Wired published a blockbuster story Tuesday about security researchers remotely hacking a Jeep Cherokee driven by reporter Andy Greenberg.
Taking advantage of a vulnerability in the car’s UConnect “in-vehicle connectivity system,” the hackers were able to take control of parts of the car, turning the AC to full blast, pumping up the volume on the radio, and spraying the windshield with washing fluid. “I can’t see,” complained Greenberg in a video accompanying the story. At the time, he was driving 70 mph on a highway in St. Louis.
And then it got worse. Researchers Charlie Miller and Chris Valasek, who have been trying to bring attention to security vulnerabilities in cars for years now, turned off the acceleration so that the Jeep slowed dramatically. Greenberg, who had given Miller and Valasek permission to hack him but who had been assured “it wouldn’t be life-threatening,” gets visibly distressed, telling them via iPhone, “This is fucking dangerous.”
A semi-truck drives around the car, honking angrily.
Miller and Valasek can barely hear Greenberg over the loud music, which he can’t turn down. And they say in the video that Greenberg probably can’t hear them instructing him to turn off the car to retake control over it. Greenberg notes in his write-up that he had no shoulder to pull over onto, so he presumably stopped in the middle of the highway.
It makes for an amazing and dramatic story that will surely bring new urgency to carmakers’ plans to secure the software on their vehicles and that will inspire lawmakers to pressure carmakers to do so. But, much like the alleged mid-air hacking of a plane by a security engineer earlier this year, it was a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders.
When it comes to real-life experiments, these “in-the-wild” demonstrations of vulnerabilities in the Internet of Things are far more troubling and dangerous than other recent controversial experiments, such as Facebook’s attempts to manipulate users’ emotions.
Greenberg is a former colleague and a friend, but it’s troubling that he and his talented collaborators would explore this vulnerability in a way that put him and the drivers around him at risk of something going terribly wrong.
A Hacker News commenter said that he’s filed a complaint with Missouri Police about the demonstration and that they were “concerned.” “I’m all for testing exploits and security research, but this isn’t the right way to do it,” he wrote.
“This attack has serious consequences,” said car hacker Charlie Miller in the Wired video. “We did it in as safe a way as we could.”
Not really. Greenberg has worked with these researchers before, showing last year that they could hack a vehicle by plugging a laptop into the control port, but he did so in a controlled environment — a parking lot, with no one else around who could get hurt. That should be the way these things are done. If the Jeep hack demonstration requires a car going 70 miles per hour, it should be on a deserted race course, not on a public highway.
Another security researcher who has done work around hacking cars tweeted that his team did take those types of precautions.
Yes, it’s very troubling that cars can be hacked remotely. (People with Chrysler vehicles that have the UConnect system should definitely patch the vulnerability, stat.) Yes, car companies should be building more secure vehicles. Yes, these companies should do everything they can to work with security researchers to find these flaws before the cars are out on the road, and to fix them if they make it out onto the road.
But there are going to be many, many security vulnerabilities in the Internet of Things, from planes to trains to automobiles. Some of these software vulnerabilities could kill you if exploited. Journalists and researchers have a flair for the dramatic (I personally love stunt journalism); they’ll be tempted to demonstrate these vulnerabilities “in the real world,” but that recklessness needs to be reined in. Otherwise security-minded hackers may well be seen as the enemy, and, more importantly, someone could get hurt.