24 Jul The Web-Connected Car Is Cool, Until Hackers Cut Your Brakes
When the history of the connected car is written, this week may go down as a pivotal moment for consumers worried about security.
That is because a pair of technology researchers said that they had wirelessly hacked a Jeep Cherokee through its Internet-connected system, allowing them to take control of critical components like the engine, brakes and even steering under certain conditions.
The revelation left automakers scrambling to reassure their customers that security was a top priority, and Fiat Chrysler said that a software patch it had released a week earlier was designed to plug the hole used by the same two researchers, who had alerted the company before going public.
But the breach showed just how vulnerable the new breeds of web-connected vehicles can be, and the challenges that manufacturers face in defending against the types of attacks common in other technology fields.
“Customers are demanding new capabilities and more technology, so the risk is only going to increase for vehicles,” said Jon Allen, a web security expert at Booz Allen Hamilton. Auto manufacturers, he said, “know they need to get ahead of this from a security perspective.”
Such a web-enabled threat is relatively new for the industry: Complex computer software has been used for years to power cars’ performance, but those computerized brains were always walled off inside the cars themselves; they were not connected to the wider world. For example, when the same researchers, Charlie Miller and Chris Valasek, hacked into a Ford Escape in 2013, they could do so only by plugging a cord directly into the vehicle.
Now, the need for a cord is gone. About 27 million vehicles worldwide are now connected to the Internet, and that number is predicted to triple by 2022, to more than 82 million, according to IHS Automotive.
“The reality is that this is something that needs to be on the forefront of the industry’s radar,” said Akshay Anand, an analyst at Kelley Blue Book. “It’s not talked about as much as it should be.”
The issue has also gotten the attention of lawmakers on Capitol Hill.
In February, Senator Edward Markey, Democrat of Massachusetts, released a report that found only a handful of automakers had systems in place to even detect a hacking intrusion. Mr. Markey, together with Senator Richard Blumenthal, Democrat of Connecticut, has also drafted legislation to establish federal web security standards for automobiles.
A video and article posted by the technology news site Wired showed just how helpless a driver would be in a hacking attack.
As the Jeep Cherokee barreled down a St. Louis highway at 70 miles an hour, the driver, who participated in the experiment, was rendered helpless to control the air-conditioning fan, radio, windshield wipers and the car’s digital display. The two hackers, sitting with a laptop in a basement 10 miles away, took control of them all, even cutting the engine at one point and bringing the Jeep to a stop as traffic whizzed by. Later, they also cut the brakes.