from Hacker News

Web hackers vs. the auto industry

by quicksilver03 on 1/3/23, 11:07 AM with 92 comments

  • by mike_hearn on 1/3/23, 9:45 PM

    A few recurring patterns here:

    - Broken API authentication mechanisms, SSO that doesn't work properly. The frequency with which they could simply register accounts and then make themselves some sort of admin by sending ordinary HTTP requests, without ever once needing to confirm with anyone in person, is quite astounding.

    - Everything being totally exposed on the internet: frontends, backends, all of it. Apparently IP firewalls are history.

    - Stringly typed APIs and protocols in which adding escaped control characters in various places allows bypass of critical comparison logic.

    - And a bit of SQL injection. Apparently only worth looking for on old web apps - progress?

    It feels like the ad-hoc way user accounts were added to the web platform has led to a universe of different implementations and varying exploits. Still, it'd be good to know what their failure rate was. How many companies did they attack without finding any (serious) problem?
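
Added example, not part of the comment above or of the linked article: a sketch of the "stringly typed" comparison problem from the third bullet, with a flawed check on the raw string next to one that canonicalizes first and refuses control characters. The reserved identifier, the function names and the sample inputs are all constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Constructed sample data: identifiers an ordinary user must not be able to claim.
RESERVED = {"admin@example.com"}

def naive_is_reserved(raw: str) -> bool:
    """Flawed check: compares the raw wire string, before any decoding."""
    return raw in RESERVED

def downstream_view(raw: str) -> str:
    """What a later layer ends up using: percent-decoded, trimmed, lower-cased."""
    return unquote(raw).strip().lower()

class RejectedInput(ValueError):
    """Raised when an identifier cannot be brought into canonical form safely."""

def canonicalize(raw: str) -> str:
    """Decode once, refuse leftover escapes and control characters, then normalize."""
    decoded = unquote(raw)
    if "%" in decoded:
        # Assumption for this sketch: identifiers never contain a literal '%'.
        raise RejectedInput("nested percent-encoding")
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in decoded):
        raise RejectedInput("control or format character in identifier")
    return unicodedata.normalize("NFKC", decoded).strip().lower()

def hardened_is_reserved(raw: str) -> bool:
    """Compare the canonical form, the same form every later layer must use."""
    return canonicalize(raw) in RESERVED

def classify(raw: str) -> str:
    """Decision a registration endpoint would log for one submitted identifier."""
    try:
        return "reserved" if hardened_is_reserved(raw) else "ok"
    except RejectedInput:
        return "rejected"

if __name__ == "__main__":
    # Constructed inputs: plain, case/space variant, escaped carriage return.
    for sample in ["user@example.com", "Admin@Example.com ", "admin@example.com%0d"]:
        mismatch = (not naive_is_reserved(sample)) and downstream_view(sample) in RESERVED
        print(f"{sample!r}: naive/downstream mismatch={mismatch}, hardened={classify(sample)}")
```

The mismatch column is the useful detection signal: any input the first check treats as distinct but a later layer collapses onto a reserved value means two components disagree about identity.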

  • by stefanoco on 1/3/23, 4:58 PM

    Although all the vulnerabilities affect cloud services and/or mobile apps (SaaS and similar areas), it looks like this eventually leads to closely interacting with the single vehicles. Which raises questions about the recent Cybersecurity UNECE Regulations R155 and R156 that any new vehicle manufacturer must take into account while submitting a new model for approval in Europe and other areas. Those regulations explicitly cover the vehicle itself and not connected cloud services. Should an urgent revision extend coverage?

  • by scohesc on 1/3/23, 7:54 PM

    This is exactly the reason why I'm trying my best to keep my non-smart vehicle running as well as possible for as long as possible.

    I have no idea what exactly will be exposed to the manufacturer's backend, what can be manipulated and hacked on the front-end, and the possible safety repercussions involved with this.

    Who's to say some government/corporate espionage results in a manufacturer getting their back-end hacked and having every online vehicle immediately get their brakes applied? Definitely some Black Mirror-esque stuff...

    Not to mention the convenient ability to surveil any vehicle and their locations with a busted and easily crackable API - why does it take external hackers with a (thankfully good) sense of morals and ethics to bring these things to companies' attention?

    It'll probably take something hitting national/international news before lawmakers or companies take this security seriously.

  • by AlexandrB on 1/3/23, 8:44 PM

    Would love to see a regulatory requirement for a physical off switch for vehicle network connectivity. Probably won't happen though.

  • by bhargav on 1/3/23, 10:00 PM

    Great finds. I always wondered how "White hat" hackers didn't land themselves in legal trouble while probing and toying around with systems like this. How do you ensure you won't be tracked down and legally charged?

  • by pjmlp on 1/4/23, 9:12 AM

    This is a great example why one should not rely on frontend validation and assume all requests are coming from the browser.

    Yep, I see this all the time in juniors' code.

  • by ck2 on 1/4/23, 5:51 AM

    Probably impossible on an EV but otherwise unscrew the antenna connections on your car and use the key for the lock.

    My year 2000 car with stick-shift and window cranks seems more valuable now, it even has mechanical accelerator/throttle, lol hack that.

  • by concordDance on 1/4/23, 9:53 AM

    No Tesla on the list? I guess they've probably started remote stuff earlier and thus all the hacks and disclosures happened ages ago.

  • by RektBoy on 1/3/23, 11:10 PM

    How much bounty money did you receive from these multi-billion companies?

  • by MaanuAir on 1/4/23, 7:51 AM

    Looks like another recurring movie where evil/young wizards (car manufacturers) would summon some attractive daemons for their own needs (profit/power) thanks to some new magic spells (IoT tech) without mastering it, leading to unintended consequences (vulnerabilities and bad exploits) that other, wiser wizards (security researchers/industry) have known for ages.

    Not good, but seems to be the IT curse repeating again and again.

  • by WarOnPrivacy on 1/4/23, 2:43 AM

    The next time someone asks me to name my heroes, I'm sending them a link to this article.

  • by ballenf on 1/3/23, 8:42 PM

    The scary thing with any of these disclosures is the thought that state intelligence would be stupid to not spend a lot more resources than these ethical hackers did to discover the same.