Tuesday, July 21, 2015

Going Too Far to Prove a Point

I just read Hackers Remotely Kill a Jeep on the Highway - With Me in It by Andy Greenberg. It includes the following:

"I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold...

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the I-40 on-ramp, “no matter what happens, don’t panic.”

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.


“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop...

After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment." (emphasis added)

I had two reactions to this article:

1. It is horrifying that hackers can remotely take control of a vehicle. The auto industry has a lot of work to do. It's unfortunate that it takes private research and media attention to force a patch (which has now been published.) Hopefully a combination of Congressional attention, product safety laws, and customer pressure will improve the security of the auto industry before lives and property are affected.

2. It is also horrifying to conduct a hacking "experiment" on I-40, with vehicles driving at 60 or more MPH, carrying passengers. It's not funny to put lives at risk, whether they are volunteers like the driver/author or other people on the highway.

Believing it is ok reflects the same juvenile thinking that motivated another "researcher," Chris Roberts, to apparently "experiment" with live airplanes, as reported by Wired and other news outlets.

Hackers are not entitled to jeopardize the lives of innocent people in order to make a point. They can prove their discoveries without putting others, who have not consented to be guinea pigs, at risk.

It would be a tragedy if the first death by physical-digital convergence occurs because a "security researcher" is "experimenting" in order to demonstrate a proof of concept.

15 comments:

Anonymous said...

You use a lot of quotation marks.

darkfader said...

It's so sad to see how all the time the necessary curiosity only breaks free in the people that are totally removed from clear thinking.

We owe them for taking the time to evaluate and dig in deep enough to find how bad the security was.
Nonetheless, putting up a traffic risk and being so incredibly STUPID is, I hope a punishable offense.
I think it would not hurt the least to put these guys in jail for a few months as would be the same punishment for having manipulated someones' car and putting others at risk.
Just long enough so they have time to identify some basic interactions of computers, humans and reality.

i.e. you can cause someone to be hurt with something you do.

White Dragon Security, LLC said...

Every electronic device, needs to have a human cut-off switch.

Richard Bejtlich said...

Anonymous, does this "bother you"?

Unknown said...

Compare this to the research at UW and UCSD who did their experiments on a de-commissioned runway and at low speed, as well as having contingency plans for unexpected situations.

Brandon Workentin said...

Valasek and Miller have done "experiments" in controlled situations, also. Which ones got the media attention that actually drive change in this society?

Richard Bejtlich said...

Brandon, by that reasoning, they should have injured or killed someone. That would really have driven change.

S A said...

It was a juvenile and dangerous idea from the researchers, no doubt. But I almost expected that; I am more disappointed at the "adult in the room" Andy Greenberg who went along with the idea of experimenting in traffic (presumably because it reads like more of a thriller). Would there really be much less attention to this story if the entire experiment was performed in an empty parking lot or decommissioned runway (as mentioned above)? It would have still grabbed all the media hype and headlines.

Mike said...

Another aspect of this thing is that quite frankly, it doesn't make security researchers look very good. Any sensible government bod looking to crack down on security tools and researchers has a great example here - "unregulated researchers risk a pile up on the I-40 to make a good news story."

One day, our industry is going to have to grow up.

Anonymous said...

I had the same reaction to the experiment! Totally made security researchers look like loose cannons, willing to put everyone in danger on a lark! Did it grab the media's attention? Yes! Though given the state of security in general, even with us talking about the need for security since the 70's, I don't think it moved the needle in a positive direction.

Lynn said...

As automobiles become more reliant on software AND connected I am wondering how long they will be supported by the manufacturers and any third-party developers as far as security updates. Companies are driven by financial incentives to only support their products for so long. This is especially (and notoriously) seen with cellular phones wherein security updates for a certain model soon become less and less frequent after the new and improved version is rolled out. At what age of the automobile does the manufacturer's and third-party developer's due diligence to fix security flaws end when the flaw can cause real world damage and deaths?

Kirsten said...

In the spirit of interest in telematics - If you'll be in Vegas next week, stop by the first ever Car Hacking Village at DEFCON!!! You dont want to miss it.

Kirsten said...

PS In followup to my last comment - in said Village, we will NOT be doing anything to any cars while they are being driven. Just talks, learning zones etc the only 'live' thing we do to cars IRL/outside of our village is give an opportunity to use a special badge to collect VINs as part of a challenge.
:) Hope to see you all there
PPS Wish I could get into the CISO summit...didnt register on time!

Cassie said...

I would have been screaming the whole time! But in all seriousness, I think it is crazy that they would put you in danger like that because it really was dangerous, even if it was to prove a point!

White Dragon Security said...

Lesson Take-away: Treat the experiment as if the human subject was a child. Would you use your own child as the test subject? Never. You would use a similar representation of the real variable. We research boards to protect human life. We don't research predators using real babies. We use decoys, in the case the predator actually harms the child before the experiment is concluded.