We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Automotive security bill

I was somewhat surprised to learn about the possibility of taking complete control of a Jeep Cherokee using a laptop and a mobile phone. It seems as if the car makers have added software features to their cars without properly understanding how to make them secure. I work with embedded software that merely has to prevent movies from being copied. If the hacking methods described by Wired are accurate, there are some quite obvious precautions we take that the makers of Jeeps appear not to. I am glad not to be working on life or death software; I expect more from people who do.

Nonetheless, this should all be fixed soon.

Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. Earlier this month, in fact, Range Rover issued a recall to fix a software security flaw that could be used to unlock vehicles’ doors. “Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California,” Savage says.

Free speech and free markets seem to be working, then. Which makes this seem unnecessary:

It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek’s work in 2013.

As an auto-hacking antidote, the bill couldn’t be timelier.

Meh. It sounds to me more like the government has come along after the problem is already being solved to take the credit. I suspect such a bill will end up protecting car makers from civil suits if they merely have to show they have complied with inevitably flawed regulations.

16 comments to Automotive security bill

  • No; the Senators want to be able to get at the information themselves.

    (Seriously, some people would love to get at cars’ computers for mileage taxes.)

  • Roue le Jour

    Yes it is surprising considering that they employed experienced safety systems programmers.

    What’s that you say? They may have saved a buck or two there?

  • Thailover

    Rob Fisher, your last paragraph says it all. I suspect you hit the nail on the head.

  • William O. B'Livion

    It seems as if the car makers have added software features to their cars without properly understanding how to make them secure.

    That wasn’t the real problem–if you actually had to be INSIDE the car hooked up with a wire of some sort it would be interesting but not all that dangerous.

    No, they put the bloody thing ON THE INTERNET.

    Because we all know how trustworthy the internet is.

  • Mr Ecks

    Automotive Security Act? There will of course be an exemption to allow the costumed thugs to shut your car down. Any “safety” program will have a backdoor for that.

  • Andrew Duffin

    It is quite beyond my understanding that anybody should even suggest equipping an ordinary private vehicle with command-and-control systems that can be accessed remotely in any way at all.

    One can understand remote data-logging – although I and most people here would disagree with it quite violently; one can even, at a pinch, understand a remote kill switch – useful for various police purposes, though with similar caveats.

    But this? Which idiot thought this was a good idea? Which other idiots didn’t laugh the first idiot out of the room?

  • bob sykes

    GM advertizes the ability of its OnStar system to shutdown car engines and lock “thieves” inside cars as a benefit.

  • This looks like a scam to me, like many things cyber- a stunt made in an attempt to either get contracts from corporate types who don’t know better, or to get government money from politicians who don’t know better. There’s no reason for the entertainment system and more critical systems to be linked up. Some idiot did a faux attack on a plane recently, where he fiddled with the entertainment system, but pretended like he could actually alter the plane’s altitude or something.

    I suspect the only way this really happens is if hackers have physical access to the car. Then they can re-wire to the point where they can do these things.

  • Spot-on, William. I don’t trust this “internet of things” stuff one bit. Especially – no offence, Rob – if it’s running on proprietary firmware. I certainly don’t expect governmental action to allay my worries.

  • Laird

    Assuming this is real (and not just some sort of publicity stunt or scam such as August suggests), it could only be because the government is behind it. There is no legitimate reason for the operating systems of any automobile to be accessible remotely, and the risks are so obvious that no reputable company would do this absent coercion.

    Or should I put my tinfoil hat back on?

  • All this is why my fallback vehicle of choice would be the 1960s-era Type 2 VW van, the one with the split windshield and hinged (not sliding) side doors.

    No computers, no WiFi, no a/c, no airbags, crumple zones or creature comforts of any kind. (Even the “heater” is just a pipe which feeds warm air from the engine compartment in the back, and it doesn’t really work.) Mine didn’t even have seatbelts…

    Lest anyone think that I’m just romantically attracted to this old beater, I should point out that I once owned one — bought new in 1974 — and when I finally got rid of it (a few years before I emigrated to the U.S. in 1986), it had 176,000 miles on the odometer. Hard miles, they were: I played in a rock band and it humped our gear all over South Africa. During a period of poverty, I even lived in it for a few weeks.

    If I could find one of these in any kind of decent shape, I’d buy one in a heartbeat. But sadly, they’re mostly all rusted junkers; or if not, the owners want upwards of $60,000 for them — insane, when you consider that I bought mine for the modern equivalent of $7,500.

    It’s a death trap, of course. But I was young, stupid and invulnerable in those days, so the threat of injury/death didn’t bother me. Nowadays I’m old, cranky and all too aware of my vulnerability — so said threat bothers me even less.

    Now if you’ll excuse me, I’m off to clean my 1911 Government pistol.

  • Rob Fisher

    It is real. There is now a recall: http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

    Laird: the legitimate reason is for the entertainment system to access the Internet. I can think of some cool features that this would make possible.

    Connecting the entertainment system to the same bus that controls the rest of the car seems more questionable. But if you want to have things like the map display dimming when the headlights are on I can see how you would get there.

    What they didn’t reckon on was someone re-writing the firmware of the entertainment system so it could send arbitrary commands to the bus.

    I think August’s bullshit meter might need recalibration. I have a feeling that plane hack was real, too. But they arrested that guy.

  • Laird

    Rob, I’m no engineer so I don’t have any basis to disagree with your comment. But it still seems to be such an unbelievably and obviously stupid idea that it could only have come from government. Not even Big Auto management could be that idiotic.

  • Julie near Chicago

    Kim, you wouldn’t know where I could a guaranteed-reliable, and preferably cherry, 1991 Camry, would you?

    …I got curious, and found a site for converting Year X dollars to Year Y dollars.

    http://www.dollartimes.com/inflation/inflation.php?amount=1000&year=1974

    It claims that $ 7500 in 1974 is equivalent to $38,118.83 today. So chee, Kim can replace his VW Van for less than twice the original cost. Such a deal! Surely the memories alone are worth a little south of $ 22,000. After all, it’s only $ 4328.56 in 1974 dollars. :>))

  • Julie,

    I actually bought the VW van for ZAR1,975 (South African) which at the time was the equivalent of about US$1,500*. Using your supplied inflation calculator (thank you) instead of my renowned on-the-fly mental arithmetic skills, that translates to about $7,600 in today’s money. Call me a liar for $100.

    *Amazingly, back then the ZAR-USD exchange rate was 0.76 (ZAR1 bought 76 US cents). Thanks to South Africa’s insane monetary policies, the current exchange rate is about 0.079 (ZAR1 buys 8 US cents).

    But in response to your original question: I don’t know anything about Japanese cars — I’ve never owned one except for a “Mazda” pickup truck that was actually a rebadged Ford Ranger. Nor am I likely ever to buy one, because I’m an Anglo-/Europhile when it comes to cars (VW, Fiat, Alfa Romeo, Alvis and Austin-Healey, by choice). (Yeah, I’m a masochist. Shuddup, all of you.)

  • I’m reminded of this song, which is close to 25 years old now. Yikes I’m getting old.