[EAS]The Wired Car

pjk pjk at design.eng.yale.edu
Thu Jun 28 17:19:16 EDT 2001 

Subject:   The Wired Car

Dear Colleages -

Today's car is already a complex mechatronic system, suitable as a
good framework for an introductory course in engineering principles
and "systems thinking." Entering freshmen are often particularly poor
in the latter. By that I mean the envisioning of larger technological
constructs as an interconnected set of smaller building blocks with
causal attributes, not the mathematical tools applicable to describing
those attributes.

Well, your car is becoming part of a larger systems environment. In a
recent article <http://dlis.gseis.ucla.edu/people/pagre/car.html>,
well annotated with links,  Phil Agre of UCLA describes this evolution
and the, as usual, often surprising and undesirable consequences. As
the local area networks (LANs) within your car become part of larger
networks, aspects of your car and car ownership become liable to
hacking, all the more so since automotive engineers, who have
networked into a LAN the 20 or more microcontrollers of a modern car,
have led a rather sheltered life when it comes to larger security
issues, as suggested by the item appended below (also via Phil).

I feel fairly confident that the car, as an omnipresent intersection
of high technology and very direct personal safety concerns, has the
makings of an entire legal subspecialty in product liability.

    --PJK

---------------------------------------------------------------------
Date: 6/26/01 12:31 AM
To: pjk
From: Phil Agre
[The world is full of exceedingly smart people who know all about the
subject matter of their profession, be it medicine, transportation,
or what-have-you, who are now wandering into the world of computers.
These people are smart enough to make computers work in some narrow
sense, but in many cases they are not acculturated enough into the
world of computers to avoid severe design errors, particularly in the
area of security.  The fact that many people in the computer industry
commit the same errors, whether through ignorance, arrogance, or
deadlines, doesn't help either.  The problem can be funny when
it affects other people, but it stops being funny once we imagine
automobiles on the highway being attacked with scripts.  The enclosed
message is forwarded by permission, and has been reformatted to 70
columns and slightly edited.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
You are welcome to send the message along to others but please do not use
the "redirect" option.  For information about RRE, including instructions
for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Mon, 25 Jun 2001 17:39:34 -0600
From: << a long-time RRE subscriber who prefers to remain anonymous >>

Very interesting article/paper.  I work for << well, let's just say
he knows what he's talking about -- PA >>.  As a result, I have an
anecdote and a particular point which may be of interest to you.

Client Anecdote:

        High-end vehicles (automobiles) contain three electrical
busses: one for the engine and drivetrain (requiring real-time
mechanisms), one for non-driveline-related controls (e.g. climate,
locks, window controls), and one for entertainment/non-critical
systems.  There are numerous variations one these (see SAE, Intel,
and Motorola for gory details) but the basic situation is that (IMO)
it's apppropriate to characterize them as fast, medium, and slow,
or critical, important, and who-cares.  At the moment, most vehicles
have only the fast and medium busses, and they're not interconnected
at the data and control-message level.

While discussing the evolution of these systems with vehicle engineers
at a large mfr., it came out that they intended to interconnect these
three systems in such a way that it would be possible to transfer
data and control messages from one bus to another.  My background
as a software designer and part-time system security geek led me
to suggest to them several scenarios in which such a system might be
intentionally hacked.  Their responses were frightening, to say the
least.  Roughly, here is what they said:

  o First - no one can (is capable) of doing that
  o Two - even if they were, why would they? -or- Why would they want to?
  o Three - even if they could and did, we can build unhackable systems.

These were very bright guys, mind you, who clearly had real talent
in designing automotive systems, but the gap between what they
thought and the mind of the average hacker (and I use that term
in the classical sense of "someone who mungs technology for kicks")
was astonishing.  We pointed out that ignition systems were already
being hacked to improve performance.  "But that's different!" they
replied, without being able to muster a reasonable explanation of the
"differences".  We pointed out that the fast and medium busses were
basically Ethernet-style mechanisms and therefore subject to similar
problems.  "Oh", they said after a few minutes thought, "but it's
*not* like that at all.  Ours is *simpler*."  Doh!

In a few more minutes we (one of the original architects of the
TCP/IP protocol and I) were able to conjure up several likely lines of
attack, all of which were deemed non-implementable by the automotive
engineers despite their having not a single general-purpose-software
expert among them.  They were *literally* unable to conceive of
the hacking possibilities they were about to offer us.  The closest
they got to admitting they had a problem was to suggest that they
would solve their bus data security problem by en/decrypting all the
packets.  Right...and how much more processing power would you need
for that, even assuming you could get enc/dec hardware fast enough to
run a modern engine?

In retrospect, I'm sure the conversation was just as frustrating for
them as it was for us.  It never occurred to them that *some kinds of
data are intrinsically valuable* and that software people as a class
tend to want to poke at things for *no other reason* than that it's
fun.

Point:
        Intelligent Traffic Systems seem to me to be yet another
attempt to replace human initiated first order errors (driving
mistakes) with human-initiated second order errors (software
problems).  In addition, the infrastructures typically described
eliminate three types of alternative transport: motorcyles,
motorscooters, and human-powered vehicles.  In Western US cities
especially, motor-driven cycles are practical on a year-round basis
and lower population densities make the construction of dedicated
bicycle trails afforable.  In Alburquerque, NM, for instance, they've
paved many of the access paths along the storm drains and irrigation
system, thus making it possible to ride tens of miles without
venturing onto surface streets.

Fortunately, we live in a nation that can't even get traffic light
sensors to detect a 500# motorcycle, so I'm not too worried about ITS
being deployed any time soon.

More information about the EAS-INFO mailing list