What if driving your car exposed you to the tender mercies of online criminals the way using a credit card at Target did last fall or trusting your personal information to a website compromised by the Heartbleed software bug did?
The risk is real
Last year, security researchers Charlie Miller and Chris Valasek showed, using some late-model cars, that a laptop aboard a speeding vehicle could be used to steer it off the road. This week, Miller and Valasek released a follow-up study of some cars’ exposure to remote attacks over the Internet that lists the models they found most and least hackable. (If you own a 2014 Dodge Viper, Audi A8, or Honda Accord, congratulations!)
More features = More risk
As more and more cars are connected to the Internet and embellished with new features, such as adaptive cruise control and parking assist, that rely on software and embedded computing devices, the risk of a remote hacker killing or maiming drivers and passengers will only grow.
Have such incidents occurred yet? Probably not, given the technical difficulty of pulling off such a feat. But the truth is that we don’t really know. According to a group led by computer security experts, new high-tech cars lack the capability, akin to an aircraft’s “black box,” to gather the data needed to detect such intrusions.
That group, a grassroots organization called I am the Cavalry, found the car industry so lacking in attention to computer security that it just published an open letter to the industry’s CEOs asking them to work with computer security researchers to vastly improve the security of new cars now—before a disaster occurs that harms drivers, passengers, and pedestrians.
The automotive industry has often resisted calls for safety improvements, dating back at least to the publication in 1965 of Ralph Nader’s Unsafe at Any Speed. In the years after that book’s publication, despite that resistance, car safety in the U.S. was improved (including the requirement of seat belts in all cars starting in 1968), after which Americans’ rate of auto deaths began an unprecedented decline that continues to this day.
What you can do
Want to tell the car industry to do the right thing and work with security professionals to make high-tech cars safer for you and your family? Click on and sign the above petititon from Change.org that was posted by I am The Cavalry—and tell your friends to sign it
We need security for more than cars
Cars aren’t the only products for which computer security is arising as a problem that can endanger you and your family. New gadgets for the home (e.g. Internet-connected security systems and door locks), medical devices, and our public infrastructure are all becoming more dependent on software and Internet connectivity in a society-wide development known as the Internet of Things.
I am The Cavalry, which is seeking non-profit status, plans to help improve safety in all industries where the rapid adoption of technology affects public safety and human life.
In the video below that I recorded at a press event this week at this year’s DEFCON conference in Las Vegas, the organization’s founders, security researchers Josh Corman and Nick Percoco, explained how they have learned to adapt a popular hacking technique called fuzzing to influence manufacturers and policymakers by what they call “fuzzing the chain of influence:”
Video: Josh and Nick describe how they fuzz the chain of influence.
In the coming days, I’ll be doing a lot more coverage here on the growing concerns about computer security and public safety. Stay tuned.
–Jeff Fox
