The researchers could have achieved the exact same results (albeit with fewer clicks) by conducting this experiment in a remote parking lot or a private road. Heck, if the writer had contacted the cops, they could have given him an escort to make sure nothing bad happens.
If you ask me, it is this kind of behavior that makes the work of real researchers harder, as the media is quick to paint all security researchers as clueless nerds who will put people at risk.
> The researchers could have achieved the exact same results (albeit with fewer clicks) by conducting this experiment in a remote parking lot or a private road.
According to the article, the researchers already did as early as 2013. Auto manufacturers ignored the reports while continuing to pretend that their vehicles are secure.
It still demonstrated the same root problem: that the computerized systems on cars today have very little in the way of basic safeguards. And there was indeed quite a bit of cracking UConnect and wirelessly spying on Dodges and Chryslers throughout the country before the experiment.
If I were an auto manufacturer, I wouldn't wait until someone finds a wireless exploit (at which point it's too late to do anything about it before people die or are maimed unless I'm lucky enough for the zero-day to be found by a white-hat or grey-hat). I'd see those earlier reports, say "holy shit if we have one wireless bug, the whole car could be pwned", and start working on a better isolation of critical systems from internet-connected systems immediately.
You don't think there's a difference between exploiting physical access, and remote network exploits? Given physical access to a computer, you can break into it almost trivially; but you don't see people sweating about that.
> Given physical access to a computer, you can break into it almost trivially; but you don't see people sweating about that.
Sure you do. This is why large businesses (smart ones, anyway) require employees' smartphones to be locked with a password or PIN. This is why standards like HIPAA require secure data to be encrypted at rest. This is why laptops being stolen from government agencies leads to things like millions of confidential records disclosed (true story).
And you're still missing my point: that the likes of Toyota and Ford are relying on their wireless systems being secure. That's reckless, since now their wireless systems are the single point of security failure. The lack of even basic safeguards, access levels, etc. should a breach occur is the point of this article, more so than the specific UConnect breach. Having only one layer between "secure" and "pwned" is by no measure a good idea.