I remember the anxiety I used to feel parking my car on the curb of my ex's place. Would wake up in the middle of the night just to peek through the window. It's straight piped though so if someone else did start it it'd wake up the whole street.

Fob protection is insufficient. I plan to load a tune to just shut off fuel whenever I leave the car somewhere out of sight/unsafe. Give up remote start and a few minutes of my time, but seems like the best protection outside of it being towed away.

As nice as a tracker is I don't know if I'd want my car back if it was stolen. It'd feel tainted.

 

Not on newer designs. The reason I know this, when we need to get to the buses for legitimate engineering uses on cars its a PITA.

CMA (CAN Message Authentication) which prevents most control hacking is REALLY new (in terms of actually being implemented)

https://cdn.vector.com/cms/content/k...Article_EN.pdf

 

FYI this is what drove the push to secure things, and yes it takes 5-10 years to get everything in automotive to respond to something. A massive industrial base is just slow (this includes Tesla who isn't as far ahead as Elon wants you to think, as hes using the same suppliers and technologies as everyone else. Sometimes it seems like they are better but only because they are critically unsafe)

https://www.wired.com/2015/07/hacker...-jeep-highway/

 

OMG!! What would that do? Hope you woke up just in time to see them attempt something? Statistically that is going to be a longshot. If they did get it started, now what? Put on nightgown and chase after them? I'd pay some money to watch that. So basically, you gave up restful sleep for what? Here is what I can't understand. This is how I see it. I pay insurance so they cover the car for what it is currently worth less my deductible so I don't have to have anxiety. You could also go with something like agreed upon value but it probably will cost more. When my car got totaled, same difference as stolen, I already had a plan for when that car was replaced. Sure, there is the inconvenience of the search but there it is. If it doesn't happen, you have anxiety for nothing. If it does happen, you have anxiety for nothing and have to deal with it. I might as well enjoy my every night's good sleep and deal with it, if and when it happens. IF I can deal with my car being totaled, theft is the same thing except I want them to vanish it. I don't want to have a half broken POS to restore.

So now we are talking of a burden? Maintenance is expected. But if my cars ever became a burden like that, I'd take the bus or buy beater cars before I let it drive me into the nuthouse. It's only a mass produced car and not a sentient being.

What does the tracker do? Think they are going to have a Seal Team standing by to go HALO drop onto the guys soon as you call in their position? More like "I'll definitely pass this along.". By the time they get there, either the car is stripped down or it has been shipped out and the AirTag has nothing to connect to. Either you are going to get your posse together to beat them or you are going to have to take a backseat to the real police emergencies that take priority. Best case scenario, you close in and they have half stripped the car. Now insurance pays you a sum to restore the car. Ever know anyone to be happy with the car after it has been restored from theft? I would say they are few and far between. I would not want to get a sum of money to make it right. I would rather have what the car is worth today and put it towards something newer and nicer. Bottom line? Unless I can get my car back in the shape it was stolen (Maybe a busted window at most), I really don't want it back. What are the odds of that happening vs the car being in pieces?

 

Basically yea. It's irrational sure, but for me the car is a hobby and means a lot to me and drives me to these lengths. Insured yes, but not fully as I don't have all my modifications which have cost probably half the value of the car listed. It's probably different from a stock car or your 4th or 5th sports car. This is my first car I've used to indulge my car loving hobby and have invested a lot of time and money into it. I could build a newer, faster car or even the same exact model with the same exact mods. Would never be the same, and that sir is why I have lost sleep over it.

 

From all I can see, what you linked is a white paper by a company hoping their technology is implemented by one of the vehicle manufacturers... but hoping and reality are a far cry from each other. What manufacturers are using this new authentication method, and which of their vehicles is actually purchasable and on the road? What cars are you working with? What "legitimate engineering uses" are you trying to use? What are you doing to attempt hacking into this new system?

 

Vector FYI is the number one supplier of CAN based equipment in Automotive. In fact one could say Vector, ETAS and Electrobit almost have a monopoly on AUTOSAR components and equipment including the CAN stack. Vector and ETAS also do hardware. The only other large CAN hardware company is Intrepid, and they are actually quite small. That paper was published in 2014 by Vector. CMA is regulatory in the EU (And any markets which use ECE regulations) since July of this year. So any substantially new car that is for sale in that market must have it.

https://unece.org/sites/default/file...5/R155am2e.pdf

I work for Ford (and before that suppliers including the supplier of the EPS on the C7), so I have tons of legitimate engineering uses (data logging to solve SW issues for example). All manufacturers are using CMA and there are a few cars on the road that use it, for us anything "all-new" for 2024 and later is (there are some programs before using it as well but its now a standard thing).

I don't doubt your Cyber Security credentials, but I think your Automotive Industry knowledge is pretty thin.

 

No arguments from here on that one... I attack whatever they throw on my desk, but I've been in a vastly different area for the last two years. Your link was to a two-page addendum to the original regulation. I believe this is the original reg it's referring to, but I didn't do more than a few minutes of searching:
https://unece.org/sites/default/file...%20%282%29.pdf

I did a very fast scan of that reg, and I failed to see where they require CMA on the CANbus. In fact, it seems to be fairly generic/broad, requiring vehicle manufacturers to test/validate their systems from a cybersecurity standpoint, report once a year on those tests, etc., but it doesn't go into any detail as to what specifically they should test against (it almost reads like a self-certification, allowing the vehicle manufacturer to decide what's critical and what's not... "Yeah, we're good, we tested our own stuff and gave it a thumbs up"). Perhaps you intended to link a different doc?

You mentioned that CMA is causing issues with your legitimate access to the info busses... in what way? I don't get the impression you're actively trying to test these systems from a hacker's standpoint... if it's simply because the tools are crappy, that's not really relevant from a security standpoint, that's just poor tool design.

 

Is "agreed upon value" possible? You name your value and they name a price? IDK. Never used it. I had a 91 that was slightly modified. See sig. Almost thought of it but i think there were conditions I didn't like.

In my case, I don't want to keep the car once it gets near 15 years old. Don't want to hear "obsolete" at the parts counter and be forced to dumpster dive for the replacement parts especially electronics. Even when I modified, I never had any attachments besides financial to the car. Always something newer and better.

 

So this table makes CMA or a similar technology (there isn't another on CAN) required, its how you "Authenticate" and protected against Spoofing.

Thing therefore like Vehicle Speed or "Motion" commands are protected. However to test features you frequently do spoof signals, so now to spoof thing you need to have special parts that use "defaults" so you can spoof things. However later in programs everything is "productionized" so using real everything no "defaults" so no "spoofing" But also the physical networks are harder to get to, in prototypes we have special harnesses installed so you can plug in (most software debugging for integration issues in a vehicle is done by looking at CAN traffic to understand where in the interaction between modules is happening.

I'll use the C7 as an example because its old enough and doesn't relate to my current job and I won't be violating any NDAs or Trade Secrets.

In the C7 for example the Steering Angle of the vehicle comes from a sensor (called a SAS) in the steering column. This is a hall effect sensor that can detect the wheel turning. Since steering angle is the same as pinion angle (on the steering rack), the EPS uses this angle to know where the vehicle is headed. The EPS can internally keep track of its own movements (and does) but it has no "straight ahead" reference, hence the SAS. Corvette doesn't have LKS, but similar cars (ATS/CTS use the same SW and ECU for steering as the C7) do and this angle is used to determine if the steering system is doing LKS appropriately (same with Automatic Parking Functions).

The system its self uses Vehicle Speed (which comes from EBCM/ABS) to determine which boost curve you are on (proportional gain, effectively the same as the old hydraulic valve). Its also used to lock out specific safety functions (like the module will deny software flashes over UDS when the vehicle is moving). But the CAN Bus contains all sorts of data (and for each OEM its differently formatted). There are multiple types of CAN Buses, from Low Speed, Medium Speed, High Speed, and in newer cars CAN-FD. Signals are gatewayed by modules between the various buses, some companies like Ford use a central gateway, GM on the C7 has multiple gateways. EBCM does the job from the main HS-CAN to the CE-CAN (which is also HS but CE stands for Chassis Extension).

The **** to switch modes is also another CAN signal.

So imagine you are in an early prototype and some of the other modules have bugs that prevent proper operation. Like lets say mode switching is broke. You can in theory disconnect the switch and spoof the signals to do your testing. You'd use a tool like CANalyzer, CANoe or CANape (all from Vector) to do that, or you can run a more custom solution.

In newer cars these signals (LKS Request, Park Aid Request, Vehicle Speed, and Angle) are all authenticated to prevent spoofing. Since by spoofing some of these signals you can have control of the vehicle or do "unsafe" things like update a module at speed (which can cause a loss of functionality).

The point is that this stuff if also much more terrifying than someone man in the middle attacking your car to steal it. I don't worry about this stuff. So I don't worry about theft.

I also don't worry about what happens if someone working on EPS does their job wrong and has a unintended steer event where the motor goes max torque in one direction (imagine that at 70 MPH). If you don't worry about that stuff, you should also worry less about some thieves copying your key.

 

Collectors Car Insurance (aka Hagerty) is an agreed upon value policy. My C7 is $40k. I don't plan on selling my car ever. Newer isn't always better (in fact we are getting to the point of were cars will be unusable after 15 years with the level of electronics in them). I don't view that as a positive, even working in the industry where we constantly need to sell cars, but at some point the waste can't be handled. Cars need to stay around or be capable of staying around for 20-30 years. I'm hoping some of the older SW and Electronics gets "open sourced" and people can just replicate it.

 

I just put a magnetic "Feel the Bern" sticker on my car when I leave it in a sketchy area.
That way potential thieves will think I'm a nutcase and stay away from my car.

 

For the record the C7 is a "Global A" Architecture

New GM stuff is "Global B"

https://gmauthority.com/blog/gm/gene...logy/global-b/
https://www.sae.org/news/2020/02/new...l-architecture

Ford's stuff - https://fordauthority.com/2020/12/fo...er-for-tuners/
Chrysler's stuff - https://www.stellantis.com/en/techno...igent-vehicles

 

But was older better or was it just a bad when it first came out as new is today? IMO we love the last generation because we worked all the bugs out of it and it is stable, but more important, we are comfortable with it while the new stuff is strange and incomprehensible to us. As to the car being unusable to us after 15 years, so what? We ship older cars because we might be more picky because we can be. 3rd world country might not care enough if the radio doesn't work or the Airbag light is on, it dumps pollutants, etc. Bottom line, while we are rich enough to be picky, they have to choose between a car that works enough for them to get what they need done or nothing.

If it gets shipped to Africa, 3rd world europe, etc and used there, does it count? Site. I'm sure that if it can be made profitable there, someone will.

 

No I mean what you’re saying won’t be possible. You’ll have manual steering, maybe non functional braking (manual non-ABS at best), no cluster (what if the LCD panel
dies), not sure if engines or transmissions will continue working. The complexity of a modern car of now versus even 10 years ago is immense.

 

So what are you thinking? That in 2032 my 2017 F250 gets scrapped? I have to believe that they will find some way to restore some functionality to it to ship it out. Maybe a large depot that will cannibalize parts to get one car working for shipment? Hard to say.

 

Lots of modules now can't be swapped between cars. Once you get CMA in cars they absolutely can't be swapped as they will have vehicle unique protections.

I'm worried more about 2025 cars and later not whats out there now, this is just beginning. We are just now entering the age of the "disposable" vehicle and not in the good way by price, but in the bad way by technology creep.

 

Can't be swapped or can't be swapped easily? Are they married to the ECM and BCM with a once and done or can it be done with a dealership computer?

I don't know. I think we have entered it a long time ago. I believe Audi committed to 12 years. MB has long pulled away from the "forever car" concept. It's been many years since I have seen a Zippo lighter. People switched to disposable. Way of the world. For me, new gadgets are better.

 

Can't be swapped at all. It's hard to explain, but think of it this way every module in the vehicle has a unique set of common hashs that allow them to decode messages between each other. Each module also has a unique hash so that you can modify the vehicle hash (say delete it) but that hash is only known to the supplier of the part. New modules can accept a vehicle hash no issue but once its hashed to change or erase that hash you need a module hash.

These aren't modules married together but sharing common datum from a centralized server. Could you hack the supplier servers and the OEM servers to get the hashs for each unique part serial number and VIN yes, but you can then only compromise one vehicle or part at a time. You'd need the entire list.

Dealer tools can't rehash things, only install vehicle hashs in "green" (aka new) parts. Hashes are stored in these:

https://www.entrust.com/resources/le...curity-modules

https://en.wikipedia.org/wiki/Hardware_security_module

I worry that the days of owning a classic will one day end. I like old things, I need to get my tape deck and my 5 disc CD changer worked on both have issues and are currently inoperable.

 

Very interesting stuff. Going to have to take a bit to digest it all. So, what you seem to be saying is that if we take a bunch of cars across in a few 40 foot containers, you run into problems with what you mentioned. I guess the question is this. What if you could have the manufacturer's blessing? Would that make it easier to mix and match parts from cars that aren't good for much to cars that can be something over there? Would that take care, to some extent, your concern about what to do with the older cars with issues? Sure, to repair it here might not be profitable but over there, could it work? I'm thinking of something like say China. Over here, my $40 shirt cannot be manufactured economically but make enough, throw them in a container and ship it over here and suddenly, everybody makes money.

Never had that worry. I never liked old things. Only kept them because upgrading was economically unjustifiable. I kept the DVD player because I wasn't able to justify the cost of getting the movies to digital.