Lessons Learned from a Jeep’s Hacked Computer
Two security researchers recently proved that automobile manufacturers may need to beef up security for vehicles with dashboard computers.
Charlie Miller and Chris Valasek were able to manipulate a Jeep’s dash computer and remotely disable its brakes, take control of its steering wheel and shut off the engine while journalist Andy Greenberg was driving it. The experiment prompted Fiat Chrysler to recall 1.4 million vehicles.
On its website, Fiat Chrysler America seemed to imply the hack was possible only because Miller and Valasek were experts who spent months trying to access the control systems. But there’s no way to predict the number of hackers worldwide with plenty of time to burn and a desire to create havoc.
Miller and Valasek exploited a security vulnerability in FCA vehicles’ use of Sprint, which provides wireless access for the company’s UConnect “infotainment” system. Since the security vulnerability was discovered, FCA has issued a patch users can install directly into dashboard computers, via a USB port. FCA cars aren’t currently able to receive automatic software updates via Internet connections.
So, how are manufacturers able to introduce computerized vehicles to the market without ensuring those systems are safe for consumers? One explanation is that automakers don’t fully understand the various methods hackers could use to gain access to dash computers. Another explanation is that the technology is moving faster than regulators’ ability to establish guidelines.
Development of Oversight
In February 2015, U.S. Sen. Edward J. Markey, D-Mass., issued a report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” Markey and his staff surveyed 16 major automotive manufacturers about the security of vehicle technology. Among the more troubling findings were:
- Only two manufacturers were able to describe credible, real-time capabilities for remotely detecting and reacting to the hacking of a vehicle computer; most employed technologies that would detect hacking only through inspection at a service center or dealership.
- Data collected on drivers may include previous destinations, location during transit, speed of travel and last location parked, and a majority of automakers transmit that information to third-party data centers and don’t describe an effective method for protecting it.
Markey’s report shows that a hacker might be able to collect detailed information about a driver’s daily driving habits and whereabouts, and automakers might be unable to detect such a breach.
On July 21, 2015, Markey and Sen. Richard Blumenthal, D-Conn., introduced legislation that would task the Federal Trade Commission and National Highway Traffic Safety Administration with developing rules for automotive cybersecurity.
It’s a mistake to assume hackers have to be experts to infiltrate sensitive systems. Given enough time and determination, hackers may be able to find that tiny hole in an organization’s security – whether that’s in a business’s relationship with a third-party vendor, or through an employee’s use of weak passwords.
Lifeline Data Centers can help businesses stay one step ahead of hackers, thanks to our physical and virtual security controls. Schedule a tour today to see how our secure solutions could work for you.