The automotive world is one of give and take. If you want hardcore performance, you sacrifice comfort; if you prioritize fuel economy and luxury, you probably won’t be king of the racetrack; and if you have a connected car, you may be vulnerable to hackers.
Cybersecurity concerns have swirled around the transportation sector for some time, but never with the same gravitas that coursed through the blogosphere last week. Chris Valasek — Director of Vehicle Security Research for the security consultancy IOActive — and Charlie Miller — a former NSA employee — were able to able to hijack a Jeep Cherokee’s Unconnect infotainment system via the car’s cellular network. Once they were in, the duo was able to send signals to the car’s computer system, manipulating the brakes, engine, and transmission with a couple laptops in a living room. All they needed was the vehicle’s IP address.
If you’re still driving your grandpa’s 1968 Oldsmobile, you probably weren’t too worried. If you own a more modern car though, one packed with wireless features and the ability to link with mobile devices, the news probably gave you some pause. And for good reason.
The modern car market demands increased functionality and inter-device communication from the factory, and there are unique security threats that come along with that. Any time a vehicle’s systems are connected to the Internet — directly or indirectly — there will be gaps in the digital armor. The fallout could be something as simple as an unresponsive radio or flashing headlights, but as we found out last week, cybercriminals can potentially access a car’s vital systems remotely, and we don’t need to explain how dangerous that is.
Any time a vehicle’s systems are connected to the Internet — directly or indirectly — there will be gaps in the digital armor.
We have yet to hear about a harmful unauthorized attack on a passenger vehicle, and clearly Valasek and Miller are not amateurs, but the vulnerabilities are clear. It’s not just Jeep vehicles either: nearly every major automaker offers an infotainment system that’s connected to the Web: Ford, Toyota, Honda, Volvo, Volkswagen, Subaru, Hyundai … you name it. Tesla’s newest vehicles can even download powertrain updates over the air, which directly affect the car’s acceleration. Is it only a matter of time before something horrible happens outside of a controlled experiment?
For answers, we turn to the carmakers themselves, and Fiat Chrysler’s initial response to the events was quite interesting. On July 22, the brand put out a press release, explaining that “some functions” had been remotely controlled, and that the automotive industry is a potential hacking target like any other. After the community began to flex its muscles, the company implemented a recall of 1.4 million vehicles, issuing USB sticks that contained a software patch to every owner alongside network-level security measures. Mailing out a truckload of thumb drives seems like an ironically insecure way to fix the problem, but a major automaker has admitted that modern cars are at risk from the attacks of cybercriminals. That’s big.
It’s impossible to say whether or not the company would have issued the recall if it weren’t for the original Wired story, but there is a clear cause and effect here — call the manufacturers out on their failings and they will address them. If we don’t? That’s a scary thought.
The U.S. government has responded as well. Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced a new bill called The Security and Privacy in Your Car Act (SPY Car Act). The legislation will direct the National Highway Traffic Safety Administration and the Federal Trade Commission to set industrywide benchmarks to protect driver safety and privacy, shining regulatory light on an issue that was largely contained within the automotive sector until now.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Senator Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes.”
It’s a start, but in the meantime, there will be hiccups. Personal safety and priceless information are all at stake here, but despite our best efforts, federal agencies, credit card machines, dating websites, and celebrity Twitter accounts are hacked every single day. It’s a constant rat race to keep up, and unfortunately for us, it’s not always the guy with the suit and tie that gets there first.
As car buyers, we crave connectivity. We lust for convenience. But are we ready to live with the consequences?
