+ A
A -
NYT Syndicate
It started about seven years ago. Iran's top nuclear scientists were being assassinated in a string of similar attacks: Assailants on motorcycles were pulling up to their moving cars, attaching magnetic bombs and detonating them after the motorcyclists had fled the scene.
In another seven years, security experts warn, assassins won't need motorcycles or magnetic bombs. All they'll need is a laptop and code to send driverless cars careering off a bridge, colliding with a driverless truck or coming to an unexpected stop in the middle of fast-moving traffic.
Automakers may call them self-driving cars. But hackers call them computers that travel over 100 mph.
"These are no longer cars," said Marc Rogers, the principal security researcher at the cybersecurity firm CloudFlare."These are data centres on wheels. Any part of the car that talks to the outside world is a potential inroad for attackers."
Those fears came into focus two years ago when two"white hat" hackers ” researchers who look for computer vulnerabilities to spot problems and fix them, rather than to commit a crime or cause problems ” successfully gained access to a Jeep Cherokee from their computer miles away. They rendered their crash-test dummy (in this case a nervous reporter) powerless over his vehicle and disabling his transmission in the middle of a highway.
The hackers, Chris Valasek and Charlie Miller (now security researchers respectively at Uber and Didi, an Uber competitor in China), discovered an electronic route from the Jeep's entertainment system to its dashboard. From there, they had control of the vehicle's steering, brakes and transmission ” everything they needed to paralyse their crash test dummy in the middle of a highway.
"Car hacking makes great headlines, but remember: No one has ever had their car hacked by a bad guy," Miller wrote on Twitter."It's only ever been performed by researchers."
Still, the research by Miller and Valasek came at a steep price for Jeep's manufacturer, Fiat Chrysler, which was forced to recall 1.4 million of its vehicles as a result of the hacking experiment.
It is no wonder that Mary Barra, the chief executive of General Motors, called cybersecurity her company's top priority last year. Now the skills of researchers and so-called white hat hackers are in high demand among automakers and tech companies pushing ahead with driverless car projects.
Uber, Tesla, Apple and Didi in China have been actively recruiting white hat hackers like Miller and Valasek from one another as well as from traditional cybersecurity firms and academia.
Last year, Tesla poached Aaron Sigel, Apple's manager of security for its iOS operating system. Uber poached Chris Gates, formerly a white hat hacker at Facebook. Didi poached Miller from Uber, where he had gone to work after the Jeep hack. And security firms have seen dozens of engineers leave their ranks for autonomous-car projects.
Like a number of big tech companies, Tesla and Fiat Chrysler started paying out rewards to hackers who turn over flaws the hackers discover in their systems. GM has done something similar, though critics say GM's programme is limited when compared with the ones offered by tech companies, and so far no rewards have been paid out.
One year after the Jeep hack by Miller and Valasek, they demonstrated all the other ways they could mess with a Jeep driver, including hijacking the vehicle's cruise control, swerving the steering wheel 180 degrees or slamming on the parking brake in high-speed traffic ” all from a computer in the back of the car. (Those exploits ended with their test Jeep in a ditch and calls to a local tow company.)
Granted, they had to be in the Jeep to make all that happen. But it was evidence of what is possible.
The Jeep penetration was preceded by a 2011 hack by security researchers at the University of Washington and the University of California, San Diego, who were the first to remotely hack a sedan and ultimately control its brakes via Bluetooth. The researchers warned car companies that the more connected cars become, the more likely they are to get hacked.
In all the cases, the car hacks were the work of well meaning, white hat security researchers. But the lesson for all automakers was clear.
The motivations to hack vehicles are limitless. When it learned of Rogers' and Mahaffey's investigation into Tesla's Model S, a Chinese app-maker asked Rogers if he would be interested in sharing, or possibly selling, his discovery, he said. (The app maker was looking for a backdoor to secretly install its app on Tesla's dashboard.)
Criminals have not yet shown they have found back doors into connected vehicles, though for years, they have been actively developing, trading and deploying tools that can intercept car key communications.
But as more driverless and semiautonomous cars hit the open roads, they will become a more worthy target. Security experts warn that driverless cars present a far more complex, intriguing and vulnerable"attack surface" for hackers. Each new"connected" car feature introduces greater complexity, and with complexity inevitably comes vulnerability.
