Bull Session

Hacking Cars

July 30, 2015          

Episode Summary

In this episode of The Digital Life, we discuss the Jeep auto hack in which cybersecurity researchers were able to remotely take control of a car’s critical systems, the subsequent 1.4M vehicle recall by Chrysler, and the new bill introduced by Senators Ed Markey (Dem – Massachusetts) and Richard Blumenthal (Dem – Connecticut) to protect automobiles from cyberattacks. Are security and privacy the defining issues for the Internet of Things? Unfortunately, it seems like this incident may be the first of many examples of hacking the IoT and connected environments.


Hackers Remotely Kill a Jeep on the Highway—With Me in It
After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
Senate Bill Seeks Standards For Cars’ Defenses From Hackers

Welcome to Episode 114 of The Digital Life, a show about our adventures in the world of design and technology. I’m your host, Jon Follett, and with me is founder and co-host, Dirk Knemeyer.

Greetings, Jon. What’s in the news today?

I think some of the biggest tech news the past week or so has been all about this Chrysler auto hack. Basically, a set of hackers who were benevolent, apparently, in their intent, hacked into a Jeep while a writer from Wired Magazine was driving it on the highway, and demonstrated how they could do things, sort of innocuous things, but annoying things like turn on the air conditioning and put their picture up on the dashboard, and then do something very alarming, which was, they were actually able to cut the power to the engine entirely.

I’ve seen other video where they’re able to take control of the steering and do things to the brake system, all of this connected software that Chrysler has in their vehicles and has since issued a patch for and shut down this particular exploit.

The idea is certainly maybe not a new one but has not had this level of public scrutiny, which is, as our cars become rolling boxes of technology, they are subject to people being able to do this sort of exploit of events to them and then ultimately wreak all kinds of mischief.

In this case, no one was hurt, of course, but we can see the potential, where the Internet of Things is meeting up with all of the security concerns of being hacked, and it’s really causing quite an uproar. What’s been your take on that exploit, Dirk?

It’s a great foreshadowing of how we’re moving into a period where our connected computing devices are integrated into our lives in a way where they can be used to hurt us physically. They can used to hurt us for real, so hacking, until now, the limits of it were basically identity theft, which is not great. If you really had your identity stolen, there could be some big inconveniences and, depending on how you react to it, potentially big problems, but there’s nothing that can physically harm you directly, as if a weapon is hitting you.

Here, we have this exploit where somebody could take your car and, with the little picture they showed with the article, drive it right into a ditch. You could be killed by a hacker who gets into your device and gives it instructions to take you off path and put you in the way of physical harm.

This is just the beginning. This is going to be a lot more in the future, not less, as the devices are either integrated into us physically. By into us, I’m not talking necessarily about from a sideboard prospective, but just from touching our bodies, or from controlling things in and around our bodies that, if taken in a certain direction, could cause us harm. To me, it’s just sort of a warning sign for something that those of us on the inside have known is coming. This, now, is really showing it to the mainstream and saying, “Look at the potential of what can happen,” and again, it’s just the beginning.

I think as it means something extra special in America, where your car, in a lot of ways, the car has been seen by many as an extension of yourself. We spend a lot of time in our cars, and we love our cars, and we transformed our entire national infrastructure to support driving. We’re not super into taking rail, whether it’s lighter or heavy rail. aWe fly a lot, but the car, the American roadway, this country was built up around cars, so exposing someone’s most personal vehicle is meaningful, because it touches on just about everybody. This technology, of course, is not in every car right now, but that’s where it’s headed. I think there’s a culture in America around cars that is being invaded by this cyber security problem.

I honestly don’t know what the total reaction’s going to be. Certainly Chrysler was immediate with their recall of 1.4 million vehicles across a number of their different vehicle types. There’s a US Senate bill which was introduced on July 21st by Senators Markey and Blumenthal, both from the New England region, which is technology laden. These guys are immediately calling for security standards, privacy standards, and some transparency around those compliance issues. Car manufacturers in the future, you’ll look and you’ll see, “Oh, we get 70 miles to the gallon, and oh, by the way, we’re hopefully 100 percent compliant with out cyber security and cyber privacy standards as well, as you go around to your car dealer.”

I think it’s an interesting moment for a lot of reasons, because it’s forcing, as you said, this intersection of digital and reality in a very physical and immediate and scary way in an area that’s so important to Americans, generally speaking. How do you see this playing out, especially with this US Senate bill, Dirk?

Let me come back to the legislative aspect in a little bit. There’s a couple of things that should make us frightened. One is that hacking is something that is going to happen, and going to happen successfully despite best efforts. This happens at the level of the US government being hacked in different ways. We had a show on that recently. If the US government can’t protect itself, who the hell can? Certainly not a car manufacturer.

On a more local level, look, for a long time people have been able to hack into ATMs. That’s a proven, not this big giant government saying, hackers in Siberia, thinking that happened. We have proof of concept of people, in local ways, being able to apply technology to corrupt and undermine physical systems that, in the case of an ATM, it’s “just” stealing a lot of money out of a machine, but if we get into things that are on, around, or implanted in our bodies, the implications can be really, really a whole lot more dire.

Again, going back to the show we did before, on the hacking of the US government, it’s not preventable at a certain level. Coming back and talking, now, about the specific car example that started this whole conversation, there’s way too many fail points. Depending on what the specific application is, or what’s happening, you have a car manufacturer that may have software in this process. You have a device manufacturer, an Apple, or a Google, or one of their Samsung, one of their partners may have software in this process. There may be apps being used within those platforms that additionally have a role in this process.

Then you have the carrier. You have your Sprint. I guess it was Sprint’s network, or maybe it wasn’t the network, but something about how Sprint interfaced with this whole system that was the fail point in this example. You’ve got that aspect, so it’s hard enough to lock an information system like those that the US Government has when you’re talking about all of these different platforms and applications that all present potential vulnerabilities. Holy Cats! It’s a hard problem.

I don’t want to call it unsolvable, but certainly today it’s unsolvable to really, really be able to look the consumers in the eye and say, “This system that’s connected to the internet and makes all these cool things happen for you in the context of this device, and in this case, we’re talking about a car as a device, can’t be hacked. You’re a hundred percent safe. Nobody can crack this.” As long as it’s going out and connecting with external networks, nobody can make that promise, so it’s an eye-opener, that’s for sure.

I think you touched on something important there, as you were talking about the devices in and around our person. There’s certainly all kinds of medical devices that are connected to networks, both embedded within people, like pacemakers or mission critical, life critical systems that are connected.

The automobile hack, while it’s directly related to those kinds of systems, it also portends bad things for systems that have that physical capability of doing harm, as you mentioned earlier. Because there’s often a lot of standard ways for communicating wirelessly, that also means that there’s a lot of exposure for a hack and an exploit that could be warped in one area may very well apply to another if it’s not patched.

It sort of opens up a can or worms, because now we’re not just thinking about our desktops and laptops and tablets and phones. We’re also thinking about all of these other nifty gadgets that are proliferating, whether they’re in health environment or home environment or out on the road. There’s so much great promise to the general Internet of Things, but the security issue is quickly racing to the forefront. It will be interesting to see how the government gets involved in the design of the Internet of Things, because they’re already starting to do that. Then how private industry tries to manage the potential damage caused by the perception and the reality of security being so porous.

That’s right, and circling back to the legislative question that you asked, that’s a whole different complicatedness. The legislative process moves so slowly, and the legislators are so almost universally out of touch with the latest and greatest in what’s happening with all of this technology. Academia and the government just don’t keep up with market technology and with the markets, with the business world. Technologies are changing and evolving so rapidly. The government in general isn’t able to even figure out what’s happening today, let alone predict where things are going tomorrow, let alone legislate in a sensible, considered, flexible, appropriate way to address those things. I just roll my eyes. In a much less sophisticated context, something we’ve talked about before on this show, it was a legislation around flying drones. There was an interesting story recently about how people flying drones over wild fires were preventing the firefighters from fighting the fires. They had to keep their helicopters on the ground for half an hour or something, until the drones left. That’s something we’ve talked about on the show as the government not taking care of and is going to have unintended consequences. Here we go. Fires raging out of control as idiots fly their drones to get pictures and post them on social media. That’s straightforward. What should be done about drones and controlling that in smart, sensible ways. That’s not rocket science. The stuff we’re talking about here is closer to rocket science. I have no faith at all that the government will do anything approximating the right thing in any kind of time frame that isn’t measured probably in decades, even as opposed to years, which is horrifying to say, but I do believe it.

I think, as you pointed out, you mentioned the word “flexible,” and our legislative process and the regulatory process that comes out of that is really going to reach a tipping point, I think, where it’s not going to be flexible enough to manage. We’re talking about a couple of different emerging technologies here. The Internet of Things is just one of those, drone technologies another. There are a number of emerging technologies coming to the fore, all of which need this technical attention. It makes you wonder whether or not the government needs a more robust technology evaluation and interface on where they can keep up to speed with these market-driven technologies.

Frankly, it’s one thing in the United States. There’s the whole specter of next-generation warfare, and there has been a lot of blame cast on the Chinese, or for groups that are associated with the Chinese Government for hacking into US Government facilities and systems. You can see how cyber warfare could be brought to the next level when you’re talking about hacking into automobiles, so all of a sudden, it’s not just information moving that sort of a negative player would want to act on that information. It could also be physical consequences to that hacking as well, which I think is going to at least be a consideration when we’re talking about cyber warfare in the future.

Riffing on that, and the example I’m going to use isn’t possible, and probably wouldn’t be possible, but wouldn’t it be fascinating if, at some point in the future, as the US and China are locked in some bullshit that could erupt into something, if the Chinese government’s hackers made every car on the US roads for two seconds, go out of control, and then back into control? What a display of power that would be, just to use sort of a bombastic example. It’s a different world, my friend. It’s a much different world than you and I grew up in, that’s for sure.

It never ceases to amaze me how much faster this is moving. I’ve been an observer of technology and user of technology for a long time, and the speed at which this is happening seems a lot more rapid than anything we’ve seen in the past. That could just be my perception of things, but I feel like we’re at a moment where the saturation point of new technology and the consequences of it all coming to the fore at the same time, and some are more than our organizations and our groups, our structures are capable of dealing with.

Like I said, it’s astonishing to me how quickly this moves. A good example of that is our discussions around drones regulation. At the beginning of the year, we were postulating about that. Now it’s very much an issue at the forefront. Same thing with Internet of Things hacking is all of a sudden becoming very, very important. I always think it’s going to be happening in a couple of years, but this seems to have reduced the time line to months. That’s going to be something I’m very interested in keeping an eye on.

Amen, brother.

Listeners, remember that while you’re listening to the show, you can follow along with the things we’re mentioning on here in real time. Just head over to thedigitalife.com. That’s just one L in thedigitalife, and go to the page for this episode. We’ve included links to pretty much everything mentioned by everybody, so it’s a rich information resource to take advantage of while you’re listening, or afterward, if you’re trying to remember something that you liked.

If you want to follow us outside of the show, you can follow me on Twitter @jonfollett. That’s J-O-N-F-O-L-L-E-T-T. Of course, the whole show is brought to you by Involution Studios, which you can check out at goinvo.com. That’s G-O-I-N-V-O dot com. Dirk?

You can follow me on Twitter @dknemeyer, that’s D-K-N-E-M-E-Y-E-R, or e-mail me, dirk@goinvo.com.

That’s it for Episode 114 of The Digital Life. For Dirk Knemeyer, I’m Jon Follett, and we’ll see you next time.

No Comments

Leave a Comment

Your email address will not be published. Required fields are marked *