{"id":10311,"date":"2022-02-18T17:44:14","date_gmt":"2022-02-18T17:44:14","guid":{"rendered":"http:\/\/TheNextWeb=1380889"},"modified":"2022-02-18T17:44:14","modified_gmt":"2022-02-18T17:44:14","slug":"your-car-is-a-computer-on-wheels-and-its-code-can-be-hacked","status":"publish","type":"post","link":"https:\/\/www.londonchiropracter.com\/?p=10311","title":{"rendered":"Your car is a computer on wheels \u2014 and its code can be hacked"},"content":{"rendered":"\n<p><span>We aren\u2019t joking when we talk about <a href=\"https:\/\/thenextweb.com\/topic\/vehicle\" target=\"_blank\" rel=\"noopener noreferrer\">cars<\/a> as big fat data generating computer centers on wheels. If you go on <\/span><a href=\"https:\/\/www.glassdoor.com\/Interview\/How-many-lines-of-code-does-a-Tesla-car-have-QTN_2753567.htm\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>Glassdoor,<\/span><\/a><span> there\u2019s even an interview question, \u201cHow many lines of code does a Tesla have?\u201d<\/span><\/p>\n<p><span>I\u2019m not entirely sure, but even <\/span><a href=\"https:\/\/spectrum.ieee.org\/this-car-runs-on-code\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>a decade ago<\/span><\/a><span>, premium cars contained 100 microprocessor-based electronic control units (ECUs), which collectively executed over 100 million lines of code. 
Then there\u2019s telematics, driver-assist software, and infotainment systems, to name but a few other components that require code.<\/span><\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-1365806 size-featured_img js-lazy\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-796x498.jpeg\" alt=\"The Subaru Solterra EV\" width=\"796\" height=\"498\" sizes=\"(max-width: 796px) 100vw, 796px\" data-srcset=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-796x498.jpeg 796w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-280x175.jpeg 280w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-216x135.jpeg 216w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-432x270.jpeg 432w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-1536x960.jpeg 1536w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200-1592x995.jpeg 1592w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/09\/EV_Vehicle_Interior_Night_1920x1200.jpeg 1920w\"><figcaption>Your car\u2019s infotainment system is just one way that the security of your car can be attacked. Image: <a href=\"https:\/\/www.subaru.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Subaru<\/a><\/figcaption><\/figure>\n<p><span>What I do know is that as cars\u2019 digital and <a href=\"https:\/\/thenextweb.com\/news\/can-tesla-get-autonomous-vehicles-to-go-mainstream-before-robotaxi-makers\" target=\"_blank\" rel=\"noopener noreferrer\">autonomous<\/a> capabilities increase, the integrity of that 
code will matter even more \u2014 especially its security.<\/span><\/p>\n<p><span>Every car comes with many components, and each of these might have a different codebase, which, if poorly tested or secured, is vulnerable to bugs, errors, or malicious code. But what if we could secure cars before they leave the factory floor?<\/span><\/p>\n<p><span>I recently spoke to Matt Wyckhouse, founder and CEO of <\/span><a href=\"https:\/\/finitestate.io\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>Finite State<\/span><\/a><span>, to find out how the heck automakers secure all that code. He also owns a Tesla, so he\u2019s personally invested in car security.<\/span><\/p>\n<p><span>It\u2019s common to build security into the entire development lifecycle. However, Finite State pushes security \u201cas far to the right as possible.\u201d This ensures that the code of the final build is secure and that nothing changes between testing and the car going to its customers.<\/span><\/p>\n<h2><strong>What are some of the most common security flaws?<\/strong><\/h2>\n<p><span>Poorly written code is vulnerable to security risks or malicious activity. Those millions of lines of code within a car\u2019s microprocessors all have their own origin. For example, embedded system firmware, including the firmware used in connected vehicles, is composed of 80-95% third-party and open-source components.<\/span><\/p>\n<p><span>And, once you start using software from other parties who may not share your security vigilance, the risk increases. 
Here are some common examples:<\/span><\/p>\n<h2><strong>Log4j vulnerability<\/strong><\/h2>\n<p><span>One example is the recent <\/span><a href=\"https:\/\/thenextweb.com\/news\/log4j-bug-internet-open-source-contributors-analysis\" target=\"_blank\" rel=\"noopener noreferrer\"><span>Log4j vulnerability<\/span><\/a><span>, a zero-day vulnerability in the Apache Log4j Java-based logging library.<\/span><\/p>\n<p><span>The main developer might have pulled in the Log4j software as part of their development practice. Or it might be wrapped in a third-, fourth-, or fifth-party component built in Java that lands in the final software.<\/span><\/p>\n<p><span>This jeopardizes the security of any auto server using the library. The data is collected and stored in different places over time. This increases the risk of impact on the vehicle software.<\/span><\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img decoding=\"async\" loading=\"lazy\" class=\"size-featured_img wp-image-1361924 js-lazy\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models-796x478.jpeg\" alt=\"Tesla Model S second place for best-selling used EV in the US\" width=\"796\" height=\"478\" sizes=\"(max-width: 796px) 100vw, 796px\" data-srcset=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models-796x478.jpeg 796w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models-280x168.jpeg 280w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models-450x270.jpeg 450w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models-225x135.jpeg 225w, https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/07\/models.jpeg 1000w\"><figcaption>Why hack one Tesla when you can hack 25? Image: Tesla<\/figcaption><\/figure>\n<p><span>In January, cybersecurity researcher David Colombo <a href=\"https:\/\/thenextweb.com\/news\/dutch-car-thieves-ingeniously-hacked-their-way-into-this-bmw\" target=\"_blank\" rel=\"noopener noreferrer\">gained remote entry<\/a> to <\/span><a href=\"https:\/\/medium.com\/@david_colombo\/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>over 25 Teslas<\/span><\/a><span> due to a security flaw discovered in third-party software used by Tesla drivers. <\/span><\/p>\n<p><span>It didn\u2019t enable him to \u2018drive\u2019 the cars. But he could lock and unlock windows and doors, disable the cars\u2019 security systems, honk the horns, and turn the cars\u2019 radios on and off.<\/span><\/p>\n<blockquote class=\"twitter-tweet\" readability=\"9.1878172588832\">\n<p dir=\"ltr\" lang=\"en\">So, I now have full remote control of over 20 Tesla\u2019s in 10 countries and there seems to be no way to find the owners and report it to them\u2026<\/p>\n<p>\u2014 David Colombo (@david_colombo_) <a href=\"https:\/\/twitter.com\/david_colombo_\/status\/1480632304045330433?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">January 10, 2022<\/a><\/p>\n<\/blockquote>\n<h2><strong>The security problem of hardcoded credentials<\/strong><\/h2>\n<p><span>Another example is <\/span><a href=\"https:\/\/owasp.org\/www-community\/vulnerabilities\/Use_of_hard-coded_password\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>hardcoded credentials<\/span><\/a><span>. This is where plaintext passwords and secret data are placed in source code. It provides a backdoor for product testing and debugging.<\/span><\/p>\n<p><span>If they are left in the final code, an attacker can read and modify configuration files and change user access. 
If the same password is in use as a default across multiple devices, then you have an even bigger problem.<\/span><\/p>\n<p><span>In 2019, hardcoded credentials left in the <\/span><a href=\"https:\/\/cyware.com\/news\/hard-coded-credentials-in-mycar-mobile-app-leave-thousands-of-cars-vulnerable-to-attacks-faab436e\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>MyCar mobile app<\/span><\/a><span> made it possible for attackers to access consumer data and gain unauthorized physical access to a target\u2019s vehicle.<\/span><\/p>\n<h2><strong>So, how do you secure software against vulnerabilities and attacks?<\/strong><\/h2>\n<p><span>Finite State\u2019s work starts at the testing phase, focusing on the final binary copy and builds. They work backwards, automating the reverse engineering of code, disassembling, decompiling, and testing for weaknesses and vulnerabilities. They then share the findings with the client\u2019s security team.<\/span><\/p>\n<p><span>Wyckhouse explained that end testing enables them to see how a software artifact has changed over time: <\/span><\/p>\n<blockquote readability=\"7\">\n<p><span>And if there\u2019s an unintended change that\u2019s not traceable back to an action by the dev team, that\u2019s a reason to investigate further.<\/span><\/p>\n<\/blockquote>\n<p><span>When it comes to <a href=\"https:\/\/thenextweb.com\/news\/ev-charging-is-a-security-disaster\" target=\"_blank\" rel=\"noopener noreferrer\">cybersecurity and mobility<\/a>, we\u2019re really only just beginning. 
But according to Wyckhouse, automakers are continually investing in security, not only to comply with <\/span><a href=\"https:\/\/www.iso.org\/standard\/70918.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>industry standards<\/span><\/a><span>&nbsp;but also to gain reputational and competitive advantages over rivals who repeatedly suffer from security breaches.&nbsp;<\/span><\/p>\n<p><span>Still, not a week goes by without yet another report of an attack or a vulnerability found by white-hat researchers. And as car automation increases, the risks only get greater.<\/span><\/p>\n<p> <a href=\"https:\/\/thenextweb.com\/news\/security\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We aren\u2019t joking when we talk about cars as big fat data generating computer centers on wheels. If you go on Glassdoor, there\u2019s even an interview question, \u201cHow many lines of code&#8230;<\/p>\n","protected":false},"author":1,"featured_media":10312,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/10311"}],"collection":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10311"}],"version-history":[{"count":0,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/10311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/media\/10312"}],"wp:attachment":[{"href":"https:\/\/www.lond
onchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}