this post was submitted on 10 Feb 2024
748 points (99.1% liked)

[–] [email protected] 2 points 7 months ago (2 children)

Why not improve the security with an arms race? Keep it legal and the responsibility of the manufacturer to make a secure vehicle.

[–] [email protected] 7 points 7 months ago (1 children)

and recall every car they ever made that can be opened with a remote?

[–] [email protected] 1 points 7 months ago

Isn't that what happened with the KIA and Hyundai cars?

[–] [email protected] 2 points 7 months ago

Right? That's the thing. Car thieves don't care if the tool is illegal; they're already planning on stealing a car.

If you make the tool illegal, you're just making it harder for security experts who do care about the law.

[–] [email protected] 26 points 7 months ago (1 children)

The whole "these can be used for high scale crimes" argument is straight up fearmongering. One or two people have reverse engineered the remote protocol on one or two specific models of Volkswagen car, and, after listening to the car being locked and unlocked several times using a laptop and $500 SDR, can reconstruct a signal to unlock the car. When a cybersecurity professional figures out this is possible at all, it makes the news.

If your car can get broken into by any random script kiddie with a Flipper Zero, sue the car company for gross negligence.

[–] [email protected] 8 points 7 months ago

Exactly. If the car can be broken into that easily, it's the car company's fault.

[–] [email protected] 10 points 7 months ago (2 children)

It's a multi-faceted blame. Yes, you blame the hardware that's used to commit the crime, then you blame the people using it to commit the crime, then you blame the people still allowing it to be done. Look at America for example. People use guns to kill children in schools. Then you blame the person for committing the crime, then you blame the politicians who refuse to make it harder to get a gun.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

I don't get these arguments. These tools aren't weapons, and limiting legal access to pentesting tools will decrease corps' and individuals' ability to be proactive about security.

These devices can be manufactured relatively easily and making them illegal will essentially mean the only people doing security tests are criminals. Large tech companies, correctly, run bug bounties where independent security researchers can make income by reporting reproducible and exploitable bugs. The concept here is called offensive security and it's extremely important for building better and more secure platforms. This situation will never be improved by limiting legal access to useful testing tools.

The responsibility should be on automakers and other companies that have massively insecure products, not on open source developers who are making products for security researchers.

[–] [email protected] 1 points 7 months ago

The problem is where does the line end? I can use a Mason jar, metal bits, and some simple household chemicals to make a shrapnel bomb like they used in the Boston Bombing. Should we ban Mason jars? I can additionally buy a dozen consumer drones and then attach those shrapnel bombs and fly them into a crowd at eye level - making the Boston Bombing look tame in comparison.

Are we to ban drones? I can use basic household cleaners to make mustard gas, I can get cyanide from regular items, I can take my car and drive it into a group of children waiting for the bus.

If someone wants to commit a crime, they are going to find a way. There's a line where we have to look and say - the cost of living in a free society means that individuals have the capacity to commit crimes. If we get rid of the capacity to commit crimes entirely, we would have also necessarily gotten rid of the free society.

[–] [email protected] 24 points 7 months ago

It seems like maybe the problem is that automakers were able to widely market vehicles that use wireless protocols that are relatively easy targets for attack. This was never properly secure.

Automakers should absolutely be held to higher standards (in general) than they are, and it's not likely that banning specific devices is going to have any measurable outcome here. It's pretty well known that people buy and sell malware, and people can just... make devices similar to a Flipper with cheaply and readily available hardware.

This is just dumb posturing to avoid holding automakers and tech companies accountable for yet another dumb, poorly thought-out design feature.

And obviously it doesn't stop at cars. It seems pretty clear that snooping on any feature using RFID or NFC tech is only going to become more widespread. Novel idea: what about using... actual keys as the primary method of granting physical access? Lock picking is obviously possible but a properly laid out disc-detainer lock is pretty goddamn hard to bypass even with the proper tools, and that skill can't just be acquired in the same way as with electronic methods of bypass.
