Hackers have long been able to cause a lot of damage to people's privacy, reputations, and pocketbooks. But until recently, it usually wasn't possible for hackers to kill people.
Now that's changed. In a terrifying demonstration to Wired reporter Andy Greenberg, two hackers have shown the ability to hack into a Jeep Cherokee from miles away, gain control of its internal network, and then tamper with its transmission, brakes, and other safety-critical features.
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
The hackers, Charlie Miller and Chris Valasek, are professional security researchers, so they aren't planning to use their discovery for evil. But malicious hackers could use the same techniques to remotely tamper with cars across the country:
“A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.”
The researchers also know how to disable a vehicle's brakes remotely, and they're working on the ability to take over the car's steering.
Miller and Valasek notified Chrysler about this problem nine months ago, and the company recently released a software patch to fix the vulnerability. But customers have to manually upgrade the software themselves, which means that thousands of Chrysler drivers won't realize they're driving around in a car that could be crashed by hackers at any time.
This is an issue the automobile industry is going to need to take a lot more seriously, and hopefully it won't take a spate of hacking deaths for that to happen. Driving around in a car with known-vulnerable software is dangerous — car companies should be proactively notifying customers about the defect, and perhaps even doing a formal recall. They should also be working on better remote-update capabilities, so that security flaws can be fixed automatically.
But more broadly, car companies need to realize that they're in the software business now. Security is one of the most important responsibilities of a major software company. Companies like Microsoft and Google have hundreds of security experts on staff — and security flaws in Windows and Android generally won't get anyone killed. Car hacking can get people killed, so car companies should be taking computer security even more seriously.