Jeep hackers: Only a dramatic stunt could force a Chrysler recall
At this week’s Black Hat security conference, researchers Charlie Miller and Chris Valasek said hacking a reporter’s car on a highway – which some called needlessly reckless – was the only real way to effect change.
LAS VEGAS — By now, more than 1 million people have seen the video of two hackers seizing control of a Jeep Cherokee as Wired reporter Andy Greenberg drove down a St. Louis highway at 70 miles per hour.
The video was visual evidence hackers could kill the car’s engine from miles away. And it showed the hack’s real-life hazards: Mr. Greenberg, whose vision was already blocked by a deluge of wiper fluid the hackers unleashed on his windshield, was unable to accelerate. There was no shoulder for him to steer onto as an 18-wheeler approached from behind, honking. “Guys, I’m stuck on the highway,” Greenberg exclaims. “Seriously. It’s … dangerous.”
The jarring video featuring security researchers Charlie Miller and Chris Valasek sparked accusations of recklessness and debate on social media and blogs about whether the demonstration was worth the risk to Greenberg and the drivers around him.
But the researchers say the shock value of their demonstration – and added publicity of the Black Hat and DEF CON hacker conferences taking place this week in Las Vegas – was the reason they raised enough awareness of the security weaknesses to spur Fiat Chrysler Automobiles and Sprint Corp. to fix the problem affecting potentially 1.4 million cars and trucks.
“If we didn’t have the Wired article writing about how we did what we did, there wouldn’t have been a recall,” Mr. Valasek told reporters Wednesday after he and Mr. Miller unveiled, to an overflowing room of cheering hackers at the Black Hat conference, the details of how they took control of the car via Chrysler’s UConnect dashboard computer feature that controls its entertainment and navigation system and enables a Wi-Fi hotspot.
The recall was worth the risk of using Greenberg – and themselves – as guinea pigs. “That’s why we report bugs the way we do. We tell [the company] – then we say we’re going to be at Black Hat, and there’s a story about it,” Miller said. “And that’s what makes them really do something.”
Even though the researchers say they disclosed their findings to the company in October, Chrysler quietly offered a software upgrade just days before the Wired report revealed it publicly last month. Then, as the media maelstrom grew, Fiat Chrysler Automobiles recalled a massive number of Dodge, Jeep, and Ram vehicles with UConnect computers. For its part, Sprint moved to prevent such attacks by fixing what the researchers called a network flaw that allowed its cellular networks to talk to the in-car systems.
These are long awaited changes for researchers such as Miller, who by day is a security engineer at Twitter, and Valasek, head of vehicle security research at IOActive, who have been researching and explaining potential vulnerabilities in connected cars for years. “Car companies are saying, ‘We’re more secure, and working harder’ – but they’ve been saying that for a few years,” Miller said. “We only have like, one data point. And from that data point, they’re not doing that good.”
But the pair – and accompanying journalist – have critics, who say the attention-grabbing stunt wasn’t the only way to prove their point. “It was a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders,” Kashmir Hill wrote for Fusion. “It’s troubling that [Greenberg] and his talented collaborators would explore this vulnerability in a way that put him and the drivers around him at risk of something going terribly wrong.”
The researchers, however, maintain that they tested the hack themselves while driving, and that “all the really dangerous things – like steering and braking – it was in the controlled environment, the parking lot,” Miller said. “We tried to choose something that would make for a good visual but wasn’t actually dangerous.”
Demonstrating the entire hack in such closed environment would not have had the same effect, they insist. “There was a 60 Minutes story where they did this in a closed environment, and no one [cared at all],” Valasek added, referring to the video of a CBS reporter who was unable to use her brakes in order to stop her car at the designated cones in a parking lot as a Defense Advanced Research Projects Agency hacker stood nearby.
If Miller and Valasek have their way, there will be more high-profile hacks on the horizon. The pair plan to release a paper in the coming days detailing the techniques and code they used to hack the connected car. Since Chrysler and Sprint took action to fix the issue, there’s no way a hacker could use those same techniques detailed there to hack a car, but Miller said “the hope is … that other researchers will look at other cars, and will find vulnerabilities, and will report them, and will get them fixed.”
In an ideal world, the car manufacturers themselves would also use this blueprint to “see how someone would go about tearing apart what they built," said Valasek.
After all, as Miller said, “there’s nothing you can do” as a consumer to protect yourself from a potential attack on connected cars. “You’re at the mercy of the manufacturer,” Valasek added. The only thing consumers can do, they say, is ask the manufacturer about their security measures.
Here, too, is another purpose of the stunt hack: Inspiring consumers to actually advocate for their own security when buying a car – and pressure automakers. "Average people now understand that cars can be hacked,” Miller said.
Consumers have a different kind of power, too: Just this week, three Jeep Cherokee owners filed a lawsuit against both Fiat Chrysler Automobiles and the UConnect-maker, Harman International, alleging fraud and negligence (among other things) for failing to heed Miller and Valasek’s previous warnings of security risks. They are inviting any of the rest of the millions of car owners who had vulnerable system to join them in what Wired notes could be a massive class action suit.
So the added media and legal focus means car companies are going to have to pay attention to cybersecurity, the researchers say. “I don’t care if someone hacks my fridge, or my Furby, or my toaster, right? If it’s not going to cause you any physical harm, I can see why they wouldn’t spend their budget on [fixing those security weaknesses],” Valasek said. “But car companies spend millions on millions of dollars on safety. And this is now part of safety – whether they like it or not.”
In the end, the hackers are just as vulnerable as everyone else. "I still drive that Jeep Cherokee. That same one," Miller said. "There’s nothing I can do that could make it more secure than what everyone else does."