The Critical Need to Halt Carhacking in Its Tracks
Jul 23, 2015
People always have been very ingenious in finding ways to misuse new technologies. But the lead times between innovation and harm are quickly shrinking, while the risks, and the horrible consequences, have increased exponentially.
Case in point is connected cars/Internet of Things (IoT). There is shocking new evidence that requires governments to apply the brakes to these new technologies until life-threatening security issues can be sorted out.
For we are likely on the cusp of the potentially dangerous, violent, and deadly new crime of “carhacking”. This is the “smart” cyber cousin of carjacking, and it arises from criminal control of connected vehicles.
A Wired magazine article published July 21 graphically showed how a car can be remotely controlled by hackers. The Wired hackers gained access into a Jeep Cherokee and cut the vehicle’s brakes, which forced the driver, and article author, Andy Greenberg, to swing it into a ditch. More dramatically they killed the accelerator that nearly led to a collision between the SUV and a truck, which was averted when the hacking team relinquished control.
The Wired team is probably not telling everything. But here’s a chilling fact. If they can carhack, and write about it, it is a safe bet that others have gained a deeper level of control, thereby opening the doors to unspeakable mayhem.
It is not difficult to imagine thieves or kidnappers using car data to track when targets leave or arrive home. Or terrorists carhacking into a truck driven by a mom accompanied by her infant daughter, locking the doors to imprison them, and use it to ramraid a government office where they follow in and slaughter the occupants and witnesses.
Sadly the least surprising aspect about the Wired article is the apparent tail-covering by automakers. It reported that the industry has known about the hacking risks since 2011 through research shared with them by the University of California at San Diego and the University of Washington. And there could be as many as over 470,000 vehicles at risk, reports Wired.
“Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaw,” warned and wrote Greenberg.
Again not surprisingly, shortly after the article appeared, Fiat Chrysler issued a well-publicized patch for the fix. But this approach now forces the automotive industry into the same cat-and-mouse security game of attacks and solutions that plague IT where the hacking mice always seem to get an edge.
Yet manipulating connected vehicles i.e. carhacking isn’t some game. And the consequences are much more severe than even data and ID theft, as the Wired example dramatically showed.
The hard truth is that connected vehicle technologies, particularly infotainment, systems are frills. They are nice-to-haves, but they are not essential to safe vehicle operation. Cars have and will work very well without them.
If you have to look at something other than the road then pull over. Whatever it is that you are doing is not worth putting you and others in danger. Unless you are a first responder on a call there is nothing that you do is that important that merits communicating and engaging with IT systems while driving.
U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have, to their credit, introduced the SPY Act that would require vehicle makers to make connected models secure, according to a July 21 Huffington Post article. But given the high and present risks of carhacking, governments should immediately step in before criminals get remotely behind the wheel. Like looking at having existing vehicles’ onboard communications systems physically disconnected from vehicle operations systems, and disabling any means to track them, even if it means recalls.
“Regulation chills innovation” is one refrain I've heard to discussions about applying legislation to technology. But in the case of connected cars it is far better to cool technology expansion if it means fewer cold bodies in morgues from carhacking.
* Here's a great report that came out in October about Cybersecurity and Cars:
Brendan Read is Senior Industry Analyst with over 25 years’ experience covering business, communications, staffing, and technology. He has worked in, prepared reports, and blogged on a wide range of topics including customer contact, CX, CRM, IoT, social media, supply chain, and BC/DR. He also has backgrounds in construction, manufacturing, materials, resource extraction, site selection, and transportation. He examines the broad economic, environmental, innovation, political, and social mega trends, and their impacts on businesses, markets, and society.