Full Report
In this edition, Thor shares how a week off with a new car turned into a crash course in modern vehicle tech. Surprisingly, it offers many parallels to cybersecurity usability.
Analysis Summary
# Main Topic
The analysis draws parallels between the usability challenges and intrusive nature of modern vehicle technology (specifically mandatory Advanced Vehicle Systems) and issues of cybersecurity usability, highlighting how security measures that increase friction or confuse the user can lead to attempted circumvention or reduced efficacy.
## Key Points
- **Usability vs. Security Trade-off:** Modern automotive safety systems (lane-keeping, intelligent speed assistance) that are difficult to disable or consistently re-enable can become distractions themselves, mirroring user frustration with overly aggressive security controls like MFA.
- **System Intrusiveness:** EU regulations mandate features like driver drowsiness warnings and intelligent speed assistance, leading to constant, often confusing, alerts that prompt user intervention (disabling/consulting manuals).
- **Persistence of Settings:** Vehicle systems often re-enable safety features upon restart, requiring repeatable, complex sequences to disable, reducing user control.
- **System Fallibility:** Vehicle sensor systems (cameras for speed signs) are prone to errors (reading wrong signs, being fooled by visual obstructions), which justifies the user's urge to disable them for functional reasons, not just non-compliance.
- **Attribution to Cybersecurity:** The author noted that the experience provided unexpected empathy for users who bypass strict MFA protocols when security measures create excessive friction (e.g., using apps to automatically accept push notifications).
- **Educational Investigation:** The author began investigating vehicle attack surfaces, including Controller Area Network (CAN) bus wiring, protocols, network gateways, and tools like SavvyCAN and Kali Linux's CARsenal (formerly CAN Arsenal).
## Threat Actors
- **Not Directly Applicable:** No specific threat actors or campaigns related to the vehicle usability analogy were detailed, other than potential "drivers" trying to physically block sensors or bypass electronics.
- **Subsequent Mention:** The report later pivots to mention North Korean-aligned threat actor ***Famous Chollima***, but this is separate from the main vehicle usability narrative.
## TTPs
- **Vehicle Systems Interaction:**
  - Convoluted sequence of clicks required to disable features (e.g., six menu clicks for speed assistant).
  - Systems designed to resist user-initiated disabling (re-enabling alerts on restart).
  - Potential physical circumvention methods (stickers on windshields, gluing speakers).
  - Investigation using tools to map the CAN bus network.
- **Security Analogy (MFA Bypass):** Users may accept authentication pushes automatically to reduce friction.
## Affected Systems
- **New Vehicles:** Subject to EU regulation requiring Advanced Vehicle Systems (driver drowsiness warnings, lane-keeping, intelligent speed assistance).
- **Vehicle Systems:** Sensor/camera inputs, GPS data interpretation, CAN bus network components, and alert speaker/radio volume controls.
## Mitigations
- **For Vehicle Usability Frustration (Author's Experience):**
  - Consulting the owner's manual to learn necessary button sequences.
  - Investigating the underlying **CAN bus** architecture (for educational purposes).
- **For Cybersecurity Usability (Author's Reflection):**
  - Reducing friction in security deployments (e.g., implementing SSO).
  - Ensuring users understand *why* security barriers are necessary.
## Conclusion
The report uses the frustrating experience with modern automotive safety features to illustrate a core principle applicable to cybersecurity: security controls must balance efficacy with usability. Systems that are too intrusive, difficult to manage, or error-prone create friction that drives users toward workarounds or circumvention, undermining the intended security goals. Future security deployments should prioritize low-friction methods to maintain user adoption and compliance.