It was a driver’s worst nightmare.
Andy Greenberg was speeding along a busy interstate in St. Louis recently when he suddenly lost control of his vehicle. The accelerator abruptly stopped working. The car crawled to a stop. As 18-wheelers whizzed by his stalled vehicle, Greenberg began to panic.
His car hadn’t spun out on black ice, however. It hadn’t been hit by another vehicle or experienced engine trouble.
It had been hacked.
Greenberg, a senior writer for Wired magazine, had asked Charlie Miller and Chris Valasek — two “white hat” or altruistic hackers — to show him what they could do.
So, while Greenberg drove down the highway, Miller and Valasek sat on Miller’s couch 10 miles away and played God.
“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
“As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.”
The situation stopped being funny, however, when the two hackers cut the engine.
“Seriously, this is f—– dangerous. I need to move,” Greenberg said, pleading for the hackers to return power to the vehicle.
Greenberg survived to tell his tale, of course, but the ordeal is just the latest in a series of incidents highlighting the startling security vulnerabilities of hundreds of thousands of American automobiles.
These incidents have raised the specter of remote-controlled car accidents, in which anarchist hackers or computer-savvy assassins could still be at home in their pajamas while wreaking havoc.
On Tuesday, just hours after Wired published its story, Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) unveiled a bill aimed at keeping Internet-connected cars from getting hacked.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” Blumenthal said.
“Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car,” Markey said in a statement to Wired. “Drivers shouldn’t have to choose between being connected and being protected…We need clear rules of the road that protect cars from hackers and American families from data trackers.”
Even the hackers themselves were taken aback by their abilities.
“When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek told Wired. “I was frightened. It was like, holy f—, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”
The problem is one of our own creation.
Like thousands of other everyday devices, from coffeemakers to power plants, cars are increasingly connected to the Internet. This enables drivers to stream music, watch videos and use GPS.
But it also exposes their cars — and therefore the drivers as well — to hackers.
Miller and Valasek exploited a weak spot in Uconnect, an Internet-connected feature on as many as 471,000 Fiat Chrysler late-model automobiles, most of them in the United States. Using a laptop computer and a burner phone, they were able to send a series of commands to the car.
“Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them,” Greenberg explained. By connecting a phone to his laptop, Miller was able to use the phone as a Wi-Fi hot spot and search Sprint’s entire 3G network for hack-able cars.
Not only does the computer weakness allow hackers to manipulate the locks and turn off the engine, it also enables them to cut the brakes. They can even take over the steering wheel if the car is in reverse.
“From an attacker’s perspective, it’s a super nice vulnerability,” Miller told Greenberg.
The stunt seems to confirm fears that have worried security experts for several years now. In 2011, researchers at the University of Washington and the University of California at San Diego proved they could remotely disable a car’s locks and brakes.
While the researchers didn’t reveal the car manufacturer, Miller and Valasek have made no secret that their hack affects cars made by Fiat Chrysler.
Before going public with the news, however, the hackers took their findings to the company. Chrysler has recently released a patch to prevent such hacking.
Checked patch, looks good. Well done Chrysler! Now, back to a vulnerable version for more testing! pic.twitter.com/RdBOyrRPuc
— Charlie Miller (@0xcharlie) July 20, 2015
“[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” the company said in a statement sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”
“Patch your Chrysler vehicle before hackers kill you,” warned Fox News on Wednesday after Wired published its article.
Thanks to Miller and Valasek, Chrysler drivers can now guard against such invasions. But the Uconnect weakness is only the tip of an Internet security iceberg. There are many other ways that a car can be compromised by hackers.
Other brands, for example, might not be any safer.
“I don’t think there are qualitative differences in security between vehicles today,” UCSD computer science professor Stefan Savage told Wired. “The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone’s still getting their hands around.”
In February, hackers demonstrated to NBC 4 in New York how they could override a car’s system using a tiny Wi-Fi dongle plugged underneath its steering wheel.
Other successful attacks have involved “infecting the computers in the repair shop and then having that infection spread to the car through the diagnostic port, or hacking in through the Bluetooth system, or using the telematics unit that’s normally used to provide roadside assistance,” Kathleen Fisher from the federal Defense Advanced Research Projects Agency (DARPA), told NBC.
Car makers have been slow to respond to criticism from researchers or hackers like Miller and Valasek.
“There is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” according to a study compiled by Markey and released in February.
The study, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” found, among other things, that:
- Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
- Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
- Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
The security shortcomings exposed by Miller, Valasek and others are especially worrying as fully automated cars appear on the horizon.
Imagine laying back in your fully automated car on your way to work when someone at a Starbucks miles away takes control and sends your robotic car swerving into oncoming traffic.
If you think that’s scary, however, there are a countless other devices that could, theoretically, fall under the sway of hackers.
A computer security advocacy group called I Am The Cavalry warns that the threat goes far beyond cars to include common Wi-Fi connected medical devices like IV pumps or implantable pacemakers, electronic home security systems, and — on a grander scale — public infrastructure like railways, airplanes and power plants.
“When you get up in the morning and get in your car to go to work, by the time you’ve gotten to work and sat down at your desk, you’ve literally interacted with probably several hundred of those controllers from when you turn on the tap to brush your teeth, to when you turn on the power to when you turn on your car engine,” Tom Parker, a professional hacker hired to help companies find their systems’ flaws, told NBC 4.
Miller and Valasek told Wired that they will give more details on their harrowing hack in two weeks at the annual Black Hat security conference in Las Vegas.
“This is what everyone who thinks about car security has worried about for years,” Miller told Greenberg. “This is a reality.”