C. Warren Axelrod

Jeep Hacked, Manufacturer “Dismayed”

Dismayed? Is that all the emotion Fiat Chrysler can muster on being informed that its vehicles can be hacked remotely and that many vehicle-control systems, including those that handle steering and braking, can be taken over by researchers Charlie Miller and Chris Valasek? (Okay, right now the steering and braking control is apparently only possible when the Jeep is travelling at less than 6 mph, but two tons of metal at 6 mph is still big-time kinetic energy.) The situation was reported by Nicole Perlroth in the article “Hackers Get Inside a Jeep, and Fiat Chrysler is Dismayed” on page B4 of The New York Times of July 22, 2015. Perhaps they are disappointed, too. But they should be “scared out of their wits,” as should vehicle owners.

As an aside, remote control of vehicles is by no means new. It has been available for well over a decade through systems such as GM’s OnStar. Not only do these systems unlock the doors when you are locked out of your vehicle, automatically call for help if they detect that you have been in a serious accident, and know your exact location as they provide driving directions; they also have the capability to disable your vehicle if you report it stolen, and they are able to listen in on in-vehicle conversations, although GM apparently turned down requests by law enforcement to allow such monitoring. There is a real and present danger that OnStar and similar systems could be hacked, giving attackers all of OnStar’s capabilities, or that a malicious insider could cause havoc. Newer capabilities, such as steer-by-wire, only give hackers more to play with.

I first reported on the work by researchers Charlie Miller and Chris Valasek in a presentation, “Securing Cyber-Physical Software,” at the OWASP AppSec USA Conference in New York City in November 2013, following the publication of my book Engineering Safe and Secure Software Systems (Artech House, December 2012). At the presentation I showed the video of Andy Greenberg at the wheel of a Toyota Prius and remarked that Miller and Valasek were sitting in the back seat of the Prius laughing out loud as they caused all sorts of dangerous vehicle activities. Greenberg’s article appeared in the August 13, 2013 issue of Forbes magazine and is available online at http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ . Miller and Valasek had ripped apart the dashboard of the Prius and connected their laptops directly to the vehicle’s networks. They showed how they could take over many of the operational functions of the vehicle. The industry essentially pooh-poohed the research, saying that it was not practical to perform this experiment in the real world, much as the airline industry has done when responding to researchers’ aircraft-systems hacks.

Two years later, Greenberg is reporting on the latest research by Miller and Valasek, referenced above. This time the access is remote over the Internet, and the Jeep SUV itself has not been tampered with in any way. The results are especially hair-raising, as you can see in the video contained in Andy Greenberg’s July 21, 2015 article “Hackers Remotely Kill a Jeep on the Highway—With Me in It” at http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ . As before, the industry has downplayed the research, stating (in Perlroth’s article) that “anyone with physical access to the car could just as easily cut the brakes.” It seems they missed the point: the researchers needed no physical access at all. Fiat Chrysler says “they have issued a patch” and that it was irresponsible of the researchers “to disclose the vulnerability to the public.” The manufacturer’s spokesperson said that the company “monitors and tests its systems to identify and remove security vulnerabilities.” Well, they clearly didn’t do a great job here. Did they perform the exhaustive “functional security testing” that I have been advocating for years? … Apparently not.

It is really wearying to warn of obvious dangers as we rapidly expand our information and control systems and increasingly tie them together. This is the case with cybersecurity, where today’s data breaches were anticipated more than a decade ago (per my 2001 Congressional testimony and statements by many others far more prestigious than I at that time). The risks are increasing rapidly with control systems as they begin to interoperate with information systems. As I have written many times, there is a major gap in expertise between infosec professionals and safety engineers as these systems are brought together, and this gap needs to be addressed, as do certification standards. Such certification requirements are spelled out for aircraft and land vehicles, but they are obsolete. Granted, a malfunction or failure of an entertainment system is not nearly as hazardous as a malfunction or failure of a flight-control or vehicle-control system, but once a bridge between the two is created, a hack of the former can lead to compromise of the latter. Yet we continue, with equanimity, to build vulnerable systems, and we blame the messengers for inappropriately publicizing the dangers. The aircraft and automobile (and train and ship) industries have had fair warning and clearly have not done enough to correct the situation … in fact they are making it worse by allowing the introduction of inadequately tested new technologies. What will it take for manufacturers to recognize that they are endangering the populace in their pursuit of cool new features that give them a marketing edge? And how much greater will the risk be when cars get automatic pilots?
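To make the bridge argument concrete, here is a small added illustration (it is not code from the original post, from Miller and Valasek, or from any manufacturer). It models a gateway between an infotainment segment and a vehicle-control segment of a CAN network and compares a flat bridge, which forwards everything, with a least-privilege gateway that forwards only an explicit allow-list of message IDs with their expected payload lengths. All arbitration IDs, segment names and frames are constructed for the example and are not the IDs of any real vehicle.

```python
"""Added illustration, not code from the original post or any manufacturer:
a toy CAN gateway between an infotainment segment and a vehicle-control
segment. A flat bridge lets a compromised head unit address brake and
steering ECUs; an allow-listing gateway contains it.

Every arbitration ID, segment name and frame below is constructed for the
example and is not the ID of any real vehicle.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    arb_id: int    # 11-bit CAN arbitration ID (hypothetical values below)
    data: bytes    # CAN payload, at most 8 bytes
    source: str    # segment the frame arrived on: "infotainment" or "control"


# Hypothetical IDs of actuator commands on the control segment.
CONTROL_ACTUATORS = {0x1A0: "brake", 0x1B0: "steering", 0x2C0: "powertrain"}

# Hypothetical message the head unit legitimately needs to send toward the
# control segment (a wheel-speed request for the speedometer display), with
# the payload length that message uses. Actuator commands are deliberately
# absent: the head unit has no business addressing them.
INFOTAINMENT_ALLOW = {0x3F0: 2}

Policy = Callable[[Frame], bool]


def unrestricted_bridge(frame: Frame) -> bool:
    """Flat bridge: every frame on the infotainment side is forwarded."""
    return True


def allowlisting_gateway(frame: Frame) -> bool:
    """Least-privilege gateway: an infotainment frame crosses only if its ID
    is on the allow-list and its payload length is the one that message uses,
    so a padded or malformed frame is dropped as well."""
    if frame.source != "infotainment":
        return True   # traffic already on the control segment is not policed here
    expected_len = INFOTAINMENT_ALLOW.get(frame.arb_id)
    return expected_len is not None and len(frame.data) == expected_len


def forward(policy: Policy, frames: Iterable[Frame]) -> List[Frame]:
    """Frames that reach the control segment under `policy`."""
    return [f for f in frames if policy(f)]


def actuators_reachable_from_infotainment(policy: Policy,
                                          frames: Iterable[Frame]) -> Set[str]:
    """Actuators that a frame injected on the infotainment segment could
    address once it has passed the gateway under `policy`."""
    return {
        CONTROL_ACTUATORS[f.arb_id]
        for f in forward(policy, frames)
        if f.source == "infotainment" and f.arb_id in CONTROL_ACTUATORS
    }


# Constructed traffic: a legitimate request, the same request with a padded
# payload, two spoofed actuator commands from a compromised head unit, and a
# genuine brake frame that is already on the control segment.
SAMPLE_FRAMES = [
    Frame(0x3F0, b"\x00\x01", "infotainment"),
    Frame(0x3F0, b"\x00\x01\xff\xff\xff", "infotainment"),
    Frame(0x1A0, b"\xff\x00\x00\x00", "infotainment"),
    Frame(0x1B0, b"\x7f\x01", "infotainment"),
    Frame(0x1A0, b"\x00\x00\x00\x00", "control"),
]


if __name__ == "__main__":
    for name, policy in (("flat bridge", unrestricted_bridge),
                         ("allow-list gateway", allowlisting_gateway)):
        reach = actuators_reachable_from_infotainment(policy, SAMPLE_FRAMES)
        print(f"{name}: actuators reachable from infotainment = "
              f"{sorted(reach) or 'none'}")
```

The flat bridge lets the two spoofed frames reach the brake and steering ECUs; the allow-listing gateway forwards only the well-formed speed request, which is the kind of segmentation a certification standard for connected vehicles would need to require rather than leave to the manufacturer’s discretion.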
