Recently, a number of media outlets, including Wired magazine and the Washington Post, reported how two hackers wirelessly took over a Jeep Cherokee, including at one point on a Missouri highway. The culprits — who staged the “hijacking” for reporters — forced the SUV to slow down, played with the windshield wipers and stereo, and then interfered with the vehicle’s brakes.
The hackers are actually researchers studying the hacking vulnerability of two dozen makes of vehicles, based on readily available Web information about various car systems that allow the vehicles to receive information electronically.
Their goal is to prompt carmakers to defend against remote attacks by securing remote endpoints, using cryptography to verify messages and isolating data access points from those systems that control critical safety features. They also recommended adding attack detection and prevention technology to critical networks. While many of these recommendations seem reasonable, their implementation should be left to the experts and system designers.
A couple of senators introduced legislation within hours of the story breaking. Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) proposed new rules for automakers, including a requirement that automakers follow a government-mandated set of security standards for vehicles. The bill would also require the establishment of privacy standards and require automakers to inform people about how data from cars is collected and sold, allowing customers to opt out or restrict how their data can be used in marketing.
The proposal also would require manufacturers to display window stickers on new cars that explain security and privacy protections.
The Jeep experiment demonstrates how premature government involvement is likely to interfere with potential industry solutions. Software security teams in industry are better off focusing on the latest threats and security best practices, rather than compliance with bureaucratic measures handed down from Washington.
We must keep in mind that the researchers behaved according to “white hat” rules, by giving Chrysler early access to data and time to develop a patch. Indeed, the automaker has already issued a security patch to fix a few of the issues, so the system worked as intended.
But the wireless-hijacking meme is catnip to legislators eager to regulate the new features consumers want, even if the risk is close to zero. As a practical matter, other than this well-funded hacking effort — and it’s not clear who paid for it — there has been no known wireless hacking of automobiles.
Many of the security issues described in the Wired essay require near-proximity wireless access and highly skilled hackers with special tools and knowledge. Indeed, one of the researchers is a former National Security Agency hacker, and the other is a professional consultant on vehicle-security research. And most of the cars listed in the researchers’ report were never actually hacked or tested. Bottom line? Most of the hacking risk is negligible.
At this point, the best thing policymakers can do is give auto companies some breathing room and the opportunity to respond in the marketplace. Automakers can and should position their vehicles as safe and secure machines.
Auto companies also face legal risk if hacking is easy, especially if hackers can actually control the safety of the car, so it’s in their own interest to address the issue. Even in the absence of legislation, the market will respond. Tesla’s quick reaction to fix several software flaws in its Model S is a prime example of how quickly and seamlessly car companies can respond to and correct technical issues.
The public would be better served by policymakers working instead to advance new safety technologies, such as vehicle-to-vehicle (V2V) communication. At a House Energy and Commerce subcommittee hearing on the subject this year, Barry Einsig, global transportation executive for Cisco Systems, told lawmakers that V2V-connected cars “will be able to help drivers avoid everything from a fender bender to a deadly crash.”
With V2V technology, Einsig added, “Cars will have the capability to warn motorists to brake immediately or even take evasive action when accidents are imminent.” That would “save countless lives and trillions of dollars in property damage and lost productivity.”
Before we legislate new restrictions on innovation and technology, let’s take a moment to survey how the industry is best positioned to address potential problems — especially those based on some obscure, theoretical harm. Historically, automakers have a track record of advancing safety and security in cars, and there’s no reason to expect them to backpedal when it comes to the critical and forward-looking area of cybersecurity.