Car hack reveals peril on the road to Internet of Things

August 6, 2015 by Glenn Chapman

A software glitch that allows hackers to commandeer a Jeep Cherokee while on the move is just a glimpse of dangers on the road ahead for the Internet of Things.

The ability to seize data from and take control of once-dumb devices that are now deemed "smart" with wireless Internet connections was a hot topic at the premier Black Hat cybersecurity conference in Las Vegas Wednesday.

Researchers described how they remotely took control of a moving car or re-aimed high-tech sniper rifles, and many at the gathering warned the ramifications could be far more serious and wide-reaching.

For starters, many companies don't even have teams tasked with making sure their smart devices are secure.

"Almost none of the Internet of Things device-makers have any real security teams, it is sort of a gold rush to market," Black Hat founder Jeff Moss told AFP.

He expects the problem to grow, with skilled hackers eager to push the boundaries.

"The Jeep hack is the beginning," said Moss, who also founded the annual Def Con hacking conference that takes place later this week in Sin City.

"Criminals are geniuses at figuring out how to misuse this stuff."

He theorized a scenario in which a connected home appliance, a toaster for example, is hacked and becomes an entry point for an attack that hops wirelessly to other online devices, such as entertainment systems. A hacker could then jump next door via wireless Internet to take over a neighbor's home devices.

The possibilities for hackers are numerous—and chilling.

Data from smart appliances or other devices can be used to learn about people's lifestyles or daily routines. Cameras in smart gadgets could be activated to spy on intimate moments people would prefer to keep private.

Adding to the problem is the fact that appliances, such as ovens or washing machines, are designed to last but do not typically get software updates. With time, hackers find vulnerabilities, and companies do not protect devices against attacks with new security software.

"You can see us racing toward a future where everything is connected, nothing is updatable, and it is going to last 10 years," Moss said.

"Then, it is a numbers game. A million of anything is trouble, a hundred million is a disaster."

Massive car recall

Fiat Chrysler Automobiles issued a safety recall for 1.4 million US cars and trucks in July after hackers demonstrated that they could remotely control their systems while the vehicles are in operation.

The recall came after cybersecurity experts Charlie Miller and Chris Valasek remotely commandeered a Jeep Cherokee, made by Chrysler, to demonstrate the vulnerability of the vehicles' electronic systems.

Working from laptop computers at home, the two men were able to enter the Jeep's electronics via its online entertainment system, changing its speed and braking capability and manipulating the radio and windshield wipers.

The pair said it was a fairly easy job.

"We might be good at what we do, but this was a weekend project," Miller said.

"What if we did this full time, or got paid to do it?"

Miller is a security researcher at Twitter and Valasek works at cybersecurity firm IOActive.

Miller and Valasek said they dug into automobile security because they wanted to make a point.

"Car companies spend millions of dollars on safety, and now this is a part of safety, whether they like it or not," Valasek said.

After the report, Chrysler offered a free software patch for vulnerable vehicles, but said it had no first-hand knowledge of hacking incidents.

The recall involves a broad range of Dodge, Jeep, Ram and Chrysler automobiles produced between 2013 and 2015 that have radios vulnerable to hacking.

The hack involved Harman hardware and the Sprint mobile network, but fixes have been put in place to block the tactic, according to Miller and Valasek.

Moss said the potential for hacking Internet-connected power meters was especially troubling. Hackers could not only target individual homes but could cause trouble on city grids, perhaps by toying with electric power in entire neighborhoods.

The Internet of Things promises to thrust into the spotlight an issue of liability that software makers have managed to avoid, according to Jennifer Granick, director of civil liberties at the Center of Internet and Society at Stanford University law school.

Most people might not think to sue a software maker when a computer crashes, but the odds are high they will when a smart car crashes, Granick said.

"Something that now has software in it but didn't before is going to blow up," added Granick, who gave a keynote presentation at Black Hat.

"Software liability is unavoidable, and it is necessary."

5 comments

Returners
2.6 / 5 (5) Aug 06, 2015
Engineers should take notes from Emergency Fire Sprinkler designs...

Keep everything as low tech as possible. Relying on a computer which can fail because a single switch, capacitor, or other circuit fails is well, stupid.

This is why Emergency Fire Sprinkler systems are designed to be passively activated, and have no electronic components.

You don't want to trust your life to a computer component working.

Every time you get in your car you are trusting your life to computerized crap that can fail at any moment.

AGreatWhopper
3 / 5 (4) Aug 06, 2015
I can't wait until you get an intelligent butt plug that I can hack!

jljenkins
2.3 / 5 (3) Aug 06, 2015
Don't waste your breath on a piece of shit that obviously has no life except to troll this site.

NiteSkyGerl
1.8 / 5 (5) Aug 06, 2015
This is *entirely* the fault of an industry and populace that has accepted Microshaft Windoze for 35 years. It can't manage memory, can't multitask right, is opaque and prone to being compromised...but that doesn't affect market share! Twist OEM arms, buy out competitors- the populace don't care. It's also about the total lack of professionalism in the industry and there's a "get it to barely work and ship it!" mentality. Testing should be 90% about negative cases, not showing the positive ones work, but that is seldom done.

It's all marketing and legal gyrations. Everyone that buys Windoze agrees- and by agree we now mean breaking the plastic- that it "is not warranted to be fit for any particular purpose". Yeah, they just buy it to fund the Bill Gates foundation.

Meanwhile the oldest extant OS, Unix, has no such problems. It's not just the internet of things. Crappy medical software, budget overruns on federal/state/local projects...

AGreatWhopper
1 / 5 (2) Aug 06, 2015
MS is rotten to the core. Do you remember the Homeland Security warning back in 2012 about Java? The only software notice they have ever issued. Sun corrected the problem immediately, and then they issued it again! Coincidentally that was the week that MS were launching their line of cell phone OS software into the Android (Java) dominated market. Later Snowden's revelations told us why they did it. NSA wanted the encryption keys for Outlook.

What I don't understand is how any of the NSA arm twisting and under the table deals aren't SEC violations. When FB went public they were cooperating with the NSA but didn't disclose it. Ditto Twitter. SEC regulations require that all significant risks to future profitability be disclosed, but the NSA can gag them, forcing them to violate the law, with impunity. That's an accessory to a felony. So now the FBI does the same thing with police departments and cell phone mimicking technology. They lie in court when asked about it.
