Act One—2010-2011
As automakers begin to build in more wireless technology
to enable not only hands-free mobile phone use from their cars but streaming
audio services and navigational and safety aids as well, some researchers at UC
San Diego and the University of Washington look into the possibility that these
new two-way communication paths can be used to hack into a car's computer for
nefarious purposes. After months
of work, they manage to use a wireless connection to disable the brakes on a
particular car, which to this day remains anonymous. Rather than releasing the maker's name in their research publication
in 2011, the researchers suppress it, and instead go privately to the car's
manufacturers and warn them of the vulnerability. Also in 2010, more than 100 car owners in the Austin, Texas
area whose vehicles were linked into a system that can disable a car if the
owner gets behind in his payments, found that their cars wouldn't start. Only, they weren't deadbeats—one of the
enforcement company's employees got mad at his boss and intentionally disabled
the cars.
Act Two—2012-2013
Two freelance computer security specialists, Charlie
Miller and Chris Valasek, read about the UCSD/University of Washington
wireless-car-hack study and decide to investigate the issue further. They apply for and receive an $80,000
grant from the U.S. Defense Advanced Research Projects Agency (DARPA), with
which they buy a Ford Escape and a Toyota Prius. With this hardware, they teach themselves the intricacies of
the automakers' internal software and as a first step, develop a wired approach
to hacking into a vehicle's control systems. This allows them to plug a connector into the car's
diagnostic port and operate virtually any system they wish. However, when they show this ability at
Defcon 2013, a hackers' convention, representatives of automakers are not
impressed, pointing out that they needed a physical connection to do the
hacking. That inspires Miller and
Valasek to go for the ultimate hack:
wireless Internet control of a car, and demonstration of same to a
journalist.
Act Three—2014-2015
After reading dozens of mechanics' manuals and evaluating
over twenty different models, the pair decide that the model most vulnerable to
an online hack is the Jeep Cherokee. Miller buys one in St. Louis and the pair
begin searching for bugs and vulnerabilities in its software. Finally, in June of 2015, Valasek
issues a command from his home in Pittsburgh and Miller watches the Cherokee
respond in his driveway in St. Louis.
They have succeeded in hacking remotely into the car's CAN bus, the internal
network that carries the commands for virtually all essential functions such as
brakes, throttle, transmission, wipers, and so on.
After the lukewarm reception they received from automakers
a couple of years earlier, they have decided a stronger stimulus is needed to
get prompt action. When they
informed Fiat Chrysler Autos of their work hacking into the firm's Cherokee
back in October of 2014, the response was minimal. Accordingly, they invite Wired
journalist Andy Greenberg to drive the Cherokee on an interstate highway,
telling him only in general terms that they will do the hack while he's driving,
and surprise him with particular demonstrations of what they can do.
Greenberg must have felt like he was in a bad sci-fi flick
about aliens taking over. As he
recalled the ride, "Though I hadn’t touched the
dashboard, the vents in the Jeep Cherokee started blasting cold air at the
maximum setting, chilling the sweat on my back through the in-seat climate
control system. Next the radio switched to the local hip hop station and began
blaring Skee-lo at full volume. I spun the control knob left and hit the power
button, to no avail. Then the windshield wipers turned on, and wiper fluid
blurred the glass." During
the finale, the hackers disabled the transmission, throwing it into neutral and
causing a minor backup on the interstate.
Greenberg's article appears on Wired's website on July 21.
On July 24, Fiat Chrysler Autos announces a recall of 1.4 million
vehicles to fix software flaws that allow their cars to be hacked remotely via
the UConnect Internet connection that Miller and Valasek used. It is the first recall ever due to a
demonstrated flaw that lets hackers access a car through its Internet
connection.
. . . Back in December of 2014, I blogged on the possibility
that someone would figure out how to use the Internet to hack into a car's
controls. At the time, I reported
that several automakers had formed an Information Sharing Advisory Center to
pool knowledge of problems along these lines. And I hoped that nobody would use a remote hack for
unethical reasons. What Miller and
Valasek have done has ruffled some feathers, but falls short of truly illegal
activity.
Instead, it's in the tradition of what might be called
"white-hat" hacking, in which security experts pretend to be bad guys
and do their darndest to hack into a system, and then let the system designers
know what they've done so they can fix the bug. According to press reports, pressure from the National
Highway Traffic Safety Administration prompted Fiat Chrysler Autos to issue the
hacking recall as promptly as they did, only three days after the Wired article appeared. The annals of engineering ethics show
that a little adverse publicity can go a long way in stimulating action by a
large organization such as a car company.
You might ask why Fiat Chrysler's own software engineers
couldn't have done what Miller and Valasek did, sooner and more
effectively. That is a complex
question that involves the psychology of automotive engineers and what
motivates them. Budgeting for
someone to come along and thwart the best efforts of your software engineers to
protect a system is not a high priority in many firms. And even if an engineer with Fiat
Chrysler had concerns, chances are that his superiors would have belittled them,
as they did Miller and Valasek's demo of the wired hack in 2013. To do anything more would have required
a whistleblower to go outside the company to the media, which would have
probably cost him his job.
But this way, Miller and Valasek get what they
wanted: real action on the part of
automakers to do something about the problem. They also become known as the two Davids who showed up the
Goliath of Fiat Chrysler, and this can't do their consulting business any
harm. Best of all, millions of
owners of Cherokees and other vehicles can scratch one small worry off their
list: the fear that some geek
somewhere will pick their car out of a swarm on a GPS display somewhere and
start messing with the radio—or worse.
Sources: The Associated Press article on the
Fiat Chrysler Auto recall appeared in many news outlets, including ABC News on
July 24 at http://abcnews.go.com/Technology/wireStory/fiat-chrysler-recalls-14m-vehicles-prevent-hacking-32665419. The Wired
article by Andy Greenberg describing the Cherokee hack is at http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. My latest previous blog on this subject
appeared on Dec. 1, 2014 at engineeringethicsblog.blogspot.com/2014/12/will-remote-car-hacking-stop-before-it.html.