Last week, Wired published an article ‘Hackers remotely kill a Jeep on the highway – with me in it’ detailing the actions of two well know hackers Charlie Miller and Chris Valasek. In the words of the journalist, Andy Greenberg, he agreed to be their ‘digital crash-test dummy’.
The hackers managed to remotely control many important functions of the Jeep, including braking, transmission and accelerator. They also controlled the wipers, air-con and radio, but the threat is very different when someone can control the driving and safety features of the vehicle.
Miller and Valasek proved in 2013 that they could hack a car, at that time a Ford Escape and Toyota Prius, but at that time they demonstrated it from the back seat and they needed to be physically connected in the car.
This latest demonstration of their skills show that in this instance they could control the vehicle remotely, which is of course a very different risk.
This story has so many similarities to the recent stories about the ability to hack an aircraft and control it. Experts in avionics were quick to disclose that only in a few aircraft have the infotainment systems connected to the control of the aircraft and in all cases the pilot has a manual control button in the cockpit to take control and fly without the reliance on technology in this way.
While similar stories they are two very separate industries, the automotive industry regulators would appear to be in catch up mode as opposed to setting definitive standards for the industry to follow in advance of deployment in the field.
My other concern raised by this and previous stories about car vulnerabilities is the method of deployment of the fix. There is a software update available for the Jeep, it can be downloaded and loaded through a USB stick. While this sounds simple it should not be left to the consumer to perform updates of this importance, if there was a manufacturing fault in the breaks of a car they would be recalled and a trained mechanic would repair them. While the dealer may load the software for you its my opinion that when a major vulnerability like this is found the car companies should be made to do a full recall and take responsibility.
I wonder how many car drivers of connected cars have the latest software loaded in the cars today? I suspect that many BMW drivers that were subject to the ‘unlock’ hack earlier this years are still driving around in a vulnerable car.
There is light on the horizon as US and UK Government departments that control standards in this area are both reportedly writing new guidance. I am sure that in the next few months they will be published but of course implementation in manufacturing takes time and the risk grows with every new ‘connected’ car that rolls off the production line.