The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
How bad is it? This bad:
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
I've been talking about this for years and years. Here's an example from four years ago:
The rush to computerize your car is basically over, which means the rush to pwn it has begun in earnest. Fortunately (for the Bad Guys), security was never part of the design - for example, all of the non-critical components (like cell phones, music players, and GPS nav units) are on the same network as the critical ones (brakes, throttle, transmission control).
Sigh.
I mean, what could possibly go wrong?
It looks like the automakers are fixin' to learn what software companies learned decades ago:
- If a software developer finds a security bug right after he wrote the code, it costs a few bucks to fix.
- If QA finds the security bug a couple months after the developer wrote it, it costs hundreds of dollars to fix.
- If the customer finds the security bug years after the developer wrote it, it costs thousands of dollars to fix.
Remotely hackable cars are a PR nightmare, but I expect there will be a bunch of these stories over the next few years. The rush to market with lousy security designs will cost the automakers millions of dollars. All I can say is that stupid is expensive.