When WIRED reported on the live hacking of a Jeep a few months ago, the publication was criticized by some people for sensationalizing the risk of car hacking. That criticism resurfaced recently in a column in Scientific American penned by technology writer David Pogue. As someone who has enjoyed Mr. Pogue’s coverage of technology in the past, I was shocked by, and take issue with, his piece titled “Why Car Hacking Is Nearly Impossible“. I’m also confused as to why Scientific American would publish, without any citations or evidence, the assertion that “remotely hackable cars are still only a hypothetical threat.”
I’m sorry Pogue fans, but that is just wrong. The vehicle featured in the WIRED article was hacked remotely. Somebody located a considerable distance from the vehicle took control away from the driver, potentially causing harm. And that was not the only time, nor the first time, nor the only make of vehicle with which something like this has been done. Indeed, what makes the Scientific American article so surprising is that instances of this happening are documented in scientific research. Here two PDFs to read:
- Comprehensive Experimental Analyses of Automotive Attack Surfaces: documents live demonstration of remote attacks, in work originally reported to the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration, March of 2011.
- Fast and Vulnerable: A Story of Telematic Failures: “we have shown that the TCU can send arbitrary CAN packets, and that this is sufficient to remotely control safety-critical automobile features (e.g., the brakes).” Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage, Department of Computer Science and Engineering, University of California, San Diego.
If you don’t have the time to read academic papers, here is a network news video that clearly demonstrates total remote control. The fact is that numerous researchers, such as those in Stefan Savage’s group at UCSD here in San Diego, have clearly shown how numerous makes of car can be attacked remotely. This was accomplished using tools and techniques that can accurately be characterized as “hacking” despite Mr. Pogue’s suggestion that research is different from hacking (so we shouldn’t worry about its implications).
As you will note from those articles, the companies whose products were identified in this research, which dates back several years, have taken actions to reduce vulnerabilities. Corrective action was also initiated by FCA (Fiat Chrysler America), the company that put that Jeep and 1.4 million other vehicles on the road with known hackable vulnerabilities, the ones publicly exposed by WIRED. (Yes, I’m saying the folks who engineered those vehicles were aware that they could be hacked, but decided there was not enough risk of this causing harm to change the design.)
But fixes for vulnerabilities are not the end of the story. Contrary to what Mr. Pogue seems to be saying, patching vulnerabilities in a system does not mean the system was not hacked, unless you tightly define hacking so that what you’re really saying is: “No incidents have been reported in which the patched vulnerability was maliciously exploited prior to its being patched.” Indeed, it is possible to argue that those 1.4 million vehicles are still vulnerable, given that the patching process itself appears to be ill-conceived and insecure. I have to wonder whether Mr. Pogue actually read the Flynn Brown v. FCA suit filed in August (reported and linked in this WIRED article). As the saying goes “I’m no lawyer but” it struck me as a fairly comprehensive argument that “These vehicles, when sold and at all times thereafter, were not merchantable and are not fit for the ordinary purpose for which cars are used.”
So, does anyone still think that “remotely hackable cars are still only a hypothetical threat” as Mr. Pogue asserted? The last time that I checked Webster’s dictionary, hypothetical was defined as: “involving or based on a suggested idea or theory, involving or based on a hypothesis, not real, imagined as an example.” The Jeep hack was not imagined, it was real, it happened. If there is an unknown here, it is this: has anyone been harmed by exploitation of digital vulnerabilities in vehicles? Saying we have not heard of this happening is not the same as saying it has not happened.
As for the WIRED story that started this discussion, I hate to think we need to sensationalize automotive security vulnerabilities with live demos on public roads. Ideally, security researchers should work quietly behind the scenes with car companies and their suppliers to fix problems as expeditiously as possible and design them out of future products. But when research papers and parking lot demonstrations and direct notifications do not move a company to institute protective measures, some researchers are going to break ranks with that approach. After all, the bad guys are not known for giving victims fair warning.
by Stephen Cobb, ESET We Live Security