Following a Wired Magazine article where hackers remotely took over a Jeep, Fiat Chrysler is issuing a recall of more than one million vehicles that could be hacked. It’s a solid move to restore confidence, but there’s still a long road ahead for reining in car-hacking.
The hackers, security researchers who have been sharing their findings with Chrysler for nine months, aren’t set to reveal their full bag of tricks until the Black Hat conference next week—and even then they’ll leave out the part on how to rewrite the chip’s firmware in the car. Meanwhile, Fiat has released a firmware update, and is issuing a voluntary recall of a reported 1.4 million vehicles that use the built-in software. But even if Jeep (and other) drivers are safe for now, this is just another example that the Internet of Things is more trouble than it’s worth unless security is built in.
A couple years ago the stunt might’ve sounded like something from a bad spy show: Hackers Charlie Miller and Chris Valasek remotely turned on Wired reporter Andy Greenberg Jeep’s stereo, blasted the windshield wipers, and cut the transmission—all while he drove (and eventually, slowed to a stop) along a St. Louis highway. Later on (off the highway) they would demonstrate their ability to kill the engine and abruptly activate or disengage the brakes.
The weak point, they said, was the Uconnect “infotainment” system, an increasingly common Internet of Things idea car makers have been using to turn each vehicle into a roaming hotspot and connecting devices. Uconnect’s system was used across Fiat’s brands, including Chrysler, Jeep, Dodge, and Ram—hence the recal.
It’s a good move, but shouldn’t be other car makers’ first wave of defense. As Greenberg writes in his article:
Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. Earlier this month, in fact, Range Rover issued a recall to fix a software security flaw that could be used to unlock vehicles’ doors. “Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California,” Savage says.
For the auto industry and its watchdogs, in other words, Miller and Valasek’s release may be the last warning before they see a full-blown zero-day attack. “The regulators and the industry can no longer count on the idea that exploit code won’t be in the wild,” Savage says. “They’ve been thinking it wasn’t an imminent danger you needed to deal with. That implicit assumption is now dead.”
Which is not a bad message for anyone interacting with the Internet of Things to have: In a dynamic area like cybersecurity it’s not enough to be on top of things, you need to be ahead of the game.
The article was released (coincidentally) in time with the introduction of a Senate bill aiming to require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy. But for many, regulation is not really the most effective solution.
“Laws are ill-suited for a dynamic space like this,” Josh Corman, a cofounder of the security industry group I Am The Cavalry, told Wired earlier this month. “If this [law] can catalyze [the industry] standing up straighter and getting a plan in place, that’s great. If it makes them less responsive in the face of new adversaries, that could be very bad.”
To help foster that spirit of competition and impending downfall, when Miller and Valasek speak at next week’s Black Hat security conference (where many a security vulnerability have been disclosed in years past) they’ll release their code in almost its entirety. It won’t make Fiat Chrysler Automobiles (FCA) very happy, given that at this point the only thing stopping hackers from jerry-rigging their own complete code is a software update the company released on July 16. But for the researchers, it’s the move that will help automakers gain awareness and competence at blocking security breaches.
As the NHTSA noted in their announcement that they would also be investigating whether the recall will be effective at all, the federal agency’s administrator noted that so far FCA’s actions were setting an important precedent. But for many drivers, The Beatles’ “Baby you can drive my car” has never sounded so ominous.