How to Hack a Car
Condé Nast’s Andy Greenberg is all over car hacking, with three articles about security exploits and Congressional actions here here and here this week. A pair of hackers discovered Chrysler Jeeps are vulnerable to attacks in the wake of Chrysler’s refusal to respond to a letter from Sen. Ed Markey (D, Mass) on auto security and driver privacy. Their demonstration of Jeep’s vulnerability made a strong impression on Greenberg, as they put him in serious danger while driving by disabling the Jeep’s transmission:
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.
I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.
This is going too far and it makes me question the motives of the hackers, Charlie Miller and Chris Valasek. This was their second Jeep hack; the first involved plugging into the car’s diagnostic port, which isn’t so much a hack as a demonstration the the power of the diagnostic port. They claim that this hack was accomplished through access to the car’s unmodified on-board LTE interface. If that’s true – and it needs to be independently verified – it’s a severe indictment of Chrysler’s engineers. I wouldn’t go so far as to say it reflects badly on the whole industry, but some data collection by unbiased experts can tell us a lot about how severe the problem of car insecurity really is across the board. And it’s also possible that this hack was only possible because the hackers had several weeks with the car to get around its security and authentication protocols.
My guess is security problems are not isolated to Chrysler or to the other carmakers who refused to respond to Sen. Markey’s questions in February. It’s been my experience that auto manufacturers haven’t done a good job of adapting their product to personal electronics, smartphones, and mobile networks. They insist on dedicated spectrum for collision avoidance, but they’ve made scant progress toward developing standards for car-to-car or car-to-road communication in the fifteen years since the spectrum was assigned. Infotainment systems that are supposed to incorporate smartphones are frequently clownish: BMW’s iDrive system introduced in 2001 is still a laughingstock of bad user interface design, even though it made an impression on one espresso machine manufacturer, Saeco.
So the answer to my trollish headline is to exploit a feature intended for legitimate use by mechanics and abuse the hell out of it, cackling the whole time about how clever you are. With any luck, you’ll be able to rope in some members of Congress and make a name for yourself. [EDIT: And with any luck, you’ll cause a recall out of an abundance of caution.]
But security is the kind of problem that’s never really solved, so any short-term advances your hack inspires won’t offset the drag on the industry created by drawing attention to the wrong problem. The issue I have with car electronics isn’t their lack of security as much as their lack of utility. A cheap Android phone runs rings around a $3000 automobile infotainment system, and that’s really sad.
Modern infotainment systems often incorporate calendars, email, and selected apps, but they don’t begin to integrate these functions with the cars’ navigation system. The Apple and Google iPhone navigators integrate with the iPhone’s calendar and address book, but you don’t even think about pressing a link in a calendar notice on a car’s infotainment screen in the hope that the car’s navigation system will take you there without re-typing. Car infotainment systems are so primitive I wonder whether the people who code them have ever used a smartphone.
It seems that the best way to make progress toward cars with better infotainment systems and smartphone integration is to take the car companies out of the business. There are two ways to do this: computer companies like Apple, Google, and Microsoft can start making cars that incorporate some fresh thinking about motoring. Tesla has paved the way here, because it’s more a computer company than a car company. If you’re building electric cars in particular, computer companies already have the requisite expertise in every area except safety: they certainly understand user interfaces, design, creature comfort, and batteries. I’d love to see an Apple car, a Google car would be priced attractively, and Microsoft would make sure the car’s software was always up to date.
The other, less radical, way is for car companies to admit they don’t know what they’re doing with electronics and create an aftermarket for plug-in infotainment systems with a standard bus and mounting dock like they did with the ISO/DIN connectors for third party DVD players. The car companies can handle the car control functions, but they can leave navigation, entertainment, and smartphone support to people who are willing to invest in doing a good job of it. This is a security vulnerability, but if the state of security is as dire as Miller, Valasek, and Markey say, we don’t lose any security by going this way.
Car companies can leave a hole the dash with a standard connector and leave it to the buyer to plug in an Apple, Samsung, or Microsoft head unit and we’ll all be better off. The industry can focus on what they do best, make engines run and up-sell buyers on useless plastic coatings, and the computer companies can do what they do best. This doesn’t need to be federally mandated, because the car companies that open up to the computer companies will sell lots of cars.
The bill that Senators Markey and Blumenthal have written doesn’t consider this option. Its contents are a mix of two different issues, unfortunately: on the one hand, it has lots of ideas about safety and security, but half of its content is about consumer privacy, tracking, and protection of sensitive information about the user that has nothing to do with car safety. This combination of loosely related issues all but precludes rational debate.
Getting the government more involved in auto security used to sound like a fair idea, but in the wake of the OPM hacks I have reservations about their ability to make a constructive contribution. The problems are too complex and the technology just advances too rapidly.
Sorry, Condé Nast, you don’t have the right answer.