The article on Wired.com last week was like something out of a Hollywood thriller. As writer Andy Greenberg sped down the highway in a Jeep Cherokee, the radio started blasting hip-hop, the air conditioning unexpectedly turned on, the wipers activated — and then the SUV switched itself into neutral. Or rather, hackers on laptops miles away switched it into neutral. They later disabled its brakes so that it ran into a ditch.
The tale plays into the public’s worst technophobic nightmare: that our smart machines might do us harm. The problem with the Jeep was that its manufacturer, Chrysler, didn’t follow a basic rule of security, which is to keep the parts that communicate with the outside world completely separate from the parts that control the crucial systems, such as steering and brakes.
Yet Jeep’s practices are typical of the auto industry, which has raced to add Internet-connected information, entertainment and emergency systems without walling them off from internal communications channels. To hackers, any electronic pathway out of a car is also a way in. And with more internal car functions being controlled by chips and software, the list of things that could conceivably be commandeered by hackers is steadily expanding.
Granted, it took Greenberg’s hackers — a pair of security researchers who warned him in advance — months to find a way to take over a Jeep through its entertainment system, and Chrysler has already issued a software update to plug that hole. Nevertheless, the incident should set off alarms throughout the industry, which still relies on protocols developed long before cars could connect electronically to other, potentially hostile devices.
Security experts say there has been no concerted effort by automakers or parts suppliers to redesign internal communications channels to guard against attackers. Yet the risks will only grow as more vehicles add features that require the car to communicate digitally with the world around it.
The same day Wired published Greenberg’s Jeep piece, Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced a bill to require the National Highway Traffic Safety Administration to develop security and privacy standards for vehicle electronics and offer ratings on how well they guard against hackers. Although mandating a specific security approach would be a bad idea — lawmakers and regulators can’t keep pace with ever-changing technology — having the agency shepherd the industry’s efforts to identify and respond to vulnerabilities would be welcome.
And putting a security grade next to the mileage estimate on a new car’s sticker would bring needed pressure on the industry to make vehicles more resistant to hackers before they hit the showroom floor.
FROM AN EDITORIAL IN THE LOS ANGELES TIMES