Jeep Cyberattack: Why Cars Are Much Bigger Security Risks Than Mobile Devices
[Updated 8/6/15, 10:44 am. See below.] Back in early 2012, cybersecurity researcher Cameron Camp wrote a blogpost under the heading, “Could your next new car be hacked (should you be scared)?”
Camp identified significant potential dangers as automakers moved beyond the simpler computers first installed in cars years ago—to do tasks like calculating fuel inputs for injection systems—and developed on-board consumer features that connect cars to the Internet. Camp had already seen benign hackers wirelessly popping car door locks, and imagined crowds of scammers later using browsers to steal data from drivers.
So experts like Camp weren’t surprised when a pair of other security researchers, Charlie Miller and Chris Valasek, demonstrated recently that they could wirelessly stop a Jeep Cherokee that started out at 70 miles an hour on Interstate 64 at the edge of downtown St Louis, MO., Camp’s colleague Stephen Cobb says. Miller and Valasek exploited a weakness that allowed them to control core automotive functions by infiltrating Fiat Chrysler’s Uconnect infotainment system.
“A car now is a network of computers connected to a global network,” says Cobb, a senior security researcher at the San Diego office of (Bratislava,) Slovakia-based ESET, an Internet security company whose products include antivirus software. “You exponentially increase the risk factors.” [Phrase added to indicate the broader mission of ESET.]
Although Cobb says he’d previously seen similar demonstrations of hackers taking over automotive controls, those were carried out in parking lots. But the highway experiment, reported by the Jeep’s driver in Wired magazine, stunned the nation. In its aftermath, Fiat Chrysler recalled 1.4 million vehicles under the Jeep, Dodge, and Chrysler brands to fix the security deficiency. The recall procedure itself brought down scrutiny from the National Transportation Safety Board, and two U.S. senators called for legislation to set cybersecurity standards for cars. Miller and Valasek, who have shared their methods with Chrysler, plan to disclose more details publicly at a Black Hat security conference in Las Vegas this week.
The incident highlights a significant business opportunity for cybersecurity companies to serve carmakers—as well as any business whose employees ever travel by car.
In many ways, a connected car creates the same daunting security challenges as those presented by mobile devices, which are vulnerable to hackers because they’re carried outside the controlled office environment. On streets and in cafes, they can be stolen or exposed to unsecured Wifi networks. Mobile devices and connected cars both may fail in ways that inconvenience users, cost them money, or allow malicious actors to tap into their employers’ secrets.
But a faulty car can also result in deaths or injuries. That safety concern exposes automakers to … Next Page »