Can Hackers Take Control of Your Car?
Would you like to play a game of global thermonuclear war? That was the question in the movie "WarGames," in which Matthew Broderick hacks into a military supercomputer and (spoiler alert!) nearly triggers Armageddon. The movie debuted in 1983.
Decades later, Broderick is older and paunchier, and the threat of hacking is no longer a fantastical conceit. As more of our lives are run by computers, new frontiers continue to open to hackers. So it should surprise virtually no one that cars, which are becoming more computerized every year, are turning into an ever juicier target. Automotive hacking is not a new phenomenon, but until recently it was primarily achieved through physically plugging into a car's diagnostic port. As automakers breathlessly rush to add Internet connectivity and smartphone vehicle control apps to lure tech-savvy buyers, cars are becoming increasingly vulnerable. As many as 82.5 million vehicles are expected to be hooked up to the Internet by 2022, according to estimates by IHS Automotive. That's a target-rich environment.
It's not like we haven't been warned. "We find the existence of practically exploitable vulnerabilities that permit arbitrary automotive control without requiring direct physical access," wrote researchers with the University of California, San Diego, and University of Washington back in 2011. In English: Hackers could infiltrate and take command of a car through its cellular modem or Bluetooth connection—or even through music played in a Windows Media Audio format.
That scenario is now playing itself out, thanks in part to a recent Wired piece that showcased a stunning vulnerability in certain Fiat Chrysler cars. By exploiting a hole in a Jeep Cherokee's Uconnect Internet connectivity software, hackers Charlie Miller and Chris Valasek were able to plant code into the car's head unit, ultimately gaining remote control over multiple vehicle functions, including the transmission and brakes. It's the type of scenario that scares the daylights out of people—you're in the driver's seat, but no longer the driver.
It's important to note that Miller and Valasek are extremely experienced hackers who have been working to exploit vulnerabilities in vehicle computer systems for years. They spent an inordinate amount of time and effort worming their way into the Cherokee. Playing "Mario Kart" with your car is not something any hack hacker could pull off—or would want to. The bigger target for most malicious hackers (we wouldn't put Miller and Valasek in that category) is credit card numbers and other personal information. The potential is there to mine that type of data from your car.
New federal legislation aims to establish rules designed to secure cars against hackers and protect personal data privacy. "Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers," said Sen. Richard Blumenthal of Connecticut, who proposed the legislation with fellow Democrat Sen. Ed Markey of Massachusetts. Markey has for some time been sounding the alarm about the dangers of connected vehicles. He authored a report that gained traction earlier this year calling automakers to the carpet to do more to address the threats.
Fiat Chrysler was eventually forced to recall some 1.4 million vehicles by the NHTSA, which marked the first time a recall was enacted due to a hacking threat. (The fix is available via a download or by going to an authorized dealer.) Since the Wired piece, car hacking stories have been coming out of the Ethernet. One exploited a vulnerability in GM's OnStar app the automaker quickly moved to address. Others tore into a Tesla's dash, ultimately finding a way to wirelessly connect to it. (Tesla quickly rectified the issue.) Another team figured out a way to access a car's CAN Bus (the way a car's electronics talk to each other) by text message through an aftermarket dongle plugged into the diagnostic port.
I recently spoke with Mathias Halliger, a principal engineer for Audi AG's MMI systems, about hacking. Audis have been connected for several years now. Halliger is confident Audis are secure, as it has been a focus for his team, but he admits, "We're not arrogant enough to think that [a hack] couldn't happen."
At the end of "WarGames" the computer learns the futility of war by playing tic-tac-toe, and the humans learn the importance of maintaining control. So is it time to panic and start buying cars from the analog era? Hardly. But what the recent spate of hacks has exposed is that automakers need to tighten up their security measures, pronto. Because in-car connectivity is here to stay, and you better believe the bad geeks aren't going to settle for a nice game of chess.
Are you concerned by hacking threats? Let me know at firstname.lastname@example.org.