• Nik282000@lemmy.ca
    1 day ago

    There are a few good DEF CON talks where it has been shown that the engine control and body control can be accessed and modified via the “infotainment” system (the one I saw specifically was Jeeps).

    • Clearwater@lemmy.world
      21 hours ago

      Once you’re inside a car that’s on, there really isn’t any security*. The OBD2 port that every remotely modern car has is perfectly capable of accessing all the diagnostics and data streams the car has, and can also control/reconfigure the various computers.

      IMO that doesn’t really matter, since the system isn’t powered until the key is in the ignition and the car turned on. You can’t do anything with the key off, and if your passenger wanted to sabotage the car, they’d just yank the wheel as you drive down the highway.

      That said, yes OTA updates are a travesty. Specifically because cars have so little security, having any access to their computers from the outside is a massive risk… And if there’s a potential that the country the manufacturer is in turns hostile, that risk certainly isn’t reduced.

      * A handful of manufacturers have “added” security to their systems by… (drumroll pls) restricting access to the systems and requiring a subscription for full access. That’s fucking evil and doesn’t even do anything (at least for a mechanic or tinkerer like me) since you can just google “FCA bypass cable” and skip right past the firewall.

      • Nik282000@lemmy.ca
        10 hours ago

        Modern cars expose the engine/body control CAN bus through the fucking headlights. You don’t need to be in the car and it doesn’t need to be on for you to have the same or more access than the OBDII port.

        It doesn’t matter what the country of origin is, someone is gonna find a way to break OTA updates, gain access via exposed wireless networks or just pop off a CAN bus controlled light and plug in. How long before someone pushes a malicious update that causes the ABS to disable or degrade braking to near 0%, or just throws the electronic power steering full left whenever the speed exceeds 101km/h?

        • Lemmyoutofhere@lemmy.ca
          3 hours ago

          Only Toyota was dumb enough to have a CAN bus run to the headlights. Edit: and use the same bus the keyless system runs on.

        • ProgrammingSocks@pawb.social
          5 hours ago

          But that would be silly, because the easiest way to kill someone without consequence is to get behind the wheel and run them over. People could also be putting bombs in product boxes and poison in medicine. A coherent society doesn’t have these problems.

          • Nik282000@lemmy.ca
            3 hours ago

            Forgot about WanaCrypt, Stuxnet or the Ashley Madison breach? Indiscriminate harm is the norm, not the exception.