Modern field guide to security and privacy

Jeep hackers: Only a dramatic stunt could force a Chrysler recall

At this week’s Black Hat security conference, researchers Charlie Miller and Chris Valasek said hacking a reporter’s car on a highway – which some called needlessly reckless – was the only real way to effect change.

Courtesy of Black Hat
Researchers Charlie Miller (at podium) and Chris Valasek present their car hacking technique at the 2015 Black Hat security conference.

By now, more than 1 million people have seen the video of two hackers seizing control of a Jeep Cherokee as Wired reporter Andy Greenberg drove down a St. Louis highway at 70 miles per hour.

The video was visual evidence hackers could kill the car’s engine from miles away. And it showed the hack’s real-life hazards: Mr. Greenberg, whose vision was already blocked by a deluge of wiper fluid the hackers unleashed on his windshield, was unable to accelerate. There was no shoulder for him to steer onto as an 18-wheeler approached from behind, honking. “Guys, I’m stuck on the highway,” Greenberg exclaims. “Seriously. It’s … dangerous.”

The jarring video featuring security researchers Charlie Miller and Chris Valasek sparked accusations of recklessness and debate on social media and blogs about whether the demonstration was worth the risk to Greenberg and the drivers around him.

But the researchers say the shock value of their demonstration – and added publicity of the Black Hat and DEF CON hacker conferences taking place this week in Las Vegas – was the reason they raised enough awareness of the security weaknesses to spur Fiat Chrysler Automobiles and Sprint Corp. to fix the problem affecting potentially 1.4 million cars and trucks.

“If we didn’t have the Wired article writing about how we did what we did, there wouldn’t have been a recall,” Mr. Valasek told reporters Wednesday after he and Mr. Miller unveiled, to an overflowing room of cheering hackers at the Black Hat conference, the details of how they took control of the car via Chrysler’s UConnect dashboard computer feature that controls its entertainment and navigation system and enables a Wi-Fi hotspot.

The recall was worth the risk of using Greenberg – and themselves – as guinea pigs. “That’s why we report bugs the way we do. We tell [the company] – then we say we’re going to be at Black Hat, and there’s a story about it,” Miller said. “And that’s what makes them really do something.”

Even though the researchers say they disclosed their findings to the company in October, Chrysler quietly offered a software upgrade just days before the Wired report revealed it publicly last month. Then, as the media maelstrom grew, Fiat Chrysler Automobiles recalled a massive number of Dodge, Jeep, and Ram vehicles with UConnect computers. For its part, Sprint moved to prevent such attacks by fixing what the researchers called a network flaw that allowed its cellular networks to talk to the in-car systems.

These are long awaited changes for researchers such as Miller, who by day is a security engineer at Twitter, and Valasek, head of vehicle security research at IOActive, who have been researching and explaining potential vulnerabilities in connected cars for years. “Car companies are saying, ‘We’re more secure, and working harder’ – but they’ve been saying that for a few years,” Miller said. “We only have like, one data point. And from that data point, they’re not doing that good.”

But the pair – and accompanying journalist – have critics, who say the attention-grabbing stunt wasn’t the only way to prove their point. “It was a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders,” Kashmir Hill wrote for Fusion. “It’s troubling that [Greenberg] and his talented collaborators would explore this vulnerability in a way that put him and the drivers around him at risk of something going terribly wrong.”

The researchers, however, maintain that they tested the hack themselves while driving, and that “all the really dangerous things – like steering and braking – it was in the controlled environment, the parking lot,” Miller said. “We tried to choose something that would make for a good visual but wasn’t actually dangerous.”

Demonstrating the entire hack in such closed environment would not have had the same effect, they insist. “There was a 60 Minutes story where they did this in a closed environment, and no one [cared at all],” Valasek added, referring to the video of a CBS reporter who was unable to use her brakes in order to stop her car at the designated cones in a parking lot as a Defense Advanced Research Projects Agency hacker stood nearby.

If Miller and Valasek have their way, there will be more high-profile hacks on the horizon. The pair plan to release a paper in the coming days detailing the techniques and code they used to hack the connected car. Since Chrysler and Sprint took action to fix the issue, there’s no way a hacker could use those same techniques detailed there to hack a car, but Miller said “the hope is … that other researchers will look at other cars, and will find vulnerabilities, and will report them, and will get them fixed.”

In an ideal world, the car manufacturers themselves would also use this blueprint to “see how someone would go about tearing apart what they built," said Valasek.

After all, as Miller said, “there’s nothing you can do” as a consumer to protect yourself from a potential attack on connected cars. “You’re at the mercy of the manufacturer,” Valasek added. The only thing consumers can do, they say, is ask the manufacturer about their security measures.

Here, too, is another purpose of the stunt hack: Inspiring consumers to actually advocate for their own security when buying a car – and pressure automakers. "Average people now understand that cars can be hacked,” Miller said.

Consumers have a different kind of power, too: Just this week, three Jeep Cherokee owners filed a lawsuit against both Fiat Chrysler Automobiles and the UConnect-maker, Harman International, alleging fraud and negligence (among other things) for failing to heed Miller and Valasek’s previous warnings of security risks. They are inviting any of the rest of the millions of car owners who had vulnerable system to join them in what Wired notes could be a massive class action suit.

So the added media and legal focus means car companies are going to have to pay attention to cybersecurity, the researchers say. “I don’t care if someone hacks my fridge, or my Furby, or my toaster, right? If it’s not going to cause you any physical harm, I can see why they wouldn’t spend their budget on [fixing those security weaknesses],” Valasek said. “But car companies spend millions on millions of dollars on safety. And this is now part of safety – whether they like it or not.”

In the end, the hackers are just as vulnerable as everyone else. "I still drive that Jeep Cherokee. That same one," Miller said. "There’s nothing I can do that could make it more secure than what everyone else does."

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.