[orik]

If I recall correctly the part of the system this is running on is independant from anything important and only does media controls. It also speaks to the rest of the car over a network interface.

But still not quite for the faint of heart.

[nekomancer]

There have actually been a ton of examples over the years of researchers hacking into car systems wirelessly, some of which used the media system as the attack vector.

Even if the media subsystem is running on dedicated hardware, the fact that it's networked with the rest of the car means that there's still a risk of it being used to gain access to other components.

[jokr004]

>Even if the media subsystem is running on dedicated hardware, the fact that it's networked with the rest of the car means that there's still a risk of it being used to gain access to other components.

I don't think anyone was claiming anything contrary to that, just that replacing the software running the media dash isn't going to fubar your car.

[nickysielicki]

I wouldn't be so sure.

I don't know enough about CAN bus to speak authoritatively about this, nor do I know the specifics of what the dashboard has access to, but given that the dash displays information like charge level and speed, I'd guess that the dash is getting that information directly from the CAN.

And I do know that CAN bus is very vulnerable. [1][2]... So you may be able to kill someone through /dev/can0, via a small program running in that chroot.

Eg: In Python

    from canard import can
    from canard.file import jsondb
    from canard.hw import socketcan

    # create and start device
    dev = socketcan.SocketCanDev("/dev/can0")
    dev.start()

    # create our DoS frame
    frame = can.Frame(id=0)
    frame.dlc = 8

    # load tesla can spec, eg: from [4]
    # CAN3, ID 0x0256
    b = parser.parse('tesla.json')

    while True:
      rec = dev.recv()
      speedo = b.parse_frame(rec)
      # assassinate passengers
      if (speedo.speed > 60):
        while True:
          dev.send(frame) 

[1]: https://www.blackhat.com/docs/asia-15/materials/asia-15-Even...

[2]: http://security.stackexchange.com/questions/88724/is-there-a...

[3]: https://github.com/ericevenchick/CANard

[4]: http://skie.net/uploads/TeslaCAN/Tesla%20Model%20S%20CAN%20D...

[regularfry]

Sensible cars have a device bridging high and low security networks, forwarding data from one to the other, specifically so that a misbehaving media device or light system can't clobber the brakes or ECU. No idea if the Tesla does this or not, but it's a fairly standard approach.

[Hemera-]

Yes, it has a gateway between the high level stuff and the low level stuff. It's fairly secure too. You can't just make calls to the can bus all willy-nilly either.

[nickysielicki]

> You can't just make calls to the can bus all willy-nilly either.

What do you mean by that? I would think that once you get UID=0 nothing can stop you from doing whatever you want to that device.

[tacticus]

though wasn't the chrysler attack through one of these gateways?

[deegles]

But it might fubar your warranty...

"Your honor, we were not responsible for that AutoPilot crash because the driver did an unauthorized modification of the car's software!"

[jeena]

This should be handled like we handle replacing the breaks in your car if you do it yourself.

[fludlight]

How is that handled?

[arohner]

This is part of the Magnuson Moss Warranty Act: https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...

In effect, the manufacturer can only deny warranty claims for a specific part iff the consumer's aftermarket repair/modifications were responsible for the warrantied part failing. i.e. "I tinted the windows, and now the brakes are failing" does not result in warranty claims on the brakes being denied. However, "I replaced the brake pads [with faulty pads], and now the brake rotors are failing" can result in a denied warranty claim.

[msandford]

I don't know, but if you decide to tint your windows it doesn't somehow magically invalidate your powertrain warranty.

[radiorental]

Which is worse, proprietary closed system from car manufacturer or OSS system.

There's as many pros on one side as cons on the other.

[nisa]

False dichotomy - I think it should be similar to Kerckhoffs's principle in the long run. OSS yes, but it's signed and audited when it's able to run. Maybe like an open source version of microcode updates for CPUs. You could file a pull request because you spotted a bug but you can't fuck around your car (bad, but not so bad) and other cars (very bad).

If the Toyota code would be public we'd hear a lot of guys screaming and if you own the car and have the knowledge I guess you are keen on looking. Sure lots of noise for manufactures and likely new attack vectors but in the end public universities could look at it. On the other hand you'll end up with OpenSSL for cars.

However it should be still safe when public that what should be the design goal. However what you read about embedded stuff in cars and airplanes...OSS would be likely an improvement. I for one would like to file a pull request against the A380 firmware :)

[radiorental]

Does the fact that most of the code in your car is autogenerated from tools like Modelica change your view on how likely this can/should be opened?

That is, the 'model' is the truth and the IP. The generated code is spaghetti, the vendors components are black boxes, and their 'code' is nothing more than another locked subsystem in the model.

Let's say in an ideal world, these mission critical systems must be opened - what do you propose everyone's business model should be? If everyone must see each others models... where is the free market competitive advantage to be gained?

[mtgx]

How exactly is it separated?

I imagine the ideal solution would be using two airgapped computers, one for the main car system, one for the media stuff, and then keep the servers from which they receive updates, and the authorization for those servers completely separated as well, with the updates done by different people, too.

But I imagine the vast majority of car makers don't do anything close to that, and probably not even Tesla does it like that. BMW wasn't even sending its OTA updates over HTTPS until 2 years ago.

I imagine most right now, if they even isolate the media and the main systems at all, probably do it through virtualization to "cut costs", so they don't even use two different chips. Heck, they may even use "containers" to cut costs even further.

And this is why I won't be a self-driving car beta tester in the first 10 years. You just can't trust these guys when up until now they didn't even have a clue about software security, to do this properly. And it's probably why "Silicon Valley car makers" will end up winning over the traditional car makers eventually, too.

[Hemera-]

It's incredibly complicated, but pretty secure. The CAN bus is isolated from the network. I have root access on the CID and the IC (both separate tegra systems). You can even reboot the CID while you're driving and you only lose media and air conditioning and such. Accessing the CAN bus requires going through a pretty secure gateway system, so you can only basically make requests. Even then, I haven't even really looked into that area much.

[striking]

It's a chroot'd environment. Yeah, you could theoretically crash the underlying kernel, but doing so would probably be pretty difficult. You'd have to give that environment access to things that can crash the kernel on purpose.

[unexistance]

exactly WHY I'll wait for it to mature first, if at all...

The only software I actually can trust my life with are the ones used by NASA, if any of the car company abide / follows NASA's guidelines, they would already use that as part of the PR

so none yet