Can a Connected Car Ever Be Safe from Hacking?

JARED GALL

October 3, 2017 at 12:05 PM

Charlie Miller made headlines in 2015 when he and another cybersecurity researcher, Chris Valasek, remotely hacked into a Jeep Cherokee as it was being driven down the highway for a story in Wired magazine. (The Cherokee’s driver, a Wired writer, knew what was happening.) Having made no prior physical contact with the vehicle, Miller and Valasek used the Jeep’s Uconnect cellular connection to access its computers and take control of its acceleration, braking, and, during a later test, even its steering—all from Miller’s couch. The most chilling aspect of the attack? It would have worked on any vehicle in the United States running that version of the Uconnect software. Their findings led to a recall of 1.4 million Chrysler, Dodge, Jeep, and Ram vehicles to have the vulnerability rectified. Miller has led driverless-vehicle cybersecurity at Uber, and both he and Valasek recently accepted positions with Cruise Automation, the GM subsidiary focused on the development of computer-driven cars.

C/D: Do you see a clear path to truly securing a shared driverless car?

CM: Yeah, for sure. I mean, that’s my job, to do just that. If I can’t do that, we’re in trouble. There’s nothing special about the computers that autonomous cars are using, the hardware, or the software. None of that stuff is fundamentally different security-wise than securing networks or computers that are sitting in a corporate network. The only difference is that, if you mess up and a hacker gets in, the consequences are much more severe. But no new defensive techniques need to be invented. We just need to systematically apply what we know, take our time, and do it right.

C/D: That sounds fair enough, but you’ve read the headlines. So many companies and government entities fail to secure their networks. Are they simply failing to implement these best practices?

CM: It’s a little different than that. In some respects, securing a car is easier than securing a network of 20,000 laptops run by 20,000 people who are carrying them around, going to coffee shops, clicking on things, and surfing the web. A car at least is predictable. It’s still a lot of computers, but they’re used in predictable ways and we have a lot of control over the environment.

C/D: But as we advance toward new ownership models, we’ll have countless people with direct access to shared cars.

CM: For sure. People will have access to the vehicle for extended periods of time, and you need to design security into that. But the advantage you have is that, unlike a car company that’s making a car and has to secure it, if you’re talking about autonomous cars run by ride-sharing firms, you’ve got cars that come home at night. We can examine them, check them, and update them. Where a normal car company sells a car it may never see again, we will have the advantage of knowing where the cars are. So we can monitor them and bring them in, we can update them whenever we feel like it, we can add new hardware. There are a lot of things we can do to help ourselves.

C/D: In a full-on connected-car future, wouldn’t you have assorted vulnerabilities in the infrastructure as well?

CM: Well, presumably the infrastructure would all be talking to each other, and so each device is a potential point of attack. But the car’s computer needs to be smart enough to use multiple sources of data. You never want to rely completely on one sensor or one type of data.

C/D: Is it realistic or even necessary to adopt a set of standards to regulate the implementation of these practices and technologies?

CM: Standards are one thing and might be helpful to make sure everybody is doing at least the right general things, but in the end, it’s going to come down to each particular automaker and supplier doing everything right, checking each other, testing things, and getting third-party validation. Standards definitely are not going to solve the problem but might be the first step in the right direction.

C/D: Is it reasonable to fear hackers taking control of the whole fleet and, say, have all cars make a 90-degree left simultaneously?

CM: We could have done that in the Jeep, so yeah, that’s realistic.

C/D: Could you have done it to multiple cars at the same time?

CM: Absolutely. At any one time, all the cars that were on were vulnerable. Not all 1.4 million that were recalled are on at any given time, but all that were on [during our test], we could have scanned, found them, and made them do things. You could scan the internet, find them, and make them do things. It would take some preparation—you can’t instantly scan and find 100,000 cars in one second, but you could scan over time, find them, and then once you knew where they were, and maybe you’ve programmed some part of your attack ahead of time, you could push a button and, yeah, they’d all do something.

C/D: How long was it from when you got your hands on a Jeep to the time you were able to implement that hack?

CM: It took a couple of months to even know there was a problem. But to get from end to end, where we exploited the vulnerability and we could do the most dangerous kinds of attacks, including turning the steering wheel at speed, that took close to two years. Of course, this wasn’t our day job; we did it on weekends and evenings, so we could have gone faster. So maybe with more people . . . But in reality, it took close to two years, and so it’s not something that some kids are going to do overnight or in a weekend. It is difficult, but at the same time, you don’t ever want two guys in their basement to figure out how to do that.

C/D: Are there any practical steps the industry should be taking that it isn’t?

CM: The one I’d love to see is more transparency about what steps they are taking. They say they’re working together, but I’d love to see academic people and researchers helping them as well. Security should not be a competitive advantage in any market, especially one that has to do with physical safety. The good news is, we’re not going to have an autonomous car tomorrow or next week. Nobody knows when it’s going to be, but we have time to get it right. We’re in a good position now to do it.

C/D: Is it possible to make a system unhackable?

CM: No. Nobody knows how to do that. But what you can do is make it so hard that nobody cares enough to do it.

C/D: But when the potential for mayhem is so high . . .

CM: I guess. But when you make it so hard that only someone with a billion dollars can do it . . . A person with a billion dollars can cause a lot of mayhem in a lot of ways. Spending that to hack into autonomous cars probably isn’t number one on that list. Hacking cars is hard.

Thinking Tank

The cybersecurity threat ratchets even higher when computer-driven vehicles go to war. Dariusz Mikulski is a ground-vehicle robotics research scientist for the U.S. Army Tank Automotive Research, Development, and Engineering Center, which plans to have driverless supply vehicles in war zones within 10 to 15 years. —Eric Tingwall

C/D: What’s at stake if the military doesn’t get cybersecurity right?

DM: We have a lot of wireless devices . . . radios, radar, lidar, short-range and long-range communications, satellites, exposed ports, and we have supply-chain issues. We have a lot of different potential avenues that someone could exploit and have complete control of the entire vehicle.

C/D: Does the threat change when you’re fighting insurgents rather than a foreign government? Are they more or less capable of pulling off a cyber attack?

DM: With cyber, there are low barriers to entry. People can learn it pretty easily. It’s somewhat cheap to get involved in. That’s not to say that it’s easy to break into one of our systems. Even though there may be tools available and people may shop the knowledge, there’s a lot of domain-specific knowledge that’s not publicly available.

C/D: If you can’t make a computer system unhackable, what’s the best defense?

DM: The whole point of doing cybersecurity is that you want to create a bigger time buffer between when an adversary begins and when they actually get to your crown jewels. You want to make the time buffer so big that by the time they actually get to where they want to get, it doesn’t matter anymore. The data is obsolete, it’s irrelevant. If it takes an adversary six months to get into your system, but you can patch it in a couple of hours, that’s a big win from a cybersecurity standpoint.

Auto•No•Mo'•Us: Return to Full Coverage

Billboard
Britney Spears Gets Cheeky in NSFW Beach Video: ‘Hello to My A–!’
The star previously gushed about her recent travels to Mexico.
Cosmopolitan
Anya Taylor-Joy's Butt-Baring Corset Dress Is Best Described as Iconic
Anya Taylor-Joy wore a butt-baring corset dress to the Late Show and looked incredible—check out the pics.
MarketWatch
The stock market has already chosen a winner in the 2024 presidential election
‘It’s the stock market, stupid,’ and that’s why the Dow Jones Industrial Average is a surprisingly reliable election predictor.
Fox News
Kate Middleton portrait enrages public: 'Is this a joke?'
A new portrait of Kate Middleton is sparking discourse on the internet, with many believing the painting does not do the princess justice and looks nothing like her.
Hello!
Elizabeth Hurley is perfection in eye-catching underwear shoot
Elizabeth Hurley is known for her head-turning photoshoots and the glamorous model made sure to command attention with her latest daring social media post
Parade
Fans Distracted from Ginger Zee’s Severe Weather News by Her ‘Gorgeous’ Striped Dress
The 'Good Morning America' meteorologist made the weather forecast fabulous.
BuzzFeed
11 Actors Who Couldn't Stand Their Costars And Made It Their Mission To Get Them Fired
Lawrence Tierney, who played Elaine's father on one episode of Seinfeld, was never brought back because he "scared the living crap" out of the rest of the cast.
In Touch Weekly
Could Brittany Hensel Feel Jealousy When Conjoined Twin Abby Is Having Sex? Intimacy Expert Weighs In
Conjoined twins Abby and Brittany Hensel share everything together, including their sex lives. The sisters, who rose to fame when Abby & Brittany aired on TLC in 2012, are dicephalus conjoined twins — defined by the National Library of Medicine as people who are "fused side-by-side with a shared pelvis." Despite their rare condition, Abby...
BuzzFeed
"The First Time I Visited The US I Thought This Was A Restaurant Scam": Non-Americans Are Sharing The Things That Are Totally Common In The US But Bizarre In Other Countries
"I was in the US the first time ever a couple of weeks ago and it blew my mind. I wish I could have brought some back home with me."
Fox News
IT'S A 'DISGRACE': Americans deliver blunt assessment of Trump trial
Residents from across the country discuss whether they think former President Trump's trial in New York is on the level and if he's guilty or innocent.
MarketWatch
‘Is he trying to bamboozle me?’ My husband wants a divorce after 20 years. He offered his $275,000 401(k) in exchange for our $250,000 house.
“I used my 401(k) for life expenses because doctors found a parasite behind my husband’s eye.”
SheKnows
Princess Eugenie Hints at Where She Stands in Prince Harry & Prince William’s Feud
It feels like Princess Eugenie has drawn a line in the sand when it comes to the family feud between Prince William and Prince Harry. She’s always been the cousin who seemed closest to the Duke of Sussex, visiting him and Meghan Markle in Montecito, California several times since they’ve moved, but her recent moves …
The Daily Beast
Godawful New Picture of Kate Middleton Gives Art Critics the Chills
Hannah Uzor/TatlerIf you thought King Charles’ portrait was bad, wait ‘till you get a load of Kate’s.Someone who is allegedly the Princess of Wales has been depicted in a radical new portrait for the cover of British society magazine, Tatler, and the painting by British-Zambian artist Hannah Uzor has attracted almost universal derision.The image, which might generously be described as “quirky” and was published on the magazine’s front cover, shows ‘Kate’ in a white floor-length Jenny Packham eve
The Daily Beast
Star of 90s Pop-Rock Band Dies After Slipping in the Shower
Rodrigo Vaz/FilmMagic via Getty ImagesOne of the founding members of Train, the 90s pop-rock band behind hits like “Drops of Jupiter” and “Hey, Soul Sister,” has died after slipping in the shower, his mother said.Charlie Colin, 58, had moved to Belgium recently to teach music and was house-sitting for friends in Brussels when tragedy struck, TMZ reported. He fell in the shower but no one realized until the friends arrived home five days ago to find his body, Colin’s mom told the outlet.Colin, a
ABC News
He fell ill on a cruise. Before he boarded the rescue boat, they handed him the bill
Vincent Wasney and his fiancée, Sarah Eberlein, had never visited the ocean. The couple chose a cruise destined for the Bahamas in part because it included a trip to CocoCay, a private island accessible to Royal Caribbean passengers that featured a water park, balloon rides, and an excursion swimming with pigs. It was on that day on CocoCay when Wasney, 31, started feeling off, he said.
The New Republic
Religious Zealot Mike Johnson Is Speechless About Trump’s Womanizing
A reporter asked the House speaker what he thought about Trump’s affair with Stormy Daniels. Watch his reaction.
FTW Outdoors
Yellowstone coyote not alone; can you spot the other mammal?
The coyote passed virtually unnoticed behind tourists observing bears, but it was definitely noticed by the smaller animal.
Fox Weather
Video: Tanker truck drives directly into Iowa tornado before winds flip another semi
An Iowa Department of Transportation camera caught terrifying moments Tuesday for two truck drivers near Nevada, Iowa, when both were swallowed by a tornado.
NY Post
‘Entitled’ dad blasted for sending kids to hug mom just before she reaches marathon finish line: ‘I’d have a divorce lawyer on phone’
A father has been labeled “entitled” online after he reportedly sent his kids out to hug their mom while she was running a race — nearly spoiling her chances of winning.
Variety
‘Seinfeld’ Star Michael Richards Says ‘I’m Not Racist’ or ‘Looking for a Comeback,’ Nearly 18 Years After Racist Outburst: ‘I Have Nothing Against Black People’
“Seinfeld” fans got a shock last month when Michael Richards made a public appearance at the Hollywood premiere for Jerry Seinfeld’s Netflix movie “Unfrosted.” It was one of the rare times Richards has showed up on a major red carpet in nearly 18 years, as his career more or less ended in 2006 after he …

Thinking Tank

Auto•No•Mo'•Us: Return to Full Coverage

Recommended Stories