor do I have any
| interest in European cars, so unfortunately I don't have
| any newer FSMs. A way you might be able to get at one on
| the cheap is to pick a popular model/year later Volvo
| (maybe like a 2016+ XC60?), and get a subscription to the
| make/model/year on Alldata (which was something like $20
| a year for just a single combination), or hunt for an FSM
| on eBay, if it's old enough to still have a paper FSM.
| exabrial wrote:
| that part was a joke, fyi. CAN is very useful, but tends to
| be overused as well:
| https://www.caranddriver.com/news/a41611379/gmc-hummer-ev-
| ta...
| outworlder wrote:
| > The value in a CAN bus control is that you can
| significantly reduce the wiring requirements.
|
| I'm adding a CAN bus to my 3d printer for this exact reason.
| londons_explore wrote:
| And yet the obvious thing is for someone to be making and
| selling a "can bulb" - a tiny 4 pin bulb with 12V, GND,
| CAN-H/L pins. And all bulbs (led or not) on a car would be
| that. It would turn on/off commanded by the canbus and report
| status info back.
|
| Yet car manufacturers don't do this. CAN transceivers are
| still too expensive to build into every bulb. Instead, a
| single CAN transceiver and microcontroller will control a
| whole set of nearby bulbs (eg. brake, indicator, reversing
| lights). That then makes it vehicle specific, so you don't
| get the economies of scale of just making a single model of
| can-bulb which fits lots of places in many cars from many
| manufacturers.
| m463 wrote:
| I thought there were already CAN bulbs. If you look for LED
| replacement bulbs for your car, many are marked "CAN-bus
| Error Free".
|
| (I'm not sure though - it might be some headlight
| controller fails non incandescent bulbs)
| JohnFen wrote:
| > Yet car manufacturers don't do this.
|
| That sounds like a good thing to me.
| robryk wrote:
| How would the bulb know which one it is?
| londons_explore wrote:
| For the customer-replacement case, you simply tell the
| customer to replace just one bulb at a time - and the
| computer can update the mapping.
|
| In the factory, you fit the bulbs in a certain order
| every time, and the computer knows that order.
| robocat wrote:
| > simply
|
| I'm guessing you've never worked in customer support. The
| failure modes of mistakes would be nasty. Even smart
| people swap bulbs around when diagnosing faults.
|
| Simplicity (good usability) is most always crushingly
| hard to achieve, doubly so for hardware.
|
| Calling things "simple" is often a sign of shallow
| thinking in my experience - something a customer or
| manager might naively say but an engineer cannot (because
| they have to deal with all of the real requirements).
|
| For example, the engineers that build cars can't say "you
| simply push a button to start a car" - as an engineer the
| complexity behind that simple operation is very very
| deep.
| culturestate wrote:
| _> For the customer-replacement case, you simply tell the
| customer to replace just one bulb at a time_
|
| Just _imagining_ the customer support for this is gonna
| give me nightmares.
|
| "Sir, you need to make sure your vehicle's ignition is
| turned to accessory mode. Then wait for the light to
| blink twice, that's the vehicle's confirmation that it
| correctly identified the new light. If it blinks three
| times, it can't confirm the light's location, so you
| should try removing it and re-inserting it. If it blinks
| four times, that means you didn't replace the bulbs in
| the correct order so you need to initiate a manual reset
| procedure by going to the driver's seat and..."
| JohnFen wrote:
| Both of those sound like hopelessly error-prone processes
| likely to lead to visits to the repair shop.
| the__alchemist wrote:
| ID field.
| doublesocket wrote:
| It's more like a class field. All bulbs of class "brake"
| turn themselves on for a brake message etc.
| the__alchemist wrote:
| Gotcha. Embedded in the frame?
| sgtnoodle wrote:
| CAN frames only have space for 8 bytes of payload, unless
| you upgrade to CAN-FD at a significant complexity cost.
| For the sake of a light bulb, you could make it work by
| being sufficiently clever. You could even use all 8 bytes
| for serial number, and then use existence of the message
| itself to turn on the bulb. Have it turn off after 100ms
| of timeout.
|
| It's really not a sustainable approach to try to address
| nodes on a CAN bus by serial number, though. CAN is
| content addressed rather than receiver addressed. Due to
| the way arbitration works on the bus, it's invalid for
| two nodes to transmit to the same CAN identifier. The
| arbitration mechanism breaks down and results in error
| frames, at which point the CAN bus is in a degraded
| state.
|
| That would preclude a CAN enabled bulb from being able to
| send telemetry back, at least until the bulb was
| provisioned an identifier. That could be done by an ECU
| sending a frame with the bulb's serial number and
| assigned identifier. You still need a zero-conf discovery
| protocol, though, and so you're back to transmitting
| before provisioning. You could work around all that, but
| it's a lot of work.
|
| Stepping back a bit, running a car's CAN bus over a light
| bulb socket is going to cause some practical reliability
| problems. Compared to a wire harness going into an ECU, a
| user serviceable bulb socket is going to be much more
| prone to intermittent connections from vibration, as well
| as oxidation and wear. Intermittent connections on
| CAN_H/CAN_L tend to cause a ton of frame errors, and
| significantly degrade the overall bus performance often
| to the point of system failure. When a node encounters
| enough error frames, it is compelled by the standard to
| go into a BUS-OFF state where it isolates itself from the
| bus. Because it's a bus and all the nodes share the same
| two wires, it's pretty much impossible to diagnose where
| an intermittent connection is without trial and error.
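A bit-level simulation of the arbitration behaviour described above, added here as an example (it is not sgtnoodle's code); the node names, identifiers and payloads are constructed, and the dominant/recessive rule is modelled on classic 11-bit CAN:

```python
from dataclasses import dataclass

ID_BITS = 11  # classic CAN base identifier, transmitted MSB first


@dataclass
class Frame:
    node: str     # constructed node name, used only for the trace
    can_id: int   # 11-bit identifier; a lower value has higher priority
    data: bytes   # up to 8 data bytes


def _first_diff(a: bytes, b: bytes):
    # Index of the first byte where two payloads disagree, or None if equal.
    # A length mismatch counts as a disagreement at the first missing byte
    # (on a real bus the DLC field would already conflict before the data).
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def arbitrate(frames):
    """Simulate one arbitration round for frames that all start together.

    Returns a dict with 'winner' (node name, or None), 'lost_at' (node ->
    identifier bit position, 0 = MSB, at which it sent recessive but read
    dominant) and 'error' (None, or the bit error two same-ID nodes cause).
    """
    contenders = list(frames)
    for f in contenders:
        if not 0 <= f.can_id < (1 << ID_BITS):
            raise ValueError("identifier out of range: 0x%X" % f.can_id)
    lost_at = {}
    for bit in range(ID_BITS - 1, -1, -1):
        # Wired-AND: the bus reads dominant (0) if any contender drives a 0.
        bus = min((f.can_id >> bit) & 1 for f in contenders)
        survivors = []
        for f in contenders:
            if ((f.can_id >> bit) & 1) == bus:
                survivors.append(f)
            else:
                lost_at[f.node] = ID_BITS - 1 - bit  # backs off, retries later
        contenders = survivors
    if len(contenders) == 1:
        # What arbitration does NOT tell the receiver: which node won.  Any
        # node that drives this identifier looks identical on the wire, which
        # is why a receiver needs authentication to trust a frame's source.
        return {"winner": contenders[0].node, "lost_at": lost_at, "error": None}
    # Two or more nodes drove the same identifier, so all of them believe they
    # won and keep transmitting.  The first data bit they disagree on is read
    # back as a bit error and the nodes start emitting error frames.
    names = [f.node for f in contenders]
    for other in contenders[1:]:
        pos = _first_diff(contenders[0].data, other.data)
        if pos is not None:
            return {"winner": None, "lost_at": lost_at,
                    "error": "bit error: %s share ID 0x%03X and disagree at data byte %d"
                             % (names, contenders[0].can_id, pos)}
    # Identical identifier and identical data: the frame completes cleanly,
    # but no receiver can tell which of the nodes sent it.
    return {"winner": None, "lost_at": lost_at, "error": None,
            "indistinguishable": names}
```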
| the__alchemist wrote:
| I appreciate the detailed insight! Great point on
| something subtle re individual bulbs that is non-ideal.
| I'm learning CAN now, mainly for use in drones. I have
| got 2 STM32 FDCAN periphs talking to each other; the
| basics seem easy, but the protocols that go on top of it
| seem complicated! I suppose this is due to managing a
| decentralized network. I.e., at first CAN seemed to
| offer _a bus that simplifies wiring and offers resistance
| to noise_ , but the more subtle and interesting point
| seems to be _a common API where hardware access is
| handled by individual nodes, and communication is through
| this API layer on top of the hardware_. I.e., if you
| control the whole network, it can seem like the first
| case, but the interesting things happen, eg as you
| describe, arise when the nodes are by different
| manufacturers and are swappable.
|
| I.e., with CAN, each node only needs to do reg
| reads/writes/datasheet-spelunking for a narrow part; the
| other nodes just need to know the API that sits on top of
| the hardware.
| jeffreygoesto wrote:
| You are talking about dbc files, defining the binary
| layout per message on the bus? That is typically in the
| hands of the OEMs, not ECU vendors.
|
| See for example https://github.com/commaai/opendbc
|
| Quite old and for Windows, but a lot of code showing how
| to use a lot of CAN interface boxes is at
| https://github.com/rbei-
| etas/busmaster/tree/master/Sources/B...
| PragmaticPulp wrote:
| > And yet the obvious thing is for someone to be making and
| selling a "can bulb" - a tiny 4 pin bulb with 12V, GND,
| CAN-H/L pins.
|
| No, that's not obvious at all.
|
| Separating the control board and the bulb is obvious. You
| wouldn't want to replace your entire control circuit every
| time you need to replace a bulb, would you? You don't want
| to have to reprogram your ECU to know which bulb serial
| number corresponds to your front headlight because all of
| your bulbs are the same.
|
| Moreover, this is impossible because there isn't a single
| bulb model that goes into a car. High beams, low beams,
| blinkers, and interior lights are all different. They also
| differ from model to model depending on the requirements.
|
| > That then makes it vehicle specific, so you don't get the
| economies of scale of just making a single model of can-
| bulb which fits lots of places in many cars from many
| manufacturers.
|
| Car companies make millions or tens of millions of cars per
| year.
|
| When you're making 10s of millions of something every year
| (or 2X that for parts that come in pairs, like headlights),
| you already have economies of scale.
|
| Automotive equipment manufacturers will also share
| components between car companies, and further upstream you
| have companies that make chips for auto makers who share
| chips across the companies.
|
| Automotive manufacturing is a great example of economies of
| scale. It's not correct to say that auto manufacturers
| aren't leveraging economies of scale while producing 10s of
| millions of common parts per year.
| londons_explore wrote:
| Plenty of vehicles only have production runs of ~10,000.
| At those scales, you really don't get economies of scale.
| In fact, there were only 25 car models that sold more
| than 100,000 units in 2021.
| pdonis wrote:
| Plenty of _particular brands of vehicles_ have smaller
| production runs. But "vehicle" to the manufacturer
| doesn't mean "brand". It means "set of pieces and parts
| that can be the same or nearly so across many brands".
| For example, a "Cadillac" to you is a different "vehicle"
| from a "Chevrolet"; but to GM, the vast majority of the
| pieces and parts and manufacturing processes are shared.
| So the economy of scale to GM when building "Cadillacs"
| is huge even if to you it looks like "Cadillac" has a
| small production run.
| neuralRiot wrote:
| Exactly, and this is one of the reasons modules need
| programming, because it comes "virgin" with only a
| bootloader and the features are loaded according to the
| VIN.
| lcnPylGDnU4H9OF wrote:
| > you will ABSOLUTELY get it from the manufacturers in the name
| of security
|
| Fuckin' good. Then they can give me the damn encryption key so
| I can diagnose it myself. I am absolutely not going to
| subscribe to any sort of narrative like these things are
| mutually exclusive. I'll keep screaming for the security _and_
| the repairability.
| politelemon wrote:
| They will never do that in the same name of security. Their
| aim is appl-ification and johndeerification; it's their
| object, but they will let you think it's yours as long as it's
| a revenue source.
| efficax wrote:
| > So be careful what you scream for. We already have enough un-
| repairable items.
|
| Couldn't the keys for decryption be stored in a trusted module
| that can only be unlocked with the presence of the actual car
| key? Yes, this means key cloning attacks still get you access
| to the CAN, but if you can clone the key you can drive away
| with the car anyway.
| tantalor wrote:
| > monthly "safety package" for $7.99
|
| Toyota subscription services described here:
| https://www.toyota.com/connected-services/
|
| One of these is "safety connect" that does stuff like SOS
| button and stolen vehicle locator.
|
| It is _not_ for the built-in safety features like collision
| detection and lane departure alert.
| kwhitefoot wrote:
| All new cars in the EU have to have always online SOS
| connectivity so I don't think anyone can charge for it.
|
| "eCall is a system used in vehicles across the EU which
| automatically makes a free 112 emergency call if your vehicle
| is involved in a serious road accident. You can also activate
| eCall manually by pushing a button."
|
| "Compulsory for new car models
|
| If you buy a new model of car, approved for manufacture after
| 31 March 2018, it must have the 112-based eCall system
| installed."
|
| https://europa.eu/youreurope/citizens/travel/security-and-
| em...
| tantalor wrote:
| Okay, that's another way of saying everyone pays for it
| through higher prices or taxes or whatever, and you can't
| opt out of it.
| nerdbert wrote:
| Wait until you hear about seat belts.
| catiopatio wrote:
| Seat belts don't spy on me.
| rasz wrote:
| Seat occupancy sensor for the airbag sure does, it even
| weighs your ass.
| catiopatio wrote:
| The occupancy sensor isn't the problem -- the problem is
| the mandatory cellular uplink that shares the data with
| the manufacturer.
| kwhitefoot wrote:
| That applies to all state mandated stuff I suppose. But
| it does mean the system can benefit from an economy of
| scale.
| mdp2021 wrote:
| It can be disabled (though by the manufacturer only), as
| expressed in the regulation.
| boomchinolo78 wrote:
| I had a BMW with encrypted CAN or very similar to what that
| would be. Would refuse to use a new module unless you had the
| dealership key. Which my mechanic managed to get from his
| friend at the dealership but still...
|
| Needless to say, never again
___________________________________________________________________
(page generated 2023-04-05 23:00 UTC)