It’s taken quite a few major hacking breaches of big websites for people to start appreciating just how insecure a lot of data is on the web. Most recently, the Hacking Team data dump proved even major security players are susceptible to hacks. And now there’s the Ashley Madison hack, which threatens to expose the customer data of millions of wannabe cheaters.
Hopefully, this feature from WIRED raises enough awareness about the hackability of cars that we don’t have to experience a similar stream of incidents before something is done. Reporter Andy Greenberg recently met with Charlie Miller and Chris Valasek, two automobile hackers who wanted to show off an exploit that allowed them to take nearly complete control of a Jeep Cherokee. From the article:
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.”
Two years ago, these hacks were only possible with a computer connected to the car’s diagnostic port. But now Miller and Valasek have figured out a way to achieve the same results wirelessly using a vulnerability in Chrysler’s Uconnect function. The two have only tested their work on a Jeep Cherokee, but in theory the hack could work on hundreds of thousands of late model Chrysler vehicles.
Fortunately for the public, Miller and Valasek let Chrysler know about the exploit and the car company released a patch for their vehicles earlier in July. But this is just one vulnerability with one company’s cars figured out by two random guys in Indiana. As cars get “smarter” and connect to the Internet more and more, issues like this are bound to arise.
U.S. lawmakers are working on legislation to ensure digital security standards are met on all cars moving forward. Hopefully there will be a few no-brainer stipulations in there, like keeping everything involved with actually driving the car from being connected to the Internet in any way. But that raises its own problems: any new exploits discovered would then require manual patching. That’s even the case to fix the current Uconnect issue, and by Miller’s count there are as many as 471,000 vehicles on the road that are still vulnerable.
This isn’t a new issue – people have been demonstrating their ability to wirelessly disable a car’s brakes as early as 2011. But since then little has been done to address the growing potential for disaster. Will car manufacturers wake up to the dangers these hacks present, or will it take several high profile hacks and the loss of human life before enough noise is made to warrant change?