The Internet of Things promises to make almost everything we deal with “smart” and “smart means exploitable,” as our Chief Research Officer Mikko Hypponen has said many times.
Many people began to understand this for this first time in July of 2015 when Wired broke the news that it had successfully hacked a Jeep on the highway.
The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenburg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering!
Fiat Chrysler Automobiles NV announced a recall of 1.4 million cars to fix the vulnerability — the first recall for a software patch in history.
And since it was the first, it was also a bit of a mess, as The Verge’s Russell Brandom reported:
There was no way to update the cars automatically, so the company was reduced to in-person dealership updates and, in some cases, mailing USB sticks to affected customers. The result was a clear mismatch of offense and defense: UConnect makes the cars vulnerable to remote attack, but there’s no way for Chrysler to remotely defend them by pushing out patches. Chrysler also made network-level changes that seem to have blunted the attack, but fixing the car’s software still required in-person USB contact.
And they may not be the only car manufacturer forced take such steps.
“The supplier didn’t just supply radios to Chrysler but to a lot of other manufacturers,” National Highway Traffic Safety Administration Mark Rosekind told reporters. “A lot of our work now is trying to find out how broad the vulnerability could be.”
Rosekind is hoping the industry sees this as a wakeup call.
“This is the shot across the bow. Everybody’s been saying ‘cybersecurity’. Now you’ve got to step up,” he said. “You’ve got to see the entire industry proactively dealing with these things.”
It’s science fiction come to life. But as Micke reminds us, we’re a long way off before accidents caused by compromised computers are a bigger risks than accidents caused by people — especially people texting on their computers while driving.
[Image by davejdoe | Flickr]