In 2011, a team of researchers from two different universities demonstrated that they could wirelessly disable a car’s door locks and brakes.
Car manufacturers ignored them.
In 2013, a team of hackers demonstrated that they could control almost every function of a car, including turning off the engine, if they were wired into the car.
Car manufacturers dismissed the demonstration because it required inside access to the vehicle.
This year, those same hackers completed the work they started. Here are the alarming aspects of their demonstration:
- It was done wirelessly, over the Internet, from a basement ten miles away from where the car was being driven.
- It could target vehicles anywhere in the United States via the vehicle’s cellular connection.
- It took complete control of the car, including wipers, radio station and volume, brakes, steering wheel, and engine.
Let that one sink in a bit. If you are driving one of the newer cars for which this hack has been developed, it is possible for someone three states away to take control of your car, while you are driving it, and cut both your engine and your brakes while yanking your steering wheel to one side. Imagine that happening while you’re on a curvy mountain road, or when you have just pulled out in traffic for a left turn onto a busy highway. The guinea pig in this demonstration certainly found it alarming.
(A Jeep Cherokee rests in a ditch after hackers took control of it. Photo from Wired.)
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.
I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.
There is a very real potential for carnage here. And car manufacturers have been ignoring the warnings, because staying ahead of the risks would involve investing money and hiring specialized computer experts for an activity they can’t monetize. There’s no market advantage (yet) for the boast that “we are serious about security in your vehicle.” Manufacturers would rather focus on making their cars more and more connected—but it’s those very connections that make the hacks possible. The entertainment panel in new cars is the vehicular equivalent of Adobe Flash on computers: vulnerable to hackers and a security nightmare, but irresistible to manufacturers who are competing with other manufacturers offering the same thing.
The hackers—who were working under an $80,000 research grant from the Defense Advanced Research Projects Agency (DARPA)—had tried to warn manufacturers, but their warnings fell on deaf ears and eyes full of dollar signs. They even shared their research with Chrysler for nine months. Chrysler’s response?
On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. […] Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.
Fortunately, the hackers were not depending on the ethics of Chrysler. They went to Wired magazine. Three days after their visceral, very public demonstration was published in a riveting article, Chrysler recalled 1.4 million vehicles to install the patch.
It is abundantly clear that car manufacturers will not do the right thing until they are strong-armed into it. Which is why the hackers will publish their work at this year’s Black Hat conference in Las Vegas, minus only the part of their attack that rewrites the car’s firmware. It is a risky move, because the firmware rewrite might be reverse-engineered by enterprising hackers with fewer morals. But upping the stakes is the only way to force car manufacturers to invest in our safety.