Cordial Deconstruction

I’d like to Cordially Deconstruct just a couple of items from and article I read today titled, “Cars: The next hacking frontier” by Elinor Mills.  The article is about the potential of hacking in today’s increasingly computerized and networked automobiles.  It’s generally a decently written article, but there’s a couple points I want to address.  The first is statement from a report by a team that managed to hack a wireless tire pressure monitoring system of a vehicle.  The article author included the following quote from the report:

“While spoofing low-tire-pressure readings does not appear to be critical at first, it will lead to a dashboard warning and will likely cause the driver to pull over and inspect the tire,” said the report. “This presents ample opportunities for mischief and criminal activities, if past experience is any indication.”

Listen, I don’t dispute that the lack of security in the TPMS displays a seriously concerning lack of attention to the concept of wireless communication security by automotive system designers, but I think the study is over blowing the seriousness of this particular vulnerability to make their point.  I seriously doubt that many drivers would pull over if this light displays on their dashboard.  Most drivers don’t even know what the light means.  I certainly dispute the notion that it “will likely cause the driver to pull over and inspect the tire”.  46% of people surveyed didn’t even know the icon was supposed to be  tire treads, and anyone who knows what the indicator is will likely know they don’t need to worry about it until they get to a service station.  Every time it gets cold, the pressure in my tires decreases in accordance with the ideal gas law, and the indicator lights up on my dashboard.  If my experience is remotely typical, many drivers with cars new enough to have the indicator are already accustomed to ignoring it until they have a convenient moment to deal with it, and certainly wouldn’t pull over right away to inspect their tires.

The article then goes on to mention another report where researchers

“tested how easy it would be to compromise a system by connecting a laptop to the onboard diagnostics port that they then wirelessly controlled via a second laptop in another car.”

Surprise, they were able to control all sorts of computer controlled functions like the anti-lock brakes, engine computer, speedometer display, etc.  The article author concedes,

“Granted, the researchers needed to have physical access to the inside of the car to accomplish the attack. Although that minimizes the likelihood of an attack, it’s not unthinkable to imagine someone getting access to a car dropped off at the mechanic or parking valet.”

OK, and it’s also possible they could plant a GPS tracker, wireless microphone, or bomb in your car, or cut the brake lines and cut a notch in your fan belt as well if they have physical access to the vehicle, all without touching the car’s computer or network system, what’s the point?  The real security concern is the wireless (hands off) vulnerability; just stick with that topic, please.

One area where I think the article author actually underplays a concern is when she writes,

“The threat is primarily theoretical at this point for a number of reasons. First, there isn’t the same financial incentive to hacking cars as there is to hacking online bank accounts.”

Actually, there is a financial incentive in hacking cars; if you could successfully hack a GM car’s On Star system, you could potentially not only disable the alarm, but also unlock and start the vehicle and disable the ability of GM to track and disable the vehicle via On Star, so there’s a minor fail in the other direction for the article.

It was a generally well written article, but a few points were a little sub par.  It may seem like nitpicking, but I usually feel that stretching points and using unnecessary hyperbole to enhance an  article degrades the overall quality of an article, and I needed something to blog about today.