This week’s question comes from John J. in the Mission who asks “I have been reading about the vulnerability of today’s modern cars. Is it true that they can be hacked and taken over? If they are taken over and a crash happens who is responsible?”
John, your question is timely. There have been recent articles published about a remote take-over of a vehicle’s control systems by hackers ten miles away. To date there is no published case which has been brought involving such an incident but this simply means that a collision as a result of a vehicle hacking has yet to occur.
For anyone who thinks that this scenario is unlikely, or decades off, think again. Today’s vehicles incorporate a plethora of automated features such as adaptive cruise control, collision avoidance, lane assist, self-parking, automated braking systems, passive anti-theft system, tire pressure monitoring, remote starting capabilities, remote keyless entry, internet applications, Bluetooth capability, GPS, WiFi, OnStar, etc. If your car has any of these components you are vulnerable. If you have Bluetooth capacity or WiFi, your vulnerability rises exponentially as these features provide an access portal for external control of some or all of the computer automated systems in your vehicle.
Currently there is no industry protocol relating to encryption or security of these systems. The vulnerabilities go far beyond our personal vehicles, they have implications for robotic devices and drones and, therefore, they have the attention of the U.S. Military.
On July 21, 2015, an experiment was conducted by a team of systems vulnerability and security analysts from a company called IOActive who, over the last five years, through a series of Department of Defense grants, have conducted research on the ability to gain remote control over a vehicle’s computerized control systems. While a new Jeep Cherokee was being driven by Andy Dreenberg, an author for Wired Magazine, at 70 mph on a highway though St. Louis, Charlie Miller and Chris Valasek from a company called IOActive began turning on and off the air condition, manipulating the radio, and the windshield wipers. All of this was done without their having altered any of the vehicle’s hardware or having any hardware link installed on the car. Miller and Valasek then upped the ante and completely disengaged the transmission causing a complete power failure. Dreenberg lost all ability to control the vehicle’s speed on a highway as an 18 wheeler came fast upon it. If that were not enough, Miller and Valasek made their likenesses appear on the vehicles navigation and control screen. Miller and Valasek were ten miles away when they assumed all control.
This experiment is not isolated. Mission Secure Inc. (MSI), a cyber-defense solutions provider, and Perrone Robotics Inc., a software developer for autonomous vehicles, working with The University of Virginia and the Department of Defense, also took over control of a vehicle. Then they demonstrated a prototype of a security system, called “Secure Sentinel” which can sense a security threat to vehicles automated systems and engage a counter measure “faster than a human could.” Perrone hopes to have a smart phone enabled version of Secure Sentinel available in 18 months.
The seriousness of this threat can be better appreciated by reading a February 2015 Congressional Study, commissioned by Senator Ed Markey of Massachusetts, entitled, “Tracking and Hacking, Security and Privacy Gaps Put American Driver’s at Risk.” The study’s results were so alarming that on July 21, 2015, Senator Markey introduced The Security and Privacy in Your Car (SPY Car) Act designed to craft and enact regulations to protect not only hacking of a vehicle’s control systems, but also to protect the privacy of drivers as, unbeknownst to most of us, many of our vehicles regularly transmit data, wirelessly, regarding how and where we drive to manufacturers and third parties who may use that information to engage in marketing goods, services and products to you.
Right now, given manufacturer’s knowledge of the inadequate security of their vehicle control systems and the threat posed by this weakness, it is quite plausible that a manufacturer could be sued for failing to install adequate cyber security systems on their vehicles . That may be why Fiat-Chrysler, after vulnerabilities in the Jeep were exposed, recalled 1.4 million vehicles.