this post was submitted on 05 Dec 2023
207 points (97.7% liked)
Technology
59708 readers
5514 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The existing standards OBD-II and CAN Bus just aren't fit for purpose for ICE cars let alone EVs. Too many keyless cars get hacked by the thief hacking into either system and overriding the lack of a key, even if it means cutting a hole in the boot lid to expose the CAN Bus connection as with some Range Rovers.
Its become a significant problem for a lot of cars. It used to be that they would break into your house to steal your key, then steal the car but now they do not need to do that. It can be done in a couple of minutes on some cars that do not properly protect the CAN Bus cable.
What we really need is a proper public/private key pair for the cars so that all comms is only authorised via the physical key fob. This needs to be touch authorised to prevent snoop attacks. Sticking it on the key would then mean right to repair is not blocked, if the main dealer has it then its a big blocker for right to repair.
It's not that simple. The CAN bus isn't just about unlocking doors and rolling down windows. It also controls airbags and other systems that are time-sensitive. If you're rolling down the window at the same time you get in a crash, the airbag message has to override the window rolling message and inflate those bags in right-the-fuck-now time.
Adding encryption to the mix greatly increases the engineering required, even if it's not used for every kind of message.
Decent encryption can be pretty quick and transparent these days.
Besides, things related to windows, doors, ignition, etc. could be required to be encrypted, while split-second things like air bags could be unencrypted.
This means an attacker who, e.g. bashes your fancy LED headlight to get to the CAN bus within can only do things like trigger your air bags, which isn't very productive for them.
Yes I am aware of that, however the current way that is being looked at addressing the problem is moving the cabling to further within the car, which is just pathetic, like thieves wont just adapt to that.
Encryption really isnt as big a performance impact if it is done correctly, sure it is not cost neutral but ask Range Rover how much reputational damage they had with their piss poor security. They are still having 1 in a 300 brand new defenders stolen after adding what is pretty a traditional immobiliser and tracker.
As an example: https://iopscience.iop.org/article/10.1088/1742-6596/2006/1/012071
"Done correctly" is the trick. This takes careful analysis and design. You don't just pour on encryption and hope everything will be fine.