Dude, Where’s My Car? Car Hacking in the Digital Age
Will hackers soon have us all saying “dude, where’s my car?”
In 2015, Chrysler recalled over 1.4 million vehicles after hackers proved that they could remotely hijack a Jeep’s digital control systems over the internet.[1] In a popular video posted to Wired Magazine’s website, hackers Charlie Miller and Chris Valasek demonstrated how they could use the internet to gain wireless control of thousands of vehicles from their laptop.[2] Using what’s known in the cyber security industry as a ‘zero-day’ exploit—a previously undiscovered vulnerability in an operating system that’s been there since the system was coded—Chris and Charlie were able to use the 2015 Jeep Grand Cherokee’s internet-connected entertainment system to send commands to the vehicle’s steering, brakes, transmission, radio, and dashboard functions.[3] To prove how powerful (and dangerous) their discovery was, the two hackers seized control of a Jeep driven by a Wired reporter in an experiment, cutting the vehicle’s transmission and bringing it from 70 mph to a dead stop on a highway outside St. Louis.[4]
Photo Credit: Wired.com
How is this possible, you ask? The answer lies in the rush by automakers like Chrysler to “turn the automobile into a smartphone.”[5] Automakers have competed with each other to offer internet-connected services for entertainment, navigation and safety—features that earn the companies significant recurring monthly revenue streams long after a car drives off the lot.[6] In the push to get internet-enabled features into vehicles, automakers like Jeep parent Fiat Chrysler have generally failed to secure them from digital attack. Chris and Charlie’s discovery of a vulnerability in the ‘UConnect’ internet-connected computer found in thousands of new vehicles produced by Fiat Chrysler gave them access to the most critical functions of a vehicle.[7] The UConnect software enables Chrysler vehicles to connect to the internet for entertainment and navigation purposes while also enabling drivers to make phone calls and have access to Wi-Fi.[8] In all, Chris and Charlie estimate that there are as many as 471,000 vehicles vulnerable to their UConnect hack.[9]
Photo Credit: Wired.com
How did Chris and Charlie discover a vulnerability in UConnect? Simple: they signed up for mechanics’ accounts on Chrysler’s website and downloaded technical manuals and wiring diagrams for vehicles including the Jeep Grand Cherokee used in their demonstration.[10] Luckily, the two hackers were cybersecurity researchers and readily shared their discovery with Chrysler, allowing the company to fix the security flaw in a massive recall.[11] While the recall was embarrassing and costly for Chrysler, no one was hurt, and the vulnerability Chris and Charlie discovered has since been fixed, according to the company.[12] But the success of the two hackers in rendering a $45,000 vehicle inoperable points to larger issues—namely, why was it so easy for two researchers to find a way in?
While Chrysler quickly developed and distributed a patch to fix the zero-day exploit utilized by Chris and Charlie, the incident should serve as a wake-up call to automakers—and makers of internet-connected devices everywhere—to the need to think about cybersecurity when designing, building and installing internet-connected devices. Chris and Charlie argue that their discovery shows the need to build better protections into vehicles before automotive hacking becomes a practical threat.[13] How has Chrysler responded? By embracing the work of the two hackers and offering an industry-first $2,500 “bug bounty” to hackers who inform the company of new security flaws discovered in its vehicles.[14] But Chris and Charlie worry that automakers are moving too slowly. In August of this year, just days after the hackers presented findings at the annual Black Hat conference that showed Chrysler’s patch hadn’t completely shut off outside access to the UConnect system, police in Houston, Texas arrested two men accused of using a laptop to steal 30 Jeeps over a six-month period.[15] The thieves are accused of hacking Chrysler’s DealerCONNECT software to reprogram vehicles’ security systems to accept a generic key and remotely start them.[16] The Department of Homeland Security estimates that over 100 Fiat Chrysler vehicles have been stolen nationwide using similar methods.[17]
Photo Credit: Wired.com
While there are certainly myriad benefits to internet-connected vehicles, including Tesla’s innovative over-the-air software updates that improve vehicle functionality and emissions performance, automakers everywhere must recognize that they are responsible for protecting consumers from the dangers of connecting vehicles to the internet of things. In an age when a webcam can take down the internet (seriously), companies everywhere must change their business and operating models to reflect this new responsibility. For automakers, these changes look like more robust testing and debugging of internet-connected devices and a commitment to employing leading cybersecurity measures. Government regulations must also be updated to reflect the challenges posed by the internet of things. Regulations should hold automakers accountable for protecting consumer safety in the same way that they currently mandate crash-testing and seatbelt use.
[1] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[2] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[3] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[4] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[5] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[6] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[7] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[8] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[9] Greenberg, Andy. “Hackers Remotely Kill A Jeep On The Highway–With Me In It.” Wired, 21 July 2015.
[10] Greenberg, Andy. “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse.” Wired, 1 Aug. 2016.
[11] Greenberg, Andy. “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse.” Wired, 1 Aug. 2016.
[12] Greenberg, Andy. “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse.” Wired, 1 Aug. 2016.
[13] Greenberg, Andy. “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse.” Wired, 1 Aug. 2016.
[14] Greenberg, Andy. “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse.” Wired, 1 Aug. 2016.
[15] Lewis, Brooke A. “Police: Suspects Used Laptops to Steal Cars in Houston Area.” Houston Chronicle, 4 Aug. 2016. Web. Accessed 14 Nov. 2016.
[16] Lewis, Brooke A. “Police: Suspects Used Laptops to Steal Cars in Houston Area.” Houston Chronicle, 4 Aug. 2016. Web. Accessed 14 Nov. 2016.
[17] Lewis, Brooke A. “Police: Suspects Used Laptops to Steal Cars in Houston Area.” Houston Chronicle, 4 Aug. 2016. Web. Accessed 14 Nov. 2016.
One interesting question for the future of automotive cyber-security is in over-the-air (OTA) updates. OTA updates are compelling because when a bug is found, the company can push a software update and fix the issue immediately. Tesla has used OTA fixes as a competitive advantage, as the company was able to fix a bug discovered by white-hat security researchers to ensure the safety of the vehicles (http://fortune.com/2016/09/20/tesla-security-bug-hack/). On the other hand, in the case of the Jeep Cherokee hack, the fix must be implemented via USB at the dealership (https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/). If you’re more interested in automotive cybersecurity technology, check out Karamba Security (https://karambasecurity.com/) and Argus Security (https://argus-sec.com/)!
Thanks for the insights! In an age where we know that hacking is all but inevitable, it’s deeply disturbing that major manufacturers would be this cavalier about the widespread dissemination of an inadequately-tested product with potential life/death implications.
What concerns me even more, however, is what appears to be a woefully underwhelming response and utilization of independent cyber-experts. Here’s my thinking: total direct and indirect estimates for the recall appear to be in the region of $800 million(i) to in excess of $1 billion.(ii) For context, the company has had annual profits near the ~$500-600 million mark in 2014(iii) and 2015.(iv) I wonder, therefore, whether a $2,500 “bug bounty” is anywhere near an appropriate response.
I’d be curious to understand how auto manufacturers have thought about a “bug bounty” in the past when dealing with non-digital hackers and if there are any lessons to be learned for the digital age?
i) Detroit Free Press, “FCA profits fall 40% to $410 million for 2015,” http://www.freep.com/story/money/cars/chrysler/2016/01/27/fca-profits-fall-40-410-million-2015/79365248/, accessed November 20, 2016.
ii) Detroit Free Press, “Fiat Chrysler buyback, fines could surpass $1 billion,” http://www.freep.com/story/money/cars/chrysler/2015/07/27/nhtsa-anthony-foxx-mark-rosekind-fiat-chrysler-recalls/30730931/, accessed November 20, 2016.
iii) Auto News, “Fiat Chrysler’s $4.1 billion operating profit in 2014 fueled by N.A.,” http://www.autonews.com/article/20150128/OEM01/150129809/fiat-chryslers-$4.1-billion-operating-profit-in-2014-fueled-by-n.a./, accessed November 20, 2016.
iv) Detroit Free Press, “FCA profits fall…”
Interesting take on this issue. I wrote about autonomous cars in my post and briefly touched on this point. I think that if autonomous cars are truly an inevitability they’ll all have to “talk,” which means they’ll all have to be linked to a common platform or at least speak via an API, which could make a vulnerability even more dangerous. What do you think the future of car cybersecurity looks like in the context of autonomous cars, which will be both linked to the cloud and in constant communication with each other?