This week’s question comes from John J. in the Mission, who asks:
Q: “I have been reading about the vulnerability of today’s modern cars. Is it true that they can be hacked and taken over? If they are taken over and a crash happens, who is responsible?”
A: John, your question is timely. There have been recent articles published about a remote take-over of a vehicle’s control systems by hackers 10 miles away. To date, there is no published case that has been brought involving such an incident, but this simply means that a collision as a result of a vehicle hacking has yet to occur.
For anyone who thinks this scenario is unlikely — or decades off — think again. Today’s vehicles incorporate a plethora of automated features such as adaptive cruise control, collision avoidance, lane assist, self-parking, automated braking systems, passive anti-theft system, tire pressure monitoring, remote starting capabilities, remote keyless entry, Internet applications, Bluetooth capability, GPS, Wi-Fi, OnStar an so on. If your car has any of these components, you are vulnerable. If you have Bluetooth capacity or Wi-Fi, your vulnerability rises exponentially as these features provide an access portal for external control of some or all of the computer automated systems in your vehicle.
Currently, there is no industry protocol relating to encryption or security for these systems. The vulnerabilities go far beyond our personal vehicles: they have implications for robotic devices and drones and, therefore, have the attention of the U.S. military.
On July 21, an experiment was conducted by a team of systems vulnerability and security analysts from a company called IOActive, which, over the last five years through a series of Department of Defense grants, has conducted research on the ability to gain remote control over a vehicle’s computerized control systems.
While a new Jeep Cherokee was driven by Andy Dreenberg, an author for Wired Magazine, at 70 mph on a highway though St. Louis, Charlie Miller and Chris Valasek from IOActive began turning on and off the air conditioner, manipulating the radio and the windshield wipers. All of this was done without them altering any of the vehicle’s hardware or having any hardware link installed on the car.
Miller and Valasek then upped the ante and completely disengaged the transmission causing a complete power failure. Dreenberg lost all ability to control the vehicle’s speed on a highway as an 18-wheeler came fast upon it. If that were not enough, Miller and Valasek made their likenesses appear on the vehicles navigation and control screen. Miller and Valasek were 10 miles away when they assumed all control.
This experiment is not isolated. Mission Secure Inc., a cyber-defense solutions provider, and Perrone Robotics Inc., a software developer for autonomous vehicles, working with the University of Virginia and the Department of Defense, also took over control of a vehicle. Then they demonstrated a prototype of a security system, called “Secure Sentinel,” which can sense a security threat to vehicles automated systems and engage a counter measure “faster than a human could.”
Perrone hopes to have a smartphone enabled version of Secure Sentinel available in 18 months.
The seriousness of this threat can be better appreciated by reading a February 2015 congressional study, commissioned by Sen. Ed Markey of Massachusetts, entitled, “Tracking and Hacking, Security and Privacy Gaps Put American Driver’s at Risk.” The study’s results were so alarming that on the same day, July 21, Sen. Markey introduced The Security and Privacy in Your Car (SPY Car) Act designed to craft and enact regulations to protect not only hacking of a vehicle’s control systems, but also to protect the privacy of drivers. This is because many of our vehicles, unbeknownst to most of us, regularly — and wirelessly — transmit data about how and where we drive to manufacturers and third parties, both of whom may use that information to engage in marketing goods, services and products to you.
Right now, given manufacturer’s knowledge of the inadequate security of their vehicle control systems and the threat posed by this weakness, it is quite plausible that a manufacturer could be sued for failing to install adequate cyber-security systems on its vehicles. That may be why Fiat-Chrysler, after vulnerabilities in the Jeep were exposed, recalled 1.4 million vehicles.
Christopher B. Dolan is owner of the Dolan Law Firm. Email questions to firstname.lastname@example.org.