Carmakers used to only worry about faulty components or shoddy workmanship leading to a damaging product recall. Now they can add another problem to the list: the risk of meddling computer hackers. And as the industry rushes to make vehicles more computerized and connected, the threat posed by computer flaws could get a lot worse.
Fiat-Chrysler issued a recall today for 1.4 million cars following a demonstration in which two computer security consultants showed that they could take remote control of a Jeep Cherokee, turning up the climate controls and the radio, activating the windscreen wipers, and even cutting the brakes and shutting off the engine.
The researchers behind the stunt, Charlie Miller and Chris Valasek, took over the car from miles away, through the Uconnect service, which links the infotainment systems in Fiat-Chrysler vehicles to the Internet. Almost all carmakers offer similar wireless services as an add-on these days. The recall issued by Fiat-Chrysler states that “exploitation of the software vulnerability may result in unauthorized remote modification and control of certain vehicle systems, increasing the risk of a crash.”
That may be true, but Miller and Valasek’s exploit is also a pretty complicated piece of work. It requires a “zero-day” (that is, previously unknown) software bug, as well as knowing how to reprogram a chip in the entertainment unit and communicate with other systems via the car’s internal network. A little ironically, the cars affected can’t be remotely updated with software patch. Instead you can download one to install yourself here, or have Chrysler mail it to you on a USB stick.
Unfortunately, much easier exploits may not be far away. Carmakers are rushing to add more computers and more connectivity to vehicles, not only for infotainment, but also to make drivetrain components more reconfigurable and customizable (as I reported in “Rebooting the Automobile”). Tesla’s Model S shows where the industry is headed: many of the car’s features can be accessed and controlled via the Internet, using the company’s app, and its hardware is routinely reprogrammed with remote software updates issued from the company. Added complexity and accessibility could make vehicles a much richer target for troublemakers. Borrowing more technology from the consumer electronics industry may also increase the risk, as it means more people will have the skills needed to access and modify a device and its code.
Carmakers do seem to be taking the issue seriously, as do large computer security companies, some of which see protecting vehicles as a big future opportunity. But when I spoke with Miller and Valasek for my story, they said that automakers are moving very slowly to address the problem, and that the computer security of vehicles remains mostly unknown. The good news is that proposed legislation as well as campaigns by computer security experts calling for more transparency and better security practices may help the industry finally get up to speed.