It’s been quite a week for the connected car industry—which, really, at this point, means the car industry as a whole. On Tuesday, Wired reported on the work of two White Hat hackers who successfully hacked into and remotely controlled a Jeep Cherokee while miles away from the vehicle. That same day, Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced new legislation aimed at securing data in connected cars. By Friday afternoon, just days later, Fiat Chrysler announced a voluntary recall of 1.4 million cars equipped with a specific radio-entertainment system.
Update, Monday, July 27, 1:19 pm EST: After publishing this post, the U.S. National Highway Traffic Safety Administration launched a "recall query" to investigate the company's proposed fixes for the security vulnerabilities. The NHTSA's Mark Rosekind said the agency will "further assess" the recall, and said it "encouraged" Fiat Chrysler to initiate the recall. Fiat Chrysler said it is cooperating with the investigation. To add onto what ended up being a bad weekend for the auto company, the U.S. Department of Transportation (DoT) announced Fiat Chrysler has acknowledged it violated the Motor Vehicle Safety Act, will submit to "rigorous federal oversight," purchase back defective vehicles and will pay $105 million civil penalty for faulty suspension issues not relating to the security vulnerabilities. This is the largest fine ever imposed by the DoT's National Highway Traffic Safety Administration.
The recall is a first-of-its-kind move in the Internet of Things era.
Though voluntary, this recall is a big deal, demonstrating a very real convergence of the online and offline worlds. The Internet is expanding into our physical world to the point where a person miles away and through a computer can jam on the brakes of a brand new vehicle travelling 70 miles an hour down a interstate highway. And the realities of the Internet of Things means that a hack might not only mean the injection of malware or the loss of a digital identity, but a tangible and physical accident threatening human lives.
To quickly recap, hackers Charlie Miller and Chris Valasek successfully exploited a vulnerability in certain Fiat Chrysler vehicles that allowed for the remote control capabilities. After gaining entry into a vehicle’s system (they won’t reveal the actual vulnerability until their Black Hat demonstration next month), they rewrote code on the entertainment system’s firmware and then injected their code. They then were able to send their commands throughout the vehicle’s entire internal computer network.
The article, which generated tons of media hype throughout the week, was published on the same day that Markey and Blumenthal announced new legislation to protect drivers from data security vulnerabilities and privacy risks. The bill, called the Your Car (SPY) Act, would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission to create federal standards to secure connected cars and protect drivers’ privacy. The bill would also establish a “cyber dashboard” to inform consumers on the levels of digital protection a given connected vehicle will provide. Whether it has a chance to pass remains to be seen, but this week's demonstration and subsequent recall may give it a jolt.
To add pressure on the car industry, the NHTSA also expressed concern this week about connected car data security and privacy. NHTSA Administrator Mark Rosekind said the industry must not only focus on traffic safety, but also on information security as well. “We much reassure vehicle owners that their data is secure,” he said.
And that’s clearly what Fiat Chrysler is attempting to do. Really, their fix is a two-step measure. First, they’ve “applied network-level security measures to prevent the type of remote manipulation demonstrated,” according to the Wired report. Second, a willing consumer will receive a USB device for upgrading the vehicle’s software. These updates are independent of the network-level fixes, but require a physical implementation of the software.
The car hack and the subsequent recall gets to the heart of the security issues inherent in the Internet of Things. I’ve written about the issues found with security patches and firmware before. As security vulnerabilities are found in IoT devices “in the wild,” how will companies ensure their consumers get those security updates?
Since consumers will have to physically access the correct USB device, the chances of them upgrading the internal system goes down. It will be interesting to see how the auto industry deals with this concept moving forward. On the one hand, this more cumbersome patch is bad because not as many consumers may implement it. On the other hand, it could be thought of as a cybersecurity precaution: If this were patchable online, it would also be more vulnerable to malware.
Will we get to a point where our cars have to go to the shop, not only for their periodic oil change, but for their periodic software update? Or will cars be designed so that such patches will be conducted online, just like your PC or phone?
Whichever way it goes, privacy and security by design will be paramount for the car industry. The road ahead for engineers will be a tough and serious one, and one that lawmakers and government regulators are clearly already eyeing closely.
I shared news of the vulnerability with my neighbor who has a vulnerable car. He was definitely annoyed with the incident, but added that it would be so hard for someone to actually implement it, that he wasn’t that concerned and that he'd deal with it later.
Fiat Chrysler points out how difficult that actual hack was, stating, “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”
I’m sure it would be easy for a company to use such facts as a reason to not recall their product. To Fiat Chrysler’s credit, they did it anyway. Better safe than sorry, as many a privacy pro knows.
Fiat Chrysler released a timeline of vulnerability here. While Fiat doesn’t mention the white hat demonstration as part of their rationale for the recall, the timing does seem awfully coincidental, and it's generating a lot buzz among security experts on Twitter.
Regardless of whether it was the hack that prompted the recall or not, I just hope other companies learn from this.
photo credit: The Fiat LOGO! coming soon to you with the Chrysler Family via photopin (license)