Sorry the picture is sideways, I was trying to be incognito whilst I shot it.

Yes, he was buying beer.


And vodka.

I was initially just ribbing you when I was asking about Chrysler's CEO. You know every time something gets hacked I am going to stack crap on you from here on out.

But regarding your last comment, I am quite sure that they have industry best practices in place. That's usually case in these situations. It is easy for someone that has no deep experience in technology to hold up a standard and say "Do this, it will be safe." That just isn't the case however.

Your comment about running networks with different communications protocols doesn't fly. There is no alternative to communicating through mobile towers. You are at the mercy of the protocols available on the mobile infrastructure. You can run a higher layer protocol above that, and you darn well Chrysler Fiat was already doing that. Secondly, the Chrysler Fiat UConnect system opens itself as a mobile WiFi hotspot. There is only one realistic suite of protocols for WiFi. You can't just go proprietary, because nothing could connect to the hotspot which defeats the entire purpose of creating a hotspot. Lastly, a proprietary protocol will almost certainly have more holes than a well vetted public protocol -- unless you are Cisco -- because you don't employ an army of the right type of engineers to deliver a highly secure proprietary protocol if you are a car manufacturer (nor should you -- you build cars, not security protocols).

Further, regarding protocols, saying to "run networks with a different communications protocol" is analogous to saying "just throw away your millions in R&D and start from scratch". It flies in the face of understanding how much work and research goes into bringing a product to market. A great deal of time and money goes into vetting and selecting hardware from vendors -- of which the embedded systems have quality built-in security libraries. However, no matter which product you select, there is a high likelihood that they have undiscovered security flaws. Couple that with the fact that the applications that you write on top of those embedded platforms will introduce new, higher layer holes and the reality is that having a 100% secure device is practically impossible.

Regarding stateful firewalls, I don't know if the Chrysler Fiat UConnect system is stateful or not (and I suspect neither do you), but they certainly utilize a firewall as the whole point of that system is to expose a WiFi hotspot. I'd bet it's already stateful at minimum at the lower levels of the OSI model. Whether it was stateful at the application layer or not is probably proprietary. But stateful or not, a firewall is no panacea, as Chrysler Fiat just found out.

It seems the popular opinion on here is that nobody will hack cars because there is no money in it. Really? There were Russian hackers (IMHO amateurs compared with the Chinese) that would install a trojan on your computer and then hold that computer "hostage" until you pay them a ransom. Many people paid them off.

Think about having your car shut down on a highway, unable to move it, until you pay $100 to some nefarious criminal to have the trojan removed. If you don't pay the $100, your alternative is to have it towed to a dealer and have them wipe it. That will cost way more than the $100. So what will people do? I think a bunch of people will pay that $100 just to get their car rolling again, and reward a bunch of hackers handsomely.

Wu, first and foremost, it's not the protocol, it's the framework.

Now, here is something serious, why wifi in a car, anyway? Do we need it? We've put wifi in toasters, I don't get it. And if wifi in a car is so important, why allow any of your systems, be it engine, radio, transmission, lights be controlled remotely? It serves no purpose. Well, short of some clown being able to tell you how "connected" he is and how "tech savvy" he and his car is.

Any good that you can gain from putting wifi in a car can be gained by building systems that cannot be controlled remotely.

I was with my wife at Bed Bath and Beyond, they had a wifi electric skillet???. Now if they would just invent a wifi toilet...

Next!

I get the fact that you were ribbing me, but I want to point out to you that people invest in securities to build value. That being said, their lack of compliance and poor quality create a reputational risk for them. Let's say that there are 60 million people who would consider buying a Chrysler. Take it a little further and say that 50 percent of them would consider buying a Chrysler for perceived engineering and quality reasons (Chrysler invented the hemi engine, torsion bar suspension and automatic transmission). Let's say of the 30 million, even 10 percent of them were persuadable or on the fence. The perception that is currently being created by their actions is that Chrysler uses sub-standard products (like plastic gas tanks) and will not inform purchasers of their products if there is a pending safety recall.

If that influences ten percent of the buying public to conclude that Chrysler's cars are substandard, that's 3 million people who have changed their minds about Chryslers, which translates into lost sales and market share. It works the same way for the car owners. Of the million or so cars that Chrysler is now recalling, if 10 percent conclude their car is a piece of junk and they tell 10 others that their car is a piece of junk, then you have potentially another million people thinking Chryslers are junk.

It's going to cost a lot of money to buy back the loyalty of that 4 million people.

Note that this does not count the cost of the 500,000 trucks they may have to potentially repurchase as a result of this action.

Second regarding communications protocols. The following are supported by 4G LTE (ref: http://lteworld.org/lte-protocols-specifications):

LTE Protocols

Air Interface Physical Layer

GPRS Tunnelling Protocol User Plane (GTP-U)

GTP-U Transport

Medium Access Control (MAC)

Non-Access-Stratum (NAS) Protocol

Packet Data Convergence Protocol (PDCP)

Radio Link Control (RLC)

Radio Resource Control (RRC)

S1 Application Protocol (S1AP)

S1 layer 1

S1 Signalling Transport

X2 Application Protocol (X2AP)

X2 layer 1

Lastly, the firewalls in this case are meant to be in the DMZ or at the boundary. The hack that Wired performed was from a laptop, I'm going to assume that it was done through a corporate network. The stateful firewalls at the DMZ or boundary between the corporate network and the UConnect system should have a rule to drop traffic that is using the protocol of the UConnect network. That's the whole reason to have an SDN, so as to allow the UDP (IoT) and TCP (corporate) architectures to talk to each other. The stateful firewall SHOULD be examining packets crossing the boundary and have a rule on the TCP side to drop UDP imbedded traffic or on the UDP side to drop TCP imbedded traffic, but for whatever reason it probably was not doing this (perhaps a lack of firewall rules). Allowing imbedded traffic to slip through to either side might allow malicious activity. I'm going to assume that malicious UDP commands were imbedded in traffic that was not dropped at the firewall, was passed to the UDP network and executed in that environment.

Crap. A wifi toilet...

:)

For easy connectivity to your mobile phone, iPads, and laptops. It allows your kids/passengers to use their iPads on the Internet while you are driving without requiring 3G/4G. Your phone is likely to have lots of music you like to listen to, and can broadcast through the car's audio system. Your laptop may have movies you want to allow your kids to watch on the DVD in the car's headrests so that they will shut the heck up. Theoretically, your GPS system could get up to the minute information on accidents and bad weather ahead and which alternate routes would be ideal.[/quote]

Well, yes and no. Accident and weather updates wouldn't be available. But the idea for the WiFi isn't so much to control your car (other than the entertainment system), rather to allow your devices to have Internet access. I am guessing (pure speculation) they took advantage of the existing WiFi to allow their diagnostics system to be easier to access (thus allowing access to the car's critical controls). If I'm right, that sounds like a bad long term bet. Better to decouple those systems entirely and have only hardwired access to the diagnostics, if you want it to be secure.

BINGO! I don't have any experience with UConnect, but my ex-wife's car had OnStar and it would send us emails with our current tire pressure, oil life, etc. So I bet UConnect was doing the same thing. And from there it's probably easier to make that the "port of entry" for technicians to get all the diagnostic info from the car. So I agree with you KW, bad long term bet.

Not trying to pick a fight with you KW, but...

You mean like we have been able to do for years, by using a cell phone as the hotspot?

And those automotive wifi systems still require 3G/4G, because they are operating on the same hardware/networks as the cell providers. It is not as if GM, FCA, and Ford are building wifi towers themselves; they are using existing networks via contract.

You mean like wirelessly streaming music between cell phone and car audio system via Bluetooth, as we've been able to do for years?

I think you're in front of the curve at hand here with that idea. Besides, same thing could hypothetically be done via cables, since - ya know - car interiors have something like 25 or 30 "square feet" of footprint. Not like the computer and the TV monitor are across the house.

They've done some of this for years using stereo waves, I believe. Regardless of the broadcast medium, this idea is not new and has been in application.

If you really needed the diagnostic tools data sent to the manufacturer, they could build a wifi system in the car that only sent data. Communication back could be done via email or text. You isolate the car from being hacked. The rest of the connectivity is redundant, I have Foxfi on my Android device, unlimited data (grandfathered in on old Verizon plan) and everyone tethers. On roadtrips, I download movies to my Galaxy tablet. I can't confirm whether or not I use this app, but those with Android devices can download Popcorn Time, not on the Android Market, and download movies for free. Torrent file sharing and free, much like the old Napster. Okay, I don't use it, my wife is anti-piracy, but you can do it.

I don't understand your response in the form of an argument at all. He asked why they made a WiFi hotspot avaliable. The answer is it makes all of those things easier. You are correct about all of the history too. There is no argument regarding any of it.

WiFi is replacing all of those technologies now because the price of those (WiFi) chipsets have fallen astronomically making a single solution technology affordable from a manufacturing perspective and the end result is it's a lot easier and cheaper for the end user. Easier because all of your devices connect to a single device, consistently across all devices. Cheaper because you don't need quasi-redundant hardware across many devices (bluetooth, wired ethernet, firewire, USB).

Again I am not opining whether it's a good or bad idea ... I was just answering his question.

Yes, they could enforce that data is outbound only on an isolated network, but that would require redundant transceiving hardware and it's far too easy to convince yourself that you can save some money and make the system secure enough to use the interface you are already have installed -- just by properly configuring an embedded firewall (which is how you would go about that enforcement policy).

I think you are right. They should physically isolate those systems and add the redundant hardware. Not sure that you can get past it being bidirectional if you want Onstar capabilities though.

Is it time for me to quit driving? I don't want to be watched, monitored or spied upon. I'm just a gun totin' huckleberry. Time for me to get off the grid.

Not if you own a '68 Mustang GT 350 Convertible with a gun rack and an anti-radar license plate cover. Not sure where you'd put the gun rack.

If you have a new car, it's probably too late. The new thing is Usage Based Insurance (UBI), that monitors your driving habits, mileage and time of day. All through your 'smart car'. Progressive is marketing this as 'snapshot' currently, using a dongle they provide, but according to Deloite and Touche, you will soon be able to use your cell phone (via Bluetooth) to send details from the sensors and imbedded telematics information to your insurance carrier (if you sign up).

Mine (Ford) tells me where the cheapest gas is, can produce a status report on my mechanicals (and send it to my cell phone), tells me where the traffic problems are, provides navigation and places my phone calls on my blue-tooth enabled cell-phone. It also has sensors to tell me when my tires are low. I'm also thinking it has sensors that relate to oil change as well.

All at no cost (OnStar generates a billion dollars of revenue per year for GM).