You seem to be making some wild assumptions here. First, until recently, cars were all fully self-contained, so to say there isn't a history of hacks is not too relevant. The past is not a good indicator of the future in this case.

Second, while I am not too familiar on this topic, this seems like a potentially much more wide-spread vulnerability. No physical access was required to the car and the attackers were using a standard Sprint network. This makes it much more easily accessible to standard hackers.

Third, while it's true that this vulnerabilities will exist in connected cars, just as they no exist in smartphones, computers, etc, that does not mean companies are absolved of their responsibility to defend against such attacks. And the public should call manufacturers out when their security is sub-par, as it clearly was in this case.

Here's just a part of it: Generally speaking, if you want to gain access to a vehicle system, such as to reprogram a processor, etc, there are layers of security access.

First, generally speaking, in order to initiate any communications with the vehicle, you have to meet certain cyber security standards. These include having the vehicle in some sort of known state -- such as "Propulsion System NOT Active"....i.e. if the car is in Drive, the system is going to naturally reject any attempt to initiate communications.

Second, the vehicle is broken down into netoworks, with secure gateways between these networkds. So great, there is a satellite signal, and wifi, etc in the vehicle, but there is no "natural" connection between teh entertainment system utilizing these signals and, say, the powertrain system. Therefore, you would need to thouroughly understand the vehicle network, and build in (reprogram) network access from one sub-network to another to accomiplish what is suggested.

So then, in order to actually perform some sort of reprogramming activity, you would need to simply gain access to the software programming system, which in addition to looking for physical vehicle states (propulsion system NOT active, etc), there is also a Seed and Key scheme.

There is no random hacking of vehicles going on. It just isnt' happening. And if someone is actually demonstrating *true* hacking of vehicles, they are only doing so because they have very deep detailed access to design documentation...or they spent a hell of a lot of time and resources to prove a far-fetched and obvious concept (obvious in that all systems are vunerable....but vunerable does NOT equate to being probbable/dangerous/in danger....i.e. the sun is vunerable to being exploded by an insanely massive alien weapon....but that is not a dangerous concept because: 1. we know of know powerful alien life and 2. the energy of the weapon would be improbable.)

As someone with no background in this field, I'm torn.

I can believe the guy with a log order more webDip points

or a krellin who's speaking with proper grammar and full sentences.

These are the times that try men's souls

krellin,

I think the issue is not drive by wire per se, but the combination of drive by wire with internet access, which is relatively new.

You raise a fair point about banking. But online banking uses extremely good cryptography. I can't claim to know much about auto systems, but it's conceivable to me that they haven't put as much thought into their security as banks, because the threat is not as obvious.

Moreover, bank system security *is* breached fairly routinely -- not on the bank end, but on the "lost creidt card number" end. If we are to have a transportation system with ubiquitous connectivity, we have to make sure there's nothing analogous that can happen. When a few million credit card numbers are stolen, the downside isn't really that big. There's robust consumer protection, so at worst a few banks lose a few million dollars. A few cars piling into concrete barriers would be a worse situation.

@krellin

But what about this particular instance? It's true this certainly required a lot of time and knowledge, but what if it weren't black-hat researchers that figured this out and notified Chrysler? More importantly, what about all the people who don't get the firmware update and are still vulnerable now that this exploit is known?

IN other words, when you say, "The public should call out companies...blah blah blah..."

Puhhhhh-lease. Demonstrate that a REAL vunerability exists, and I'll join you in the crusade.

There are cyber-security issues EVEYWHERE, most of which is the fact that not a single business, including BAnks AND the government, are capable of encryting your data OR (GASP!!!) disconnecting servers with ALL your information combines into a single database from the internet.

You are a hell of a lot more vunerable to have your life disrupted if you use ANY form of electronic ANYTHING to pay bills...meaning not just that you use a credit card, but that you actually have any sort of account with anyone (ie power company, phone comany, et....if you do business with anyone...you are infiintely more vunerable to attack than you are driving a car.)

Abge -- as I said, EVERY electronic system is vunerable; it is the nature of the beast.

Before I go screaming to the government and demanding another $1000 worth of high-tech bullshit get embedded into my vehicles, how about we demonstrate that this is a LEGITIMATE PUBLIC threat...and not a very, very expensive science experiment that, no doubt, had insider help from Chrysler.

There ARE secureity measure in place in vehicles. These sort of bullshti stories try to give the impression that vehicles have wide-open security holes. It simply isn't true.

As you said, you are not familiar with the topic. Well...I am. I IN the topic. Cyber Security is one of the system requirements that I track to ensure that my product achieves the standards put before us.

And serously....if I'm a, say, terrorist seeking to cause harm....do you really think I"m going to go through the exspense of hacking a car versus....oh, I don't know...funding easy-to replicate attacks, like BOMBS....

It's fine and good to exercise caution....but caution should be tempered by rational thought.

krellin, you're deflecting. We aren't talking about the vulnerability of banks or consumer electronics. We're talking about cars.

Out of curiosity, what would you consider a "legitimate public threat"? In my opinion, gaining control of a vehicle while it barrels down a highway seems fairly threatening.

Again, *now* this probably isn't much of an issue because it doesn't apply to most cars on the road. But what about when 50% of cars are connected? Surely that could be a concern.

TL;DR: I spend all my time thinking about cybersecurity, because it doesn't matter at all.

I agree, this is unlikely to be a terrorist attack. Some bored script kiddie, though? Not out of the realm of possibility.

Also, you say you deal with security. I know you have a strong background in the automotive industry, but what background do you have in security? Do you work with actual security experts?

His goats are protected by a very modern electric fence.

As someone with limited experience in this area, I believe that, whole this capability is currently limited, that it IS possible.

Very scary.

The last thing I'd want to do is assume it can't happen or could happen but won't to me, and simply ignore the possible warning signs.

Now, if the USA had zero foreign and domestic enemies, I might be more inclined to brush it off. Not in our current state.

As someone who just had all his information stolen from OPM, the foreign enemy aspect worries me a lot.

Lets say the President's car is like this Chrysler. Could a foreign state using all the powers of a foreign state hack the President's motorcade and drive his car off a bridge?

Now with the example it depends upon whether access is enabled. The easiest way to stop it is to just rip out external access wires so you don't worry. Screw fixing software to block access.

@krellin -

Computers in cars are going from a close-to-zero attack surface to a MUCH larger attack surface with the connection to the Internet.

And while EVERYONE claims that control and entertainment systems are separate, there are plenty of reports showing that this is not completely true. While I still find the reports of an airplane hack from a passenger somewhat suspect, I don't find it impossible. How many times have experts assured us of things we then found that the designers broke?

@Abge: I do not write code. I am a "Requirements" engineer. my job is to track the customer requirements, work with the cross-functional teams (electronics hardware, software, mechanical, etc) and verify that our program is meeting the customer requirements. I verify that our Test/Validation teams are writing test plans that fully validate the customer requirements.

So I am involved in reading and understanding the customer requirements -- that means when it comes to issues of cyber-security, I have read the OEM specfications for the security of their systems. I then coordinate with the hardware and software guys to make sure that in their detailed designs, they are actually addressing the customer (security requirements). I do not do this singularly...I coordinate the cross-functional reviews of the design and the test plans to make sure that all requirements are being met.

So....insofar as we are given security requirements, I can assure you that my company is meeting those requirements.

NOw...that of course brings into question "Are the customer security requirements up to snuff...are we really secure?"

Well...that's a different question. Is a vehicle 100% safe?

An Indy car or a stock car can hit a wall at 200 mph and the driver can walk away. Can you do the same in a Toyota "consumer" car? A GM? A BMW? Very, very doubtful. But we all meet the government mandated crash requirements.

Interesting...the Fiat bought Chrysler, and all the nation was orgasming because the Fiat 500 from Europe with its high MPG was coming to the US and the global warmnign crisis was going to be solved. Sad thing happened along the way: European vehicle crash standards suck ass. By the time the beefed up the Fiat 500 to meet US crash standards they had added enough weight the the Fiat 500 was just another run-of-the-mil small car....it wasn't the salvation of gas consumtion that US Government proclaimed it to be prior to its US introduction.

So...in like fashion, the scyber-security of any vehicle is designed to meet government and industry standards. So is it safe? Who the fuck know? OF COURSE NOT...because the hackers will always be ahead of the designers.

But, being an industry insider, do I have a smidgen of fear that my vehicle is going to be hacked and have someone crash me into the viaduct? No. because that's just utterly absurd.

You are far more likely to die of <pick you poison> than you are of having you vehicle hacked and driven into a wall.

I'm **far** more concerned about having my life fucked up by some hacker stealig my personal info.

I'm far more concerned with random guman killing me in the mall...and let's be realistic....all the "terrorism" hype we hear is statistically INSIGNIFICANT. I'm willing to bet you $1,000,000 you will not die of terrorism within the next 10 years. I'll bump that bet up an order of magnitude that you will not die becuse someone hacked your car.

Let's just keep the insane fear-mongering to a minimum, shall we?

@jbalcorn: Just because you have an internet-accessible behicle does not mean that EVERY vehicle system is tied to the internet.

I'm sorry that so many of you have a lack of understanding of technolgy, but that radio/satellite/internet signal coming into your infotainment system does NOT patch directly into your powertrain and braking system.

Get a fucking grip, man. The people designign automobiles are not morons...they don't have an internet gateway from the radio to the powertrain.

OK....sure...the vehicle are highly networked. But those netowrks are both physically and electronically separated. IN order to have an internet signal recieved by an infotainment system meander its way into the vehicle control systems and drive your fucking car, you would have to REPROGRAM multiple control units in the vehicle, each of which has it's own security measures -- including encryption, seed and key access, etc.

It's just not *reasonable* to suspect that there is going to be some broad-based attack on vehicles such that teenage hackers are going to start crashing cars.....or terrorist hackers, for that matter.

If and when this happens TO A CONSUMER (WHICH HAS NEVER HAPPENED) --- when the pull the vehicle modules and investigate the crash, they will IMMEDIATELY know that the processor has been reprogrammed -- that's mindlessly simple to determine...so there would be one, and exactly one, crash before we knew that vehicles were being hacked and crashed.

Now...whether or not the government or the OEM would reveal that the car had been hacked...again...a different question. But DISCOVERING that the crash was caused by hacking is easy and quick...and (in a decent world....???) the cars that are susecptible would be immediately pulled from service.

And hacking ONE car....is a ONE CAR trick. Each car has unique code, unique security....ie you won't hack a Ford Focus one day and the next day use the same process to hack a GM x-car.

So....once again...get a grip. "Possible" doesn't even come close to "probable". It would be a hell of a lot of wasted effort for VERY MINIMAL impact....except for the fact that it would scare the shit out of ignorant people.

krellin - does my fear have any base? Or if not a President, then a CEO

"I'm sorry that so many of you have a lack of understanding of technolgy, but that radio/satellite/internet signal coming into your infotainment system does NOT patch directly into your powertrain and braking system."

Well, in this particular case they actually were, which is why they could kill the engine with their cell phone...

As to your other points. I'm not saying cars can ever be 100% safe. But, you must admit cyber security is not something you'd even need to consider even, say, 10 years ago on cars. It's a very rapid change that auto manufacturers may not be able to keep up with. Again, no so much of a problem now, as you point out. But what about 5 years from now when a larger percentage of cars are connected?

There are three problems on car security:

1) National car standards may not cover software flaws that were not apparent to the software designers --- this appears to be the problem in the article.

2) Designers actually block problems and not just meet standards --- the need to exceed standards and find flaws not listed in the standards doesn't always happen.

3) Manufacturers build everything to designer plans --- this has already been a known problem when a few years ago small planes were crashing due to Asian subcontractors substituting older recycled computer chips with new casings that could not do what the required chips were supposed to do.

You may approve a design that meets standards and still not get a product that can't be hacked.

@abgemacht Auto companies will always keep up. The industry is too cut throat. Those that cannot will contract it out to specialist companies. If there is any industry to adapt, it is this one. The safety requirements, in reality are so strict (especially in the US compared to Europe where the US is many times more strict with regulations), that even if the company does not keep up there will be legislation forcing them. One thing the government loves doing is to regulate automotive. heck there's even companies that exist only to develop the inboard garage door opener that's in the cars (that nobody uses). If there's a need, there will be a company with experts to solve the problem.

And yet, the real safety issue being ignored is drunk driving where it's culturally ok to have a few pops and drive home in the US. Abge, you should place the efforts of your worry on the more likely scenario of death by vehicle.