Monday, July 27, 2015
The Wireless-Car-Hack Recall: A Real-Life Drama in Three Acts
As automakers begin to build in more wireless technology to enable not only hands-free mobile phone use from their cars but streaming audio services and navigational and safety aids as well, some researchers at UC San Diego and the University of Washington look into the possibility that these new two-way communication paths can be used to hack into a car's computer for nefarious purposes. After months of work, they manage to use a wireless connection to disable the brakes on a particular car, which to this day remains anonymous. Rather than releasing the maker's name in their research publication in 2011, the researchers suppress it, and instead go privately to the car's manufacturers and warn them of the vulnerability. Also in 2010, more than 100 car owners in the Austin, Texas area whose vehicles were linked into a system that can disable a car if the owner gets behind in his payments, found that their cars wouldn't start. Only, they weren't deadbeats—one of the enforcement company's employees got mad at his boss and intentionally disabled the cars.
Two freelance computer security specialists, Charlie Miller and Chris Valasek, read about the UCSD/University of Washington wireless-car-hack study and decide to investigate the issue further. They apply for and receive an $80,000 grant from the U. S. Defense Advanced Research Projects Agency (DARPA), with which they buy a Ford Escape and a Toyota Prius. With this hardware, they teach themselves the intricacies of the automakers' internal software and as a first step, develop a wired approach to hacking into a vehicle's control systems. This allows them to plug a connector into the car's diagnostic port and operate virtually any system they wish. However, when they show this ability at Defcon 2013, a hacker's convention, representatives of automakers are not impressed, pointing out that they needed a physical connection to do the hacking. That inspires Miller and Valasek to go for the ultimate hack: wireless Internet control of a car, and demonstration of same to a journalist.
After reading dozens of mechanics' manuals and evaluating over twenty different models, the pair decide that the model most vulnerable to an online hack is the Jeep Cherokee. Miller buys one in St. Louis and the pair begin searching for bugs and vulnerabilities in software. Finally, in June of 2015, Valasek issues a command from his home in Pittsburg and Miller watches the Cherokee respond in his driveway in St. Louis. They have succeeded in hacking remotely into the car's CAN bus, which controls virtually all essential functions such as brakes, throttle, transmission, wipers, and so on.
After the lukewarm reception they received from automakers a couple of years earlier, they have decided a stronger stimulus is needed to get prompt action. When they informed Fiat Chrysler Autos of their hacking work into the firm's Cherokee back in October of 2014, the response was minimal. Accordingly, they invite Wired journalist Andy Greenberg to drive the Cherokee on an interstate highway, telling him only in general terms that they will do the hack while he's driving, and surprise him with particular demonstrations of what they can do.
Greenberg must have felt like he was in a bad sci-fi flick about aliens taking over. As he recalled the ride, "Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass." During the finale, the hackers disabled the transmission, throwing it into neutral and causing a minor backup on the interstate.
Greenberg's article appears on Wired's website on July 21. On July 24, Fiat Chrysler Autos announces a recall of 1.4 million vehicles to fix software flaws that allow their cars to be hacked remotely via the UConnect Internet connection that Miller and Vasalek used. It is the first recall ever due to a demonstrated flaw that lets hackers access a car through its Internet connection.
. . . Back in December of 2014, I blogged on the possibility that someone would figure out how to use the Internet to hack into a car's controls. At the time, I reported that several automakers had formed an Information Sharing Advisory Center to pool knowledge of problems along these lines. And I hoped that nobody would use a remote hack for unethical reasons. What Miller and Vasalek have done has ruffled some feathers, but falls short of truly illegal activity.
Instead, it's in the tradition of what might be called "white-hat" hacking, in which security experts pretend to be bad guys and do their darndest to hack into a system, and then let the system designers know what they've done so they can fix the bug. According to press reports, pressure from the National Highway Traffic Safety Administration prompted Fiat Chrysler Autos to issue the hacking recall as promptly as they did, only three days after the Wired article appeared. The annals of engineering ethics show that a little adverse publicity can go a long way in stimulating action by a large organization such as a car company.
You might ask why Fiat Chrysler's own software engineers couldn't have done what Miller and Vasalek did, sooner and more effectively. That is a complex question that involves the psychology of automotive engineers and what motivates them. Budgeting for someone to come along and thwart the best efforts of your software engineers to protect a system is not a high priority in many firms. And even if an engineer with Fiat Chrysler had concerns, chances are that his superiors would have belittled them, as they did Miller and Vasalek's demo of the wired hack in 2013. To do anything more would have required a whistleblower to go outside the company to the media, which would have probably cost him his job.
But this way, Miller and Vasalek get what they wanted: real action on the part of automakers to do something about the problem. They also become known as the two Davids who showed up the Goliath of Fiat Chrysler, and this can't do their consulting business any harm. Best of all, millions of owners of Cherokees and other vehicles can scratch one small worry off their list: the fear that some geek somewhere will pick their car out of a swarm on a GPS display somewhere and start messing with the radio—or worse.
Sources: The Associated Press article on the Fiat Chrysler Auto recall appeared in many news outlets, including ABC News on July 24 at http://abcnews.go.com/Technology/wireStory/fiat-chrysler-recalls-14m-vehicles-prevent-hacking-32665419. The Wired article by Andy Greenberg describing the Cherokee hack is at http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. My latest previous blog on this subject appeared on Dec. 1, 2014 at engineeringethicsblog.blogspot.com/2014/12/will-remote-car-hacking-stop-before-it.html.