With a discovery that is likely to have a significant impact on the nascent Internet of Things, a couple of cyber-security researchers have successfully demonstrated that they can hack cars’ computer systems, and affect their performance. At the annual Black Hat and Def Con hacking conferences in Las Vegas next month, they plan to unveil the details.
This disclosure appears just when it seemed that drivers would see insurance rates dip as cars took more of the burden of driving out of operator’s hands. Now, it looks like another risk must be factored into insurance rates- losing vehicle control by remote, unseen means. The landscape for auto owners and manufacturers alike just got muddier.
For the past two years, two well-respected security researchers, Charles Miller, and Chris Valasek have been hacking away at various cars, attempting to control them remotely. They have achieved startling and alarming success. Using the internet, they were able to track cars down by their location. They could then determine things such as their speed and remotely control their lights, locks, wipers, radios, GPS, and in some cases, even the braking and steering.
Their work on a Jeep led to a wider discovery that could affect hundreds of thousands of vehicles manufactured by Fiat Chrysler Automotive (FCA). The Jeep they bought last year came with a car stereo head unit that not only displayed traffic and navigation but could also be accessed through wireless and cellular networks. That chip proved pivotal in allowing them to hack into other cars’ head stereo systems and run their code.
At first, their remote controlling was limited to changing radio stations and air-conditioning settings, they soon parlayed that small success into more daunting control processes such as mentioned above. It appeared that every car made by Fiat Chrysler was fair game for the hackers- not just Jeeps. As long as the head stereo systems were compatible, it was off to the races. They just scanned the internet for vulnerable vehicle’s identification number and were able to affect cars nationally from their remote location.
Fiat Chrysler, understandably, was not amused by Miller’s and Valasek’s antics and quickly developed and delivered a patch last week. They were quick to criticize the researcher’s efforts, deeming them to be irresponsible as stated by spokesperson Alye Tadajewski:
“Under no circumstance does F.C.A. condone or believe it’s appropriate to disclose ‘how-to information’ that would encourage, or help hackers to gain unauthorized and unlawful access to vehicle systems.”
The hack prompts the obvious question of why hack into cars. Miller’s response was simple. “I’ve been in security for ten years, and I’ve worked on computers and phones. This time I wanted to do something that my grandmother would understand. If I tell her, ‘I can hack into your car’, she knows what that means.” Maybe so, but it is likely that the auto-hackers have opened a Pandora’s box that can lead to devastating consequences down the road. It’s not like cyber criminals need any encouragement to ply their nefarious trade.
On the other hand, as evidenced by FCA’s measured, rapid response to the hack, maybe hacks like these will compel companies to be more vigilant and creative in future car design. Two things are certain: the genie is out of the lamp, and it’s game on for both hackers and security experts.