
Is Volkswagen going to take Porsche car models off the market because of the EU cybersecurity rules?


New EU cybersecurity rules are causing car manufacturers to avoid old models, I read at Deutsche Welle (DW). The story is popping up in several places: the Volkswagen Up and T6.1, and at Porsche the Macan, Boxster and Cayman models, are being discontinued without a direct successor "because of stricter EU cybersecurity requirements". What is going on here?

It is true that both Volkswagen and Porsche are taking models out of production, and cite cybersecurity as the reason:

VW brand chief Thomas Schäfer told dpa [Deutsche Presse-Agentur, AE] the measures were necessary due to the high compliance costs. “Otherwise, we would have to integrate a completely new electronic architecture [in the car model], which would simply be too expensive,” he said.

This of course sounds a bit like "we are being bullied out of our popular cars by strange cybersecurity rules from bureaucratic Brussels, where they have no understanding of innovation", an undertone I am starting to dislike more and more.

The funny thing is that this is not even about European rules, so anyone who thought of the Cyber Resilience Act or NIS2 is mistaken. At the very bottom of the DW article it is named correctly: it is UN R155/R156, the "Cyber security and cyber security management system" definition of the UNECE. Those rules have been around for a while, but it is 1 July 2024 that is going to be problematic:

From July 2022, manufacturers in the EU, obtaining approval for new vehicle types, must comply with this Regulation. The obligation will extend to all the new vehicles sold in this territory from July 1st, 2024.

To obtain the cybersecurity certification, manufacturers must show that their models are cyber protected against 70 vulnerabilities. This list of risks to avoid includes potential cyber-attacks during the whole process: development, production, and post-production of the vehicle, so those models that get the certification will be protected throughout their entire life cycle.

The core, then, is that since 2021 (when R155 entered into force) Volkswagen and Porsche did not consider it worthwhile to invest in adequate cybersecurity for these models, and therefore have to stop selling them as of 1 July 2024. That in turn is cutting the corner a bit (haha), because the standard literally says:

However, for type approvals prior to 1 July 2024, if the vehicle manufacturer can demonstrate that the vehicle type could not be developed in compliance with the CSMS, then the vehicle manufacturer shall demonstrate that cybersecurity was adequately considered during the development phase of the vehicle type concerned.

From this I take it that for these older models VW and Porsche only have to show that cybersecurity was adequately thought through at the time of design (2007 for the Up, 2014 for Porsche). Possibly things like that key hack from 2016 weighed in here.

Arnoud

The post "Is Volkswagen going to take Porsche car models off the market because of the EU cybersecurity rules?" first appeared on Ius Mentis.

Sjon
23 days ago

How Nestlé gets children hooked on sugar in lower-income countries


Article URL: https://stories.publiceye.ch/nestle-babies/

Comments URL: https://news.ycombinator.com/item?id=40067575

Points: 228

# Comments: 125

Sjon
57 days ago

A MySQL compatible database engine written in pure Go


Article URL: https://github.com/dolthub/go-mysql-server

Comments URL: https://news.ycombinator.com/item?id=39983490

Points: 277

# Comments: 54

Sjon
64 days ago

1.18k drawings of plant root systems


Article URL: https://images.wur.nl/digital/collection/coll13/search

Comments URL: https://news.ycombinator.com/item?id=39974646

Points: 233

# Comments: 58

Sjon
66 days ago

Backdoor in upstream xz/liblzma leading to SSH server compromise


After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian’s package, but it turns out to be upstream.

↫ Andres Freund

I don’t normally report on security issues, but this is a big one not just because of the severity of the issue itself, but also because of its origins: it was created by and added to upstream xz/liblzma by a regular contributor of said project, and makes it possible to bypass SSH encryption. It was discovered more or less by accident by Andres Freund.

I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.

↫ Andres Freund

The exploit was only added to the release tarballs, and is not present when taking the code off GitHub manually. Luckily for all of us, the exploit has only made its way to the bloodiest of bleeding-edge distributions, such as Fedora Rawhide 41 and Debian testing, unstable and experimental, and as such has not been widely spread just yet. Nobody seems to know quite yet what the ultimate intent of the exploit seems to be.

Of note: the person who added the compromising code was recently added as a Linux kernel maintainer.

Sjon
76 days ago

Radios, how do they work?


Article URL: https://lcamtuf.substack.com/p/radios-how-do-they-work

Comments URL: https://news.ycombinator.com/item?id=39813679

Points: 197

# Comments: 16

Sjon
77 days ago