The Internet of criminal things

Posted Oct 2, 2015 13:54 UTC (Fri) by raven667 (subscriber, #5198)
In reply to: The Internet of criminal things by tao
Parent article: The Internet of criminal things

I think you are probably wrong here in your estimate of how widespread car owners messing up their ECU is and will be, and we can use currently existing reality to make that estimate. You already drive on a road where people "chip" their cars with dodgy ECU software for decades now, the small number of people who are really interested in modifying their cars in this way already do so, leaving the firmware open to the owner isn't introducing any new risks. I don't see any new factor that is going to substantially change peoples feelings about messing up their cars, a small number of "tuners" will do so while the vast majority will be unwilling to take the risk, people take their cars more seriously than their computers, I don't think you can broadly generalize the likelihood of downloading malware from computer malware to cars the way you seem to be doing.

The Internet of criminal things

Posted Oct 2, 2015 16:10 UTC (Fri) by BlueLightning (subscriber, #38978) [Link]

I think the ultimate counter-argument to this is that you can already trivially put whatever liquid you like into your fuel tank (or even worse, the oil filler on top of the engine or indeed the brake or steering fluid reservoir), and somehow most of us still manage not to pour things in there that put our cars or indeed our lives at risk, and nobody is clamouring for padlocks or security caps to be fitted. (Yes, I'm aware that some cars have internalised or removed some of these filler caps, I don't think I would buy such a vehicle.)

Sure, that's not nearly as complicated or perhaps as subtle as modifying code in the ECU - but that's part of the point - it's trivially easy to do the wrong thing here and yet most people don't even have the inclination to try something they shouldn't.

The Internet of criminal things

Posted Oct 4, 2015 7:16 UTC (Sun) by marcH (subscriber, #57642) [Link] (1 responses)

> leaving the firmware open to the owner isn't introducing any new risks.

... while trying to close it could reduce risks. Worst case it will make little difference.

> a small number of "tuners" will do so while the vast majority will be unwilling to take the risk, people take their cars more seriously than their computers,

As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.

Since car manufacturers ironically wish the same thing, it will happen more and more. Get over it.

And once again: absolutely nothing here incompatible with open-source and transparency.

The Internet of criminal things

Posted Oct 5, 2015 1:35 UTC (Mon) by raven667 (subscriber, #5198) [Link]

> Since car manufacturers ironically wish the same thing, it will happen more and more. Get over it.

This seems incredibly short sighted to me, if you don't bake ownership control in at the beginning, like was done with Secure Boot, you will end up where the manufacturers have always wanted, where it is only possible to get service of any kind at an authorized shop where that manufacturer can take a cut of the revenue (maybe all of the profit).

> As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.

That is a massive red herring and completely confused, in no way to you have to take extreme technical measures to lock the owner out of modifying their own car for the courts to be able to figure out where liability lies when something goes wrong. There are hundreds, maybe thousands of years of precedent on how liability works when a person purchases a good made by someone else, this is not fundamentally different just because computers are involved.