Remote Control at the Wheel

Teaser Image Caption
New cars have anywhere between 60 to 80 mini-computers installed. But most don’t have a single firewall to protect against hackers

Jerry Davis has many a chase behind him. As a captain with the state police, he is responsible for traffic safety in Virginia. Usually it’s a matter of speeding, but sometimes there are more serious cases. His patrol cars normally perform well – after all, they’re equipped with all kinds of technology. But that all changed recently. First the engine didn’t start, then the transmission was blocked. It was impossible to drive. Luckily, it didn’t happen when he was actually on duty. Instead, the malfunction was part of an experiment conducted by the University of Virginia (UVA) in cooperation with the police. Using the officers’ own vehicles, the IT experts from UVA demonstrated how easily they could trick supposedly secure systems. A simple laptop was enough to remotely control the most important functions of the officers’ cars – bad luck for whoever happens to be sitting at the wheel.

“The idea caught us off guard at first,” says Davis.  Even among the squad, no one had ever thought about the idea that hackers could immobilize a car, much less a police car. “We’re probably even more at risk than others. It’d be a great way to escape in a chase.” Now the police are working closely with scientists to make their vehicles more secure. “But,” David concedes, “we’re still at the very beginning.”

The fact that such scenarios are even possible has to do with the complexity of modern vehicles. “Today there are 60 to 80 mini-computers installed in every car,” explains Professor Barry Horowitz, who directs the experiments in Virginia. “There’s practically never been a firewall for cars the way there is for normal computers.”

In addition to the control units that the car needs to drive – such as ESP, ABS or emergency brake assistance—modern “connected cars” are also always online. The on-board computer connects automatically with the driver’s smart phone in order to read text messages or play music. Diagnostic programs monitor the state of the car and transmit updates by radio to the manufacturer. In the future, self-driving cars will even “speak” to one another in order to avoid rear-end collisions – just like the anti-collision systems used in airplanes.

All of these systems improve traffic safety and are practical for the passengers. But they are also practical for hackers: the more complex the technology, the more weak points that hackers can target. It’s a problem that affects all models and manufacturers equally. Yet, the experiment on the UVA campus was relatively mild. In the past, hackers have proved that they can remotely control cars in real traffic across long distances – by laptop, in the comfort of the living room sofa.

The latest efforts by renowned IT expert Chris Valasek and former NSA-hacker Charlie Miller demonstrated that the two could remotely control even the brakes and steering wheel of a Jeep Cherokee – and there’s little a driver can do to resist. In light of such experiments, it’s easy to imagine situations in which the drivers’ lives would be endangered: when emergency brakes are activated at 100 mph, the steering wheel is blocked in the middle of a sharp turn, or cruise control locks in while the driver tries to brake. It’s also possible for hackers to install technical malware, for example, by forcing the engine to run at a higher RPM and causing long-term damage.

There is no way to know whether hackers have already intentionally damaged cars or caused accidents. We just don’t have the statistics to track this, but there is plenty of speculation. The investigative journalist Michael Hastings, for instance, lost his life in the summer of 2013 when his Mercedes C250 Coupé ran full speed into a tree. Hastings, who was working on government monitoring, had earlier suggested that he was being targeted by the authorities. Safety experts later argued that Hastings could have been the victim of a car hacker attack.

“We do not know whether such things are already happening,” says Captain Jerry Davis. What is clear is that many police squad cars are equipped with an internet connection and are at risk because of it. “Now we want to bring other authorities on board in order to develop a common strategy.” Yet it’s not just about preventing such crimes. “First, we have to learn to recognize them,” says Davis. Currently, no one even considers examining a car’s on-board computer after an accident to check for manipulation.

“We still have a long road ahead of us,” says Davis, “but we’ve got to start confronting this problem.

Research was made possible by the Transatlantic Media Fellowship Program.  

Please note that the views expressed by the author(s) do not necessarily reflect those of the Heinrich Boell Foundation.