List of Open Source Licences in Mercedes Cars [pdf] (mercedes-benz.com)
82 points by Xylakant on Oct 24, 2013 | hide | past | favorite | 59 comments


How long before cars are zero-day susceptible to remote wireless hacks that can endanger lives of the passengers?

I have seen conspiracy theories about acceleration and brakes being tampered with, but those allude to the tampering while the car was stationary.

When a vehicle has so much code in it, control systems are fly-by-wire, and there is bluetooth and wifi access, it is not a stretch to imagine a malicious entity driving on the highway and taking over nearby vehicles.



I would guess the control systems and entertainment/navigation systems are separated for that very reason.


They are not that separated. Some modern cars have the entertainment system take note of the speed of the engine and adjust the volume accordingly. Some flip the infotainment display to a backup camera when the transmission is indicated to be in reverse.

This is in addition to some cars adjusting the side mirrors when in reverse. I remember reading of an exploit that took advantage of the fact that the security system was on the same network in a particular car and thieves were able to crack off a side mirror and inject an "unlock" command. Does anybody have a reference for that?


They are typically connected, but (kind of) sandboxed. A small ECU acts as a bridge between the infotainment system and the CAN bus.


These things don't always work very reliably. A guy from a supplier once held a security talk at our university. They basically filter out unwanted messages, but the manufacturers often don't configure them very restrictively, using blacklist approaches instead.


They probably are completely separate, but the use of wireless protocols is not necessarily confined to the entertainment system. For example, wireless tyre pressure/temperature sensors are installed in many cars and can be read with SDR hardware[1]. It's not too much of a leap to assume that false readings could be injected.

[1] http://sandiego.toorcon.net/2013/10/07/dude-wheres-my-car-re...


Yeah, when I saw OpenSSH in the list, that was my first impression too.

I wonder how many backdoor authorized keys they have installed? :(


This shouldn't come as a surprise to anyone, and probably not worthy of promotion on Hacker News. Consider the counterfactual: if Merc hadn't used these open source libraries, they would have had to roll their own implementations of PNG, ZIP, an XML parser... now that would be a story!

Similar hilariously long lists can be found on many web-connected devices, from BMWs to iPhones.

(Pages 3 to 6 are the interesting ones though -- it shows that a majority of these libraries/codebases apply to the brand new S-Class. And the most noteworthy inclusion is AOSP, i.e. Android.)


Entertainment and navigation systems in cars use Android lately. They normally use the base operating system and APIs while the UI is always heavily customized, so you might not recognize it, but it's of course very convenient instead of developing a full OS for your cars.


I'm not surprised they use OS. Some of the libraries come as a surprise to me:

* gcc
* libpcap
* strace
* netcat

I also found it slightly amusing that liboil is used in a car (and is completely unrelated to "oil")


My guess is it's a lot easier to add a bunch of licenses into the documentation than it is to exclude diagnostic tools from production builds.


These are mostly used for diagnosing/debugging the newer head units. They rely on BT and standard networking. GCC is pretty standard for any embedded device, I would say.


Are drivers of the S-Class bound by the terms of the JSON license and so better be careful not to do anything Evil lest they anger Crockford?


A snippet from the SQLite license... I wonder how the driver will comply with this one....

May you do good and not evil.

May you find forgiveness for yourself and forgive others.

May you share freely, never taking more than you give


SQLite is public domain, that snippet is just a README.


For a work to be placed in the public domain, the author(s) must waive all rights to the work. So the "license" part of the readme is actually "The author disclaims copyright to this source code." You can actually obtain a "real" license for SQLite since some jurisdictions do not recognize public domain at all.


Plus, in France the author must have been dead for 70 years. Article L. 123-1 of the Code de la propriété intellectuelle states: "The author enjoys, throughout his lifetime, the exclusive right to exploit his work in any form whatsoever and to derive pecuniary profit from it. Upon the author's death, this right persists for the benefit of his heirs during the current calendar year and the seventy years that follow." Notably, the authors are prevented from waiving all rights to the work, because this would obliterate the rights of their heirs, present and future.


Interesting. I think this presents the question, why should I be forced to let my heirs have rights to my work? What if I really don't like them?


It is virtually impossible to disinherit a child in France. (But a child can refuse an inheritance)

http://www.telegraph.co.uk/property/internationalproperty/33...


Only if the car was built after August of this year (page 5). We'll see a lot of good being done soon! ;-)


Just to clarify – there are 108 distinct licenses used. So apart from Apache, BSD, GPL v2, GPL v3, LGPL, there are 103 _different_ license terms used.

IP law, as currently used, is something really overcomplicated.


The other interesting takeaway is that obviously open source is widely used in embedded systems such as cars. 108 distinct licenses means that they're using at least as many libraries/projects, likely many many more that fall under the big ones.


There are really only a few broad categories of OS licenses, so in this case it's the fault of the programmers for the proliferation of licenses.


I would be interested to see how many contracts and licences they have for their other technology. OS Software licences are just particularly visible.


> GPL v3

There is no [AL]?GPLv3 in those cars, it would be impossible to comply with the license terms.


Why would it be impossible to comply with GPLv3, and allow people to change or replace one program with a new one?

US car manufacturers are legally forced to provide documentation so car owners can repair their car and replace parts. If a car owner wants to change or replace the car's brakes, they are legally allowed to do so. Why should it matter that the software that then controls the brakes is made of 1s and 0s and not of steel and plastic?

Do we really need a Motor Vehicle Owners' Right to Repair Software Act? Do we need one more law that says "we got that one previous act, let's copy-paste that one and add the word "software" to it"?


I suspect it's similar to the reasons why many wireless drivers require binary blobs (either firmware, or the entire driver) -- you can change the software to let you operate outside of the limits allowed by federal regulators, because those limits are enforced in software.


Same goes for the physical brakes on the car. If someone installs custom brakes on their car that are found to be unsafe, it is illegal. This doesn't however make installing custom brakes on your car illegal. On the contrary, the law explicitly allows you to do so, and requires the car manufacturers to give you documentation so you can do it.

Why should federal regulators differentiate between someone installing custom physical brakes on their car, and someone installing custom software that controls the brakes? What's the difference?


Surely the device could contain GPLv3 software which isn't statically linked, or which is simply running on the computer. A lot of these devices use Linux, and may include GPLv3 utilities.


GPLv3 contains the "Anti-TiVo" clause which requires that GPLv3 software be able to be swapped out with its equivalent from-source build by the end-user.

Most car manufacturers are very hesitant to give users access to swap out their car's software, often for warranty and safety reasons.


I can take a car to a repair shop of my choice, and replace the brakes. This is not illegal, nor does it invalidate some kind of "warranty". If the brakes are found to cause a safety risk, it is not the car manufacturer that is going to get into trouble.

Why would there be a special warranty or safety concern replacing the software that controls the brakes, but no warranty or safety concern replacing the physical brakes with custom ones?


I agree that there should be nothing illegal about modifying software, and that modifying software can't (or at least shouldn't) blanket-void a warranty.

My point was that since the burden is on the manufacturer to prove that they're denying a warranty claim due to a user's negligence or damage, manufacturers hate users modifying control software.

It's a lot easier to make a software change, damage a car, and reverse the change than it is to make a physical change, damage the car, and swap the part back before taking the part back to the dealer.

Plus, errors in software are much harder to spot. If I get a brake caliper bracket with a giant crack in it, I see the issue while I'm installing it and can send it back. If I download BillyJoe's Flash V1.65, I have to go to a lot more work to figure out if it's going to hurt me.


If the car crashes, I don't see how it would be easier to replace the offending physical part than to replace the offending digital part.

However, it's true that you might have an easier time seeing a giant crack, but would you see material fatigue? Would you see improperly engineered brakes? Would you notice if, instead of using steel at a critical point, they happened to use a weaker metal like aluminum?

I guess the big difference is in user behavior. No one would go and buy BillyJoe's brakes from some alleyway, especially if it looked like they manufactured the stuff out of paste. However, some people might happily install brakes from an email attachment, sent by fishy Joe's Nigeria email service. Especially if it said "Cheep UpGrade to the car braks!".

I'm not sure if that should matter in the long run. It shouldn't require that the government create a new law, like a Motor Vehicle Owners' Right to Repair Software Act.


This line has caught my attention "If you are affiliated in any way with Microsoft Network, get a life" under Netcat License


A cursory search of the net returns the license pdf, but no source code, list of source code used or offer of source. Is this the sort of thing that comes with the actual car?

Edit: My bad. The offer is in the pdf. Anyone actually looked at the provided disk? What's on it?


Weirdly this is simultaneously pretty cool (yay, open source makes an impact, take that Ballmer) and quite horrible (license jungle anyone?).


So, do they also provide downloads of source code and the modifications?


I don't think they provide downloads, but the document includes an offer to obtain the source:

Components of the software used in the vehicle may be free and open source software licensed under the terms of license of the GNU General Public License, Version 2 (GPLv2), GNU Lesser General Public License, Version 2.1 (LGPLv2.1) or GNU Library General Public License, Version 2 (LGPLv2). Upon request, we will supply the source code of the components licensed under the GPLv2, LGPL v2.1 and LGPLv2 on a data-medium (please specify the designation of your vehicle). Please direct your request to the following address within three years after vehicle delivery:

Daimler AG, HPC: CAC, Customer Service, D-70546 Stuttgart

The copyright holders usually do not provide any warranty and assume no liability whatsoever for the free and open source software components. Note that any modification to the vehicle of any kind can void any warranty claim.


Further ways to contact the Customer Assistance Center (not in the PDF):

phone: 00800 1 777 7777

e-mail: cs.deutschland@cac.mercedes-benz.com


> NetFront (not China)
> NF Browser (only China)

Does anyone have a clue what the difference between those is, and what it has to do with China? The license terms are exactly the same except for the name of the software. Also, NF Browser redirects to NetFront on Wikipedia (https://en.wikipedia.org/w/index.php?title=NF_Browser&redire...).


The crypto stuff is handled by these guys - http://www.bouncycastle.org/

I was originally looking at their library to help me programmatically generate self-signed certificates via C# (that are Apache / openssl / mod_ssl compatible), but ended up trying to use some native interop code and Windows crypto-api, and could only get it 80% of the way, so I gave up and moved on.


Interesting to see GTween in there, an HTML animation lib similar to the AS3 API, used in the S-Class. So I guess the dash must have some browser in it. Seems inefficient for something I imagine has a finite scope, such as an open-car-door animation, or tweening the temperature bar etc.


I got a little worried when I saw msdos_fsck in the list but then I remembered that I don't own a Mercedes and calmed down.


That's for FAT filesystems... i.e. SD cards and the like.


Has anyone driven an S-Class? It has almost every one on that list. What's it got in there that the others don't?


Although optional, the S-class features tablet-like computers (with a browser and internet connection) for the rear-seated passengers. They also feature google maps navigation in the front and back.

The 2014 model has even more of these options, see: http://www.slashgear.com/2014-mercedes-s-class-revealed-and-...


The S-class is famously the test bed for new technologies - they start at the high end and then slowly migrate downrange.


S-class owners are also known as "beta testers" ;)


Most interesting: Why libpcap, strace and netcat? Also: gcc in a car?


libpcap can sniff Bluetooth and the S-class has Bluetooth?

Otherwise I'm guessing it's probably all just part of their standard tool chain and someone said "give me a list of all open source software you used while developing the software for the S-class".


Bluetooth is certainly one possibility, although libpcap can be used for a broad range of protocols, including USB and CAN, which are other candidates in a system like this.

Everything in this header that starts with DLT_ is a supported data link type: https://github.com/mcr/libpcap/blob/master/pcap/bpf.h
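As an added, self-contained example (not code from the thread, the PDF, or any Mercedes software), the following Python ties two points above together: the remark earlier in the thread that the bridge ECU between infotainment and CAN often filters with a blacklist rather than a whitelist, and the observation here that libpcap's DLT_ values cover CAN as well as Bluetooth and USB. It builds a minimal pcap file image in memory with link type DLT_CAN_SOCKETCAN (227), parses the pcap header and records, decodes the SocketCAN frame layout, and runs the frames through a toy blacklist gateway and a toy whitelist gateway. The handful of DLT_ numbers are libpcap's; every CAN identifier and payload is invented for the demonstration and does not correspond to any real vehicle.

```python
"""Parse an in-memory pcap, report its DLT_ link type, decode SocketCAN frames
and push them through two toy gateway policies. Capture and CAN IDs are made up."""
import struct

# A few link-layer type values from libpcap's pcap/bpf.h (DLT_*).
DLT_NAMES = {
    1: "DLT_EN10MB",              # Ethernet
    113: "DLT_LINUX_SLL",         # Linux "cooked" capture
    187: "DLT_BLUETOOTH_HCI_H4",  # Bluetooth HCI over UART
    189: "DLT_USB_LINUX",         # Linux USB
    227: "DLT_CAN_SOCKETCAN",     # Linux SocketCAN
}

CAN_EFF_FLAG = 0x80000000  # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000  # remote transmission request
CAN_ERR_FLAG = 0x20000000  # error frame
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


def parse_pcap(data):
    """Return (linktype, [packet bytes, ...]) from a classic pcap file image.
    The magic number reveals the byte order the capturing host wrote."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a pcap file (bad magic %#x)" % magic)
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(
        bo + "HHiIII", data, 4)
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(bo + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        packets.append(data[off:off + incl_len])
        off += incl_len
    return linktype, packets


def decode_socketcan(pkt):
    """Decode a DLT_CAN_SOCKETCAN record: 4-byte big-endian ID with flag bits,
    1-byte payload length, 3 bytes padding, then up to 8 data bytes."""
    if len(pkt) < 8:
        raise ValueError("SocketCAN record too short")
    raw_id, dlc = struct.unpack_from(">IB", pkt, 0)
    extended = bool(raw_id & CAN_EFF_FLAG)
    if dlc > 8 or 8 + dlc > len(pkt):
        raise ValueError("bad DLC %d" % dlc)
    return {
        "id": raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK),
        "extended": extended,
        "rtr": bool(raw_id & CAN_RTR_FLAG),
        "error": bool(raw_id & CAN_ERR_FLAG),
        "data": pkt[8:8 + dlc],
    }


def blacklist_gateway(frames, blocked_ids):
    """Forward everything except explicitly blocked IDs (the weak policy)."""
    return [f for f in frames if f["id"] not in blocked_ids]


def whitelist_gateway(frames, allowed_ids):
    """Forward only IDs the bridge is expected to relay (the strict policy)."""
    return [f for f in frames if f["id"] in allowed_ids]


# --- constructed capture (hypothetical IDs, not from any real vehicle) --------
ID_SPEED, ID_GEAR, ID_BRAKE_CMD, ID_DOOR_LOCK = 0x0C9, 0x1A0, 0x0A0, 0x2F0


def _can_record(can_id, data, extended=False):
    """One pcap record holding a SocketCAN frame, as a capturing host writes it."""
    raw_id = can_id | (CAN_EFF_FLAG if extended else 0)
    payload = struct.pack(">IB3x", raw_id, len(data)) + data.ljust(8, b"\x00")
    return struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 227)
    + _can_record(ID_SPEED, b"\x00\x32")       # speed: legitimately bridged
    + _can_record(ID_GEAR, b"\x02")            # gear position: legitimately bridged
    + _can_record(ID_BRAKE_CMD, b"\xff")       # brake command: on the blacklist
    + _can_record(ID_DOOR_LOCK, b"\x01")       # unlock request: not on the blacklist
)


def run_demo(pcap=SAMPLE_PCAP):
    """Decode the capture and show which IDs each gateway policy lets through."""
    linktype, pkts = parse_pcap(pcap)
    frames = [decode_socketcan(p) for p in pkts]
    return {
        "linktype": DLT_NAMES.get(linktype, "DLT_%d" % linktype),
        "blacklist_forwarded": [f["id"] for f in blacklist_gateway(frames, {ID_BRAKE_CMD})],
        "whitelist_forwarded": [f["id"] for f in whitelist_gateway(frames, {ID_SPEED, ID_GEAR})],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the two gateway functions is the one made earlier in the thread: the blacklist forwards the unexpected 0x2F0 "unlock" frame because nobody thought to list it, while the whitelist drops it because only the IDs the infotainment side legitimately needs (speed, gear) are relayed. The same parser will read a real DLT_CAN_SOCKETCAN capture written by tcpdump on a Linux SocketCAN interface; any pcap with a different link type is reported by name so you can tell a Bluetooth or USB capture apart before trying to decode it as CAN.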


Someone else suggested that they're probably used by diagnostic tools.


All that would be used for on-board diagnostics for the different electronic control units.


I notice there's a license in there for Android which is only used on the S-Class. I'm guessing most of those licenses on this model are a derivative of its use.


Meta-question: what does [scribd] mean in the title?


It's auto-added for pdfs by HN and links to the scribd mirror of the same document.


It's a link to a scribd version of the PDF. Try clicking.


Duh! Thanks.



