Complex Car Software Becomes the Weak Spot Under the Hood


Shwetak N. Patel looked over the 2013 Mercedes C300 and saw not a sporty all-wheel-drive sedan, but a bundle of technology.

There were the obvious features, like a roadside assistance service that communicates to a satellite. But Dr. Patel, a computer science professor at the University of Washington in Seattle, flipped up the hood to show the real brains of the operation: the engine control unit, a computer attached to the side of the motor that governs performance, fuel efficiency and emissions.

To most car owners, this is an impregnable black box. But to Dr. Patel, it is the entry point for the modern car tinkerer — the gateway to the code.

“If you look at all the code in this car,” Dr. Patel said, “it’s easily as much as a smartphone if not more.”

Fear of Hacking

Andy Greenberg steered a 2014 white Jeep Cherokee down a highway in St. Louis, cruising along at 70 miles per hour. Miles away, two local hackers, Charlie Miller and Chris Valasek, sat on a leather couch at Mr. Miller’s house, laptops open, ready to wreak havoc.

As Mr. Greenberg sped along, both hands on the wheel, his ride began to go awry. First, the air-conditioning began blasting. Then an image of the hackers in tracksuits appeared on the digital display screen. Rap music began blaring at full volume, and Mr. Greenberg could not adjust the sound. The windshield wipers started and cleaning fluid sprayed, obstructing his view. Finally, the engine quit.

Mr. Greenberg was on a highway with no shoulder. A big rig blew past, blaring its horn.

“I’m going to pull over,” Mr. Greenberg said. “ ’Cause I have PTSD.”

The episode was in fact a stunt orchestrated by the hackers and Mr. Greenberg, a writer for Wired magazine, to demonstrate the Jeep’s very real vulnerabilities. The article appeared on July 21.

Days later, Fiat Chrysler, the maker of Jeep, announced a recall of 1.4 million vehicles to fix the flaws the hackers had identified — the first known recall intended to address a possible hacking threat.

Though automakers say they know of no malicious hacking incidents so far, the risks are real. Stefan Savage, a computer security professor at the University of California, San Diego, said that automakers were “in a state of panic” over the prospect. “They are trying to figure out what to do, quickly,” he said.

“Cars already have very complex computer systems across the board,” said Elliot Garbus, vice president for transportation at Intel, the computer chip maker, which has a fast-growing autos division. “We’re at the beginning of this evolution, and there’s a question of how do we do a better job of securing the vehicle from cyberthreats, and those threats are significant.”

Aware of the threats, most major carmakers have started to explore the idea of sharing critical information about security. General Motors last year appointed a chief product cybersecurity officer, the first automaker to create such a position.

Tesla has hired a new security chief from Google, who previously oversaw security for the Chrome web browser. And in early August, the company began offering $10,000 to outsiders who find security problems. (It had been giving $1,000.) “We are hiring!” the automaker wrote on a whiteboard at Def Con, a premier computer hackers’ conference in Las Vegas, in announcing the prize.

Author: Amanda Walker

Share This Post On
Submit a comment

Submit a Comment