For the first time, IT specialists have remotely hacked a car and full control of it – including the brakes and engine. Growing connectivity can improve life, but it also raises concerns over technical vulnerabilities.
This was one drive Andy Greenberg will not forget any time soon, even though the writer for “Wired” magazine was forewarned. Before a test drive, security specialists Charlie Miller and Chris Valasek advised him not to panic – no matter what happened.
It was all fun and games on the highway when the white Jeep Cherokee unexpectedly blew ice-cold air into the car’s passenger area. It started getting annoying when the radio switched to a hip-hop station and played music at full volume. Greenberg started feeling queasy when the windshield wipers were set off and partially obstructed his view. But it was when the hackers turned off the engine while Greenberg was driving that he did, however, reach the verge of panicking. In a parking lot, the hackers showed how they were able to manipulate the steering wheel and the brakes.
About 470,000 cars are in danger
Miller and Valasek wanted to prove that they could hack the Jeep Cherokee by using a laptop and a cell phone. And they wanted to show that they could do it remotely, via an Internet connection, from the comfort of their living room. The experiment proved to be successful. According to the two hackers, the attack would work with about a half a million other vehicles that are furnished with Uconnect systems, like the Jeep Cherokee. Uconnect provides Internet connectivity and supports features like GPS and sound systems. It also lets passengers connect smart phones and tablets to the cars internal systems.
Mikko Hypponen of the Finnish security company F-Secure, told DW automakers have insisted for years that they focus on secure systems, but, he added, they have very little experience in the field and a lot of ground to make up when to comes to keeping their vehicles’ computer systems safe.
And it’s a problem that will probably grow with the popularity of automated driving, according to Ferdinand Dudenhöffer of the CAR Center Automotive Research at the University of Duisburg-Essen. In the future, cars will communicate even more frequently with their environment, Dudenhöffer added.
“Communication takes place through the Internet,” he said. “That means the dangers will grow. We have to think more about vehicle safety with regard to hackers.”
The fridge that produces digital spam
The same holds true for other products. The much-lauded “Internet of things” has long found its way into reality. More and more of the appliances around us are connected to the Internet. The IT company Cisco has estimated that around 15 million connected appliances are in use today. Cisco expects that to increase to 50 million by 2020. But now, even a “smart” refrigerator can be a target.
In early 2014, first reports surfaced about a refrigerator that was part of a botnet, which sent massive number of spam emails.
“It is the nature of the Internet to link things together that are not necessarily related to the Internet – cars, refrigerators, smart homes and whatever new buzzwords you hear,” said Christopher Paar, a professor for embedded security at Ruhr University in Bochum.
He said many manufacturers are content with creating a good enough network to offer additional features. But, Paar added, “Security is often not considered or is ranked lowly when designing systems.”
But when it comes to compromises in driving safety the consequences are more than just a nuisance, like a fridge sending spam. That’s why Miller and Valasek have been pointing out the flaws of connected cars. A demonstration in a Toyota Prius and a Ford Escape in 2013 showed how cars can be taken over by a laptop and that the Jeep Cherokee isn’t the only vulnerable vehicle on the road. Andy Greenberg was in the driver’s seat back then, too, but Miller and Valasek were in the passenger seats and cables connected them to the car.
Miller and Valasek have said they are going to the Black Hat conference, a global security meeting, in early August and there, they want to demonstrate how remote hacks via the Internet work. Public exposure should make people aware of the dangers. That will likely put extra pressure on car manufacturers, who in the past have been slow to react to safety issues.
Miller and Valasek informed Chrysler about the security breaches months ago. Now, Chrysler has brought out a patch to repair them, but on a USB stick, which is rather unhandy as it has to be installed manually. In one of his tweets, Miller strongly urged people not to be intimidated by this inconvenience.