Friday, November 30, 2007

Are you Sync'd?

I've been intrigued by the new Ford initiative to push Microsoft's "Sync" technology into their cars. On the surface, it sounds really cool, being able to voice-activate your music (iPod or compatible player), your cell phone for voice calls... that's pretty cool.

What bugs me though is the fact that there is very little information about how secure this all is. Given that this technology is built upon Microsoft's rock-solid security foundation, I can imagine that we're covered... right? I jest - but the reality is that we should have some security information for the Sync system. I mean, I don't want someone to be able to connect to my music player, or my car's phone while I'm not paying attention!

I've looked over some of the available documentation, and there is surprisingly little on the "PIN" feature for the Bluetooth connectivity in Sync. The support page says that Sync generates a PIN, but it doesn't really tell you whether it's the same PIN all the time, or whether it's a one-time or system-generated "pseudo-random" PIN.

Also - I'd love to delve deeper into the world of "Upgrading your Sync" (click here for more info). As the link provided says, you're supposed to be able to plug your USB device into the Sync, and have it upgrade itself from the provided storage device. I'm guessing that lots of time was NOT put into securing the system from hackers - but what do I know?

I'm wondering whether someone will quickly crack the Sync interface, and install custom apps, voices, etc. onto that thing - and whether something nasty may one day end up on the system? What if someone sends a maliciously crafted text message that overflows and exploits an unchecked buffer in Sync? What if someone figures out how to either steal or remotely inject stuff into my phone book using Bluetooth? What if the media player has a fault and a craftily coded MP3 exploits the system to corrupt my address book or hijack my cell phone to constantly dial those 1-900 numbers in the Caribbean?

I know one thing though... if they ever decide to plug that entertainment system into anything critical to the operation of the vehicle... I'm going to avoid it like the plague!

If you're interested, Sync's page has some FAQs around security... very skimpy though... (click here) - this quote is by far my favorite...

What if Sync gets a virus? Could that cause my car to malfunction?
The Sync platform is independent of a vehicle’s engine. Security is vitally important to the Ford Motor Company and Microsoft. Effective measures have been taken to protect Sync from viruses, and we do not share any information on our strategies or tactics.
You just can't make that kind of PR up, folks... they're taking great measures to protect your security, they're just not willing to release any of those details... just in case.

