It seems that almost everything is Smart these days, including of course one of the most common and useful of our tools, the car. These machines learn and respond, all made possible by their programming and connections to the Internet. But is this safe? Well, we have been warned of the dangers of connected lives, and it applies most definitely to our vehicles. This is why the EFF is pointing their fingers at the Digital Millennium Copyright Act – two of its sections are putting owners in danger.
DMCA Hinders Security Fixes
The EFF is going after the DMCA because its sections 1201 and 512 are blocking the path to immediate action. The DMCA was intended to secure copyrights, but these two sections are affecting security researchers. Section 1201 and related materials, also known as the anti-circumvention provisions, are meant to protect copyrighted materials from being hacked. Section 512 protects service providers under certain conditions from having to take responsibility for the trespasses of their users and third parties. These provisions have not worked very well since they came into effect in 2000, and they are now hindering healthy competition and innovation as well as interfering with free expression, fair use, scientific research and computer intrusion laws, according to the EFF.
Security researchers need to break locks to do their jobs. But messing with Digital Rights Management will get them into trouble under the DMCA. So many are hamstrung and cannot develop the systems and tools that would sniff out vulnerabilities and warn the public. Security researchers need to be free from the legal entanglements of these sections so that they can work to generate awareness about the very real threat of vehicle hacking and to work with car manufacturers to develop solutions that will protect everyone who rides in these vulnerable cars. There also needs to be better competition in the field of software development for cars to encourage better quality products that will secure user privacy as well as the systems. The EFF has been fighting for this, but for some reason car makers are against it.
Are Smart car makers afraid that independent researchers will find something wrong with their software? If this is the case then wouldn’t they be grateful for the help to secure their customers? Perhaps they already know that their car systems are buggy but they cannot wait to make them secure before rolling the new models out and raking in the cash. This is the only reason we can think of since it seems to be pretty much the way things go where money is involved.
Vehicle Security Concerns
The fact alone that our cars are connected to the Internet spells trouble. There is an inherent vulnerability in being connected because nothing is hack proof. But since no one pays attention unless there is striking evidence, two security researchers set out to prove it. Chris Valasek and Charlie Miller have been working on the issue of security weakness in connected vehicles for some time. They have been ignored because manufacturers and their affiliates have maintained that physical access to the vehicle is necessary to launch an attack. But recently these dedicated researchers again showed how cars can be hacked by remote, using the Internet and other wireless connections like Bluetooth.
The discovered vulnerability is a very dangerous one, more dangerous that the average hack in fact, because it puts passengers at grave risk of physical injury and even death. The hacks that can be carried out through these Smart cars can allow attackers to access their critical systems. This means that hackers can gain control of brake systems and engine functions, for instance. This opens up a whole new level of hostage-taking and blackmail. Auto manufacturers are of course reluctant to admit that these flaws exist, because many vehicle owners would have second and third thoughts about owning a Smart car when they realize that their lives and those of their families and friends could so easily be put in grave danger.
Here’s Proof
Valasek and Miller have run several tests on these new cars that are highly connected and have presented some astonishing results. They do this to draw attention to the scary reality that there are now about 471,000 hackable cars out there right now. One particularly notable test was done on Andy Greenberg, a senior security and hacker culture writer for Wired. The test demonstrated a bug in the Uconnect system of popular US car make Chrysler. There are similar bugs in systems like Infiniti’s Connection, Lexus’s Enform, GM’s Onstar, Hyundai’s Bluelink, and Toyota’s Safety Connect.
Agreeing to be the guinea pig in the researchers’ demonstration, Greenberg drove a Jeep Cherokee down Route 40 at 70 miles an hour and soon found himself in what must have felt like a possessed vehicle. The “hackers” were ten miles away in a basement, messing with several of the jeep’s functions all at once. Greenberg first lost control of the ventilation system, which wasn’t so bad. Then the radio started blasting loudly while the windshield was smeared with blurry cleaning fluid. This alone could cause a driver to lose control over the vehicle and crash, if they were not aware that it was an experiment. Greenberg himself was nervous, even though the comforting images of Valasek and Miller appeared on the digital screen and he remembered their reassurance that they would not do anything too crazy.
The researchers used a zero-day exploit that they had developed to use the Internet connection to gain access to vehicle functions such as transmission, brakes and steering. They executed their hack successfully and caused Greenberg to stall in front of an oncoming vehicle, a huge truck. He was given back the ability to move the car in time to avoid a deadly collision, but later the would-be hackers cut his brakes and caused him to roll into a ditch. All these very dangerous hacks were successfully executed before the demonstration was over, any of which could have caused a serious accident. Yet car makers are still unwilling to have their Smart cars rechecked or to even admit that their customers are in any real danger.
