The main criticism of so-called “car hacking” over the past few years has been that cyber attackers could not use wireless commands to hijack and manipulate a driver’s vehicle under normal driving conditions. Sure, researchers could remotely unlock doors or prompt a car’s computer to jam on the brakes, but only after carefully manipulating the vehicle ahead of time. The recent crackdown on Fiat Chrysler—including an unprecedented fine and a recall of 1.4 million vehicles—however, indicates that both carmakers and the U.S. government can no longer dismiss car hacking as purely hypothetical.
Fiat Chrysler was already in hot water with the U.S. Department of Transportation for failing to execute on 23 vehicle recalls covering more than 11 million defective vehicles in recent years. The situation boiled over last week when Wired published an article detailing a test drive during which cybersecurity experts took over the controls of a Jeep Cherokee wirelessly after breaching the vehicle’s touch-screen Uconnect infotainment system. The researchers used that point of entry to access other systems within the car, cutting the vehicle’s transmission and, later, shutting down its braking system. The Jeep ended up in a ditch alongside the highway.
“The big difference between our previous work and this work is that this [experiment] allowed remote attack,” says Charlie Miller, a security engineer at Twitter, who engineered the hack along with Chris Valasek, director of security intelligence at IOActive. The pair’s previous research focused on attacking specific systems within an automobile—such as the brakes—after plugging directly into those vehicles. In 2013 Miller and Valasek described in detail at a cybersecurity conference how they used a MacBook to take control of electronic control units (ECUs) in a Toyota Prius and a Ford Escape, both model year 2010. ECUs manage critical, real-time systems such as steering, air-bag deployment and braking as well as less critical components including the ignition, lights and infotainment console. Carmakers connect multiple ECUs together within the vehicle using an internal communications network known as a controller area network (CAN). The researchers connected their laptop via a cable to each car’s data port to fool the vehicles’ computers into braking suddenly at high speed and steering into oncoming traffic.
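The paragraph above describes the fundamental exposure: ECUs on a shared CAN bus act on whatever frames they see, because CAN itself has no sender authentication. One common defensive response is a bus-level intrusion detector that learns which arbitration IDs are expected and how often each legitimately appears, then flags frames that fall outside that baseline. The following Python is an added illustration written for this page, not code from the article, from Miller and Valasek, or from any carmaker; the log format, the arbitration IDs and the nominal periods are constructed placeholders, not values from any real vehicle.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    """One classic (11-bit identifier) CAN data frame as seen by a bus monitor."""
    timestamp: float   # seconds since capture start
    arb_id: int        # arbitration identifier (0x000..0x7FF)
    data: bytes        # 0..8 payload bytes

# Constructed baseline of expected periodic broadcasts: arbitration ID -> nominal period in seconds.
# These IDs and periods are hypothetical placeholders, not any manufacturer's real signals.
BASELINE = {
    0x100: 0.010,   # hypothetical "wheel speed" broadcast, 100 Hz
    0x200: 0.020,   # hypothetical "brake status" broadcast, 50 Hz
}

def parse_log(text):
    """Parse a constructed plain-text capture: '<seconds> <hex id> <hex bytes...>' per line."""
    frames = []
    for line in text.strip().splitlines():
        fields = line.split()
        ts, arb_id = float(fields[0]), int(fields[1], 16)
        data = bytes(int(b, 16) for b in fields[2:])
        if not 0 <= arb_id <= 0x7FF or len(data) > 8:
            raise ValueError(f"malformed frame: {line!r}")
        frames.append(CanFrame(ts, arb_id, data))
    return frames

def detect_anomalies(frames, baseline=BASELINE, tolerance=0.5):
    """Return (frame, reason) pairs for frames that violate the baseline.

    Two checks are applied:
      1. an arbitration ID that no known ECU is expected to send;
      2. a known ID arriving much sooner than its nominal period. Injected frames are
         interleaved with the legitimate ECU's own periodic stream, so the observed
         inter-arrival gap collapses well below the nominal period.
    """
    alerts = []
    last_seen = {}
    for frame in frames:
        if frame.arb_id not in baseline:
            alerts.append((frame, "unknown arbitration id"))
            continue
        period = baseline[frame.arb_id]
        prev = last_seen.get(frame.arb_id)
        if prev is not None and (frame.timestamp - prev) < period * (1 - tolerance):
            alerts.append((frame, "inter-arrival too short"))
        last_seen[frame.arb_id] = frame.timestamp
    return alerts

def analyze_log(text):
    """Convenience wrapper: returns (timestamp, arb_id, reason) tuples for a text capture."""
    return [(f.timestamp, f.arb_id, reason) for f, reason in detect_anomalies(parse_log(text))]

# Constructed capture: two legitimate periodic streams, one frame from an unexpected ID,
# and one extra 0x100 frame squeezed in 2 ms after the real one.
SAMPLE_LOG = """
0.000 100 00 10 00 10
0.000 200 01 00
0.010 100 00 11 00 11
0.015 7FF DE AD BE EF
0.020 100 00 12 00 12
0.020 200 01 00
0.022 100 FF FF FF FF
0.030 100 00 13 00 13
"""

if __name__ == "__main__":
    for ts, arb_id, reason in analyze_log(SAMPLE_LOG):
        print(f"t={ts:.3f}s id=0x{arb_id:03X}: {reason}")
```

The tolerance factor is deliberately generous: real buses jitter, and a detector tuned too tightly produces alerts on every bus-load spike. In practice the baseline is learned from the specific vehicle over many drives, and a third check, payload plausibility (for example a wheel-speed value that jumps from 100 km/h to zero in one frame), is layered on top of the timing rules shown here.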
Such demonstrations failed to convince many carmakers that cybersecurity could be a serious problem at some point, so Miller and Valasek raised the stakes. “Since the manufacturers blew us off because they said we required physical access, we figured we’d have to show them you can do it remotely—and that is exactly what we did,” Miller says.
The researchers first reached out to Fiat Chrysler with their security concerns in October and informed the company that they planned to present their research at next month’s Black Hat cybersecurity conference, according to Miller. “That is why all of this is coming to a head at this time,” he adds. Several other news outlets have reported that Fiat Chrysler filed documents with federal regulators last week indicating the company knew of a potential security flaw in its communications system as early as January 2014.
Late last week Fiat Chrysler recalled 1.4 million vehicles in the U.S. equipped with the hackable Uconnect device. That move came shortly after the Transportation Department’s National Highway Traffic Safety Administration (NHTSA) ordered the carmaker to submit to “rigorous” federal oversight, buy back some defective vehicles from owners and pay a $105 million civil penalty, the largest ever issued by the NHTSA.
Fiat Chrysler’s recall is likely only the beginning of a much larger response to automotive cybersecurity. Last week Sens. Edward Markey (D–Mass.) and Richard Blumenthal (D–Conn.) introduced a bill that would direct the NHTSA and the Federal Trade Commission to establish national standards for vehicle cybersecurity and efforts to protect driver privacy. The proposed Security and Privacy in Your Car Act would also create a rating system to inform car buyers about how well a vehicle protects drivers’ security and privacy beyond the bill’s minimum standards.