Post details: Lack of control

10/13/10

Permalink 08:51:57 pm, Categories: Security, 393 words   English (US)

Lack of control

Today at work GM brought in a couple of Chevy Volts for us to test drive. Aside from looking like GM made a parking lot look like a car dealership (helpfully including many other types of cars other than the Volt), the sales pitch was instantly given to us. One of the 'features' is for police to shut down your car through OnStar. The way it works is, presumably during a car chase, OnStar makes your car flash its lights and honk its horn. The cop then verifies, yes it's the right car. Then comes the kill switch, shutting off acceleration. The salesman was quick to point out that hitting the brake automatically could be dangerous, and this is the safer way.

I just read Bruce Schneier's book and I'm already seeing how bad this is. He wrote about it here, here, and here. I encourage you to read those. This is similar to Apple, Sony, or whoever trying to disable their devices remotely. Is this the type of control you want a company to have on a device that you shelled out 41k for?

The salesman then showed on his iPad how customers can go to a website to start their car and unlock it. Yeah, that's right, a website. How soon do you think this will be hacked? Imagine someone getting control over every OnStar vehicle with this 'feature'. Oh wait, that was done already.

Granted these are all good intentions, but I'm wondering whether they even considered the security implications. Is the cop always going to be right in shutting down your car? From Schneier:

Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class.

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.
