When I watched some security researchers hack into several cars without even touching them, my head exploded a little bit.
There are countless models on the market now that offer slick upgrades like 4G LTE connectivity and even wifi. Why have wifi in your car? Who cares, the car companies must think, people will pay extra for it. Based on recent revelations about car hacking, however, it seems destructively apparent that car companies don’t want to devote the budget dollars to pay for strong security on these new connected cars. It’s almost as if the manufacturers themselves are still so dazzled by the idea of an internet-connected car that they’re ignoring the less-glamorous implications. As such, it’s hard to tell just how much the average driver should be worried about the apparent hacker threat.
But we shouldn’t be scared of the hackers. They’re currently the only people looking out for driver safety, by publicizing how easy it is to turn cars into remote-controlled death machines. Instead, we should be scared of the car companies and their intransigent negligence when it comes to digital security.
The Chrysler Conundrum
Thanks to the recent Black Hat and DEF CON conferences, where several sessions were devoted to car hacking, the world has learned about a host of new vulnerabilities. There’s little doubt that the remote Jeep hacking that Charlie Miller and Chris Valasek displayed at both conferences seems most extreme. After all, these researchers took control of a Grand Cherokee while Wired’s Andy Greenberg was driving down the highway at 70-miles-per-hour. That’s some scary shit!
“Stop saying unhackable,” Charlie Miller said at the beginning of his Black Hat talk. The imperative was directed at a Daimler spokesperson who had claimed that one of their top models couldn’t be hacked. Of course, this is a foolish claim, since it just taunts hackers into proving it’s not true. (And indeed, hackers did just that to Daimler a couple of weeks ago.)
Miller and Valasek emerged as the stars of this year’s hacker cons, not just because of their impressive exploit but also because of the impact that their research is already having on the auto industry. By the time they took the stage at Black Hat, the duo’s work had forced Fiat Chrysler to recall 1.4 million cars. Those 1.4 million car owners will get USB sticks with a software update that will patch the vulnerability and, maybe, keep them safe.
However, Fiat Chrysler doesn’t seem to want to admit that anything is really wrong. In the press release announcing the recall, the company was quick to point out that any unauthorized access to one of its cars—including the security researchers’ work, presumably—“constitutes criminal action.” The automaker goes even further to dissuade its customers from being scared:
The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.
No defect has been found. FCA US is conducting this campaign out of an abundance of caution.
The abundance of caution and government-enforced software updates are great, but that’s not the point. The point is that Fiat Chrysler knew about the issue before the recall but “didn’t consider the problem a safety defect.” That’s utterly absurd. The government thought so, too. Fiat Chrysler got slapped with a $105 million fine for not recalling its cars on time.
Security Through Obscurity
So far, car hacks are extremely unusual in the wild. That’s why it’s been easy for automakers to gloss over the work of security experts like Miller and Valasek. Essentially, they’re taking making the age-old mistake of confusing security with obscurity. Just because a hack is obscure doesn’t mean it isn’t dangerous — and it may even be a harbinger of more to come.
Samy Kamkar is perhaps most infamous for building and deploying the Samy worm, a fun-loving, self-propagated script that shut down MySpace within 24 hours. However, the 29-year-old has recently earned well-deserved accolades from the security community for his work hacking into cars. His focus? The systems that control keyless entry and remote ignition.
Kamkar’s latest project is called OwnStar. With just $100 in off-the-shelf parts, the researcher managed to build a device that can be planted on a car, then pilfer the car owner’s credentials from GM’s OnStar Remote Link app. With those credentials, hackers can do all kinds of things—including but not limited to unlocking and turning on the car. Last week, Kamkar revealed that the device would also work on BMW, Chrysler, Dodge, and Mercedes-Benz automobiles. (So much for being unhackable!) It’s the same vulnerability that affected GM cars, but the other companies didn’t even bother to check their systems. It’s still unclear if they’re even planning to update their apps.
“I’m only testing this stuff because these are things I use,” Kamkar told me in an interview. “These are things my mom uses. I want to know if my mom uses things that people can break into.”
Kamkar’s mission is the same as Miller’s and Valasek’s and every other researcher who’s trying to spot problems before bad guys find them. Heck, even that 14-year-old kid who hacked into a car with $15 worth of parts from Radio Shack is doing good work. The car companies, for their part, are still dragging their feet when it comes to addressing security vulnerabilities.
Automakers Are Wearing Blinders
Here’s a tough truth: Everything is hackable. If technology has wireless features, it’s especially hackable. If it’s connected to the internet, it’s the most hackable. So a car with a key fob, onboard wifi, and a built-in 4G antenna? Very, very hackable.
The fact that automakers want to pretend that they can build an unhackable car is a big problem. Beyond that, the rumor that you don’t really need to be worried about your car being hacked is misleading. If your car connects to the internet, you’re exposing yourself to a level of next-generation threat. These are issues that security researchers have told car companies about repeatedly, only to receive dismissive responses.
“Some of the things that I’m finding are not crazy,” Kamkar told me. “I’m finding very common vulnerabilities that have been known about for at least a decade in the cyber security world.” He added, “Clearly, [automakers] are not paying as much attention as they should.”
If the white hats like Kamkar are worried, it’s not hard to imagine that black hats are paying attention, too. The next car you buy will probably be internet-connected. And the companies selling that car probably hasn’t built the security measures required to make sure those flashy new features don’t put you at risk.
If car companies aren’t going to watch out for your security, you’ll just have to do it yourself. My advice: Buy a 2000 Volkswagon Jetta. It has zero internet connectivity and gets great gas mileage.