Date: 23 July 2015
Author: Craig Timberg
Charlie Miller, a security researcher, is shown on July 21 in St Louis, Missouri, with a car that he figured out how to hack.
The complaints that flooded into Texas Auto Centre that maddening, mystifying week were all pretty much the same: Customers’ cars had gone haywire. Horns started honking in the middle of the night, angering neighbors, waking babies. Then when morning finally came, the cars refused to start.
The staff suspected malfunctions in a new Internet device, installed behind dashboards of second-hand cars, that allowed the dealership to remind customers of overdue payments by taking remote control of some vehicle functions. But a check of the dealership’s computers suggested something more sinister at work: Texas Auto Center had been hacked.
In addition to blaring horns and disabling starters, someone had replaced listings of Dodges and Chevrolets with names of top-of-the-line sports cars. The owners of these vehicles, meanwhile, now appeared to be an odd mix of rappers and fictional characters.
“Mickey Mouse was driving a Lamborghini,” recalled Martin Garcia, general manager of the Austin dealership. “We pretty much figured out within a matter of minutes that we had a problem.”
Police later reported more than 100 victims and charged a former dealership employee with computer crimes. Five years later, this incident remains noteworthy because of what has followed: An increasingly vast array of machines – from prison doors to airplane engines to heart defibrillators – have joined what is commonly called the “Internet of Things,” meaning they are wired into our borderless, lawless, insecure online world.
As the number of connected devices explodes – from roughly 2 billion in 2010, the year of the Texas Auto Centre incident, to an estimated 25 billion by 2020 – security researchers have repeatedly shown that most online devices can be hacked. Some have begun calling the “Internet of Things,” known by the abbreviation IOT, the “Internet of Targets.”
Security experts detect disturbing echoes from previous eras of rapid innovation, notably the 1990s when the World Wide Web connected hundreds of millions of people to a thrilling new online universe. Warnings about looming dangers went unheeded until viruses and cyberattacks became commonplace a few years later.
Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online. It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives.
“If you’ve learned anything from the Internet, it’s clearly going to happen,” said Kathleen Fisher, a Tufts University computer science professor and security researcher. “Now that we know it’s going to happen, can’t we do something different?”
The inherent insecurity of the Internet itself – an ungoverned global network running on technology created several decades ago, long before the terms “hackers” or “cybersecurity” took on their current meanings – makes it difficult to add effective safety measures now. Yesterday’s flaws, experts say, are being built directly into tomorrow’s connected world.
Among the most vivid examples came this week, when security researchers Charlie Miller and Chris Valasek demonstrated that they could hijack a vehicle over the Internet, without any dealership-installed device to ease access. By hacking into a 2014 Jeep Cherokee, the researchers were able to turn the steering wheel, briefly disable the brakes and shut down the engine.
They also found readily accessible Internet links to thousands of other privately owned Jeeps, Dodges and Chryslers that feature a proprietary wireless entertainment and navigation system called Uconnect. Valasek and Miller said they could, by merely typing the right series of computer commands, hack into these vehicles, almost anywhere they might be driving.
Government and industry officials are racing to add protections before techniques demonstrated by Miller, Valasek and other researchers join the standard tool kits of cybercriminals. In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next, hindering hackers.
“They haven’t been able to weaponise it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”
Yet Ellis and other experts fear the race to secure the Internet of Things already is being lost, that connectivity and new features are being added more quickly than effective measures to thwart attacks. Long development cycles – especially within the automotive industry – add to the problem.
If a hacker-proof car was somehow designed today, it couldn’t reach dealerships until sometime in 2018, experts say, and it would remain hacker-proof only for as long as its automaker kept providing regular updates for the underlying software – an expensive chore that manufacturers of connected devices often neglect. Replacing all of the vulnerable cars on the road would take decades more.
THE DRIVE-BY HACK
Cars sold today are computers on wheels, with dozens of embedded chips running millions of lines of code. These vehicles can talk to the outside world through remote key systems, satellite radios, telematic control units, Bluetooth connections, dashboard Internet links and even wireless tyre-pressure monitors. Security experts call these systems “attack surfaces,” meaning places where intrusions can start.
Once inside, most computer systems on modern vehicles are somehow connected, if only indirectly. Researchers who have hacked their way into computers that control dashboard displays, lighting systems or air bags have found their way to ones running transmission systems, engine cylinders and, in the most advanced cars, steering controls. Nearly all of these systems speak a common digital language, a computer protocol created in the 1980s when only motorists and their mechanics had access to critical vehicle controls.
The overall security on these automotive systems is “15 years, maybe 20 years behind where [computer] operating system security is today. It’s abysmal,” said researcher Peiter Zatko, a former hacker who once directed cybersecurity research for the Pentagon’s Defence Advanced Research Projects Agency (DARPA) and now is developing an independent software security research group.
Attackers don’t need to crash cars to cause trouble. A jealous, malicious hacker could use a vehicle’s navigation system to track his spouse’s movements while remotely activating the built-in microphone to secretly record conversations that happen in the car. Thieves already are using mysterious “black boxes” that, through the radio signals that control modern entry systems, unlock cars as the crooks walk by; some simply climb in, start the engine and drive away.
The next wave of attacks, researchers say, could include malicious software delivered over the Internet to disable your car’s engine, with the sender offering to revive your vehicle for a few hundred dollars. Or the new generation of wireless links between cars and their surroundings – designed to improve traffic flow and avert crashes – could enable drive-by hacks. Imagine a single infected WiFi beacon on a stretch of highway delivering a virus to every passing vehicle.
“Cars are a major part of the Internet of Things,” said Sen. Edward J. Markey (D-Mass.), who this week filed a bill seeking minimum federal cybersecurity standards for cars, as long have existed for other systems critical to safety, such as seat belts and brakes. “We’ve moved from an era of combustion engines to computerised engines, but we haven’t put into place the proper protections against hackers and data trackers.”
The Alliance of Automobile Manufacturers, a Washington-based group representing 12 major carmakers, declined interview requests from The Washington Post but agreed to answer a series of written questions.
“Cybersecurity is a serious issue for every industry, including ours,” Auto Alliance spokesman Wade Newton said in a written statement. He added, “That’s why the auto industry is taking steps to reduce risk by building robust security protections from the earliest stages of design.”
The statement also noted that the group had this month created an Information Sharing and Analysis Centre to study cybersecurity issues and share information about threats that emerge. It was the first initiative of its kind for the Auto Alliance and came five years after the first major published research about the risks that hackers posed to car safety and security.
TAKING OVER FROM FAR AWAY
Scientists from the University of Washington and the University of California at San Diego reported in 2010 that, with physical access to a car, they could control almost any computerised system within it. When some critics questioned the realism of that scenario – if you were in the car, you could simply turn off the engine or hit the brakes yourself, they said – the researchers found a way to do many of the same things remotely.
The key was hacking into a telematics unit that car manufacturers, in response to driver requests, used to locate vehicles, unlock them or even start their engines. Although pioneered by General Motors through its OnStar system, such telematics units are commonplace in cars today, relying on cellular signals to find vehicles and send data to their onboard computers.
The researchers found that by transmitting malicious code to the telematics unit of a test vehicle, they could do everything that OnStar could do and much more – taking complete control of the car.
“We can do this from a thousand miles away,” said Tadayoshi Kohno, one of the University of Washington researchers who worked on the project, published in 2011.
That same year, in July, a team of General Motors executives met with DARPA officials at the research agency’s headquarters in Northern Virginia. The industry was ailing in the aftermath of the Great Recession, and the executives expressed interest in US federal research that might help improve their line of vehicles with new technology.
One of the participants was Zatko, better known as “Mudge” from his days as the frontman for a Boston-based hacker group called L0pht. He now was a program manager for DARPA, which had birthed the Internet decades earlier and was eager to tame the insecurity that had become an inextricable part of the online world.
Zatko, who throughout the 1990s had taunted Microsoft and other software titans for their lax approach to security, heard what he considered a similar attitude from the GM executives. The focus, Zatko said, was on selling products, not protecting consumers from malicious hackers who might later exploit those products. Investing more in security, meanwhile, was viewed as a costly diversion, with no obvious payoff in profit. Zatko believed that other automakers felt the same.
“There’s no security in cars, and the systems are wide open,” Zatko told the GM executives, he later recalled. “This is an accident, a very bad accident, waiting to happen.”
DARPA, which has no regulatory authority, couldn’t force the auto industry to do anything, but it could nudge it along by supporting research demonstrating the problem. So Zatko arranged for a research contract for Miller and Valasek. They bought two cars – a Toyota Prius and a Ford Escape – and went to work.
(GM officials did not dispute Zatko’s account of the DARPA meeting but said in a statement this week, “Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats and are designing vehicle systems that can be updated with enhanced security as these potential threats arise.”)
The vulnerability of the Internet of Things was hardly a new concept. In 2007, then-US Vice President Richard B Cheney had the wireless connection in his implanted heart defibrillator disabled because of fears that a terrorist might hack the device, causing it to deliver fatal electric shocks in an online assassination attempt.
Among the first cyberattacks known to cause physical damage came from US and Israeli intelligence officials, who in 2009 spread sophisticated malware, called Stuxnet, that destroyed Iranian centrifuges by causing them to spin wildly out of control. The controversial, top-secret effort set back that nation’s nuclear program but also showed software’s potential to damage critical mechanical systems.
That idea has proved to have potentially broad consequences in an increasingly connected world. Security researchers Tiffany Rad, Teague Newman, and John Strauchs reported in 2011 that they could hack into the systems that controlled prison doors, opening and closing them at will. Many other mechanical systems, they found, had similar vulnerabilities.
As hackers explored the Internet of Things, vehicles became popular targets. A 14-year-old in Poland altered a television remote control in 2008 to take control of trams in Lodz, Poland’s third-largest city, derailing several trams and causing minor injuries, according to news reports at the time.
The Texas Auto Centre mayhem, two years later, turned out to be the work of a 20-year-old man with a modicum of computer savvy and a grudge against the dealership, which had fired him. He used another employee’s credentials and signed on to the system from his home Internet account, leaving a digital trail the Austin police later tracked.
Drones also have drawn the interest of hackers. When an American RQ-170 Sentinel disappeared into northeastern Iran in 2011, the government there claimed that one of its cyberwarfare teams had wrested control from its CIA operators and brought the surveillance aircraft in for a safe landing. Iran later boasted that it had extracted the video footage the captured drone had collected during a previously secret mission.
On a much smaller scale, security researcher Samy Kamkar – known within the industry for the notorious “Samy worm” he released in 2006, prompting a later criminal conviction – touted a new creation called SkyJack in a YouTube video in 2013.
With SkyJack and less than $100 in extra gear, he transformed a basic, commercially available drone into an attack vehicle capable of spotting and taking control of similar devices as they flew nearby. If enough targets were in the area, Kamkar told YouTube viewers, a SkyJack user could gradually build an “army of zombie drones” controllable from a smartphone.
He has since expanded his interest in the Internet of Things, releasing a technique for hacking into remote-controlled garage doors. He also has begun working on automobiles and plans to detail new car security flaws at next month’s Def Con Hacking Conference, which also is scheduled to feature a “car hacking village.” Few vehicles, he said in an interview, have defences that can’t easily be overcome.
“I’ve pretty much found attacks for every car I’ve looked at,” Kamkar said. “I haven’t been able to start every car, but in my testing I’ve been able to unlock any car.”
The reasons are simple: There are many automakers, but most buy equipment from just a few major suppliers. All the unlocking systems Kamkar has studied, for example, use the same few radio frequencies. Crack them, and many of the world’s car doors open at your command.
HELPLESS IN A JEEP CHEROKEE
For a taste of our perilous future, visit Miller’s home in suburban St Louis. The wiry 42-year-old security researcher spent five years working for the National Security Agency before striking out on his own and studying weaknesses in Apple products. He now works on Twitter’s security team and spends his spare time hacking into cars.
The Prius and Ford Escape that Miller and his research partner Valasek bought with DARPA funding proved eminently hackable. Almost anything you could imagine doing to a car through its computers, they have now done.
They started by hacking into the vehicles through an onboard diagnostic port. When NBC’s “Today” show ran startling footage in 2013 showing the hackers happily overriding the driver’s control – yanking the steering wheel to one side, disabling the brakes, and shutting off the engine – the car companies issued pointed statements noting that Miller and Valasek were sitting in the vehicles, not controlling them remotely through the Internet.
So Miller and Valasek, like the university research teams before them, set out to prove that they could do the same things from thousands of kilometres away. This time, they bought a white Jeep Cherokee.
This latest round of research, first reported by Wired.com on Wednesday, is no less chilling. In a demonstration for The Washington Post, Miller had to start the car the old-fashioned way, with his Jeep key fob. But once it was running, he found the vehicle’s Internet address and, while sitting in his office and typing on a MacBook Pro, hacked in through the Uconnect dashboard information and entertainment system.
As the Jeep drove in a parking lot nearby, Miller changed the radio station and turned up the volume. He locked and unlocked the doors, and shot wiper fluid onto the windshield as the wiper blades swooped back and forth – all while the driver kept his hands on the steering wheel.
Then it got more serious. Miller, still on his MacBook more than a kilometre away, shut off the engine. He briefly disabled the brakes. And he caused the transmission to malfunction, which led the Jeep to lose speed even when the gas pedal was pressed repeatedly. While the car was moving slowly in reverse, Miller even turned the steering wheel, causing the Jeep to carve a wide circle backward through the lot.
Afterward, he said the purpose of such demonstrations was to prompt urgency from automakers. “I don’t want to wait until there are cars crashing on the news every month,” Miller said, having now successfully hacked three different vehicles from three different manufacturers. “All the cars have the same kinds of problems.”
Miller and Valasek previewed their research for Fiat Chrysler Automobiles, the London-based company that is the parent to Jeep, Dodge and Chrysler, allowing it time to prepare a software update preventing the exact techniques they discovered from being used again. Dealerships can install the new software, or customers can download it themselves onto a memory stick and insert it into their vehicles.
Despite the heads-up from the researchers, Fiat Chrysler Automobiles issued a sharply worded statement Wednesday as news of the hack broke. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.”
It also offered reassurances to consumers. “The Company monitors and tests the information systems of all of its products to identify and eliminate vulnerabilities in the ordinary course of business.”
Can motorists relax now? Miller and Valasek don’t think so.
“They really just patched one vulnerability. But they didn’t fix the systemic issues,” said Valasek, director of vehicle security research for IOActive, a security company.
He was unsure when automakers would take cybersecurity more seriously. “Go look at Fiat Chrysler stock today, and they’re up,” Valasek added. “When they stop making money because of these things, I’m sure they will go about fixing them.”
Cars once were just brainless machines, controlled by cables, belts and sparks of electricity. Emissions were among the first computerised systems on most cars, along with fuel injectors and anti-lock brakes.
Each computer had a distinct purpose, and more purposes existed in newer and fancier cars. The problem was, these systems did not exist in isolation. The anti-lock brakes needed to know if the wheels were spinning wildly. The air bags needed to know if the car was abruptly decelerating. The dashboard display needed to know if the fuel tank was getting low or if the engine was overheating.
Such systems speak to one another using a computer protocol, called “CAN,” that was created in the 1980s and, like most of the protocols that run the Internet itself, lacks what experts call the ability to “authenticate” messages. That means onboard computers typically have no way to know whether a given command originates from the car’s engine control unit, from a mechanic or from a hacker.
Manufacturers have belatedly begun trying to retrofit protections into their onboard computers. But experts say it is notoriously difficult to build security into systems that were not designed for it from the beginning – a problem that long has bedeviled the larger online world as it has evolved from a network run by a few dozen computer scientists to a vast system open to billions of people worldwide.
“When there are unintended consequences and your computer crashes, that’s one thing,” said Ashkan Soltani, chief technologist for the US Federal Trade Commission, which issued a report in January warning of the security and privacy issues of the Internet of Things. “When there are unintended consequences and your car crashes, that’s a totally different ballgame.”
Rad, who conducted early car hacking research before demonstrating vulnerabilities in prison doors and other mechanical systems, sits on a Society of Automotive Engineers committee working on cybersecurity. She says it’s clear the issue has the attention of the auto industry.
“They are taking action on this,” Rad said. “They know the stakes are high, and they also know that they have work to do.”
In a speech Tuesday, Mark R. Rosekind, the head of the National Highway Traffic Safety Administration in the US, said that federal transportation officials also are working on the problem and have a cybersecurity research team at a car-testing facility in Ohio.
“The folks at our Vehicle Research and Test Centre have figured out how to do some remarkable things with vehicle electronics, in order to prevent others from doing them,” Rosekind said, according to his prepared remarks. “NHTSA not only is aware of these threats, but we’re working to defeat them.”
But Markey said both the industry and the government should do more. When he submitted questions to 20 automakers last year, the answers from most were incomplete. Some didn’t reply at all. Only two reported having a system to detect and report hacks as they happen.
“They’re not doing nearly enough,” Markey said. “There are major holes in how companies are protecting against hackers.”
His bill to require minimum cybersecurity standards and a federal rating system that he calls a “Cyber Dashboard” runs contrary to the industry’s resistance to new federal rules. The Auto Alliance said in a statement, “As evidenced by the recent federal breaches in the government, a static, regulatory-based approach to cybersecurity seems like an outdated approach, ill-suited to the current times especially because of the fluid nature of these potential threats.”
There is another fight brewing in Washington that could affect the future of car cybersecurity. Miller, Rad and other researchers are pushing for an exemption to digital copyright laws to protect them while they work. Automakers say they own the computer code in their cars, meaning that researchers could be charged under piracy laws when they download it and make alterations.
The industry says the law protects consumers by preventing cars from being hacked. But the main impact, say Rad and other security researchers, is to stem the tide of revelations embarrassing to carmakers – not to improve vehicle cybersecurity. “If the stuff is out there,” she said, “the bad guys already know about it.”
A COMING WAVE OF LAWSUITS
There is another branch of government in the US that could prompt action from the auto industry: the courts.
As malicious hacking has spread over the past decade or two, software companies have successfully lobbied to avoid legal responsibility for problems caused when their products are compromised. But those problems largely have been confined to matters of privacy, identity and intellectual property, such as when Social Security numbers, personal e-mails or designs for fighter jets have been stolen.
Car hacking – along with hacking of the Internet of Things generally – stands to change the legal stakes considerably. A Texas lawyer already filed a lawsuit in a federal district court in San Francisco seeking damages from automakers for their reported shortcomings in cybersecurity, after he saw a “60 Minutes” report that highlighted a hacker’s ability to take control of a car.
Physical injuries would make cases against manufacturers of connected devices far stronger, said Jonathan Zittrain, a Harvard law professor who is faculty director for the Berkman Centre for Internet and Society. He predicted a coming wave of litigation relying on tort law, a foundational legal principle that can lead to large damage awards when the action of one person or company can be proved to have caused harm to another.
“If my heart monitor fails and I die as a consequence, the company can’t say, ‘Oh, it was only software,’ ” Zittrain said. “That’s no defence. That’s not going to fly.”
If lawsuits – or government action or insurance companies – eventually force a more aggressive approach to cybersecurity, there are ways to make vehicles or other parts of the Internet of Things significantly safer, experts say.
Fisher, the Tufts computer science professor, oversaw research for DARPA demonstrating that computer code for the Internet of Things could be written in ways that are resistant to hackers. Instead of cars, they used drones.
In the first demonstration, a team of attackers was able to take control of a commercially available quadcopter drone flying over an airfield in Rome, New York, by hacking into the radio signals that controlled the device. Once it was under their control, the attackers easily crashed it into the ground.
That was 2013. The team of defenders – all skilled computer scientists – then had six months to write code secure enough to thwart a repeat attack. To make the challenge as difficult as possible, the attack team was given several weeks of free access to the computer code that the defenders had created.
Yet at the same airstrip, in an otherwise identical scenario, the attackers failed, said Fisher. The quadcopter remained in the sky, whirling safely above the airfield, continuously under control of the defense team.
The key, Fisher said, was rigorously secure code, written by scientists using the best available technology. “So it does what it says it does and doesn’t do other things,” she said.
Automakers may be stuck with a flawed and dated computer protocol, said Fisher, but with enough investment of time and resources, better protections are possible. She suggested building sophisticated filtering systems to spot attempted hacks while they are underway. If the tyre pressure monitor asks the door to unlock, for example, the system could be programmed to ignore the command.
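The kind of filter Fisher describes, sketched as an added example that is not part of the original article or any automaker's code: because CAN frames carry no authenticated sender, the gateway keys its default-deny policy on the physical segment a frame arrived on, and counts drops so repeated violations can be reported. The segment names, arbitration IDs, payload lengths and alert threshold are all constructed assumptions, and the sketch covers classic CAN with 11-bit IDs only.

```python
"""Default-deny CAN gateway filter (added illustration; segments, IDs and policy are constructed)."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Segment(Enum):
    POWERTRAIN = "powertrain"
    BODY = "body"
    INFOTAINMENT = "infotainment"
    TPMS = "tpms"
    KEYLESS_ENTRY = "keyless_entry"


# Constructed 11-bit arbitration IDs; real assignments are manufacturer-specific.
ID_VEHICLE_SPEED = 0x0D0
ID_DOOR_UNLOCK = 0x2F1
ID_TYRE_PRESSURE = 0x3A0


@dataclass(frozen=True)
class Frame:
    ingress: Segment  # port the gateway received the frame on; not a field of the frame itself
    can_id: int
    data: bytes


@dataclass(frozen=True)
class Rule:
    egress: frozenset  # segments the frame may be forwarded to
    length: int        # exact payload length expected for this message


# Anything not listed here is dropped: (ingress segment, ID) -> forwarding rule.
POLICY = {
    (Segment.TPMS, ID_TYRE_PRESSURE): Rule(frozenset({Segment.BODY}), 4),
    (Segment.KEYLESS_ENTRY, ID_DOOR_UNLOCK): Rule(frozenset({Segment.BODY}), 1),
    (Segment.POWERTRAIN, ID_VEHICLE_SPEED): Rule(
        frozenset({Segment.BODY, Segment.INFOTAINMENT}), 2),
}


@dataclass(frozen=True)
class Decision:
    egress: frozenset  # empty set means the frame was dropped
    reason: str


class Gateway:
    def __init__(self, policy, alert_threshold=3):
        self.policy = policy
        self.alert_threshold = alert_threshold
        self.dropped = Counter()  # (ingress, can_id) -> number of dropped frames

    def route(self, frame):
        if not 0 <= frame.can_id <= 0x7FF or len(frame.data) > 8:
            return self._drop(frame, "malformed frame")
        rule = self.policy.get((frame.ingress, frame.can_id))
        if rule is None:
            return self._drop(frame, "ID not permitted from this segment")
        if len(frame.data) != rule.length:
            return self._drop(frame, "unexpected payload length")
        return Decision(rule.egress, "forwarded")

    def _drop(self, frame, reason):
        self.dropped[(frame.ingress, frame.can_id)] += 1
        return Decision(frozenset(), reason)

    def alerts(self):
        """Sources that hit the drop threshold, for reporting to a monitoring system."""
        return sorted(
            (seg.value, can_id, n)
            for (seg, can_id), n in self.dropped.items()
            if n >= self.alert_threshold
        )


def demo():
    """Run constructed sample traffic through the gateway."""
    gw = Gateway(POLICY)
    traffic = [
        Frame(Segment.TPMS, ID_TYRE_PRESSURE, bytes([32, 32, 31, 32])),
        Frame(Segment.TPMS, ID_DOOR_UNLOCK, b"\x01"),  # the tyre monitor asking doors to unlock
        Frame(Segment.TPMS, ID_DOOR_UNLOCK, b"\x01"),
        Frame(Segment.TPMS, ID_DOOR_UNLOCK, b"\x01"),
        Frame(Segment.KEYLESS_ENTRY, ID_DOOR_UNLOCK, b"\x01"),
        Frame(Segment.POWERTRAIN, ID_VEHICLE_SPEED, b"\x00\x00\x00"),  # wrong length
    ]
    return [gw.route(f) for f in traffic], gw.alerts()


if __name__ == "__main__":
    decisions, alerts = demo()
    for d in decisions:
        print(sorted(s.value for s in d.egress), d.reason)
    print("alerts:", alerts)
```

A filter like this limits which segment may originate a command; it does not authenticate a compromised controller that sits on an allowed segment.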
“THIS ISN’T A CAR PROBLEM”
But beyond the technical challenge of thwarting hackers, Fisher wonders if the industry has the right business incentives to improve cybersecurity. Customers typically pay for features they desire, not to avoid theoretical future calamities. That means manufacturers rarely compete with one another to provide the best security, Fisher said.
Of the automakers, she said: “They’re all insecure. They’re all worried about insecurity, but they can’t afford to do it on their own.”
While government and industry struggle to address cybersecurity, the numbers of potentially vulnerable systems in cars are steadily growing. Miller and Valasek counted 23 computers in a 2006 Prius and 40 in one from 2014.
That trend is only accelerating as the auto industry moves toward the introduction of driverless cars. Some of today’s most advanced vehicles already take control of the steering wheel, gas pedal and brakes in certain situations to improve performance and safety.
Yet even older cars with fewer onboard computers are belatedly joining the Internet of Things through wireless devices plugged into the diagnostic ports that the federal government has required in cars since 1996. These devices allow direct access to a vehicle’s brain, much like the one used by Texas Auto Center, allowing both the sending and receiving of signals.
One San Francisco-based company, Automatic, has built an app store for customers who buy its $100 Bluetooth device. With the right apps, motorists can make sure their online thermostats turn on the air conditioning when they are headed home, or they can have an automatic 911 call activated to bring emergency response after a crash.
The data offered through diagnostic ports is remarkably fine-grained. One app, called Unmooch, allows a driver giving his or her friends a ride to college to calculate the exact share of gasoline costs for each passenger; Unmooch even sends a message through a payment app to alert the friends to their share of the bill.
Automatic’s research team initially sought to have a software-only service but discovered that many existing wireless devices that connected to diagnostic ports were easily hacked through the wireless signal, said Thejo Kote, the founder and chief executive of Automatic. “It’s a security nightmare,” he said.
Automatic has instituted several protection measures, including encrypted communications and a system to authenticate firmware updates. But Kote acknowledged that protecting connected vehicles remains daunting.
“At the end of the day,” he said, “nothing is absolutely secure.”
Israeli researchers last year hacked into one of Automatic’s competitors, called Zubie, and demonstrated how they could unlock the vehicle’s doors or alter dashboard displays. With a little more time and energy, the researchers wrote in a blog post announcing their findings, they could have found a way to take control of the engine, the steering or even the brakes.
Ellis, the former Ford technologist who is now a management consultant based in Chicago, argues that outsiders underestimate how poorly suited the industry is to combat the growing cybersecurity threat.
Automakers don’t build cars so much as assemble them from parts sourced from other companies, whose top priorities don’t necessarily include addressing threats that might manifest themselves several steps down the supply chain – long after a vehicle is sold.
Building and maintaining secure software systems, by contrast, requires a business model that can find profit in strong defensive measures and also in providing the regular updates that even the best computer code needs to keep a step ahead of hackers.
Ellis is not optimistic.
“Am I scared of this near future? Sure,” he said. “I’m scared because car manufacturers don’t get software. This isn’t a car problem. It’s a software and business model problem.”