S4 in January is a great way to start off a new year. This year I had a session entitled “Remote Control Automobiles” where I analyzed an OBD-II dongle from Progressive that is designed to track vehicle usage for insurance purposes. It’s a cellular enabled embedded device that connects directly to a vehicle’s CANBus (the vehicle control network). The video from the talk is below.

https://vimeo.com/118408316

I want to acknowledge and point you to the work of Ron Ofir and and Ofer Kapora of Argus Cyber Security who are also doing research in the automotive dongle / remote space. Their results are similar. There is a lot of FUD surrounding this topic so I’ll say this: The disparate systems, communications, and vehicle software makes attacks specialized and non-trivial. It is unlikely that we will see attacks like the extreme ones often used as examples, but the concern is real because the possibility is there. These dongles are cellular enabled and directly connected to your CANBus via OBD-II; an attacker who controls the dongle can control your car.

The main point of the talk was in line with the theme of the conference: what can an attacker do to a process when in control? What now? What are the ramifications of the Internet of Things, of adding network connectivity to a bunch of Insecure by Design systems?

“A system is *good* if it does what it’s supposed to do and it’s *secure* if it doesn’t do anything else.”

– Dr. Eugene Spafford, Purdue

Vendors are solving problems and making *good* systems that aim to improve the quality of life. Vendors are not always putting in the effort to make *secure* systems. Let’s stop using microkernels that were made without anyone uttering the acronyms SDL or TDD. Let’s incorporate technologies like cryptographic authentication. Let’s see some well designed AND secure systems. The engineers of these systems have accomplished a difficult task in making systems do what they are supposed to do. We just have to, at the same time, also be creating systems that don’t do anything else.