
The problem is that there is an increasing overlap between physical vehicle control systems, cabin controls and displays, and remote communications. For example, how do you design a system that can automatically call for help in the event of an accident without giving that system access to the sensors that also trigger airbag deployment and similar safety features? How do you build "self-driving" automation (or even less ambitious driver aids that are already in widespread use) without relying on sensors observing the environment around the vehicle, which may be subject to interference or deliberate deception?


All the use cases you described are already implemented in today's cars, bus segregation doesn't mean zero communication.

Gateways can allow certain messages to pass through; the point is that they preserve the guarantee that certain safety-critical messages can only originate from within a specific network. It's basically a crude MITM mitigation.
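As an added illustration of the gateway rule described above (this is example code, not from any commenter or real vehicle), a minimal routing policy that enforces "safety-critical IDs may only originate on the safety bus" and lets telemetry flow one way. The bus names, CAN arbitration IDs and frame contents are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed bus names for this example
SAFETY_BUS = "powertrain"
INFOTAINMENT_BUS = "infotainment"

# Constructed arbitration IDs: these may only originate on the safety bus
SAFETY_CRITICAL_IDS = {0x0A0: "brake_cmd", 0x0B0: "steer_cmd"}
# Constructed arbitration IDs: read-only telemetry the gateway bridges safety -> infotainment
TELEMETRY_IDS = {0x1C0: "vehicle_speed", 0x1D0: "fuel_level"}


@dataclass(frozen=True)
class Frame:
    bus: str      # bus the frame was received on
    can_id: int   # 11-bit arbitration ID
    data: bytes   # up to 8 payload bytes (classic CAN)


class Gateway:
    """Bus gateway that decides where a received frame may be forwarded."""

    def __init__(self):
        self.dropped = []  # (frame, reason) for anything the policy rejects

    def route(self, frame):
        """Return the list of buses the frame is delivered to (empty = dropped)."""
        # Malformed payloads never cross the gateway, whatever their origin
        if len(frame.data) > 8:
            self.dropped.append((frame, "oversized payload"))
            return []

        # Rule 1: safety-critical commands must come from the safety bus and are
        # never bridged anywhere else, so an infotainment compromise cannot forge them
        if frame.can_id in SAFETY_CRITICAL_IDS:
            if frame.bus != SAFETY_BUS:
                self.dropped.append((frame, "safety id received from " + frame.bus))
                return []
            return [SAFETY_BUS]

        # Rule 2: telemetry is bridged one way, safety -> infotainment; the same
        # IDs injected from the infotainment side are dropped
        if frame.can_id in TELEMETRY_IDS:
            if frame.bus == SAFETY_BUS:
                return [SAFETY_BUS, INFOTAINMENT_BUS]
            self.dropped.append((frame, "telemetry id injected from " + frame.bus))
            return []

        # Rule 3: default deny for bridging; unknown IDs stay on their origin bus
        return [frame.bus]


if __name__ == "__main__":
    gw = Gateway()
    print(gw.route(Frame(SAFETY_BUS, 0x1C0, b"\x00\x3c")))        # bridged both ways
    print(gw.route(Frame(INFOTAINMENT_BUS, 0x0A0, b"\xff")))      # dropped
    print(gw.dropped)
```

The policy is deliberately an allowlist: only IDs the gateway knows about are ever bridged, and the direction of each bridge is fixed, which is what gives the "can only originate from within a specific network" guarantee the comment describes.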


> All the use cases you described are already implemented in today's cars, bus segregation doesn't mean zero communication.

That's the problem, though. Once bidirectional communication exists, you can pretty much guarantee there's an exploitable hole in it that can be used to break the firewall.


Data diodes exist and have been used in high security or other risky cases when one circuit or bus absolutely has to be isolated except for one way communication.

In practice it's not typically necessary to go quite that far if a trusted communication processor is able to pass messages or set registers but only ever takes logic control flow input from the "safe" side. Plenty of equipment that wants to broadcast state over radio but never accepts any sort of input back beyond acks or whatever has done this for a long time.


I was talking about two-way communications. Maybe you can securely isolate a bus that has the insecure->secure side reduced to super trivial communication. But I won't trust anything that runs a multi-layer software stack and a complex communications protocol; from what I've learned about software security, there's always a bug or a backdoor that can be exploited to elevate access or just break the secure-side components.

(This is, of course, entirely my opinion. I haven't seen the code of these systems, but looking from the outside, nothing I've learned makes me feel like I can trust their security.)


When I saw arbitrary code execution on the NES in Super Mario 3 done with only controller inputs I decided any notion of software security in a system more complex than, say, a microwave oven, wasn't achievable.

I recently heard an "On Star" ad that proclaimed that they can "slow down stolen cars". Consumers are wowed by features that, by definition, are enabled by unwise security decisions. Manufacturers will cash in. IT security in cars will get worse.


> Data diodes exist and have been used in high security or other risky cases when one circuit or bus absolutely has to be isolated except for one way communication.

But how can you include adequate firewalls in a car that, for example, receives OTA updates for autonomous driving software? It is inherent in any such system that incoming signals are received and that the software that may be affected by those signals has access to pretty much everything.


These systems are crude but they implement a physical airgap.

You would have to hack a gateway (on-site) or physically access a segregated bus, at which point you could argue that you could also physically tamper with brakes or engine without any software being involved.


Unfortunately, a physical air gap won't prevent a malicious actor from, for example, projecting a misleading image designed to confuse your automated driving systems when they process that image and so prompt an adverse and potentially dangerous reaction. This is not only about the communications channels in the internal architecture, it's a much broader problem than that.


Please read the whole thread, this is going completely off-topic from the original discussion in the start of these comments.

The original claim was that vehicles should never be connected to any network because of unspecified online attacks that could actuate brakes or steering. I explained why this was unfounded.

Adversarial patterns against computer vision based ADAS are only a real issue for systems which are not sufficiently redundant. Autonomous systems in particular should also apply a degree of sensor fusion between multiple sources of data such as optical computer vision, radar, long range ultrasound and LIDAR (once it becomes cost effective). If any of those systems provides erroneous data the remaining ones can negate that and allow for a fail-safe behaviour.

If you want my opinion, as someone who moved away from automotive R&D a few years ago, Tesla's decision of depending too heavily on computer vision systems without additional sensor redundancy seems like an architectural defect that has already cost lives. Either they are not integrating other sensor data sources or their voting weight appears underestimated.
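To make the redundancy argument in the comment above concrete, here is an added example (not any commenter's code, and not how any real vehicle does it) of a simple agreement-based fusion of range readings. One sensor reporting an obstacle far from where the others place it is treated as an outlier, and if fewer than two sensors agree the function returns a fail-safe result rather than a number. The sensor names, tolerance and readings are constructed for the example.

```python
from statistics import median

# Constructed policy parameters for this example
TOLERANCE_M = 2.0   # readings within this distance of the median count as agreeing
MIN_AGREEING = 2    # fewer agreeing sensors than this -> fail safe, no fused value


def fuse_range(readings):
    """Fuse obstacle distances (metres) from several sensors.

    readings: {sensor_name: distance_m or None if the sensor has no measurement}
    Returns (status, fused_distance_or_None, outlier_sensor_names).
    """
    valid = {name: d for name, d in readings.items() if d is not None}
    # Not enough independent evidence to trust any single value
    if len(valid) < MIN_AGREEING:
        return ("fail_safe", None, [])

    # The median is robust to a single wildly wrong sensor, unlike the mean
    reference = median(valid.values())
    agreeing = {n: d for n, d in valid.items() if abs(d - reference) <= TOLERANCE_M}
    outliers = sorted(n for n in valid if n not in agreeing)

    # The outlier is only "negated" if the remaining sensors still corroborate each other
    if len(agreeing) < MIN_AGREEING:
        return ("fail_safe", None, outliers)
    return ("ok", median(agreeing.values()), outliers)


if __name__ == "__main__":
    # Constructed scenario: the camera is fooled into seeing the obstacle much further away
    print(fuse_range({"camera": 80.0, "radar": 20.0, "lidar": 21.0}))
    # Constructed scenario: camera-only vehicle with the same faulty reading
    print(fuse_range({"camera": 80.0, "radar": None, "lidar": None}))
```

The second call is the case the comment is pointing at: with no corroborating sensor the faulty reading cannot be outvoted, so the only honest output is fail-safe.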


> Please read the whole thread

I really wish people on HN would stop with the "I disagree, so you must have not read everything" comments. I keep seeing these recently, but they are unconstructive, and they are insulting to other participants in the discussion. You might like to consider the alternative possibilities that you weren't clear in your earlier comments and people are responding to what you actually wrote and not what you thought you wrote, or that you might not be fully informed and someone who disagrees with you might simply know something you don't.

> The original claim was that vehicles should never be connected to any network because of unspecified online attacks that could actuate brakes or steering. I explained why this was unfounded.

Actually, what you have repeatedly said is that you aren't aware of any vehicles (except the infamous Jeep case) that don't fully isolate infotainment from safety critical systems, which is not the same thing at all.

You also said that the Jeep case was due to a poor architecture that came from the 90s. Even if this is true, the exploit using it to trigger multiple dangerous behaviours remotely was demonstrated in 2015, so apparently the manufacturer was a bit slow on the uptake of what you think they should have been doing for the last 20 years.

Moreover, at least one well-known auto manufacturer is (in)famous for performing OTA updates that can change fundamental car behaviour, so evidently there are still networked vehicles where safety-critical functions and remote communications cannot be fully isolated. It doesn't take a genius to extrapolate from this to the not-so-distant future when auto manufacturers are pushing ever more autonomous functionality combined with OTA updates, either.

Then we have all the cars that now have remote controls that do more than just unlock the vehicle, affecting things like environmental controls, or even summoning a driverless vehicle over a short distance (in theory, at least) with some of the newer developments.

Next we have the security systems providing remote access, such as OnStar's Stolen Vehicle Assistance system that someone else already mentioned, which can in some cases interfere with speed or ignition systems remotely.

I think by this point it's safe to say that whatever explanation you think you gave, the evidence doesn't support a conclusion that modern network-connected vehicles are safe because their critical safety-related systems are fully isolated from external influence, which is what really matters here.

> Adversarial patterns against computer vision based ADAS are only a real issue for system which are not sufficiently redundant.

And yet not so long ago I read this, which if you're interested in the field you've surely seen as well:

https://www.nassiben.com/phantoms

So again, evidently there are systems out there in production that are "not sufficiently redundant". You might have some personal opinions on what should be happening, but that doesn't mean what actually is happening respects your view.
