Truth is I haven't had a car accident (my fault or others') in my four decades behind the wheel (knock on wood), but I've had five bike crashes that sent me to the ER over the past quarter-century. Maybe I should look into a remote-controlled bicycle...? I see Lexus is now offering a $10k bike (another story on the EET home page today), but it is still under manual control.
How do others feel? Do you want a computer to control your car (or bus, or train)? Or would that scare you to death?
There are two talks coming up at DEF CON 21 and Black Hat in the next couple weeks on car hacking. Both should really help to get people understanding the risks and possibilities in this area and why addressing security should be as important as it is for all other control systems.
I ran across this short YouTube video published recently by one of the speakers; he demos control of steering:
Thanks for your comment. Indeed, it won't be that easy to hack a car. It's not like that car has only one CAN bus that connects to everything. There are always several networks inside a car. And there are gateways.
That said, it isn't a total fantasy, either.
I recommend that you read the original tech paper (mentioned in the story):
For this whole concept of hacking cars to fly, there has to be a control path from the wireless portion of the system to the actual vehicle network's internals. If I have a phone connected to the Bluetooth of my car radio and the radio is able to send messages over the CAN network to my instrument cluster, this still doesn't mean that someone can remotely attack my CAN bus. The limited functionality that is afforded the radio does not extend to such things. My radio's OS would need to be reprogrammed with a new one that was wired with the appropriate sophistication. The command set that my car radio supports via WiFi/Bluetooth won't support reprogramming of the primary OS. A physical connection to the radio's USB port is needed for that. It may happen in the future that a car manufacturer loses all sense and adds cost to a vehicle system that adds no benefit (except to a hacker), but I haven't seen any thus far. A number of vehicle systems I've worked on even have multiple CAN busses, but they have no connectivity to each other, only to/from the primary controller to the CAN busses. Only certain data patterns are tolerated on the busses, with malfunction codes set when limits are exceeded.
I'm not sure what car they're using, but mine certainly obeys pairing protocols, requiring a key, and as far as OBD goes, that's a car inside under my steering wheel.
The big difference between PCs and embedded vehicle computers is that they are designed for a specific function and operate in real time, lacking the free-form communications available on a TCP network.
I think in the future some accountant at a car company may have too much Bourbon and sign off on a 20% price increase for no user and bottom line benefit, but while they switch suppliers over 10 cents it's unlikely.
Cellphones are hackable because they ARE general purpose computers that have ample room for apps and anything can talk to anything because that is required. Car systems (the drive train systems) are quite a different kettle of fish.
I just read the article again, and it seems that they had internal access for some of the strategy, which makes the whole thing no different than cutting brake lines.
The NHSA should act now and dictate that no vehicle drive and safety systems are allowed to be controllable remotely. There's no reason for it and without that functionality the NXP car will never hit the assembly line.
I couldn't agree with you more, Duane. There is always that aspect: engineers are aware of potential vulnerabilities but there is that inevitable marketing force, asking engineers to get the products out sooner.
I am not here to blame anyone, but I would love to have open conversation on this topic within the industry (and consumers).
I agree that the EE/SWE needs to be aware of safety/security. But when management/marketing push a feature/product despite the insight that the worker (Engineer) warns/suggests, the best that can happen is "meet the deadline and functionality" as they are told.
The need is for the general public to push Marketing to make safety/security part of the product spec so that the Engineer can be justified to do things right.