OSD 203: Siri, brick my target’s car
Where is the stable equilibrium between attackers and defenders?
A security researcher posted a report last week about vulnerabilities in modern cars’ software. The whole thing is worth a read. Here are some highlights:
Kia, Honda, Infiniti, Nissan, Acura:
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
- Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
- For Kias specifically, we could remotely access the 360-view camera and view live images from the car
Hyundai, Genesis:
- Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
- Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
- Ability to lock users out of remotely managing their vehicle, change ownership
Porsche:
- Ability to retrieve vehicle location, send vehicle commands, and retrieve customer information via vulnerabilities affecting the vehicle Telematics service
There are a few interesting things going on here:
1. The increasingly-close-to-home capacity for software hacks to affect the physical world.
2. The internet remains the cypherpunk wild west we all pine for, you just have to know where to look.
3. Wait, take a step back — these vulnerabilities are crazily severe. How is this possible?
Let’s focus on #3. (This will eventually tie into guns, promise.)
Take two premises. First, that software has a set of properties. Fast, flexible, a bit chaotic, etc. Second, that software is eating the world. If both are true (and that seems pretty unambiguously the case), then as software eats the world — i.e. as more of the world is software — the world will start to take on the properties of software. The actual physical world. Like, say, your car.
In some domains, this happened decades ago. You don’t read about breaches like this at Google, because Google’s products have been software for 24 years (from birth) and so all the low-hanging vulnerability fruit is long gone. But it was an iterative process to get there. E.g. Facebook only started defaulting to HTTPS in 2012.
Nissan’s products have only been software for … well, they still aren’t. Kind of. They’re simultaneously software (as evidenced by the fact that you can brick them remotely with just the VIN) and not software (as evidenced by the fact they’re 4000 lbs. of atoms). Cars are at a moment in time when they’re software-like enough to get hacked, but so new to it that there’s low-hanging fruit everywhere you look.
Eventually this reaches a mostly stable equilibrium, where defenders have the upper hand and all the easy, high-leverage attacks are gone. That’s not to say they’re impossible. And maintaining the equilibrium does require large ongoing investment from defenders. But the investment pretty much works, and that’s where things stabilize.
Using this as a lens into guns, belief in gun rights is implicitly a belief in the conclusion above — that the stable equilibrium when everyone has force multipliers (access to a computer, in the example above) will favor defenders. So the thing that makes sense is to get to that equilibrium as fast as possible.
When people reject gun rights, the underlying assumption is that the world above would settle on an equilibrium that favors attackers. So in that framing, the logical conclusion is to take away force multipliers.
The history of security research (granted, with some exceptions) doesn’t bear that out. But it’s useful to understand the premises people are working from.
This week’s links
T.Rex Talk podcast: What the gun industry can learn from Coca-Cola
Isaac uses “OSD 145: Guns, Andy Warhol, and Coca-Cola” as a jumping-off point (and does a much better job explaining the ideas than we did!) to predict where the industry is ripest for innovation.
Third Circuit agrees to go en banc on a case that will decide whether it’s constitutional to strip nonviolent felons of their gun rights
In deciding to rehear the case en banc, the court vacates their previous panel ruling that had upheld this law.
Federal judge strikes down much of New Jersey’s post-Bruen gun control law and blocks enforcement of its “sensitive places” restrictions
Coverage from Stephen Gutowski at The Reload.
Jeremy Renner’s life may have been saved by the tourniquet his neighbor applied
The neighbor, a doctor, applied the tourniquet to Renner’s leg after the actor was run over with a snowplow.
Based on the statistical likelihood of it saving a life, tourniquet EDC should be at least as common as gun EDC.