Jeep hackers: Only a dramatic stunt could force a Chrysler recall
LAS VEGAS
By now, more than 1 million people have seen the video of two hackers seizing control of a Jeep Cherokee as Wired reporter Andy Greenberg drove down a St. Louis highway at 70 miles per hour.
The video was visual evidence hackers could kill the car's engine from miles away. And it showed the hack's real-life hazards: Mr. Greenberg, whose vision was already blocked by a deluge of wiper fluid the hackers unleashed on his windshield, was unable to accelerate. There was no shoulder for him to steer onto as an 18-wheeler approached from behind, honking. "Guys, I'm stuck on the highway," Greenberg exclaims. "Seriously. It's ... dangerous."
The jarring video featuring security researchers Charlie Miller and Chris Valasek sparked debate on social media and blogs about whether the demonstration was worth the risk to Greenberg and the drivers around him.
But the researchers say the shock value of their demonstration - and added publicity of the Black Hat and DEF CON hacker conferences taking place this week in Las Vegas - was the reason they raised enough awareness of the security weaknesses to spur Fiat Chrysler Automobiles and Sprint Corp. to fix the problem affecting potentially 1.4 million cars and trucks.
"If we didn't have the Wired article writing about how we did what we did, there wouldn't have been a recall," Mr. Valasek told reporters Wednesday after he and Mr. Miller unveiled, to an overflowing room of cheering hackers at the Black Hat conference, the details of how they took control of the car via Chrysler's UConnect dashboard computer feature that controls its entertainment and navigation system and enables a Wi-Fi hotspot.
The recall was worth the risk of using Greenberg - and themselves - as guinea pigs. "That's why we report bugs the way we do. We tell [the company] - then we say we're going to be at Black Hat, and there's a story about it," Miller said. "And that's what makes them really do something."
Even though the researchers say they disclosed their findings to the company in October, Chrysler quietly offered a software upgrade before the Wired report revealed it publicly last month. Then, as the media maelstrom grew, Fiat Chrysler Automobiles recalled a massive number of Dodge, Jeep, and Ram vehicles with UConnect computers. For its part, Sprint moved to prevent such attacks by fixing what the researchers called a network flaw that allowed its cellular networks to talk to the in-car systems.
These are long-awaited changes for researchers such as Miller, who by day is a security engineer at Twitter, and Valasek, head of vehicle security research at IOActive, who have been researching and explaining potential vulnerabilities in connected cars for years. "Car companies are saying, 'We're more secure, and working harder' - but they've been saying that for a few years," Miller said. "We only have like, one data point. And from that data point, they're not doing that good."
But the pair - and accompanying journalist - have critics, who say the attention-grabbing stunt wasn't the only way to prove their point. "It was a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders," Kashmir Hill. "It's troubling that [Greenberg] and his talented collaborators would explore this vulnerability in a way that put him and the drivers around him at risk of something going terribly wrong."
The researchers, however, maintain that they tested the hack themselves while driving, and that "all the really dangerous things - like steering and braking - it was in the controlled environment, the parking lot," Miller said. "We tried to choose something that would make for a good visual but wasn't actually dangerous."
Demonstrating the entire hack in such a closed environment would not have had the same effect, they insist. "There was a 60 Minutes story where they did this in a closed environment, and no one [cared at all]," Valasek added, referring to the video of who was unable to use her brakes in order to stop her car at the designated cones in a parking lot as a Defense Advanced Research Projects Agency hacker stood nearby.
If Miller and Valasek have their way, there will be more high-profile hacks on the horizon. The pair plan to release a paper in the coming days detailing the techniques and code they used to hack the connected car. Since Chrysler and Sprint took action to fix the issue, there's no way a hacker could use those same techniques detailed there to hack a car, but Miller said "the hope is ... that other researchers will look at other cars, and will find vulnerabilities, and will report them, and will get them fixed."
In an ideal world, the car manufacturers themselves would also use this blueprint to "see how someone would go about tearing apart what they built," said Valasek.
After all, as Miller said, "there's nothing you can do" as a consumer to protect yourself from a potential attack on connected cars. "You're at the mercy of the manufacturer," Valasek added. The only thing consumers can do, they say, is ask the manufacturer about their security measures.
Here, too, is another purpose of the stunt hack: Inspiring consumers to actually advocate for their own security when buying a car - and pressure automakers. "Average people now understand that cars can be hacked," Miller said.
Consumers have a different kind of power, too: Just this week, three Jeep Cherokee owners filed a lawsuit against both Fiat Chrysler Automobiles and the UConnect-maker, Harman International, alleging fraud and negligence (among other things) for failing to heed Miller and Valasek's previous warnings of security risks. They are inviting any of the rest of the millions of car owners who had vulnerable systems to join them in what could be a massive class action suit.
So the added media and legal focus means car companies are going to have to pay attention to cybersecurity, the researchers say. "I don't care if someone hacks my fridge, or my Furby, or my toaster, right? If it's not going to cause you any physical harm, I can see why they wouldn't spend their budget on [fixing those security weaknesses]," Valasek said. "But car companies spend millions on millions of dollars on safety. And this is now part of safety - whether they like it or not."
In the end, the hackers are just as vulnerable as everyone else. "I still drive that Jeep Cherokee. That same one," Miller said. "There's nothing I can do that could make it more secure than what everyone else does."