SAN FRANCISCO – Don’t send your old clunker of a retro-mobile to the automotive junk yard just yet. It may be the safest machine on the road.
In an article published Tuesday, Wired magazine reports on how it engaged two hackers to see if they could take control of a Jeep Cherokee from the comfort of their living room while writer Andy Greenberg sat nervously at the wheel while the SUV cruised the highway at 70 mph.
Mission accomplished, terrifyingly so. The security experts, Charlie Miller and Chris Valasek, accessed the Jeep’s computer brain through its Uconnect infotainment system and rewrote the firmware to plant their malicious code. Once in, the duo began blasting hip-hop through the stereo system, turned the AC to maximum and, ultimately, killed the transmission and brakes.
Greenberg was unharmed in the demonstration, which took place on a highway in St. Louis, but eventually wound up stranded in a ditch. But the experiment highlights a concern that often isn’t addressed head-on in the growing excitement over the prospect of roads dominated by either autonomous or heavily driver-assisted vehicles.
If the frequent attacks on myriad retail and financial institutions tell us anything, it’s that there isn’t a digitally connected network that is completely safe from hackers. And while it’s one thing to have to change credit cards due to a breach, it’s another to be trapped in a speeding hunk of metal when the crippling intrusion happens.
Says Miller, a security researcher for Twitter and a former National Security Agency hacker: “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone.”
Miller and Valasek, who have been exploring the automobile’s growing digital vulnerabilities for a number of years, plan to report most of the details of the hack at Black Hat, the security conference that begins in Las Vegas Aug. 1. They’ll leave out enough key elements so other hackers won’t be able to replicate their mischief, the magazine reports.
Coincidentally, at Tuesday’s Senate Commerce Committee hearing on the Internet of Things, senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) announced legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy.
“Connected cars represent tremendous social and economic promise, but in the rush to roll out the next big thing automakers have left the doors unlocked to would-be cybercriminals,” Blumenthal said in a statement. “This common-sense legislation would ensure that drivers can trust the convenience of wireless technology, without having to fear incursions on their safety or privacy by hackers and criminals.”
Most automakers today offer infotainment systems that leverage a driver’s smartphone to connect to the Internet. The idea is to offer consumers easy access to their favorite apps and services while driving, but the feature it turn opens the digital doors to hackers seeking access to the automobile’s controls.
Wired‘s story, titled “Hackers Remotely Kill a Jeep on the Highway – With Me In It,” notes that Miller and Valasek have been sharing their information with Jeep-maker Chrysler (part of the Fiat Chrysler Automobiles group) for nine months. The hackers say the models vulnerable to their software bug are all Chrysler models with Uconnect from late 2013 to early 2015. That collaboration led to a July 16 memo to owners from Chrysler noting that a patch was available to help protect the vehicles from attack; it has to be downloaded via a USB stick or by a dealer.
Charlie Miller, left, a security researcher at Twitter, and Chris Valasek, director of Vehicle Security Research at IOActive, have exposed the security vulnerabilities in automobiles by hacking into cars remotely, controlling the cars’ various controls from the radio volume to the brakes. (Photo: Whitney Curtis, Wired)
Chrysler told Wired that while they “appreciate” the security pros’ assistance, they were less enthusiastic about them lecturing about many of the hack’s nuances at the upcoming Black Hat gathering. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” Chrysler’s statement reads.
One immediate fix involves automakers thinking more like software makers: offer over-the-air updates to operating systems in response to vulnerabilities. Ford and BMW both recently took this route to correct glitches in their systems in the past months.
After quoting an Internet of Things security expert saying that he hopes automakers will become enlightened to the security threats facing connected cars “in the next three to five years,” writer Greenberg offers a literary shudder.
“As I drove the Jeep back toward Miller’s house from downtown St. Louis, however, the notion of car hacking hardly seemed like a threat that will wait three to five years to emerge. In fact, it seemed more like a matter of seconds; I felt the vehicle’s vulnerability, the nagging possibility that Miller and Valasek could cut the puppet’s strings again at any time,” he writes.
“The hackers holding the scissors agree. ‘We shut down your engine—a big rig was honking up on you because of something we did on our couch,’ Miller says, as if I needed the reminder. ‘This is what everyone who thinks about car security has worried about for years. This is a reality.’l
Follow USA TODAY tech reporter Marco della Cava on Twitter: @marcodellacava