Wired’s hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access).
Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.
The story notes how much more proactive Tesla was in patching this problem than Chrysler was.
The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.
In my understanding, Tesla was able to do this both because it responded right away to implement the fix, and because it had the technical ability to distribute the update in a way that was usable for end users. Chrysler deserves criticism for the former (though at least according to Chrysler, it did start to work on a fix right away, it just didn’t implement it), but the latter is a problem that will take some effort to fix.
Which is one reason I think a better comparison with Tesla’s quick fix is Google’s delayed fix for the Stagefright vulnerability. As the researcher who found it explained, Google addressed the vulnerability internally immediately, just like Tesla did.
Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.
The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over an MMS message targeting the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats.
Attackers can steal data from infected phones, as well as hijacking the microphone and camera.
Android is currently the most popular mobile operating system in the world — meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.
Joshua Drake, mobile security expert with Zimperium, reports
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification… Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
Zimperium say that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”
But with Android the updates need to go through manufacturers, which creates a delay — especially given fairly crummy updating regimes by a number of top manufacturers.
The experience with this particular vulnerability may finally be pushing Android-based manufacturers to fix their update process.
It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.
But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.
I make this comparison for two reasons. One, if Google — the customers of which have the hypothetical ability to send out remote patches, even if they’ve long neglected that ability — still doesn’t have this fixed, it’s unsurprising that Chrysler doesn’t yet.
But some of the additional challenges that Chrysler has that Tesla has fewer of stem from the fragmented industry. Chrysler’s own timeline of its vulnerability describes a “third party” discovering the vulnerability (not the hackers), and a “supplier” fixing it.
In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.
A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.
The supplier began to work on security improvements immediately after the penetration testing results were known in January 2014.
But it’s completely unclear whether that “third party” is the “supplier” in question. Which means it’s unclear whether this was found in the supplier’s normal testing process or in something else.
One reason cars are particularly difficult to test is that so many different suppliers provide parts which don’t get tested (or even adequately specced) in an integrated fashion.
Then, if you need to fix something you can’t send out over a satellite or Internet network, you’re dealing with the — in many cases — archaic relationships car makers have with dealers, not to mention the limitations of dealer staff and equipment to make the fix.
I don’t mean to excuse the automotive industry — they’re going to have to fix these problems (and the same problems lie behind fixing some of the defects tied to code that doesn’t stem from hacks, too, such as Toyota’s sudden acceleration problem).
It’s worth noting, however, how simplified supply and delivery chains make fixing a problem a lot easier for Tesla than it is for a number of other entities, both in and outside of the tech industry.
UPDATE — 4:30 PM EDT —
Hey, it’s Rayne here, adding my countervailing two cents (bitcoins?) to the topic after Marcy and I exchanged a few emails about this topic. I have a slightly different take on the situation since I’ve done competitive intelligence work in software, including open source models like Android.
Comparing Fiat Chrysler’s and Google’s Android risks, the size and scale of the exposures are a hell of a lot different. There are far more Android devices exposed than Chrysler car models at risk — +1 billion Android devices shipped annually around the globe as of 4Q2014.
Hell, daily activations of Android devices in 2013 were 1.2 million devices per day — roughly the same number as all the exposed Chrysler vehicles on the road, subject to recall.
Google should have a much greater sense of urgency here due to the size of the problem.
Yet the chances of a malware attack on an Android device actually causing immediate mortal threat to one or more persons are very low, compared to the severity of the Chrysler hack. Could a hacker tinker with household appliances attached via Android? It’s possible — but any outcome now is very different from a hacker taking over and shutting down a vehicle operating at high speed in heavy traffic, versus shutting off a Philips remote-controlled Hue lamp or a Google Nest thermostat, operating in the Internet of Things. The disparity in annoyance versus potential lethality may explain why Google hasn’t acted as fast as Tesla — but it doesn’t explain at all why Chrysler didn’t handle announcing their vulnerability differently. Why did they wait nearly a year to discuss it in public?
Dianne Feinstein just gave a long speech on the Senate floor supporting the Cyber Information Sharing Act.
She listed a series of shocking hacks that happened in the last year or so — though made no effort to show (or even claim) that CISA would have prevented any of them.
She listed some of the 56 corporations and business organizations that support the bill.
Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.
I actually think that’s reason to oppose the bill.
As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.
Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”
Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.
In the same column, I pointed out the different approach to cybersecurity — for cars at least — of the SPY Act — introduced by Ed Markey and Richard Blumenthal — which affirmatively requires certain cybersecurity and privacy protections.
Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.
The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.
I’m actually not sure how you could have both CISA and SPY Act, because the former’s immunity would undercut the regulatory limits on the latter. (And I asked both Markey and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)
Which brings me back to GM’s decision — yesterday!!! — to support CISA.
The hackers that remotely hacked a car used a Jeep Cherokee. But analysis they did last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).
So … hackers reveal they can remotely hack cars on July 21; Markey introduced his bill on the same day. And then on August 4, GM for the first time signs up for a bill that would give them immunity if they start sharing data with the government in the name of cybersecurity.
Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.
But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.
Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)
Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored by investors — and not remain artificially high.
Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.
The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to business’ data.
Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)
Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies?
This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone) access. They accessed the vehicle’s Electronic Control Unit and from that were able to get to ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs that might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.
Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.
Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.
Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.
Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.
In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.
Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.
Note, the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to electronics vulnerabilities generally.
As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).
So let’s hope Apple’s new employee takes this hacking report seriously.
The woman in the photo at the right has big titanium ovaries — not malleable brass or rusting iron. Do I know Mary Barra personally to attest to this fact? No. But I have a pretty damned good idea where GM’s new CEO has been, and it takes a pretty tough set of specifications to survive the road she’s traveled.
Like her I grew up in the I-75 corridor in Michigan, where much of the automotive industry’s OEM facilities and Tiers 1 through 3 suppliers could be found. Like her father, my father worked in the automotive business; if her household was like mine, there were copies of Car and Driver, Road & Track, machinist, tool-and-die, and metalforming magazines cluttering coffee tables or in dad’s man-cave. The smell of machine oil and the grit of metal chips are familiar, as are an ever-present collection of safety glasses, hearing protection, and greasy jumpsuits. Picture a garage like that in Clint Eastwood’s movie Gran Torino; I’ll lay good money her dad probably spent a lot of his free time between shifts in a home shop like that, and where she might have been found as well if he needed a hand or she needed a tool to fix something.
It was in her blood, I’m sure; I’ll bet she could taste it. I’m pretty certain this is why she went into engineering, and likely why she went to that particular private engineering school.
After working for a couple years as a high school engineering co-op student I had been accepted at the same school, but I went a different road, preferring business and then-nascent computing technology over engineering. My daughter, though, is at that school now. She could taste it, too; we have pictures of her at age nine, wearing safety glasses, proudly holding her first aluminum machined part. She’s the first person her dad asks for help when working on the cars at home.
I wish now I’d taken pictures of her the time she was so damned mad at her brother and his friend for accidentally breaking the sibling-shared PlayStation 2 console. She ripped it down, diagnosed it using internet research, fixed and reassembled it on her own in an afternoon.
Driven to identify and solve the problem — that’s what it takes to choose engineering as a career, particularly if you are a woman.
Sure, men too must be driven to pursue the same field, but they don’t face the hurdles that women faced then or even now, 30 years after General Motors’ new CEO first started college at the former General Motors Institute. Nobody ever questions a boy’s right to pursue engineering, or a man’s right to practice that discipline. Nobody ever questions the gender of a man with an engineering degree when he makes it to the pinnacle of the corporate ladder.
In tandem with the release of his book, Who Owns the Future?, Jaron Lanier’s interview with Salon generated a lot of hand-wringing across social media. It seems Lanier, one of our so-called intellectual visionaries, believes that the collapse of Kodak and its 140,000 jobs, and the rise of Instagram and its 13 jobs, exemplifies the killing field of the internet. Lanier theorizes good paying jobs that once supported a thriving middle class have disappeared as internet-enabled firms replaced them. As these jobs vaporized, so did necessary benefits. Here’s a key excerpt from the interview:
“Here’s a current example of the challenge we face,” he writes in the book’s prelude: “At the height of its power, the photography company Kodak employed more than 140,000 people and was worth $28 billion. They even invented the first digital camera. But today Kodak is bankrupt, and the new face of digital photography has become Instagram. When Instagram was sold to Facebook for a billion dollars in 2012, it employed only 13 people. Where did all those jobs disappear? And what happened to the wealth that all those middle-class jobs created?”
What a crock of decade-late shit.
Where the hell was Lanier in the late 1990s and early 2000s, when the U.S. manufacturing sector nose-dived due to government policies created by corporate-acquired elected officials and appointees?
It wasn’t the internet that killed the middle class. The apathy of intellectuals and the technology elite did; too few bothered to point out the potential repercussions of NAFTA and other domestic job-depleting policies. In the absence of thought leaders, corporatists sold the public and their electeds on job creation anticipated from globalizing policies; they just didn’t tell us the jobs created wouldn’t be ours.
It wasn’t the rise of digitization that killed the middle class. It was the insufficiency of protests among U.S. brain power, including publicly-funded academics, failing to advocate for labor and home-grown innovation; their ignorance about the nature of blue collar jobs and the creative output they help realize compounded the problem.
Manufacturing has increasingly reduced man hours in tandem with productivity-increasing technological improvements. It wasn’t the internet that killed these jobs, though technology reduced some of them. The inability to plan for the necessary shift of jobs to other fields revealed the lack of comprehensive, forward-thinking manufacturing and labor policies.
It all smells of Not-My-Problem, i.e., “I’m educated, technology-enabled, white collar; those stupid low-tech blue collar folks’ jobs aren’t my problem.”
Until suddenly it is.
But I don’t know how anyone thought a bankster–and particularly this bankster–could say this and still wield any credibility.
From Washington’s point of view, divesting its remaining shares will end an uncomfortable and distinctly un-American period of government ownership in a major industrial company.
Sure. Rattner places this sentiment in “Washington’s point of view.” Still, consider the messenger.
After all, he barely mentions here–as he did in his book–that this was not just a bailout of some industrial companies. It was also a bailout of two finance companies, Chrysler Finance and GMAC (he mentions that the government still owns Ally/GMAC, but still calls the scorecard, “nearly complete”). As such, it was also the bailout of the Private Equity firm, Cerberus, that had spent the previous years stripping Chrysler in the hopes of retaining just the finance arms.
He also neglects to mention that the government still pursues the un-American policy of treating banks according to a different set of rules, not only providing them free money, but seemingly exempting them from all laws.
Finally, he shows no self-awareness of his own history, including paying kickbacks so his firm could make big money off of New York State (for which he, like all banksters, got a mere wrist-slap).
I’m not saying the government should hold onto its GM stake forever (though unlike Rattner, executive compensation is the last reason I’d cite to applaud this sale). But having someone like Rattner call government intervention in purportedly capitalist companies un-American only perpetuates the idea that industrial companies should have to abide by so-called rules of capitalism that the titans of capitalism, the banksters, have all but discarded.
I was interested to read this post from Matt Yglesias, which purports to prove that “nothing will bring back manufacturing employment.” Yglesias’ logic is that overall manufacturing employment is falling, largely because of more automation, and so we should stop pushing manufacturing in this country because it doesn’t get us the nice things in life. Here’s his key graf, which I’ll return to.
If you think about what the typical American family needs more of, it’s not manufactured goods. People need cures for illness and educational opportunities for their kids. They need more time to spend on leisure activities and with their family. They need jobs they enjoy. The idea of promoting more widespread affordability of health care services by boostering the share of the population that works in factories is a bizarre Rube Goldberg mechanism compared to directly focusing on improving the health care sector’s ability to deliver useful treatment to people.
Before I get there, though, compare the graphic he uses for his post:
And the one in the McKinsey report he claims supports his argument:
See what he left out? The bit where his chosen source says,
Manufacturing contributes disproportionately to exports, innovation, and productivity growth.
That is, Yglesias stripped McKinsey’s title describing how important manufacturing is to a successful economy, including one that (if workers have some kind of workplace power, which is a big if) contributes to them having time to spend with their families and enjoyable jobs.
It has been a very long week. Time to let loose. For a change, we open up with the Formula One circus. For the first time since the not much loved race in Indianapolis gave up the Brickyard ghosts in 2007, Grand Prix returns to the United States. The setting is the newly constructed Circuit Of The Americas in Austin, Texas.
This is pretty exciting stuff. Grand Prix needs to be in the US, but has not had a venue that felt right since leaving Long Beach due to a tizzy between Bernie Ecclestone and the local promoters over the licensing fee. The US venues since then, including Detroit, Las Vegas, Indianapolis and, yes, even a forgettable three year stint here in Phoenix, just never felt right. But there is a ten year agreement to stage the race at Circuit of the Americas, and the hope is for stability.
The promoters and F1 have trotted out Mario Andretti to rave about the new facility but, from what I saw of it during practice yesterday, it looks butt ugly to me. Coming two weeks after a stop at the opulent and gorgeous Abu Dhabi Yas Marina Circuit, the dustbowl cheap blight of COTA is embarrassing. Austin is a great city; maybe COTA will grow into something worthwhile with a little age. Let’s hope so.
As for the race, so far – as expected – the Red Bulls are fast. Vettel, Hamilton and Alonso, in that order, seem to be ahead of the pack early. The final practice is live on Speed starting at 10 am EST and qualifying starting at 1 pm EST, also on Speed. Coverage of the actual race starts at 1:30 pm Sunday, again on Speed. I will say this much, while the facilities and surrounding land look a little
Because he just lost this race.
Our country hates hates hates industrial policy. But industrial policy just re-elected a President.