This week’s question comes from Terry C. from San Francisco “is it true that somebody hacked into a regular car and took over control from the driver. Who is responsible if that happens and someone is injured or killed?”
Terry, indeed, it is true. On July 21, 2015, two cyber security and hacking experts (I guess you have to be one to be the other) hijacked a late model Jeep Cherokee from 10 miles away thereby assuming control of its windshield wipers, radio, ventilation, speed, and ultimately disengaged the transmission causing total loss of power. (Everyone should read Andy Greenberg’s July 21, 2015 account published in Wired Magazine.) The attack, conducted by Charlie Miller and Chris Valasek, gained access through the vehicles UConnect head unit that controlled the stereo, GPS, climate control systems and allowed access to the vehicles automated driver assist technologies.
The demonstration left the giant automaker Fiat-Chrysler scurrying for a solution recalling some 1.4 million cars which employed the 8.4-inch touchscreen head unit including its: 2013 to 2015 Ram pickups and chassis cabs, and Dodge Viper sports cars; its 2014-2015 Dodge Durango, Jeep Grand Cherokee and Cherokee SUVs; and its 2015 Chrysler 200 and 300, and Dodge Charger and Challenger models. Around the same time of Miller and Valasek’s Jeep takeover, David Dresher, of Mission Secure Inc., a cyber-defense solutions provider, in collaboration with Perrone Robotics Inc., an autonomous vehicle software developer, used an assessment methodology developed by the University of Virginia’s Department of Systems and Information Engineering, in cooperation with the Defense Department, to remotely take over control of a vehicle and crash it.
Researchers have shown that control and entertainment systems, including GPS, keyless entry, tire pressure monitoring, Blue Tooth and Wi-Fi features allow easy access to the central command and control systems. Our quest for convenience has not only enhanced our driving experience, it has made hacking much more convenient too. Implementation of V2V or V2I technology poses a significant security risk: imagine a hacker who decided to shut down several vehicles on a busy high speed freeway or accelerate a gas tanker towards a school or government building. This threat is both real and imminent.
It should come as no surprise that one of the key backers behind automated vehicle technology has been, and continues to be, the United State Department of Defense through its research and development arm, DARPA (Defense Advanced Research Projects Agency). Autonomous vehicles are just a small part of the DOD’s automated military arsenal joining drones, remote controlled ships, and artillery and supply vehicles. Given the weaknesses inherent in an automated platform, DARPA has also invested heavily in security counter-measures and one of its private-enterprise partners, Mission Secure, has developed the “Secure Sentinel” system which uses both hardware and a cloud based software, to block “hostile takeovers.”
Fiat Chrysler Automobiles will pay up to $105 million in fines and penalties to the National Highway Traffic Safety Administration, submit to oversight and buy back nearly half-a-million of the vehicles it has recalled,. This is the largest fine ever issued by NHTSA. As far as who would be responsible in a civil action, that would be the hacker and the manufacturer: the hacker for hacking into the vehicle and the manufacturer for failing to protect against the security threat under the doctrines of product liability and negligence.