[HN Gopher] CAN Injection: Keyless car theft

Author : kotaKat
Score  : 431 points
Date   : 2023-04-05 12:28 UTC (10 hours ago)
Link   : kentindell.github.io

blobbers wrote:
  Is this the sort of thing that works on any CAN bus car, or are older cars immune to it since their ignition might not be on this same system?

  Is my 11 year old car a little more "steal" proof to these elegant methods?

potatochup wrote:
  Age doesn't really matter in this case. This is laziness on Toyota's part by not authenticating the messages between the "Smart Key" ECU and the main engine control microcontroller.

tonymillion wrote:
  If you have push button ignition then yes there's a chance your car is vulnerable.

  Any CAN bus? No, it takes time to sniff the bus and get all the control messages; older cars may be especially vulnerable since they likely don't have as many security precautions in place.

  CAN has been in cars for quite a long time; the infiltration systems haven't, due to high cost/lack of electronics.

  On a side note, the hack talked about in the article could be performed by an Arduino UNO and a $5 CAN bus transceiver.

emptybits wrote:
  I worry that industry solutions involving more proprietary layers and/or encryption on buses will make our vehicles and appliances even less modifiable, diagnosable, and serviceable by anyone except factory authorized techs.

  In keeping thieves out, we're locking ourselves out.

  Steering wheel locks and primitive offline immobilizers had their advantages...

bri3d wrote:
  For what it's worth, most European cars have much more robust immobilizer systems that use actual cryptographic primitives to both obfuscate and authenticate start-release messages.
  This is for a variety of reasons - a legal and insurance company focus on immobilizer technology through companies like Thatcham Research as well as a more active threat model geopolitically.

  There are, of course, weaknesses in these cryptosystems, but the documented attack describes an _extremely_ poor system by modern standards.

solarkraft wrote:
  You mean on the CAN bus? Then why doesn't the article mention it?

droopyEyelids wrote:
  What do you think about how the article listed devices being available for all the European manufacturers?

bri3d wrote:
  I would love to see a story about one! I don't work in automotive RE, it's only a hobby, so I don't have budget to go find and buy "emergency start" tools like these security vendors do.

  As far as I am aware: there are All Keys Lost (AKL) immobilizer bypasses for, for example, Volkswagen Immo 5, but not "Emergency Start" bypasses. The difference is the level of access required: AKL bypasses require involved, long term physical access to a car, for example at a shop. They're useful for independent or fly-by-night shops and in a post-theft scenario, but they're not going to boost a car out of a driveway. Meanwhile, Emergency Start bypasses are plain-and-simple theft tools like the fake Bluetooth speaker from the article.

  All of the VW Immo 5 exploits which I am aware of are of the AKL style and revolve around being able to extract cryptographic material (CS/MAC/ImoDat_noKeyMst/ImoDat_noKeySecu depending on who you ask what it's called) from a control module by physically removing it from the vehicle.

  This is a far cry from tapping the CAN bus at a headlight and injecting an unauthenticated CAN message.

avree wrote:
  What? This is a CAN bus hack, which is a standard that has been in EU cars for longer than US cars.
  I've worked with KeylessRide and also built my own hardware immobilizer/CANBUS device at a previous startup, and there is zero difference between European cars and American cars for this...

  By design, all nodes on a CAN network receive all frames, which is the root of the problem. There are some differences in ECU validation, plus whether or not the vehicle supports UDS diagnostics, but these are differences by manufacturer and have nothing to do with the continent the car is being used on.

bri3d wrote:
  Calling something a "CAN bus hack" is like calling something an "Ethernet hack." It's just a bus; it's what's on the bus that matters.

  European, American, and Japanese cars have completely different immobilizer module cryptography implementations. In this case, the real weakness was that the immobilizer protocol allowed the car to start without message authentication; the CAN-related message injection thing was a sideshow.

  Generally, European cars have stronger immobilizer implementations. For example, in VW Immo 5, immobilizer messages are encrypted and authenticated using AES with a PRNG-based MAC. At a high level, participating modules need knowledge of a secret AES key in order to encrypt random number seed material. It's symmetric so it's still not perfect, but this type of simple "send one message through a headlight" attack would not be possible on these cars.

  Update: ah, I see you edited your comment. Yes, it has nothing to do with where the cars are _used_. My point was that European _manufacturers_ tend to have more secure immobilizer implementations, and I will stand by that point.

avree wrote:
  You know that Toyota, the manufacturer here, is a Japanese company, right? European versus American regulations have literally nothing to do with this, which was your original point.
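The distinction bri3d draws above, between an immobilizer that accepts a bare "release" frame and one that only releases after a correct answer to fresh random seed material, is easy to see in a small simulation. The following is an added example, not code from the thread, from Volkswagen, or from the article; it uses HMAC-SHA256 from the Python standard library in place of the AES-based MAC described, and the shared key is a constructed value. It shows why a node that does not hold the key cannot release the engine, whether it injects an unsolicited release frame or replays a response captured from an earlier genuine start.

```python
import hashlib
import hmac
import secrets

# Constructed example key shared by the immobilizer and the key-reader ECU. A real
# system keeps this in protected ECU memory; a fixed value here only makes the
# example reproducible. (Assumption: HMAC-SHA256 stands in for the AES-based MAC
# the comment describes; the protocol shape is the point, not the primitive.)
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 8  # a classic CAN frame carries 8 data bytes, so the answer is a truncated MAC


def mac_over(key: bytes, challenge: bytes) -> bytes:
    """Truncated MAC over a challenge; both sides compute exactly this."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:MAC_LEN]


class Immobilizer:
    """Releases the engine only after a correct answer to a fresh, single-use challenge."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = None  # the challenge currently awaiting an answer, if any
        self.released = False

    def new_challenge(self) -> bytes:
        # Fresh random seed material for each start attempt; never reused.
        self._pending = secrets.token_bytes(8)
        return self._pending

    def receive_response(self, response: bytes) -> bool:
        if self._pending is None:
            # Nothing was asked: an unsolicited "release" frame proves nothing.
            return False
        expected = mac_over(self._key, self._pending)
        self._pending = None  # consume the challenge whether or not the answer is right
        ok = hmac.compare_digest(expected, response)  # constant-time comparison
        if ok:
            self.released = True
        return ok


class KeyEcu:
    """The key-reader side: it can answer only because it holds the same secret."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return mac_over(self._key, challenge)


def legitimate_start(immo: Immobilizer, key_ecu: KeyEcu) -> bool:
    """Normal start: challenge out, MAC back, engine released."""
    return immo.receive_response(key_ecu.answer(immo.new_challenge()))


def unsolicited_release(immo: Immobilizer) -> bool:
    """A node that simply asserts 'release' without having been challenged is ignored."""
    return immo.receive_response(bytes(MAC_LEN))


def replayed_response(immo: Immobilizer, key_ecu: KeyEcu) -> bool:
    """An answer recorded from one start is worthless against the next challenge."""
    recorded = key_ecu.answer(immo.new_challenge())
    immo.receive_response(recorded)  # the genuine exchange succeeds once
    immo.new_challenge()             # the next start attempt gets new seed material
    return immo.receive_response(recorded)


if __name__ == "__main__":
    key_ecu = KeyEcu(SHARED_KEY)
    print("legitimate start:", legitimate_start(Immobilizer(SHARED_KEY), key_ecu))
    print("unsolicited release:", unsolicited_release(Immobilizer(SHARED_KEY)))
    print("replayed response:", replayed_response(Immobilizer(SHARED_KEY), key_ecu))
```

The immobilizer consumes each challenge exactly once, so the symmetric weakness bri3d mentions remains: anyone who extracts SHARED_KEY from a module can answer. What the design removes is the "send one message through a headlight" path, because a valid answer exists only for a challenge the immobilizer itself just generated.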
mynameisvlad wrote:
  Their original point does not talk about American regulations at all, but rather that European regulations are stricter and therefore European cars will have tighter security.

  You're the one that chose to interpret that as "stricter than American".

Nextgrid wrote:
  I suspect older immo bypasses used an engine ECU read/write primitive to read & rewrite the firmware over the diagnostics port (K-Line or CAN). Those primitives are usually based on undocumented commands used during a legitimate firmware update process (loading new "calibrations" as it's called in the industry) - there's a chance those same undocumented routines exist in newer ECUs, in which case you don't actually need to break the cryptography if you can rewrite the firmware to skip the check or seed it with your own key material.

bri3d wrote:
  I did find an older VW "emergency start" product that claims to only work with Bosch MED17 and MED9, and I suspect it's using a memory-access primitive (either UDS or CCP) to release the immobilizer.

  It's trivial to disable an immobilizer in software by re-flashing the ECU, yes, but modern ECUs have two strong protections against this:

  * Cryptographic signature checking against update/re-flash payloads (I've done extensive research on these on VW Continental ECUs - https://github.com/bri3d/VW_Flash )

  and an even better and more obvious protection:

  * The ECU application software won't descend into the re-flash software (Customer Bootloader) unless the immobilizer is free (a valid key is present).

  This is a lot of what helps to reduce surface area from an "emergency start" style attack to an AKL attack - now that the Customer Bootloader won't start without the Immobilizer being unlocked, an attacker needs to remove the control unit to flash it with a Supplier Bootloader exploit ( https://github.com/bri3d/simos18_sboot ) or physical access (BDM/JTAG).
Nextgrid wrote:
  Can't the AKL process effectively be turned into an "emergency start" attack anyway?

  At least in the US, there are portals for non-official repair technicians to buy access to reprogram ECUs/keys/etc for a given car (keyed by VIN) - I can see this being abused (it can't be that hard to buy access under a false identity), not to mention that professional car theft gangs might convince/coerce an insider to give them even deeper access to the signing service if not the raw private keys.

  Once you have access to the signing service in one way or another and a valid network connection, can't you just perform the AKL process in the field by simulating a legitimate AKL procedure that a dealership might do? Presumably writing custom software to automate all that (vs having to manually click through a slow scan tool or the often-terrible official software) would cut down the required time to a couple minutes.

bri3d wrote:
  In short: Yes. This is a big threat model that manufacturers try to guard against.

  However, there are a few protections here:

  * Most manufacturers do fairly aggressive KYC / risk protection for their online programming services. The VW one is called FAZIT/GeKo; you can find the subscription process online and it is similar to opening a business bank account. Still, you're right, aftermarket account sharing is a big thing and as always, a cat and mouse game that manufacturers are usually losing. You can easily rent VW online coding accounts by the hour on shady websites.

  There's also a second layer of protection for official AKL specifically which is harder to defeat, though:

  * Most European manufacturers do not allow an All Keys Lost process to be carried out entirely online. For example, for VW, dealers or aftermarket vendors need to buy specific, physical "dealer keys" for a given VIN.
  These physical key fobs are seeded with some key material and registered with the shop and VIN in the backend / FAZIT database. The signing server backend for ODIS (GeKo) will not adapt keys to a car unless the key material matches and the VIN was already associated with the key in the backend. Of course, there are social engineering attacks here still, but it's basically 2FA for key programming, with a lead time of "they ship the key to you," and it prevents the attack you describe from being plausible by legitimate means.

  HOWEVER, this is also one of the major weaknesses in the VW Immo 5 cryptosystem architecturally - since the actual message authentication is symmetric (MAC based), _if_ the secret AES key material can be extracted from the immobilizer system, aftermarket tools (Abrites, Autel, VVDI/XHorse, etc.) can create and adapt a "Dealer Key" without prior authorization. So we get back to the current state of these systems - because authentication is symmetric, with long-term physical access to the car, specific control units can be removed and secret key material extracted and used for reprogramming. However, drive-by quick-and-dirty "plug two wires from outside" attacks are very challenging.

Nextgrid wrote:
  Very interesting, thanks! Glad to hear there's at least an attempt at actual due diligence and theft prevention as opposed to merely making it difficult/expensive for independent shops or car owners.

bri3d wrote:
  The longer and more involved I get in automotive diagnostics and programming as a hobby, the less I believe there is any particular conspiracy against independent shops and owners in the automotive industry (versus in the heavy equipment and ag industry, where there absolutely _is_ a conspiracy).
  The threat model most automotive systems are designed against (when they are designed against anything at all) is absolutely not "we want to screw over those damn independent shops trying to run diagnostic routines!" - it's "how do we lock down the immobilizer, the ADAS, and protect ourselves from tuning-related warranty fraud." Independent shops and individual enthusiasts are just caught in the crossfire between thieves, ADAS tampering, and manufacturers/insurance/regulators.

Gordonjcp wrote:
  Even in the mid-1990s the key-to-BECM protocols used in old Range Rovers were frankly massively overengineered, with a 48-bit rolling code key based off the vehicle's VIN and a 24-bit key code. The actual encryption routine is just a bunch of shifts, adds, and XORs, but so far it has resisted any attempt at spoofing keys.

  There's a somewhat simple trick to get the engine to start without the immobiliser (but it requires special tools), but if the body ECU is immobilised most of the vehicle electrics will be locked out too.

aaronbeekay wrote:
  I work in the space and I have not been impressed by the quality of Thatcham's requirements once you get past the physical domain (door handle pull force, steering column locks, etc).

cjbprime wrote:
  Great article. But:

  > And part of the problem is that this isn't a vulnerability disclosure and so the processes that Toyota does have in place are not appropriate.

  I didn't follow this part. I hear that the authors think their "you can use CAN fault injection followed by a spoofed unlock command to steal cars" technical writeup is not a vulnerability disclosure. But why not? (Other than because they said so.)

  The fact that the vulnerability is exploited in the wild doesn't prevent it from being appropriate to report it as a vulnerability -- quite the opposite. They even provide several fix suggestions.
  (I'm not personally arguing that it is wrong to disclose the vulnerability without coordination. I'm arguing that it's weird to make a choice like that while claiming you aren't making one.)

rwmj wrote:
  He's definitely letting Toyota off the hook there. This absolutely is a vulnerability and whatever the size of the company they should have a way to promptly deal with vulnerabilities.

  (Of course it also doesn't surprise me in the least that Toyota isn't taking it seriously)

qup wrote:
  According to his disclaimer, it's most of the manufacturers with the exact same vulnerability.

cjbprime wrote:
  I can't tell whether they _attempted_ to disclose it to Toyota through normal vulnerability disclosure channels, though. The article implies to me that they didn't.

mynameisvlad wrote:
  > Ian has tried to get in touch with Toyota to discuss the CAN Injection attack, and to offer help, but hasn't had much success.

  That certainly sounds like a yes.

cjbprime wrote:
  I read that as more "we cold emailed people looking for a potential contact" than "we submitted this vulnerability to their PSIRT". The fact that they say this is not a vulnerability disclosure situation suggests that they did not use the vulnerability disclosure communication methods.

mynameisvlad wrote:
  I read it as "we tried contacting them through their standard processes, and were told it didn't fit in" but I can see your reading now that I've gone back and reread that specific section again. It's indeed quite vague as to whether they were the ones that made the decision or Toyota.

MagicMoonlight wrote:
  How about instead of keyless entry we just keep using keys.

  You wouldn't have a password being loudly screamed out of a speaker 24/7, so why would you design a car key to work that way?

outworlder wrote:
  Keys, those things that rely on pins getting pushed by a piece of metal?

  Not much of an improvement.
  Without a transponder in the key they are no more difficult to bypass than a light switch.

Spivak wrote:
  Keys wouldn't stop this attack; they're simulating the key the way a screwdriver would in the ignition of an older car.

  This is "keyless theft" meaning "you can steal the car without the keys", not "you steal the car leveraging keyless entry."

gambiting wrote:
  The thing that has always bothered me about stuff like this is that there must be some _incredibly_ skilled software and hardware engineers out there who can put this sort of thing together, and they basically decide to use their skills to steal people's cars (or well, enable others to do that). On one hand I get it, on the other I really don't. I would love to read an interview with any of them and see what drives them.

Nextgrid wrote:
  Could you link to a job post or something that would be willing to hire for these skills and pay decently? Because even expert-level embedded software engineers don't actually get paid that much, and the guys who designed this may not be able to pass a typical interview (unlike the job, building this car theft tool doesn't require _expertise_ in anything - mere logic, trial and error and learning as you go will get you there).

whimsicalism wrote:
  > building this car theft tool doesn't require expertise in anything - mere logic, trial and error and learning as you go will get you there

  Are you joking? This involves expertise, maybe just not certified through formally-mediated channels.

Nextgrid wrote:
  You effectively get unlimited trial & error attempts, and nobody judges you on how you got to the end result (as long as the end result is working).
  Compare that to an interview (which sets a baseline level of knowledge necessary, not to mention trick questions and/or leetcode) and then the actual job (where you are under time pressures that may not allow unlimited time for a non-expert to get there by trial and error, and there are certain code quality standards to follow).

l33t233372 wrote:
  I just find it hard to believe that someone could do this and not do other involved tasks.

  Sure it's technically _possible_ someone who is terrible at other tasks and isn't very bright put this together... but I doubt it.

DrewADesign wrote:
  Most of these lines of reasoning assume the people involved have the same amount of agency as any other developer/engineer, and I'm sure they're right in many cases -- plenty of talented American software developers have worked at companies making scummy malware even having other options. But I'll bet that a big chunk of it is difficulty getting legitimate work if you've already been convicted of a felony.

  I'm not making excuses; there _are_ plenty of ways that someone with these skills could make money legally with a felony conviction, like online freelance work. But life choices so often come down to the path of least resistance, and if you add in a language fluency barrier, intermittent or slow internet access, or some other resistance, I'll bet it's a lot easier to say "Screw it. I've already got a record -- what do I have to lose?"

IIAOPSW wrote:
  Subversive itch, man. It's not about the money. It's about being above the rules.

  Disclaimer: I've personally not stolen a car.

Cthulhu_ wrote:
  If I were to guess, money. Good scratch to be made selling these tools, or even just working for a contractor and never being found making the tools themselves - just a one-off sale of information on how to build a device like these.
  But yeah, morals are flexible; a lot of people don't care what their work is used for (whether they're directly aware or not). I mean personally I've worked for investment banking and the tobacco industry (websites/shops for e-smoking products), I've heard of others that have worked for gambling or "adult entertainment", and how many of you here work on either crypto or Amazon?

  What's morally right, wrong and justifiable is flexible, is all I'm saying.

eimrine wrote:
  I have an opinion that dealing with non-FOSS creates an ability to do this. And the ability creates the market. This is a cycle of stupidity where a client (most of them) does not want to learn anything and a vendor happily supplies shit. The appearance of that kind of "skilled engineers" reminds me of water-and-dam supremacy where water is a kind of opportunist actor and the dam is shitty security software. A dam made of shit will fall in a matter of time.

edent wrote:
  As opposed to the incredibly skilled engineers who... steal your personal data (or enable others to do that)?

  I would love to read an interview with someone who applied to work for, say, Facebook. After all the news about their complicity in trying to set the world on fire - what drives them?

asdff wrote:
  Why stop there? On HN you no doubt have engineers whose line of work is in mass death.

l33t233372 wrote:
  Could you be more specific?

  Military industrial complex?

markus_zhang wrote:
  Money (and a chance to apply what he learned at a much larger scale)? It pays very well and you can FIRE in less than 10 years. Especially when FB is much more legal than, say, stealing cars.

whimsicalism wrote:
  I don't think critics of Facebook have even decided what they want their critique of Facebook to be.

  My opinion is most of the negative reaction that people have to Facebook is intrinsic to websites where lots of people socialize online.
adolph wrote:
  The whole supply chain of exporting stolen vehicles (and any other large scale illicit activity) is probably filled with people with great talent and skill: sales, logistics, banking, HR, information security, ... Someone in one of the importing countries might even get hired to develop the system for export to the US.

  Imagine if you were someone with specific knowledge that was not remunerated and someone else with ill intent noticed. https://xkcd.com/2347/

ridgered4 wrote:
  Maybe they have felony convictions, dubious immigration status or personality problems that make traditional legal employment difficult or impossible for them. Or maybe it just pays well.

bobleeswagger wrote:
  > see what drives them

  Failure of the establishment is their primary driver. It's the free market in action; crime pays.

jnwatson wrote:
  This doesn't look particularly sophisticated. It takes understanding of basic circuit design and embedded programming. The genius bit is leveraging a Bluetooth speaker. That's a clever choice.

  In many countries, engineers (especially hardware) don't get paid a lot. I could imagine the pull of illicit sources of income being strong.

heffer wrote:
  > what drives them

  Don't know. A stolen car presumably?

olabyne wrote:
  Money? (and a low bar of ethics) They sell the device for $5000, and it costs them almost nothing (a cheap bluetooth speaker, and a few $ of components).

redder23 wrote:
  Are there any modern cars that have good modern mechanical parts but have no computers in them whatsoever?

rconti wrote:
  Nope, wouldn't pass emissions.

rasz wrote:
  Computer is not a problem here, bad design is. Ancient fully mechanical cars can be started by simply push starting.

user945234 wrote:
  Throwaway account. I have actually worked on this sort of stuff. These topics are well known in the industry and have been for a surprising amount of time (decades).
  Some premium brands will have the immobilizer await proper crypto from the key reader. In this case the key reader is just there to read the key and pass on the message; there is no decision being made outside of the immobilizer.

  Some premium brands will also have immobilizers in other places, like the gearbox. It too will await proper crypto to shift into gear.

  Some premium brands will have signed CAN/FlexRay/Ethernet frames that will prevent message spoofing, though that isn't only for this situation.

  Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.

  Finally some premium brands will have an HSM both in the key and in the immobilizers to keep the material safe.

  There is a lot more to this topic obviously but the reason some brands don't have this (and other countermeasures) is simple: cost.

drtz wrote:
  > Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.

  This was exactly my thought. If the headlights, and any other easily accessed CAN bus wiring, were properly isolated from critical security ECUs via a properly configured gateway, this attack would be impossible.

bri3d wrote:
  I don't think that segmenting CAN wiring is a good solution to this problem. The Powertrain CAN will always be accessible externally for some definition of "externally" (on older GM cars it ran across the bottom of the car to reach the transmission, for example), and even a separate "immobilizer" CAN would probably be accessible somewhere.

  The solution, as implemented by many automakers already, is just to authenticate immobilizer messages. It works, and there's not a great excuse for not doing this in 2023.
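Two of the countermeasures user945234 lists, a gateway with a static routing table and signed (authenticated) frames, can be combined in one small simulation, and doing so also illustrates bri3d's point that segmentation alone is not the fix: the routing table stops frames from reaching a bus they have no business on, while the per-frame MAC and freshness counter stop forged and replayed release commands even on a bus the sender can reach. This is an added example, not code from the thread, from AUTOSAR SecOC, or from any manufacturer; the CAN IDs, bus names and key are constructed placeholders, and HMAC-SHA256 stands in for the CMAC a SecOC deployment would typically use.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    bus: str       # bus the frame arrived on at the gateway
    can_id: int
    data: bytes    # classic CAN: up to 8 data bytes


# Constructed static routing table (hypothetical IDs): (source bus, ID) -> destination bus.
# Anything not listed is not forwarded, so a frame injected on the body bus cannot reach
# the immobilizer bus no matter what ID it claims.
ROUTES = {
    ("body", 0x3B0): "powertrain",         # lighting status shared with the powertrain side
    ("powertrain", 0x1C0): "body",         # engine speed for the instrument cluster
    ("powertrain", 0x2A0): "immobilizer",  # release command from the smart key ECU
}

# Constructed SecOC-style protection for the release frame (hypothetical ID 0x2A0):
# 2 bytes payload + 2 bytes freshness counter + 4 bytes truncated MAC = 8 bytes.
AUTH_ID = 0x2A0
SECOC_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # example key only
MAC_LEN = 4


def auth_tag(counter: int, payload: bytes) -> bytes:
    """Truncated MAC over (ID, freshness counter, payload), shared by sender and verifier."""
    msg = AUTH_ID.to_bytes(2, "big") + counter.to_bytes(2, "big") + payload
    return hmac.new(SECOC_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def make_auth_frame(bus: str, payload: bytes, counter: int) -> Frame:
    """What a key-holding sender transmits: payload, counter and tag in one frame."""
    assert len(payload) == 2
    return Frame(bus, AUTH_ID, payload + counter.to_bytes(2, "big") + auth_tag(counter, payload))


class Gateway:
    """Central gateway: static firewall plus MAC/freshness verification on the release frame."""

    def __init__(self) -> None:
        self.dropped = []        # (reason, frame): what a monitoring function would log
        self.last_counter = -1   # highest freshness value accepted for AUTH_ID so far

    def _drop(self, reason: str, frame: Frame):
        self.dropped.append((reason, frame))
        return None

    def forward(self, frame: Frame):
        """Return the destination bus, or None when the frame is dropped."""
        dest = ROUTES.get((frame.bus, frame.can_id))
        if dest is None:
            return self._drop("no route for this ID from this bus", frame)
        if frame.can_id == AUTH_ID:
            if len(frame.data) != 2 + 2 + MAC_LEN:
                return self._drop("malformed authenticated frame", frame)
            payload, ctr_bytes, tag = frame.data[:2], frame.data[2:4], frame.data[4:]
            counter = int.from_bytes(ctr_bytes, "big")
            if not hmac.compare_digest(auth_tag(counter, payload), tag):
                return self._drop("MAC check failed", frame)
            if counter <= self.last_counter:
                return self._drop("stale freshness counter (replay)", frame)
            self.last_counter = counter
        return dest


def run_demo() -> dict:
    """Feed constructed traffic through one gateway and report what happened to each frame."""
    gw = Gateway()
    genuine = make_auth_frame("powertrain", b"\x00\x01", counter=7)
    tampered = Frame("powertrain", AUTH_ID, b"\x00\x02" + genuine.data[2:])  # payload changed, old tag
    results = {
        "routed_lighting_status": gw.forward(Frame("body", 0x3B0, b"\x01\x00")),
        "unlisted_id_from_body": gw.forward(Frame("body", 0x7FF, b"\x00")),
        "release_from_body_bus": gw.forward(make_auth_frame("body", b"\x00\x01", counter=7)),
        "release_genuine": gw.forward(genuine),
        "release_replayed": gw.forward(genuine),
        "release_tampered": gw.forward(tampered),
    }
    results["drop_reasons"] = [reason for reason, _ in gw.dropped]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `dropped` list is the detection hook: a release-class frame arriving on the body bus, or a release frame whose MAC or counter fails, is exactly the event a vehicle intrusion-detection function would want to record. Note also kaftoy-style key management is implicit here: because the tag is symmetric, every ECU that verifies the release frame must hold SECOC_KEY, which is why replacing one of those modules means re-teaching keys rather than just bolting the part in.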
lamontcg wrote:
  > These topics are well known in the industry and have been for a surprising amount of time (decades).

  I always assumed that immobilizers were already using cryptography to talk to the ECU, otherwise this kind of attack would be obvious.

timeless102 wrote:
  Do manufacturers advertise these features? Some manufacturers don't even include immobilizers. It would be nice to know which include extra features. Seems like it could be a selling point.

user945234 wrote:
  On the contrary unfortunately, it's all secret for the average consumer.

  People that never worked in the industry greatly underestimate how much it really costs in R&D and production to make a car. Adding "authentication" and "encryption" in this environment is way more complex and has more implications than importing yet another library in a web app.

  Even so, a few manufacturers go to a great deal of effort to secure their stuff while others are using 20y old architecture because it works and it saves money.

  I want to say that "premium" brands are much better, but there are a lot of exceptions. However cars with lower margins and lower overall cost will be worse.

asdff wrote:
  Can you recommend any manufacturers or models that are following the best practices?

physPop wrote:
  I too would be interested in any web resources people know about detailing these things.

mthomasmw wrote:
  Without working in the industry, how could someone vet the internal cybersecurity of an upcoming car purchase? None of these security features seem to be publicly documented anywhere. I have spent a long time looking.

AlotOfReading wrote:
  You can't. Heck, it's sometimes hard to tell even when you work inside and have all the docs. The best information you have is to look at the manufacturer's past history as evidence for their future security competence.
  Manufacturers also aren't building every piece of software on a given vehicle. Many components will be done by suppliers that range from "meh" to "wtf" when it comes to security. Even the best reviewers will struggle to catch everything a sufficiently incompetent implementation screws up.

quake wrote:
  I've also worked in this space for a few years and the amount of HN-style overconfident "we can fix this in hardware like the old days, the computers are coming for us!" comments without understanding the automotive industry or how cars are wired is pretty hilarious.

  Something that should be noted for anyone who actually reads this is that the level of vulnerability is wildly different between automakers. No universal solution exists.

aaronbeekay wrote:
  Yep - and not just between automakers; the security model varies wildly between different electrical architectures from the same manufacturer. Like any industry, there are hard problems, some of which are technically difficult, and some of which are self-inflicted from history/culture/insularity. No sector with any significant value or market competition has only the latter.

redblacktree wrote:
  How does a person with a CAN tool and an insatiable curiosity for knowledge about his own car find detailed documentation for his own edification? Any leads?

CamperBob2 wrote:
  There are one or two well-populated subreddits for car hacking, so that might be one place to start.

myself248 wrote:
  The DIY-autonomous-car folks have assembled a wealth of knowledge.

bobleeswagger wrote:
  Comma.ai is another great example of CANBUS hacking. I'm a bit worried there are a bunch of zero days sitting out there on CAN implementations. It's such a complicated system.

ziziyO wrote:
  Newer Toyotas (Rav4 Prime and 2022+ model years) are not compatible with Comma due to encryption; I would guess that probably also defeats this attack.
rasz wrote:
  Of course it doesn't; Toyota locked out sensors and actuators used by Comma, not the immobilizer.

crazysim wrote:
  On a RAV4 Prime (or RAV4 PHEV for those outside of North America), these ECUs reportedly have "ECU Security Key" (a SecOC implementation) or signed/authenticated CAN bus commands, since replacing them requires a check-in with a Toyota server to "Update ECU Security Key":

  ECM
  Hybrid vehicle control ECU
  Forward recognition camera
  No. 2 skid control ECU (brake actuator assembly)
  Rack and pinion power steering gear assembly
  Clearance warning ECU assembly
  Steering sensor
  Central gateway ECU (network gateway ECU)
  Combination meter assembly
  Airbag sensor assembly

  ---

  There's nothing about smart key in here specifically. Not sure on later "ECU Security Key" vehicles though. If someone were to look up replacement instructions for the Smart Key ECU on Toyota's TechInfo, and whether it has ECU Security Key update as a step or not, that could answer this.

kaftoy wrote:
  SecOC is based on symmetric key cryptography. If an ECU is replaced and has a new key, this key will have to be taught to all other ECUs in the vehicle communicating with it.

baldeagle wrote:
  I believe either the data from the adaptive cruise radar, or the data to control the steering is encrypted. I don't know if lock controls are. It was a small but important subset.

RockRobotRock wrote:
  Would love if they could add a keyless unlock feature to their devices.

Thaxll wrote:
  At that point if you have a recent car you need a steering wheel lock.

gambiting wrote:
  Having owned some expensive cars and spent time with other owners, there are two schools of thought on this:

  1) add every alarm, immobilizer, hidden kill switch, steering wheel lock, driveway bollard you can possibly afford and keep the keys in a signal blocking pouch at night.
  OR

  2) Make sure the car is as easy to start and drive away as physically possible - don't add anything extra fancy to keep it safe other than what's already there from factory, keep the keys on a shelf right in front of the main door of your property, easily and clearly visible should anyone enter.

  The reason is simple - for owners of fancy/exotic cars, if someone is coming to steal your car, they _will_ take it. If you make it difficult, if you hide the keys and put locks on the steering wheel, they will come into your house and ask that you unlock it for them. And putting aside the idea of any heroics with self defense, the last thing you want the thieves to do is harm you or your family to take what is essentially just an object. Cars are replaceable. Insurance will pay for the loss and therapy for you and your family - but insurance will do nothing about losing your life because you decided to stand up to someone with a weapon coming to take your car. Let them find and take the keys and fuck off as quickly as possible.

  I was in group 1 when I started, now I'm in group 2 - the risks to me and my family are just not worth it.

Spivak wrote:
  #2 is why people in my area generally leave their cars unlocked. If it's locked thieves will break your window or pry your door, which is way more expensive than the $10 phone charger they'll get.

markus_zhang wrote:
  I guess there is a third option: buy low cost cars.

toyg wrote:
  That helps only to a point. There are effectively three types of vehicle theft: to resell the car (whole or in parts), to use it for criminal acts (robberies etc), or to joyride it. Category n.2 explicitly targets cheap cars, easy to steal but also easy to go unnoticed on the streets afterwards.
| aix1 wrote:
| My thoughts:
| (1) having a cheap car stolen incurs a smaller loss than having an expensive car stolen; and
| (2) the pool of cheap cars is larger, reducing the probability of a given car getting stolen (unless the "demand", so to speak, is also higher?)
| Overall, it seems that the _expected_ loss (actual loss times the probability) should be quite a bit lower for cheap cars than for expensive cars.
| Having said that, if one has enough money to buy an expensive car, they presumably have enough money to insure it against theft, rendering this whole line of argument moot (they just pay higher premia and spread the risk across a population of car owners)...
| vidanay wrote:
| > 2) Make sure the car is as easy to start and drive away as physically possible - don't add anything extra fancy to keep it safe other than what's already there from the factory, keep the keys on a shelf right in front of the main door of your property, easily and clearly visible should anyone enter.
| Back in the early 90s when I first met my not-yet-wife, she drove a rusted-out '85 Datsun (not Nissan). There was a rust hole right in the door panel where you could reach your fingers in and manipulate the mechanical locking rod to unlock the door. One time someone "broke in" to her car and rummaged around in all her crap, didn't take anything, and was polite enough to re-lock the door when they were done.
| dagw wrote:
| _if someone is coming to steal your car, they will take it._
| Not if stealing your neighbour's car is easier. Unless you own something very exotic and the thief has essentially been hired to steal your specific car, no one wants to steal _your_ car. They want to steal N reasonably nice cars as quickly and safely as possible and get out of there before anybody notices anything.
| gambiting wrote:
| >> Unless you own something very exotic and the thief has essentially been hired to steal your specific car,
| That's the entire point of my post, sorry if it wasn't completely clear. Having been in the community of people who own very expensive/exotic vehicles, these cars almost never get stolen by opportunistic thieves. If someone is coming to steal your Ferrari, they are coming to steal your Ferrari. They don't care what your neighbour has (they probably know already and they decided to steal yours first).
| deanc wrote:
| In my hometown (UK) my father leaves his keys by the front door. We've had multiple neighbours with higher-end cars (think Range Rovers and upwards, presumably stolen to order) broken into, and threatened with knives and guns as the thieves couldn't find the keys.
| bsder wrote:
| Wait, what?
| Your car thieves are willing to step up from car theft to attempted murder rather than steal a different car? What's the incentive for that?
| gambiting wrote:
| Exactly, I'm in the UK as well and I've heard many such stories.
| sebzim4500 wrote:
| >The reason is simple - for owners of fancy/exotic cars, if someone is coming to steal your car, they will take it.
| This doesn't seem to be true, given that as soon as it became hard to steal cars the number of car thefts dropped massively.
| toyg wrote:
| That just means you have fewer actors, but it also means they are more focused and determined, more willing to go the extra mile. In the case of this post, it involved attacking the car twice; in other scenarios, it involves actual home intrusion. Depending on where you live, the chances of this happening might be very low, but there is a chance.
| gambiting wrote:
| I don't see how these two facts are related?
| dwighttk wrote:
| I'm in group 3...
my car is 23yo
| Thaxll wrote:
| From what I understand they just don't waste time trying to remove a physical lock, it's like bikes, it's a deterrent.
| gambiting wrote:
| Yes, but like I said - if you have a Lamborghini or a Ferrari sitting in your driveway and someone comes to steal it, they didn't just happen to be walking past - they are there to take your car. Either on order, or it's been targeted through long-time observation already. If there is a lock on the wheel they will come into your house, put a gun to your head and "ask" you to take it off. There is no deterrent you can use because they are not there to be deterred - wheel locks work against opportunistic thieves because then yes, like with bikes - a thief will just move on to the next easier target.
| s1mplicissimus wrote:
| May I ask in which region of the world you live where people have Ferraris in their driveway but it's also dangerous enough for people to invade your home and put a gun to your head to steal it from you?
| gambiting wrote:
| Very common (relatively speaking) in the UK if you live in London/Birmingham/Manchester and drive a fancy car. There was a time a couple of years ago when no insurance agency wanted to insure any Range Rover in London because they were being stolen at such incredible rates. Break-ins specifically to steal car keys and subsequently the car are still one of the most common types of burglary in the UK.
| cjrp wrote:
| I'd say relay attacks were more common than break-ins though.
| datpiff wrote:
| Why? Break-in seems much easier. Plus you get a set of keys in case you need to re-start the engine.
| cjrp wrote:
| You do need the equipment for a relay attack, but then it's just waving an antenna near the door and seeing if it unlocks. Breaking in is riskier for a burglar.
| wkearney99 wrote:
| Many (most?) vehicles have more than one CAN bus and messages for other networks are NOT bridged across them.
| kaftoy wrote:
| Not sure what you mean by "not bridged across them", but devices on different communication buses (CAN, FlexRay, Ethernet...) do communicate with each other through these devices called "Gateways".
| [deleted]
| StephenAmar wrote:
| FYI, you can temporarily disable keyless entry on Toyotas fairly easily:
| Hold down the lock button. Hit the unlock button twice.
| m3kw9 wrote:
| Not sure why they are still using a 1000 year protocol when you have Ethernet as a faster alternative. Even commercial airliners use tech based on Ethernet for their controls.
| genmud wrote:
| I'm not sure if you know, but CAN bus is used all over the place, even in aviation. The main selling point is simplicity of wiring and circuitry, as well as the fact that many lower end / cheap microcontrollers have it built in.
| Ethernet is great, don't get me wrong... but it is _complex_ to implement in a system like a car. Each device needs to speak Ethernet, be switched and likely have an IP stack. If you are lucky enough to have a built-in MAC / PHY in your micro (which most don't), then you still need to put in transformers and protection circuits.
| 10BASE-T1S is the future IMHO, it is much simpler than traditional 10BASE-T, requires only 1 pair and can also provide power. For simple setups, only 2 resistors + 2 caps are necessary to implement and you can have multiple devices on a bus without requiring a switch.
| zelos wrote:
| I believe manufacturers are starting to switch to automotive Ethernet.
| kaftoy wrote:
| They are including Eth, not switching to it completely. They will keep the CAN bus there as long as it makes sense. Instrument clusters with graphical display output do use the Eth more and more because the amount of data beats the capacity of a CAN bus by far, but devices without big data transfer needs will stay on CAN. For example, what need is there for Eth for an electronic gear lever?
Not much data being exchanged.
| shandor wrote:
| Cost, reliability, real-time operation characteristics, and simplicity of wiring (which means less weight and less cost).
| blueflow wrote:
| Ethernet is actually older than the CAN bus, even if not by much of a margin.
| sebstefan wrote:
| >Modern cars are protected against thefts by using a smart key that talks to the car and exchanges cryptographic messages so that the key proves to the car that it's genuine. [...] The thieves found a simple way around this: they used a hand-held radio relay station that beams the car's message into the home to where the keys are kept, and then relays the message from the keys back to the car. The car accepts the relayed message as valid because it is - the real keys were used to unlock the car. Now that people know how a relay attack works generally possible to defeat it: car owners keep their keys in a metal box
| ? The car talking to the key first? Can't the key just not talk to the car at all unless the button is pressed on the key fob or shortly thereafter?
| ilikehurdles wrote:
| A lot of cars in the 2010s made available touch-based convenience access, i.e. if I have the fob on my person, the car unlocks when I touch the handle of a door, or gesture to open the trunk.
| In the 2020s, I'm increasingly seeing smartphone (NFC?) keys being the sole thing you need to drive off with the thing, so no fob is even necessary.
| rootusrootus wrote:
| > NFC?
| Or Bluetooth. I'd rather have a pocket fob than have to take my phone out and hold it up to an NFC reader.
| The problem with the Bluetooth method is reliability. My Tesla decides not to unlock for me perhaps once every 20 times I walk up to it. Sometimes just a few seconds while it figures it out, sometimes I have to open the up and hit the door unlock button.
| My wife's Bolt uses a pocket fob, and so far it has never refused to unlock the doors on command.
| throitallaway wrote: | Interesting. What phone OS do you use? Maybe there's a | battery optimization setting at play here for the OS or | app. | rootusrootus wrote: | iPhone running iOS 16.4. This is something I've | experienced for years, since I bought my first Model 3 in | 2019. I don't think it has much to do with the phone or | the OS revision. | nirav72 wrote: | One day used cars with the least amount of tech are going to be | worth a lot of money in secondary markets. Especially because of | the recent move to subscription based feature options some auto | makers are trying out. | fy20 wrote: | To whom exactly? A handful of people wearing tin-foil hats? The | rest of the world is going to be happy they can pay $9.99 a | month to be able to remotely turn on the AC in their car. | nirav72 wrote: | Sure people will people for convenience and automakers will | charge a subscription for providing that remote connectivity. | But that wasn't the point in context of this article - the | specific exploit detailed in the article can be applied to | almost any non-connected vehicle in the last decade. | 1970-01-01 wrote: | If you live in one of these high-theft areas, you can still use | security via obscurity. Put a rag between your intake and air | filter, or remove a critical relay (fuel pump, starter) or unclip | a critical sensor (crank, cam, etc.) if it's easily accessible. | Or do all 3. Each takes about one minute. | mdibiase wrote: | For ease of use, you could also hide a fuel pump switch inside | the car that you have to press before going. It's an easy but | effective solution for protecting your car and needs basic | tools / wires. | | Of course, the important thing is making sure the wiring is | well done (proper wire gauge) and the switch is actually in a | hidden spot. | whimsicalism wrote: | Crazy that this attack developed in the wild. I'm impressed. | 0xbadcafebee wrote: | One look at the basic CAN architecture diagram and you see the | problem. 
There's no reason for a secure key exchange to be on the same network path as every other device. Wrapping it in magic crypto sauce is not a permanent fix, because someone will just find a novel way to defeat the cryptosystem, like they always have.
| If a thief wants to steal the car, make it harder. There should be one physical path from the key system to the ECU that allows key operations, and it should be protected by a really annoying and time-consuming process so that theft is so annoying that most people won't ever try it. _After_ that is done, they can start sprinkling it with magic crypto sauce. (It's also very hard to get magic crypto sauce right; unless you hire the few really talented crypto people, whoever you hire to write crypto will make mistakes, and a hacker has unlimited time to find one.)
| Obviously existing car models won't be changed, but future ones should be. Car theft isn't just an inconvenience for the owner; it makes committing other crimes easier and harder to trace, results in more property damage, increases the black market for chopped cars, increases insurance premiums, etc.
| WalterBright wrote:
| Or just go back to having mechanical keys.
| [deleted]
| mdmglr wrote:
| So the device is using the controller on the JBL speaker with a modified firmware? And the grafted-on components are to interface with the CAN bus?
| UncleEntity wrote:
| It's using the battery of the speaker and the obfuscation of carrying around a Bluetooth consumer device. To the cops it looks innocent enough.
| They seem to also pull out the speaker to make room for the add-on board which does all the magic.
| PanMan wrote:
| It surprised me the hacking toolkit came in a JBL speaker - I guess they reverse engineered that as well, flashed it with custom firmware, and it had most of the hardware needed for this hack?
| Cthulhu_ wrote:
| Reminds me of a former colleague of mine who got an alert from his phone (I believe he got a call from a BMW support center); there was an attempted break-in of his car. He had a BMW that had an air pressure sensor in the cabin, which was triggered because someone had broken the window.
| No trace of course once he got to the car / once the police were around, just a broken window. But the would-be burglars made a mistake; they went into the frame of the car (between the driver and rear passenger doors) through the plastic to disconnect a bundle of cables, but didn't fit the plastic back properly.
| This bundle of cables went to the antenna that was required for the phone home functionality; if he hadn't had that addressed, the thieves would have been back a day or a week later to get into the car, with the pressure sensor / phone home alarm not being able to contact BMW HQ.
| Organized crime has enough money, time, opportunity and incentive to buy cars and take them apart to find weaknesses.
| asdff wrote:
| I feel like for most car break-ins there's nothing you can do. The crime can take 10 seconds and only needs your t-shirt wrapped around your fist. Or a spark plug. Or the air bladders tow truck drivers use that you can find at the hardware store.
| Plus when the alarm does indeed go off, people are liable to ignore it because these alarms are always going off for nothing.
| NKosmatos wrote:
| Typical corporate answer: We regret to inform you that the reported vulnerability is not in fact deemed as serious as you describe. A hacker/thief having physical access to your car, thus able to inject messages into the CAN bus, is not considered a serious security threat. Thank you for contacting our security department and perhaps you'd be interested in a monthly subscription for running a remote security diagnostic of your car!
| adolph wrote:
| The way things really work:
| * your "bank deposit" is just an unsecured loan to a company who may not manage risk as well as you'd think
| * your "car" is a collection of computers operating in an insecure data center to which you trust the lives of you and your'n
| Veliladon wrote:
| And this is why security parts need to be fucking paired.
| rasz wrote:
| Like the battery in an iPhone, right?
| vbezhenar wrote:
| If you don't want your car to be stolen, why not install proper security measures? I don't really understand why someone would trust the manufacturer to protect a car. In my country nobody does that; the first thing you do after you've bought a new car is install additional security devices to prevent theft.
| 98codes wrote:
| For example?
| 3-cheese-sundae wrote:
| What's an example of the devices you're talking about?
| miohtama wrote:
| "Open sesame" attack
| 93po wrote:
| At first I forgot what I was reading and assumed the vandalism was because this guy had annoyingly bright headlights and a neighbor was making a point for him to fuck off with that
| TheRealPomax wrote:
| This title should be "CAN injection" in all capitals. It's not a verb, it's the acronym for the Controller Area Network. (And is used in all caps by the article itself.)
| AlphaWeaver wrote:
| Agreed, it seems to have been caught up in the Hacker News automatic title reformatting behavior, which prevents words in all-caps.
| ChumpGPT wrote:
| If you have a vehicle that you don't want stolen, perhaps a kill switch for the fuel relay is needed. Easy to install and hide. Will prevent the fuel pump from coming on. Something else to consider is a steering lock, although it can be defeated, just more work for the would-be thief.
| Sometimes simple hardware can be a good solution for a software problem.
| msisk6 wrote:
| I often dream of going back to a car without any electronics at all.
| Of course, I've had those and they have their own problems. Carburetors and point ignition systems have their issues.
| So I instead live in a world where even my chainsaw has a CAN bus.
| gambiting wrote:
| Just a reminder (I remember those times too) that before the advent of immobilisers and electronic ignition locks, any car could be started in about 30 seconds with some very basic tools. Car theft was absolutely rampant until the mass adoption of immobilisers, where it has literally dropped off a cliff - it hasn't stopped thieves completely of course, but it's very much the case of electronics reducing crime by an order of magnitude (at least here in Europe).
| asdff wrote:
| To be fair, those cars are trivial to install your own immobilizer in. Autozone will sell you a switch for cheap and you can tuck it under the carpet by the pedals, or install a dummy switch in one of the spare slots on your dash.
| sourcecodeplz wrote:
| You could use a basic flat-head screwdriver for both the door and ignition ... Unreal really
| Gordonjcp wrote:
| I had an old Mercedes 230TE that could be unlocked and started with any flattish piece of metal roughly the same size and shape as the key.
| Once I went out to the car early one morning to find it parked up exactly where I'd left it, with 200 more miles on the clock, the petrol tank rather more full, and the engine still warm...
| buildbot wrote:
| Very gentleman-thief of them. Maybe Lupin needed your car for a bit :)
| ilikehurdles wrote:
| My family once found their car in the parking lot of the grocery store with the groceries of someone else already inside the car, and a note and contact info left on the windshield about how this person unlocked my parents' car thinking it was theirs, accidentally loaded their groceries into the wrong identical vehicle, closed the trunk, and then couldn't unlock it again after noticing the mistake.
| cortic wrote:
| I remember those times too, though I've never had any cars stolen by car thieves. I have lost 4 cars to the tech. That is, 4 times the security system bricked my car in a variety of different ways.
| I suppose the big difference between a person stealing my car, and the immobilizer _stealing_ my car, is that my insurance has to pay out for the first one.
| WheatMillington wrote:
| I find it hard to believe you've had 4 cars bricked by faulty electronics.
| mdp2021 wrote:
| > _I have lost 4 cars to the tech_
| Could you elaborate? A friend of mine had his car randomly not starting the engine, but fixed it through the replacement of an electronic board, and some mechanics said they could circumvent that.
| Ralo wrote:
| I built a 1994 Toyota pickup and swapped in an OM617a mechanical diesel. It's a really fun party trick to unplug the battery and have it continue running.
| In terms of security, it's my most secure vehicle. Mechanical diesel means it's gonna need to be glowed, which I have set up as a push button, and no thief will know this. As well, my shutoff switch is a toggle switch under the dash I leave at "off". It'll just crank and crank forever. And my biggest security feature? It's a manual transmission. Most see that and won't even try.
| Security by obscurity
| PinguTS wrote:
| I have this. You can drive my truck from 1968 away with just a nail. You don't need any key at all. Not even the doors are locked, and you wouldn't need it anyway, because it's a convertible truck like most of the trucks from that time. Does that make it better?
| asdff wrote:
| Hide your own immobilizer switch and leave the nail in the ignition for your own convenience.
| berkes wrote:
| I have a Volkswagen T3 from '84 and the most complicated "computerized" part is a bus of relays.
| Yet the car is trivial to break into.
Hell, I've locked myself out a few times and the key from another T3, a key from a bicycle lock and a nail file could open the car (but not start it).
| My countermeasures are mechanical too, though: hidden circuit breaker, a lock on the steering wheel, one on the gas pedal and one on the handbrake. All of them easy to circumvent, given some time, but that's one thing thieves often don't have: time to figure out unknowns and weird stuff. Actual "security by obscurity" in a way.
| drtz wrote:
| While having fewer computer controls in our cars may be beneficial in some ways, theft prevention is certainly not one of them.
| My dad had an early-80s Ford pickup when I was a kid. The cylinder in its ignition switch was broken in a way that you could hop in, turn the ignition switch, start the truck, and drive away -- all without a key. The ONLY thing preventing extremely easy theft was a few tiny pins in a lock cylinder.
| This is an extreme case, but it illustrates how easy it was to steal cars before modern theft prevention: bypass the mechanical lock to connect a couple of wires together, and drive it away.
| msisk6 wrote:
| I think nowadays an old car with a manual choke, a stick shift, and a separate coil where you can remove the ignition wire between the coil and the distributor would probably eliminate all theft outside someone just picking the whole thing up with a rollback tow truck. ;)
| r00f wrote:
| Just remove some fuse that you know for sure prevents the car from starting (fuel pump fuse for example) and you don't need to disconnect any wires. Sure, you will have to spend an additional 20 seconds removing and putting it back every time, but it is simple and safe, unless thieves are willing to go full troubleshooting on why the car doesn't start in the middle of the night.
| LeonM wrote:
| > Carburetors and point ignition systems have their issues.
| One of which is that if you apply 12V to the coil, you can bump-start the car and it will run. Theft of such cars is truly trivial.
| Modern cars are in fact very hard to steal. Just because the car from the article has a flaw that allows you to unlock and start it via CAN bus, doesn't mean that all modern cars can be stolen like this.
| UncleEntity wrote:
| > One of which is that if you apply 12V to the coil, you can bump-start the car and it will run. Theft of such cars is truly trivial.
| Bump start?
| Just jump the starter solenoid terminals with one of those remote start buttons or a screwdriver.
| vbezhenar wrote:
| You can bring an ECU from the same car, connect some wires and start any modern car just as well. The original ECU won't even know what's going on. We call it a "spider". It's not as easy as just powering on the ignition sparks, but a similar attack.
| rasz wrote:
| Sure, you will also need to drop the transmission to replace that ECU too. It all depends on the car.
| nomel wrote:
| How do you "silence" the original ECU? Won't there be bus contention?
| eimrine wrote:
| Stealing the car is not the only issue with keyless access. A friend of mine lost a little bit because somebody used to open the car and steal everything costly that was in the cabin while the car was parked near a mall.
| exabrial wrote:
| A CAN network by its nature is supposed to be a "trusted network" with no external inputs available (air gapped). But yeah, because headlights and blinkers are needlessly complicated, cough er, need data uplinks.... totally NOT to check with Toyota if you've subscribed to their monthly "safety package" for $7.99, yeah, we've sort of violated the air gap principle.
| Here's the problem everyone needs to pay attention to: If you demand Encrypted OR Signed CAN Bus, you will ABSOLUTELY get it from the manufacturers in the name of security.
They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
| So be careful what you scream for. We already have enough un-repairable items.
| HPsquared wrote:
| That's just the next phase in the dialectic.
| yuuuuyu wrote:
| Agreed. Careful what you wish for. All those enthusiasts out there enjoying hacking their vehicles (in the traditional meaning of the term) would not like crypto and HSMs on that bus.
| It's like in the old days when internet traffic was unencrypted and so was WiFi. You could have a lot of fun just watching what's happening in your home network, and perhaps your neighbors' (so I heard.. legal grey area). Today? Nope. Everything is locked down. Wireshark shows you only lots of SSL. And that's not even proprietary stuff as the car crypto will be. The bad guys will obtain the keys or workarounds somehow. The good guys will be locked out.
| drtz wrote:
| Encrypting everything on the CAN would be overkill and probably cost-prohibitive for manufacturers. Not all messages need to be encrypted -- just the ones that allow you to disable the immobilizer.
| leoqa wrote:
| The solution is signing packets with PKI and verifying them on receipt. Nothing says you can't flash firmware to add new packets etc, but the CAN bus couldn't be spoofed unless you had the private key.
| AlotOfReading wrote:
| As someone who has (successfully) implemented this at multiple manufacturers, it is absolutely not as easy as "just signing it".
| First off, almost all vehicles are running CAN buses right to the edge of their available bandwidth. Making the signature data fit is a vehicle-wide refactor unless you've designed for it from the beginning.
| Secondly, many automotive MCUs don't have hardware crypto support or enough spare cycles for signing/verification. You have to design for that from the beginning.
| Third, key distribution is hard.
There are a lot of parties | outside the OEM that need to flash firmware for various | reasons during production. Do you give them all private | keys or do you put up a public image signing service anyone | can submit binaries to? | | There's lots of other issues I could go on about like what | the key rollover looks like, but I hope it's clear that | retrofitting cryptography onto complicated systems that | weren't designed for it is anything but straightforward. | heleninboodler wrote: | While I agree with this instinct: this sounds like a simple | "just use PKI" solution but it's really not simple at all. | How do the vehicles' or devices' cert keys get provisioned | and protected? Are they unique per device, per vehicle, or | per manufacturer? Per device or per vehicle increases | manufacturing process overhead (read: price) immensely | [edit: as well as overhead at service departments]. Every | device that can sign messages needs access to perform | private key operations, which necessarily either increases | cost (eg by storing the keys in a device-local HSM or | adding network-based key operations along with the | corresponding one-turtle-down auth problems) or decreases | security of those private keys. What happens when they | inevitably get extracted and baked into spoofing tools? Can | the manufacturer rotate the root keys? What happens to | vehicles that are offline when that happens? | heleninboodler wrote: | I think to be feasible from a maintenance and consumer- | friendliness standpoint, each vehicle should have its own | local CA and have some sort of open standard for how | individual devices can have certificates provisioned so | that they can be installed on a car. A replacement-part- | pairing function that can only be performed by having | physical access to a specific secured component (e.g. not | just bus access) should work without contacting the | manufacturer. I'm in for this startup idea. 
:D
| numpad0 wrote:
| Toyota had already introduced message signing for lane-keep inputs, just not for theft protection(?)
| Ref: https://github.com/commaai/openpilot/discussions/19932
| crazysim wrote:
| The list of ECUs for the RAV4 Prime was looked up in Toyota TechInfo, but not for future cars that also have that system.
| lamontcg wrote:
| I thought it was covered in the article, but all the devices on the bus would need secret keys that were unique across all devices manufactured. This isn't impossible though, since we've been making unique MAC addresses on NICs for many decades, and motherboards often come these days with the actual serial number of the server flashed into the DMI information, etc. It will also take an electron microscope to read the keys out of the chips, which is not a very mobile attack to use against a parked car on the street.
| heleninboodler wrote:
| First, those unique MACs and serial numbers are not currently in storage that requires an electron microscope to read, so that's a pretty big additional cost burden. Second, assuming all devices were to be given secure key storage parts, you _also_ have the cost burden of the pairing process during manufacturing and maintenance, as I mentioned above (not to mention the design and development of that pairing database and its failure/diag/maintenance/factory-reset modes). It's far from trivial.
| cryptonector wrote:
| Sensors whose outputs are used to do cruise control and lane keeping assistance and so on should also be encrypted.
| I don't believe anything in this space is cost-prohibitive in the long term, or even in the medium term. It's just dev cost amortization, because the chips are cheap once they tape out.
| quake wrote:
| ASIL-critical inputs/outputs should not be encrypted, full end stop.
Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road? Absolutely the hell not.
| I worked in this space (auto RE, including keyless entry) for a while, and there's almost no way this would work at scale without a top-down platform redo for automakers.
| cryptonector wrote:
| > Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road?
| Is your concern that the key management can leave a mess of key disagreement? But that's like the sensors failing altogether, and that already has to be taken into account.
| So yes, _I_ would trust "that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road" because I have to trust that the computers will handle sensor failure correctly.
| That said, I'd only trust that if the crypto is sensible. Specifically, authenticated encryption is essential. Key exchange, pairing -- those are important too. It needn't be complicated to set up: trust-on-first-use-after-reset (with reset being not trivial to execute) should suffice.
| > [...] there's almost no way this would work at scale without a top-down platform redo for automakers.
| That's possible, but I doubt it.
| rad_gruchalski wrote:
| > But yeah, because headlights and blinkers are needlessly complicated, cough er, need data uplinks....
| Autonomous driving something something, computer controlling human actions something something.
| bluGill wrote:
| > They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
| No they won't. One, the law requires them to allow third-party diagnostic tools (only for things that are about emissions!).
| Two, the third party tool makers are paying a good chunk of | money to get documentation on how to do diagnostics. | | While new car buyers won't care, car makers know that nobody can | afford to buy a new car except by selling their old car | (normally done as a trade in), and the buyers of used cars care | that the car can be fixed so if third party tools don't work | the car has a lot less value. | aaronbeekay wrote: | I work at Ford on vehicle access and security and I'm quite | familiar with CAN security challenges and solutions. (Of | course, I don't speak for my employer here.) | | Without speaking specifically to Ford's plans, authenticated | CAN communications are absolutely coming. I don't see many | approaches that actually encrypt the data on the bus - instead | a MAC is used for each frame with a shared key on both secure | ECUs, and some protections against replay attacks and such. | | I wouldn't expect all CAN data to be protected by this kind of | security - it's a pain in the butt, and expensive. Instead, | certain specific sensitive information (like whether there's a | key in the ignition!) is protected as needed. | | The industry is also moving toward IP-based communications for | a lot of vehicle networking, which comes with many of the | benefits of the modern infosec world. Automotive has a lot of | unique challenges, though - like another poster mentioned, key | provisioning and management is a huge pain; latency and hard | timing constraints are way more important in the | onboard/embedded world; many automotive ICs have limited | support for e.g., asymmetric encryption, and of course there's | a lot of pain generated from the way the industry does software | development generally. It's an interesting space.
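aaronbeekay's comment above describes the shape of authenticated CAN: no encryption, but a per-frame MAC under a key shared by the two ECUs, plus replay protection. The Python below is an added example written for this thread, not code from any commenter or manufacturer; the 8-byte frame layout, the identifier 0x2A1, the key and the "key present" payload are all constructed for illustration. It shows a smart-key ECU appending a 16-bit freshness counter and a 32-bit truncated HMAC to its frame, and an engine ECU that rejects the same frame replayed, a frame with altered data, and a bare unauthenticated frame of the kind described in the article, while still tolerating a few dropped frames.

```python
"""Per-frame MAC with a freshness counter for a CAN 'key present' message."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Frame layout assumed for this example (not any OEM's real format):
#   bytes 0-1  application data (e.g. key-present flag)
#   bytes 2-3  freshness counter, big-endian
#   bytes 4-7  HMAC-SHA256 over (CAN ID, counter, data), truncated to 32 bits
MAC_LEN = 4
COUNTER_MOD = 1 << 16

# Constructed sample key; a real car would provision one per vehicle pair.
DEMO_KEY = b"constructed-demo-key-not-a-real-vehicle-key"
KEY_STATUS_ID = 0x2A1  # constructed identifier, not a real manufacturer ID


@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit classic CAN identifier
    data: bytes   # at most 8 bytes


def truncated_mac(key: bytes, can_id: int, counter: int, app_data: bytes) -> bytes:
    """Binding the CAN ID and counter into the MAC stops cut-and-paste across IDs."""
    msg = struct.pack(">HH", can_id, counter) + app_data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SmartKeyEcu:
    """Sender side: appends a monotonically increasing counter and a MAC."""

    def __init__(self, key: bytes, can_id: int = KEY_STATUS_ID):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, app_data: bytes) -> Frame:
        if len(app_data) != 2:
            raise ValueError("application data must be exactly 2 bytes")
        self.counter = (self.counter + 1) % COUNTER_MOD
        tag = truncated_mac(self.key, self.can_id, self.counter, app_data)
        return Frame(self.can_id, app_data + struct.pack(">H", self.counter) + tag)


class EngineEcu:
    """Receiver side: verifies the MAC first, then enforces freshness."""

    def __init__(self, key: bytes, can_id: int = KEY_STATUS_ID, window: int = 8):
        self.key, self.can_id, self.window = key, can_id, window
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: Frame) -> bool:
        if frame.can_id != self.can_id or len(frame.data) != 8:
            return False
        app_data = frame.data[:2]
        counter = struct.unpack(">H", frame.data[2:4])[0]
        tag = frame.data[4:]
        expected = truncated_mac(self.key, self.can_id, counter, app_data)
        if not hmac.compare_digest(tag, expected):
            return False  # forged, tampered or unauthenticated frame
        # Only a counter ahead of the last accepted one passes, within a small
        # window so a few lost frames do not desynchronise the pair. A replayed
        # frame carries an old counter and fails here even though its MAC is valid.
        advance = (counter - self.last_counter) % COUNTER_MOD
        if not 0 < advance <= self.window:
            return False
        self.last_counter = counter
        return True


def unauthenticated_frame(can_id: int, app_data: bytes) -> Frame:
    """What a device without the key can put on the bus: data plus zero padding."""
    return Frame(can_id, app_data.ljust(8, b"\x00"))


def demo() -> dict:
    """Runs the scenarios and returns which frames the engine ECU accepted."""
    key_ecu, engine = SmartKeyEcu(DEMO_KEY), EngineEcu(DEMO_KEY)
    key_present = b"\x01\x00"  # constructed 'valid key present' payload
    genuine = key_ecu.send(key_present)
    results = {"genuine": engine.accept(genuine)}
    results["replay"] = engine.accept(genuine)  # the very same frame again
    results["unauthenticated"] = engine.accept(unauthenticated_frame(KEY_STATUS_ID, key_present))
    tampered = Frame(genuine.can_id, b"\x01\x01" + genuine.data[2:])
    results["tampered"] = engine.accept(tampered)
    for _ in range(3):          # three frames lost on the bus ...
        key_ecu.send(key_present)
    results["after_loss"] = engine.accept(key_ecu.send(key_present))  # ... the next still passes
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The 32-bit tag and 16-bit counter are forced by the 8-byte payload of classic CAN, which is the same trade-off AUTOSAR SecOC makes with its truncated MAC plus freshness value; a short tag is acceptable only because the receiver can rate-limit failures, and the counter wraps after 65536 frames, so a real design re-keys or resynchronises before then. The `window` parameter is the only tuning knob: larger tolerates more dropped frames, smaller shrinks the span in which a captured frame stays valid.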
| [deleted] | wlesieutre wrote: | Encryption isn't needed here, this could be prevented by | messages from the smart key unit being signed with a key known | to the immobilizer | nroets wrote: | And if anyone is thinking that DSA or RSA is too difficult, | Carter and Wegman of IBM invented Universal Message | Authentication Codes in the 1980s | avidiax wrote: | Or just have the smart key ECU and the recipient ECU use a | rolling code or even a 1 time shared secret. The other ECUs | can learn the rolling code in the factory, or in after-service with the left door open, right blinker on, hood open, | and horn tapped 8 times, and then wait 20 minutes. | | Without the key to see what the code is, no injector can | spoof the frame. | | With the after-market procedure making tons of noise and | spectacle, and a nice long wait for the police to arrive, the | thieves can't replace the key ECU. | | With the system being simple, no key provisioning is needed, | no non-public information, just an extra page in the manual | and a software update. | Nextgrid wrote: | Or just make the "smart key" controller a dumb passthrough of | the key's messages and do the actual decoding and | verification of the key messages in the engine ECU. I'm in | fact surprised this isn't the case, but then again most | "security" you see on cars is more about trying to lock out | the legitimate owner from doing their own repairs or key | programming as opposed to true security designed to defeat | skilled attackers. | wongarsu wrote: | > But yeah, because headlights and blinkers needlessly | complicated, cough er, need data uplinks | | I can see how they got there. When you're getting rid of | miles of cables that link everything and move your car to a CAN | bus instead, it makes sense to say that you don't want a | central blinker-controller that runs separate wires to every | blinker. Instead you just run CAN and power to each blinker and | give them their own little controller.
Fewer wires, less | conceptual complexity, at the cost of putting a little PCB in | each blinker. | | But because "analog" blinkers had the accidental feature that | they blink faster if one blinker is broken, you have to | replicate that somehow with your new blinkers. And the easiest | way to do that is to have the blinker write that to the CAN | bus, since it's already right there. | eimrine wrote: | How on Earth might adding a computer and a little PCB of | demultiplexor logic instead of a multivibrator-controlled relay | be considered less conceptual complexity? | | I even doubt the length-of-wires point. You need a full bus | plus a thick wire from the power source per lamp instead of | just one thick wire from the relay. | PragmaticPulp wrote: | Simple PCBs are extremely cheap to manufacture at scale. | | Copper wiring is expensive and heavy. | | It's far more efficient to have a simple PCB controlling | multiple local functions (headlights, high beams, blinkers, | additional sensors) and a single power/ground pair. | | Automotive systems are 12V, which results in high currents. | High currents require thick wires, especially in automotive | environments with high under hood temperatures where you | might have to de-rate wires. It absolutely makes sense to | reduce high current automotive wiring. | M95D wrote: | I don't understand how a PCB+MCU can reduce the copper | wiring. The bulbs will consume the same amount of power | requiring the same thickness of copper wiring, no matter | if it's 10 separate thin wires, one for each bulb, or | just one wire, but 10 times thicker (by section area and | weight/meter, not diameter). | | Common power wire will still require one or two extra | wires for CAN, so it would make sense only as replacement | for bundles of 3 or more wires going to the same place. | naikrovek wrote: | you have a single bus in a ring topology instead of a | star network of wires coming from a central location.
| much less wire and with most indicators and even some | headlights being LEDs the current carrying capacity of | the +12V wire can be much smaller. GND is the metal | substructure and the CAN (or LIN) bus is just two small | gauge wires. | | much cheaper and much less wiring needed if the bulbs (or | bulb holders) can receive commands themselves. | bsder wrote: | Let's think about a headlight assembly. | | Without a board: you need a big power wire for low beams, | a big power wire for high beams, a smaller power wire for | turn signal. And that's all you can do. | | With a board: you need a big power wire for everything. | And two tiny wires for CAN--so you're already ahead. If | your beams can move, or be directed, or have LEDs that | can be modulated, or have a washer, you start coming out | _WAY_ ahead. | tzs wrote: | Do any cars use higher voltage for power distribution to | reduce currents and thus reduce the diameter of wire | needed? I'm thinking something like having a higher | voltage power distribution network that distributes power | to nodes that use a DC to DC converter to provide 12 V to | the lights, sensors, etc near those nodes. | tonymillion wrote: | Tesla have been pushing for a standardized 48v supply | system for some time for exactly the reason that 12v | 15-30A requires much thicker wiring than a 48v 5A system. | AlotOfReading wrote: | 24v and 36v are common in trucks and industrial vehicles | respectively for exactly this reason, among others. It's | _really_ expensive to increase voltage though because all | the different components' power supplies have to be | designed for transients and supply voltages anywhere from | 2-5x nominal in normal operation. Companies will often | design up to around 200v, for example. | | High power systems do exist, particularly in electric | vehicles. They have different challenges to do with being | incredibly dangerous to work on. | nomel wrote: | Can bus is a _bus_.
You don't need a dedicated run of wire | per device. You can have a single loop that goes around the | whole car that everything is connected to. Things that are | "on the way" to others are relatively "free". Compare this | to an _independent_ point to point wire for everything | that's under control. | | This is trivially observed if you take a moment to compare | a modern day wiring harness to something older, while | considering the functionality provided by the latter. | PragmaticPulp wrote: | > But yeah, because headlights and blinkers needlessly | complicated, cough er, need data uplinks.... totally NOT to | check with Toyota if you've subscribed to their monthly "safety | package" for $7.99, | | That's not what's happening. The value in a CAN bus control is | that you can significantly reduce the wiring requirements. | | Old school blinkers and headlights would require separate power | wires for every function: Blinker, low beams, high beams. Those | separate wires would each be snaked through long wiring | harnesses back to relays somewhere else in a central location. | | With CAN, you can run a single large gauge power and ground | pair and use the CAN bus to tell the remote module what to do | with tiny signal wires. It may not sound like a big deal, but | cars have a lot of electronic pieces all over. Simplifying | wiring can add up to a significant weight and cost reduction. | You now also have the ability to add more monitoring, such as | simple sensors to detect when a bulb has failed. | | Vehicle manufacturing is ruthlessly optimized. Vehicle | manufacturers wouldn't add complexity to common systems if it | didn't pay off. | m463 wrote: | > ruthlessly optimized | | One huge problem is that they put the smart key on the same | bus as other stuff (headlights, body control) to save | money/wiring. | | These kinds of busses should be buried far inside the | dashboard or some other hard-to-reach area.
| JohnFen wrote: | > Vehicle manufacturers wouldn't add complexity to common | systems if it didn't pay off. | | I know this stuff "pays off" for the manufacturers, but I | really wish they'd avoid including unnecessary complexity | such as those horrific touch screens, call connections, etc. | That sort of thing is why I won't buy newer cars. | bambax wrote: | > _Simplifying wiring can add up to a significant weight and | cost reduction_ | | Maybe, but given the explosion of weight and cost of new | vehicles, it's unclear where these savings went. | [deleted] | rpcope1 wrote: | > Vehicle manufacturing is ruthlessly optimized. Vehicle | manufacturers wouldn't add complexity to common systems if it | didn't pay off. | | You make it sound as though this is intended to be a benefit to | the consumer or the end product. Having worked on and around | cars, and being friends with people who do for a living, I am | really unconvinced that the manufacturers do a lot of this | for any consumer-friendly reason, rather than simply trying | to squeeze a buck out of you. | | I can absolutely tell you that Volvo, for example, does what | the GP is talking about, and then some. On an old school GM | or Toyota, if you break a simple switch or knob, or things | that really should just be simple devices, you can just pull | it out, go to the junkyard or a parts retailer, and put the | new one in and be on your way.
Not so for Volvo (and I'm sure | this has caught on in other manufacturers): if your switch or | control or whatever fails, and it's hooked up to the CAN-bus, | whatever replacement you find simply won't work until you've | gone to the dealership (if they even let you use a part that | didn't come from there at all) and gotten them to flash the | part and whatever other crap needs flashing like a BCM to get | them to be compatible (I think just flashing the serial | number of a BCM or whatever it needs to play nice with to the | switch), to the tune of a couple hundred or more dollars each | time. | | So in essence, a stupid simple part, that should have been | $5-10 that the manufacturer likely never would have seen a | dollar from in the aftermarket, is now a $200+ dollar flash | at the dealership, using the manufacturer scan tool, and also | increasingly requires only parts the manufacturer can | generate. So no, I really am extremely skeptical, given what | occurs *today* that 95+% of the junk on CAN bus is there for | any reason other than to boost dealership and manufacturer | profits for no other reason than the fact they can. | naikrovek wrote: | by law you can purchase any tools (computerized or not) | which you need to repair your car to a fully-operational | state. | | they can be expensive, but you can buy them. you may need | to visit a dealer to buy them, but you can buy them. | | right-to-repair exists for consumer automobiles. | | there are no "right to secure CAN buses" laws, | unfortunately. | phone8675309 wrote: | "they can be expensive, but you can buy them" seems to be | a very surface-level view here. | | Say I only need to replace a $5 switch as the parent | poster suggests. My options then are pay $200 to the | dealership to flash and install it (if they'll even flash | a third party part) one time, or I can pay thousands of | dollars for a tool I'll use once and do it myself.
| | That isn't a real choice, and the auto makers are | adhering to the letter of the law but not the spirit of | the law. Which is legal for them to do, but it doesn't | make it any less scummy. | TylerE wrote: | Or go to an Indy shop that already owns the tool and pay | them $20... | | There's a reason they're called stealerships - and the | service department is where all the profit is. (Well, | that and used cars). | somerandomqaguy wrote: | GM charges $60 per VIN for 2 years access for flashing. - | https://www.acdelcotds.com/subscriptions | | Chrysler (and probably Stellantis so Jeep, Dodge, Fiat, | RAM, etc) charges $35 per VIN per year. | https://kb.fcawitech.com/article/vehicle-reprogramming-subsc... | | Ford I believe now requires a subscription for | diagnostics but I haven't seen anything about per VIN | charges yet. I'm not sure about the British or Japanese | brands either. This is AFAIK regardless of dealership or | independent shop. | neuralRiot wrote: | Gm is $40 per VIN 1 year, Chrysler is $35 for flashing | but to do that you need 2 more subscriptions which totals | about $120. There are aftermarket tools but the | subscriptions are for a year and about $1000-$4000 | | The problem is as I always point out, that people want | complexity and technology for everyday but as soon as | something breaks they want it to be like 1990. | | The article complains about CAN bus not being secure but | this sort of attack is very rare, you need special tools, | skills, physical access to the network and time. Regular | car thieves don't go and make a key to steal a car, that | would be the same as a 1980's one breaking a window and | start trying to decode the cylinder and then cutting a | key! How does a towing company get your car in 10 | seconds? That's how they're stolen most of the time. | olyjohn wrote: | God damn. I swear if they could, they would make you buy | a fucking new wrench every time you work on a different | car.
Such bullshit how they tie their tools to a per-VIN | registration. | naikrovek wrote: | this is much more about insurance companies only paying | for cheaper 3rd party parts for repairs than it is | anything anti-consumer, though I'm sure there's some of | that, too. | | the automotive parts industry is massive and if you allow | third party parts manufacturers to make parts for your | car, you are undercutting your own parts replacement | business. how do you counter that? you require that | replacement parts come from you. the only way to do that | is via electronic means, because anything purely | mechanical can (and is) reverse engineered quickly. | | insurance companies fight against this in court because | 3rd party parts are much cheaper than official parts, and | usually come with an associated dip in quality as well, | which is another reason auto makers fight for first-party | parts businesses. | | Honda doesn't want Snake Oil Autoparts stuff installed on | cars which are still under warranty after a collision, | for example, but the insurance company paying for those | repairs _definitely does_. | aix1 wrote: | When you say "by law you can..." and "right-to-repair | exists for consumer automobiles" are you talking about the | USA or some other jurisdiction? | | (Genuinely curious; I had no idea such laws existed for | cars.) | cyberax wrote: | There technically is no country-wide legislation in the | US, but Michigan has it, and some other states have | similar requirements: | | And only for regular cars, there is no right to repair | for commercial vehicles: https://en.wikipedia.org/wiki/Motor_Vehicle_Owners%27_Right_... | | There are also long-standing legal requirements for | automakers to be separate from car dealers, which also | translate into making the repair/diagnostics equipment | available. | naikrovek wrote: | yes.
the same law (or, rather, the movement at the time | within congress) is what standardized the OBD-II | connector and mandated its inclusion in all cars from | 1996(?) onwards: the idea that consumers should be able | to repair their own big-ticket items should they choose | to. | mayormcmatt wrote: | I never got the impression the previous poster was saying | this is a benefit for consumers; he's saying it's for the | manufacturer, to cut costs. Edit: that being said, all your | points are completely valid. | spookthesunset wrote: | It is a benefit for consumers. Lower weight for better | fuel. More fancy gizmos on the car for a lower price. | whoopdedo wrote: | ... until it breaks and now, as the person above said, | you've got a three-digit repair bill. | | It's often the case that consumers will seek out the | lowest price no matter how high the cost. | yuuuuyu wrote: | > rather than simply trying to squeeze a buck out of you. | | Their profit margins will come from _somewhere_. If not | from savings then from higher pricing. | ilyt wrote: | > You make it sound as though this intended to be a benefit | to the consumer or the end product. Having worked on and | around cars, and being friends with people who do for a | living, I am really unconvinced that the manufacturers do a | lot of this for any consumer-friendly reason, rather than | simply trying to squeeze a buck out of you. | | The "consumer friendly" part is competing on price; they | don't care about repair cost, in fact parts for repair is | just recurring revenue on top of (till before pandemic) | slim margins on selling the car | kwiens wrote: | Good example. Do you know of anywhere that Volvo parts | pairing / programming issue is written up or documented? | | I'm working on Right to Repair and we get asked for | examples like this from various government agencies all the | time. It would be very helpful, thanks!
| rpcope1 wrote: | If you're looking for informal evidence, there's plenty | of posts on SwedeSpeed and Volvo Forums (and probably | Turbo Bricks, for those masochists that own a post-RWD | car) bemoaning needing to constantly reprogram tons of | things like door switches, and the various lengths owners | and enthusiasts will go to in order to attempt to | overcome these issues. | | If you're looking for something a little more formal, I | think the factory service manual probably calls out that | the R&R on a ton of parts will involve reprogramming. I | no longer own any post-Ford Volvos nor do I have any | interest in European cars, so unfortunately I don't have | any newer FSMs. A way you might be able to get at one on | the cheap is to pick a popular model/year later Volvo | (maybe like a 2016+ XC60?), and get a subscription to the | make/model/year on Alldata (which was something like $20 | a year for just a single combination), or hunt for an FSM | on eBay, if it's old enough to still have a paper FSM. | exabrial wrote: | that part was a joke, fyi. CAN is very useful, but tends to | be overused as well: | https://www.caranddriver.com/news/a41611379/gmc-hummer-ev-ta... | outworlder wrote: | > The value in a CAN bus control is that you can | significantly reduce the wiring requirements. | | I'm adding a CAN bus to my 3d printer for this exact reason. | londons_explore wrote: | And yet the obvious thing is for someone to be making and | selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, | CAN-H/L pins. And all bulbs (led or not) on a car would be | that. It would turn on/off commanded by the canbus and report | status info back. | | Yet car manufacturers don't do this. CAN transceivers are | still too expensive to build into every bulb. Instead, a | single CAN transceiver and microcontroller will control a | whole set of nearby bulbs (eg. brake, indicator, reversing | lights).
That then makes it vehicle specific, so you don't | get the economies of scale of just making a single model of | can-bulb which fits lots of places in many cars from many | manufacturers. | m463 wrote: | I thought there were already CAN bulbs. If you look for LED | replacement bulbs for your car, many are marked "CAN-bus | Error Free" | | (I'm not sure though - it might be some headlight | controller fails non incandescent bulbs) | JohnFen wrote: | > Yet car manufacturers don't do this. | | That sounds like a good thing to me. | robryk wrote: | How would the bulb know which one it is? | londons_explore wrote: | For the customer-replacement case, you simply tell the | customer to replace just one bulb at a time - and the | computer can update the mapping. | | In the factory, you fit the bulbs in a certain order | every time, and the computer knows that order. | robocat wrote: | > simply | | I'm guessing you've never worked in customer support. The | failure modes of mistakes would be nasty. Even smart | people swap bulbs around when diagnosing faults. | | Simplicity (good usability) is most always crushingly | hard to achieve, doubly so for hardware. | | Calling things "simple" is often a sign of shallow | thinking in my experience - something a customer or | manager might naively say but an engineer cannot (because | they have to deal with all of the real requirements). | | For example, the engineers that build cars can't say "you | simply push a button to start a car" - as an engineer the | complexity behind that simple operation is very very | deep. | culturestate wrote: | _> For the customer-replacement case, you simply tell the | customer to replace just one bulb at a time_ | | Just _imagining_ the customer support for this is gonna | give me nightmares. | | "Sir, you need to make sure your vehicle's ignition is | turned to accessory mode. Then wait for the light to | blink twice, that's the vehicle's confirmation that it | correctly identified the new light. 
If it blinks three | times, it can't confirm the light's location, so you | should try removing it and re-inserting it. If it blinks | four times, that means you didn't replace the bulbs in | the correct order so you need to initiate a manual reset | procedure by going to the driver's seat and..." | JohnFen wrote: | Both of those sound like hopelessly error-prone processes | likely to lead to visits to the repair shop. | the__alchemist wrote: | ID field. | doublesocket wrote: | It's more like a class field. All bulbs of class "brake" | turn themselves on for a brake message etc. | the__alchemist wrote: | Gotcha. Embedded in the frame? | sgtnoodle wrote: | CAN frames only have space for 8 bytes of payload, unless | you upgrade to CAN-FD at a significant complexity cost. | For the sake of a light bulb, you could make it work by | being sufficiently clever. You could even use all 8 bytes | for serial number, and then use existence of the message | itself to turn on the bulb. Have it turn off after 100ms | of timeout. | | It's really not a sustainable approach to try to address | nodes on a CAN bus by serial number, though. CAN is | content addressed rather than receiver addressed. Due to | the way arbitration works on the bus, it's invalid for | two nodes to transmit to the same CAN identifier. The | arbitration mechanism breaks down and results in error | frames, at which point the CAN bus is in a degraded | state. | | That would preclude a CAN enabled bulb from being able to | send telemetry back, at least until the bulb was | provisioned an identifier. That could be done by an ECU | sending a frame with the bulb's serial number and | assigned identifier. You still need a zero-conf discovery | protocol, though, and so you're back to transmitting | before provisioning. You could work around all that, but | it's a lot of work. | | Stepping back a bit, running a car's CAN bus over a light | bulb socket is going to cause some practical reliability | problems. 
Compared to a wire harness going into an ECU, a | user serviceable bulb socket is going to be much more | prone to intermittent connections from vibration, as well | as oxidation and wear. Intermittent connections on | CAN_H/CAN_L tend to cause a ton of frame errors, and | significantly degrade the overall bus performance often | to the point of system failure. When a node encounters | enough error frames, it is compelled by the standard to | go into a BUS-OFF state where it isolates itself from the | bus. Because it's a bus and all the nodes share the same | two wires, it's pretty much impossible to diagnose where | an intermittent connection is without trial and error. | the__alchemist wrote: | I appreciate the detailed insight! Great point on | something subtle re individual bulbs that is non-ideal. | I'm learning CAN now, mainly for use in drones. I have | got 2 STM32 FDCAN periphs talking to each other; the | basics seem easy, but the protocols that go on top of it | seem complicated! I suppose this is due to managing a | decentralized network. Ie, at first CAN seemed to offer _a bus that simplifies wiring and offers resistance | to noise_ , but the more subtle and interesting point | seems to be _a common API where hardware access is | handled by individual nodes, and communication is through | this API layer on top of the hardware_. Ie, if you | control the whole network, it can seem like the first | case, but the interesting things happen, eg as you | describe, when the nodes are by different | manufacturers and are swappable. | | Ie, with CAN, each node only needs to do reg | reads/writes/datasheet-spelunking for a narrow part; the | other nodes just need to know the API that sits on top of | the hardware. | jeffreygoesto wrote: | You are talking about dbc files, defining the binary | layout per message on the bus? That is typically in the | hands of the OEMs, not ECU vendors.
| | See for example https://github.com/commaai/opendbc | | Quite old and for Windows, but a lot of code showing how | to use a lot of CAN interface boxes is at | https://github.com/rbei-etas/busmaster/tree/master/Sources/B... | PragmaticPulp wrote: | > And yet the obvious thing is for someone to be making and | selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, | CAN-H/L pins. | | No, that's not obvious at all. | | Separating the control board and the bulb is obvious. You | wouldn't want to replace your entire control circuit every | time you need to replace a bulb, would you? You don't want | to have to reprogram your ECU to know which bulb serial | number corresponds to your front headlight because all of | your bulbs are the same. | | Moreover, this is impossible because there isn't a single | bulb model that goes into a car. High beams, low beams, | blinkers, and interior lights are all different. They also | differ from model to model depending on the requirements. | | > That then makes it vehicle specific, so you don't get the | economies of scale of just making a single model of can-bulb which fits lots of places in many cars from many | manufacturers. | | Car companies make millions or tens of millions of cars per | year. | | When you're making 10s of millions of something every year | (or 2X that for parts that come in pairs, like headlights), | you already have economies of scale. | | Automotive equipment manufacturers will also share | components between car companies, and further upstream you | have companies that make chips for auto makers who share | chips across the companies. | | Automotive manufacturing is a great example of economies of | scale. It's not correct to say that auto manufacturers | aren't leveraging economies of scale while producing 10s of | millions of common parts per year. | londons_explore wrote: | Plenty of vehicles only have production runs of ~10,000. | At those scales, you really don't get economies of scale.
| In fact, there were only 25 car models that sold more | than 100,000 units in 2021. | pdonis wrote: | Plenty of _particular brands of vehicles_ have smaller | production runs. But "vehicle" to the manufacturer | doesn't mean "brand". It means "set of pieces and parts | that can be the same or nearly so across many brands". | For example, a "Cadillac" to you is a different "vehicle" | from a "Chevrolet"; but to GM, the vast majority of the | pieces and parts and manufacturing processes are shared. | So the economy of scale to GM when building "Cadillacs" | is huge even if to you it looks like "Cadillac" has a | small production run. | neuralRiot wrote: | Exactly, and this is one of the reasons modules need | programming, because it comes "virgin" with only a | bootloader and the features are loaded according to the | VIN. | lcnPylGDnU4H9OF wrote: | > you will ABSOLUTELY get it from the manufacturers in the name | of security | | Fuckin' good. Then they can give me the damn encryption key so | I can diagnose it myself. I am absolutely not going to | subscribe to any sort of narrative like these things are | mutually exclusive. I'll keep screaming for the security _and_ | the repairability. | politelemon wrote: | They will never do that in the same name of security. Their | aim is appl-ification and johndeerification; it's their | object but will let you think it's yours as long as it's a | revenue source. | efficax wrote: | > So be careful what you scream for. We already have enough un- | repairable items. | | Couldn't the keys for decryption be stored in a trusted module | that can only be unlocked with the presence of the actual car | key? Yes, this means key cloning attacks still get you access | to the CAN, but if you can clone the key you can drive away | with the car anyway. 
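sgtnoodle's comment further up explains why a CAN bus has no notion of a sender: frames are content-addressed by identifier, arbitration is bitwise with 0 dominant, and two nodes using the same identifier collide rather than share it. The Python below is an added example (not from any commenter and not a CAN stack) that simulates the arbitration field so the point is concrete; the node names and identifiers 0x0A0, 0x200 and 0x3C0 are constructed for illustration. It is also the defender's reason for the per-frame MAC discussed earlier in the thread: nothing in arbitration distinguishes a frame from the legitimate ECU from one with the same identifier put on the bus elsewhere, so the receiver has to check a MAC if it wants to know who sent it.

```python
"""Bitwise CAN arbitration, simulated. Added example, not part of the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ID_BITS = 11  # classic CAN base identifier; 0 is dominant, 1 is recessive


@dataclass(frozen=True)
class Node:
    name: str
    can_id: int  # identifier of the frame this node wants to send right now


def id_bits(can_id: int) -> List[int]:
    """Identifier bits MSB first, the order in which they appear on the wire."""
    return [(can_id >> (ID_BITS - 1 - i)) & 1 for i in range(ID_BITS)]


def arbitrate(contenders: List[Node]) -> Tuple[List[Node], List[str]]:
    """Walk the arbitration field bit by bit.

    Every contender drives its bit and the bus carries the wired-AND, so a 0
    from any node wins. A node that drove 1 but reads 0 back has lost and stops
    transmitting. Returns the nodes still transmitting after the identifier
    field plus a readable trace of what happened at each bit.
    """
    active = list(contenders)
    trace: List[str] = []
    for i in range(ID_BITS):
        bus = min(id_bits(n.can_id)[i] for n in active)
        survivors = [n for n in active if id_bits(n.can_id)[i] == bus]
        losers = [n.name for n in active if n not in survivors]
        trace.append(f"bit {i:2d}: bus={bus} dropped={losers}")
        active = survivors
    return active, trace


def winner(contenders: List[Node]) -> Optional[str]:
    """Name of the node owning the bus after arbitration, or None when several
    nodes used the same identifier: all of them survive the identifier field
    and then collide in the data field, which the standard resolves with error
    frames rather than a winner."""
    survivors, _ = arbitrate(contenders)
    return survivors[0].name if len(survivors) == 1 else None


def demo() -> dict:
    # Constructed identifiers for illustration, not any manufacturer's real IDs.
    brake = Node("brake_controller", 0x0A0)
    body = Node("body_module", 0x3C0)
    dash = Node("dash", 0x200)
    bulb_left = Node("bulb_left_class_brake", 0x3C0)
    bulb_right = Node("bulb_right_class_brake", 0x3C0)
    return {
        "lower_id_wins": winner([body, brake]),
        "three_way": winner([body, brake, dash]),
        "same_id_collides": winner([bulb_left, bulb_right]),
        "single_node": winner([body]),
    }


if __name__ == "__main__":
    _, trace = arbitrate([Node("body_module", 0x3C0), Node("brake_controller", 0x0A0)])
    print("\n".join(trace))
    print(demo())
```

The trace makes visible that priority is decided purely by identifier value, which is why safety-critical frames get low identifiers, and that a second transmitter of an identifier already in use does not lose arbitration but degrades the bus, the failure mode sgtnoodle describes for serial-number-addressed bulbs.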
| tantalor wrote: | > monthly "safety package" for $7.99 | | Toyota subscription services described here: | https://www.toyota.com/connected-services/ | | One of these is "safety connect" that does stuff like SOS | button and stolen vehicle locator. | | It is _not_ for the built-in safety features like collision | detection and lane departure alert. | kwhitefoot wrote: | All new cars in the EU have to have always online SOS | connectivity so I don't think anyone can charge for it | | " eCall is a system used in vehicles across the EU which | automatically makes a free 112 emergency call if your vehicle | is involved in a serious road accident. You can also activate | eCall manually by pushing a button. " | | "Compulsory for new car models | | If you buy a new model of car, approved for manufacture after | 31 March 2018, it must have the 112-based eCall system | installed." | | https://europa.eu/youreurope/citizens/travel/security-and-em... | tantalor wrote: | Okay, that's another way of saying everyone pays for it | through higher prices or taxes or whatever, and you can't | opt out of it. | nerdbert wrote: | Wait until you hear about seat belts. | catiopatio wrote: | Seat belts don't spy on me. | rasz wrote: | Seat occupancy sensor for the airbag sure does, it even | weighs your ass. | catiopatio wrote: | The occupancy sensor isn't the problem -- the problem is | the mandatory cellular uplink that shares the data with | the manufacturer. | kwhitefoot wrote: | That applies to all state mandated stuff I suppose. But | it does mean the system can benefit from an economy of | scale. | mdp2021 wrote: | It can be disabled - though by the manufacturer only -, as | expressed in the regulation. | boomchinolo78 wrote: | I had a BMW with encrypted CAN or very similar to what that | would be. Would refuse to use a new module unless you had the | dealership key. Which my mechanic managed to get from his | friend at the dealership but still...
| | Needless to say, never again ___________________________________________________________________ (page generated 2023-04-05 23:00 UTC)