This week’s question comes from Terry C. from San Francisco, who asks:
Q: “Is it true that somebody hacked into a regular car and took over control from the driver? Who is responsible if that happens and someone is injured or killed?”
A: Terry, indeed, it is true. On July 21, 2015, two cyber security and hacking experts (I guess you have to be one to be the other) hijacked a late model Jeep Cherokee from 10 miles away, thereby assuming control of its windshield wipers, radio, ventilation and speed. Ultimately, they disengaged the transmission, causing a total loss of power. (Everyone should read Andy Greenberg’s July 21 account of the event, published in Wired Magazine.)
The “attack,” conducted by Charlie Miller and Chris Valasek, gained access through the vehicles UConnect head unit — controlling the stereo, GPS and climate-control systems — and allowed Miller and Valasek access to the vehicle’s automated driver assist technologies. The demonstration left the giant automaker Fiat-Chrysler scurrying for a solution, recalling some 1.4 million cars that feature the 8.4-inch touchscreen head unit. The recall includes: 2013-2015 Dodge Ram pickups and chassis cabs and Dodge Viper sports cars; 2014-2015 Dodge Durango, Jeep Grand Cherokee and Cherokee SUVs; and 2015 Chrysler 200 and 300, and Dodge Charger and Challenger models.
Around the same time of the Jeep takeover, David Dresher of Mission Secure Inc., a cyber-defense solutions provider, in collaboration with Perrone Robotics Inc., an autonomous vehicle software developer, used an assessment methodology developed by the University of Virginia’s Department of Systems and Information Engineering, in cooperation with the Defense Department, to remotely take over control of a vehicle and crash it.
Researchers have shown that control and entertainment systems — including GPS, keyless entry, tire-pressure monitoring, Blue Tooth and Wi-Fi features — allow easy access to the central command and control systems. Our quest for convenience has not only enhanced our driving experience, it
has made hacking much more convenient too. Implementation of V2V or V2I technology poses a significant security risk: Imagine a hacker who decided to shut down several vehicles on a busy, high-speed freeway or accelerate a
gas tanker towards a school or government building.
This threat is real and imminent.
It should come as no surprise that one of the key backers behind automated vehicle technology has been, and continues to be, the United States Department of Defense through its research and development arm, DARPA (Defense Advanced Research Projects Agency). Autonomous vehicles are just a small part of the DOD’s automated military arsenal, joining drones, remote controlled ships and artillery and supply vehicles.
Given the weaknesses inherent in an automated platform, DARPA has also invested heavily in security counter measures, and one of its private-enterprise partners, Mission Secure, has developed the “Secure Sentinel” system, which uses both hardware and a cloud-based software to block “hostile takeovers.”
Fiat Chrysler Automobiles will pay up to $105 million in fines and penalties to the National Highway Traffic Safety Administration, submit to oversight and buy back nearly 500,000 vehicles it has recalled. This is the largest fine ever issued by NHTSA.
As far as who would be responsible in a civil action, that would be the hacker and the manufacturer: The hacker for hacking into the vehicle, and the manufacturer for failing to protect against the security threat under the doctrines of product liability and negligence.
Christopher B. Dolan is owner of the Dolan Law Firm. Email questions to firstname.lastname@example.org.