Published on July 22, 2015
The complaints that flooded into Texas Auto Center that maddening, mystifying week were all pretty much the same: Customers’ cars had gone haywire. Horns started honking in the middle of the night, angering neighbors, waking babies. Then when morning finally came, the cars refused to start.
The staff suspected malfunctions in a new Internet device, installed behind dashboards of second-hand cars, that allowed the dealership to remind customers of overdue payments by taking remote control of some vehicle functions. But a check of the dealership’s computers suggested something more sinister at work: Texas Auto Center had been hacked.
The making of a vulnerable Internet: This story is the fourth of a multi-part project on the Internet’s inherent vulnerabilities and why they may never be fixed.
Part 1: The story of how the Internet became so vulnerable
Part 2: The long life of a ‘quick fix’
In addition to blaring horns and disabling starters, someone had replaced listings of Dodges and Chevrolets with names of top-of-the-line sports cars. The owners of these vehicles, meanwhile, now appeared to be an odd mix of rappers and fictional characters.
“Mickey Mouse was driving a Lamborghini,” recalled Martin Garcia, general manager of the Austin dealership. “We pretty much figured out within a matter of minutes that we had a problem.”
Above: Charlie Miller, a security researcher, demonstrates in St. Louis his ability to take control of a Jeep Cherokee. Using the car’s Internet address and a laptop, Miller was able to adjust the radio volume and turn on the windshield wipers as the Jeep was being driven nearby. He shut off the engine and disabled the brakes when the vehicle was more than a mile away. (Bill O’Leary/The Washington Post)
Police later reported more than 100 victims and charged a former dealership employee with computer crimes. Five years later, this incident remains noteworthy because of what has followed: An increasingly vast array of machines — from prison doors to airplane engines to heart defibrillators — have joined what is commonly called the “Internet of Things,” meaning they are wired into our borderless, lawless, insecure online world.
As the number of connected devices explodes — from roughly 2 billion in 2010, the year of the Texas Auto Center incident, to an estimated 25 billion by 2020 — security researchers have repeatedly shown that most online devices can be hacked. Some have begun calling the “Internet of Things,” known by the abbreviation IOT, the “Internet of Targets.”
Security experts detect disturbing echoes from previous eras of rapid innovation, notably the 1990s when the World Wide Web connected hundreds of millions of people to a thrilling new online universe. Warnings about looming dangers went unheeded until viruses and cyberattacks became commonplace a few years later.
Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online. It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives.
“If we’ve learned anything from the Internet, it’s that it’s clearly going to happen,” said Kathleen Fisher, a Tufts University computer science professor and security researcher. “Now that we know it’s going to happen, can’t we do something different?”
The inherent insecurity of the Internet itself — an ungoverned global network running on technology created several decades ago, long before the terms “hackers” or “cybersecurity” took on their current meanings — makes it difficult to add effective safety measures now. Yesterday’s flaws, experts say, are being built directly into tomorrow’s connected world.
Among the most vivid examples came this week, when security researchers Charlie Miller and Chris Valasek demonstrated that they could hijack a vehicle over the Internet, without any dealership-installed device to ease access. By hacking into a 2014 Jeep Cherokee, the researchers were able to turn the steering wheel, briefly disable the brakes and shut down the engine.
They also found readily accessible Internet links to thousands of other privately owned Jeeps, Dodges and Chryslers that feature a proprietary wireless entertainment and navigation system called Uconnect. Valasek and Miller said they could, by merely typing the right series of computer commands, hack into these vehicles, almost anywhere they might be driving.
Government and industry officials are racing to add protections before techniques demonstrated by Miller, Valasek and and other researchers join the standard tool kits of cybercriminals. In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next, hindering hackers.
“They haven’t been able to weaponize it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”
Yet Ellis and other experts fear the race to secure the Internet of Things already is being lost, that connectivity and new features are being added more quickly than effective measures to thwart attacks. Long development cycles — especially within the automotive industry — add to the problem.
If a hacker-proof car was somehow designed today, it couldn’t reach dealerships until sometime in 2018, experts say, and it would remain hacker-proof only for as long as its automaker kept providing regular updates for the underlying software — an expensive chore that manufacturers of connected devices often neglect. Replacing all of the vulnerable cars on the road would take decades more.
Chris Valasek, the director of vehicle security research for the security company IOActive, is among the researchers who have hacked cars by taking control of onboard computers via the Internet, cellular signals or other systems. (Ricky Carioti/The Washington Post)
The drive-by hack
Cars sold today are computers on wheels, with dozens of embedded chips running millions of lines of code. These vehicles can talk to the outside world through remote key systems, satellite radios, telematic control units, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Security experts call these systems “attack surfaces,” meaning places where intrusions can start.
Once inside, most computer systems on modern vehicles are somehow connected, if only indirectly.
Researchers who have hacked their way into computers that control dashboard displays, lighting systems or air bags have found their way to ones running transmission systems, engine cylinders and, in the most advanced cars, steering controls. Nearly all of these systems speak a common digital language, a computer protocol created in the 1980s when only motorists and their mechanics had access to critical vehicle controls.
The overall security on these automotive systems is “15 years, maybe 20 years behind where [computer] operating system security is today. It’s abysmal,” said researcher Peiter Zatko, who once directed cybersecurity research for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and now is developing an independent software security research group.
Attackers don’t need to crash cars to cause trouble. A jealous, malicious hacker could use a vehicle’s navigation system to track his spouse’s movements while remotely activating the built-in microphone to secretly record conversations that happen in the car. Thieves are already using mysterious “black boxes” that, through the radio signals that control modern entry systems, unlock cars as the crooks walk by; some simply climb in, start the engine and drive away.
The next wave of attacks, researchers say, could include malicious software delivered over the Internet to disable your car’s engine, with the sender offering to revive your vehicle for a few hundred dollars. Or the new generation of wireless links between cars and their surroundings — designed to improve traffic flow and avert crashes — could enable drive-by hacks. Imagine a single infected WiFi beacon on a stretch of highway delivering a virus to every passing vehicle.
“Cars are a major part of the Internet of Things,” said Sen. Edward J. Markey (D-Mass.), who this week filed a bill seeking minimum federal cybersecurity standards for cars, as long have existed for other systems critical to safety, such as seat belts and brakes. “We’ve moved from an era of combustion engines to computerized engines, but we haven’t put into place the proper protections against hackers and data trackers.”
The Alliance of Automobile Manufacturers, a Washington-based group representing 12 major carmakers, declined interview requests from The Washington Post but agreed to answer a series of written questions.
“Cybersecurity is a serious issue for every industry, including ours,” Auto Alliance spokesman Wade Newton said in a written statement. He added, “That’s why the auto industry is taking steps to reduce risk by building robust security protections from the earliest stages of design.”
The statement also noted that the group had this month created an Information Sharing and Analysis Center to study cybersecurity issues and share information about threats that emerge. It was the first initiative of its kind for the Auto Alliance and came five years after the first major published research about the risks that hackers posed to car safety and security.
“There’s no security in cars, and the systems are wide open,” Peiter Zatko, who later directed cybersecurity research for the Pentagon’s Defense Advanced Research Projects Agency, once told GM executives. “This is an accident, a very bad accident, waiting to happen.” (Nick Otto for The Washington Post)
Taking over from far away
Scientists from the University of Washington and the University of California at San Diego reported in 2010 that, with physical access to a car, they could control almost any computerized system within it. When some critics questioned the realism of that scenario — if you were in the car, you could simply turn off the engine or hit the brakes yourself, they said — the researchers found a way to do many of the same things remotely.
The key was hacking into a telematics unit that car manufacturers, in response to driver requests, used to locate vehicles, unlock them or even start their engines. Although pioneered by General Motors through its OnStar system, such telematics units are commonplace in cars today, relying on cellular signals to find vehicles and send data to their onboard computers.
The researchers found that by transmitting malicious code to the telematics unit of a test vehicle, they could do everything that OnStar could do and much more, taking complete control of the car. It did not stop or even slow down.
“We can do this from a thousand miles away,” said Tadayoshi Kohno, one of the University of Washington researchers who worked on the project, published in 2011.
That same year, in July, a team of General Motors executives met with DARPA officials at the research agency’s headquarters in Northern Virginia. The industry was ailing in the aftermath of the Great Recession, and the executives expressed interest in federal research that might help improve their line of vehicles with new technology.
One of the participants was Zatko, better known as “Mudge” from his days as the frontman for a Boston-based hacker group called L0pht. He now was a program manager for DARPA, which had birthed the Internet decades earlier and was eager to tame the insecurity that had become an inextricable part of the online world.
Zatko, who throughout the 1990s had taunted Microsoft and other software titans for their lax approach to security, heard what he considered a similar attitude from the GM executives. The focus, Zatko said, was on selling products, not protecting consumers from malicious hackers who might later exploit those products. Investing more in security, meanwhile, was viewed as a costly diversion, with no obvious payoff in profit. Zatko believed that other automakers felt the same.
“There’s no security in cars, and the systems are wide open,” Zatko told the GM executives, he later recalled. “This is an accident, a very bad accident, waiting to happen.”
DARPA, which has no regulatory authority, couldn’t force the auto industry to do anything, but it could nudge it along by supporting research demonstrating the problem. So Zatko arranged for a research contract for Miller and Valasek. They bought two cars — a Toyota Prius and a Ford Escape — and went to work.
(GM officials did not dispute Zatko’s account of the DARPA meeting but said in a statement this week, “Our customers’ safety and security is paramount and we are taking a multi-faceted approach to secure in-vehicle and connected vehicle systems, monitor and detect cybersecurity threats and are designing vehicle systems that can be updated with enhanced security as these potential threats arise.”)