linux-works
Active Member
I recall a car that was being pen-tested (admittedly by a top-notch red team in our company) and they got into ours from the outside, eventually getting to CANbus and getting root in a gateway. (damn!). we found and fixed the flaw but it goes to show, even when you take pains to try to secure things, experts (and script kiddies, if it ever gets to that) will be able to get in; there are so many vectors that you would not believe until you see it done before your eyes.
btw, this is why users will never get true API access to cars. vendors are not security experts and too much is at risk, so they will be turning all dangerous write-access off, and the smarter ones will even disable read access (due to side effects). I hate that, as I like to remotely control things, but having been on the vendor side, I understand their view and actually agree with it. CANbus will eventually be encrypted, networking, when the chipsets are ready for BroadR-Reach PHY/MAC based encryption, tapping into your car will be a thing of the past.
but I still will assume that data-at-rest is still not properly secured and that temp files are truly deleted (securely), even if they do start to lock the car down bit by bit, over time (which again, I hope every car maker does).