After years of downplaying threats, carmakers are forced to admit that their vehicles are vulnerable to serious cybersecurity attacks
Fiat Chrysler was with the U.S. Department of Transportation for failing to execute on 23 vehicle recalls covering more than 11 million defective vehicles in recent years. The situation boiled over last week when published an article detailing a test drive during which cybersecurity experts took over the controls of a Jeep Cherokee wirelessly after breaching the vehicle’s touch-screen . The researchers used that point of entry to access other systems within the car, cutting the vehicle’s transmission and, later, shutting down its braking system. The Jeep ended up in a ditch alongside the highway.
“The big difference between our previous work and this work is that this [experiment] allowed remote attack,” says Charlie Miller, a security engineer at Twitter, who engineered the hack along with , director of security intelligence at . The pair’s previous research focused on attacking specific systems within an automobile—such as the brakes—after plugging directly into those vehicles. In 2013 Miller and Valasek described in detail at a cybersecurity conference how they used a MacBook to take control of electronic control units (ECUs) in a Toyota Prius and a Ford Escape, both model year 2010. ECUs manage critical, real-time systems such as steering, air-bag deployment and braking as well as less critical components including the ignition, lights and infotainment console. Carmakers connect multiple ECUs together within the vehicle using an internal communications network known as a controller area network . The researchers connected their laptop via a cable to each car’s data port to fool the vehicles’ computers into braking suddenly at high speed and steering into oncoming traffic.
The researchers first reached out to Fiat Chrysler with their security concerns in October and informed the company that they planned to present their research at next month’s Black Hat cybersecurity conference, according to Miller. “That is why all of this is coming to a head at this time,” he adds. Several other news outlets have reported that Fiat Chrysler filed documents with federal regulators last week indicating the company knew of a potential security flaw in its communications system .
Late last week Fiat Chrysler 1.4 million vehicles in the U.S. equipped with the hackable Uconnect device. That move shortly after the Transportation Department’s National Highway Traffic Safety Administration (NHTSA) ordered the , buy back some defective vehicles from owners and pay a $105 million civil penalty, the largest ever issued by the NHTSA.
Fiat Chrysler’s recall is likely only the beginning of a much larger response to automotive cybersecurity. Last week Sens. Edward Markey (D–Mass.) and Richard Blumenthal (D–Conn.) that would direct the NHTSA and the Federal Trade Commission to establish national standards for vehicle cybersecurity and efforts to protect driver privacy. The proposed would also create a rating system to inform car buyers about how well a vehicle protects drivers’ security and privacy beyond the bill’s minimum standards.