Update July 24, 2015: Fiat Chrysler has issued a voluntary recall for 1.4 million of its potentially vulnerable vehicles.
On Tuesday, Wired published an alarming account in which two security researchers carjack a Jeep Cherokee. Remotely. Miles away. From the comfort of a couch.
The stunt involved Wired reporter Andy Greenberg cruising down a highway outside of St. Louis, Mo. As the pair of code-crackers wirelessly infiltrate his jeep, blasting the radio and air conditioning, killing the hazard lights, cutting the car’s transmission, and generally delighting in the futility of his situation. Their attack leaves Greenberg rattled and stranded in the middle of the road, albeit briefly, as a semi-truck weaves past him.
After the story appeared, commenters immediately pointed out how dangerous this demonstration—performed on a public road amid traffic—was. Indeed, strapped in the hot seat, Greenberg himself admits: “This is fucking dangerous.” (Watch the video here.)
Nice stunt hack but live testing on one of the most dangerous highways in my hometown seems irresponsible http://t.co/zsOmDk6T7r ht @semenko
— yan (@bcrypt) July 22, 2015
https://twitter.com/kevinroose/status/623610836406263808
Agreed that the Jeep hack is alarming. However, pulling that crap on a freeway is irresponsibly stupid.
— Not My Home Planet 🏳️🌈 (@Hoos1492) July 21, 2015
People piled on the criticism. Fusion called the act “a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders.” A security researcher told Forbes, “We as a community need to [not] condone this sort of behavior.” And one agitated viewer, posting to Hacker News, apparently called the cops.
Other came to the stunt’s defense. My Coins2Day colleague Daniel Roberts called it “awesome, ballsy, important journalism.” Cybersecurity researcher and blogger Robert Graham wrote that “Any rational measure of the risk of that stunt is that it’s pretty small — while the benefits are very large.” And mostly everyone praised the story’s narrative.
Https://twitter.com/readDanwrite/status/623626618955788288
In defense of @0xcharlie and @nudehaberdasher:http://t.co/S86foyQv4v
— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) July 22, 2015
https://twitter.com/BlakeSobczak/status/623492549114728448
terrific story by @a_greenberg on research by @nudehaberdasher @0xcharlie – scanning Sprint's network to hack Jeeps http://t.co/Z7mNpBqsEr
— Jordan Robertson (@jordanr1000) July 21, 2015
For many people, the blow-back is justified. Though veteran vulnerability-wrangler Charlie Miller, an ex-NSA hacker who is a security engineer at Twitter, claims in the accompanying video that the demo was done “in as safe a way as we could,” there’s no question it could have been done safer. In a deserted parking lot, perhaps? Or on a test driving track? To be sure, the team did not have to place other people’s lives in danger—regardless of how incredibly compelling that made the tale.
That said, one element of the conversation must not be lost. One should not let the brazen manner of Wired‘s story-telling eclipse the piece’s central point: Automakers are, right now as you read, shipping increasingly connected cars to market that perform pitifully in terms of security. Their critical, internal electronic systems are not adequately isolated from one another. Their code has not been vetted to an acceptable degree by penetration testers. They are open to attack.
Miller and his associate, Chris Valasek, director of vehicle security research at the consultancy IOActive, estimates that hundreds of thousands of Fiat Chrysler vehicles on the road today could be vulnerable. That’s unsettling.
Worse yet is the manner in which the manufacturer is rolling out the security update. There is no recall. There is no auto-patching feature to immediately remedy the issue—a flaw that in itself needs fixing. This is the precedent now being set.
Instead, customers must independently download the patch to a memory stick, or take their cars to a mechanic to fix. “Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said in a statement. “Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.”
Think what you will about Wired‘s escapade—there is a greater danger at play here. Who knows how many vehicles will fail to be patched, potentially jeopardizing the lives of their occupants as well as those in their surroundings? While this author is not an apologist for the researchers’ dicey exploit presentation, their central findings bear reiterating.
As we approach that brave new destination termed the Internet of things, our security processes need to keep pace.
