Hackers Take Control of a Moving Car; Fiat Chrysler Issues Recall

Last week we posted a blog asking “What Could Be Worse Than Getting Your Bank Account Hacked?” Last week’s answer was having certain behavior you might not want your spouse to find out about (a profile on a website for “cheaters”) made public. This week’s news is even scarier – way scarier. And it could affect anyone, not just “cheaters.”

Two researchers, Charlie Miller and Chris Valasek, have figured out a way to hack into the control systems of cars – while they are moving! They bought a Jeep equipped with all the electronic gadgets, including a chip that connects to the Internet. At first all they could do was fool with stuff that might annoy the driver, but that wasn’t dangerous: change the radio station or adjust the air conditioning. But after a while they figured out a way to take control of a second chip that gave them much more power – including the ability to work the brakes and steering of the car. In an interview with the NYTimes, Miller said:

I have done a lot of research, but this is the first time I’ve been truly freaked out. When I could hack into a car in Nebraska driving down the freeway, I had that feeling, ‘I shouldn’t be able to do this.’

After this security flaw was discovered, Fiat Chrysler issued the first ever automotive recall related to hacking. The recall affects 1.4 million vehicles. The company tried to downplay the significance in the recall, saying:

The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.

No defect has been found. FCA US is conducting this campaign out of an abundance of caution.

However, once a security flaw has been discovered, news spreads in the hacker underground, and you can be certain other hackers won’t have to start from scratch in figuring out how to exploit the vulnerability.

Also, an article in the NYTimes disputes Fiat Chrysler’s claims in the recall notice. The researchers claimed

they have discovered a way to control hundreds of thousands of vehicles remotely. From the Internet, they were able to track cars down by their location, see how fast they were going, turn their blinkers and lights on and off, mess with their windshield wipers, radios, navigation and, in some cases, control their brakes and steering.

Clearly the researchers did not have “prolonged physical access” to hundreds of thousands of vehicles.

The cars affected by this hack are part of the “internet of things.” The Internet is no longer being used only as a way to transmit information to people. We now communicate with “things,” and in some instances “things” communicate with other things with no direct intervention from humans. The proliferation of Internet addresses means we need a major shift in thinking about how to secure our “things” from hacking. PACid technology, which would assign a “Master Secret” to the car, would prevent hacks such as this one. See the description of our Five Levels of Data Security for more information.