Posted by Mike Ahmadi on July 29, 2015
On July 24th, 2015, FIAT CHRYSLER CARS announced a recall of 1.4 million vehicles to correct a cybersecurity issue that a Wired reporter had unveiled to the world earlier that same week. In his video report, the reporter showed how the enterprising security researchers Charlie Miller and Chris Valasek could remotely hack into the vehicle via the UConnect feature found on newer Chrysler systems, which gives the car internet connectivity via the Verizon network. The video went on to show Miller and Valasek performing various acts of mischief, such as turning on the windshield wipers and fluid, playing loud music on the sound system, and uploading images of Miller and Valasek…none of which the reporter could control via the automobile controls within his reach. Miller reminded the reporter not to panic no matter what happened, which seemed to work just fine until they disabled his accelerator (while he was driving on the highway), forcing him to pull over and stop the car. In another scene, they disabled his brakes while he was trying to park the car, forcing him into a ditch.
This is the first time I am aware of any security researcher using a live human target to make a point. While nothing did go wrong, something could have gone wrong. This drove the point home to anyone who was watching that cybersecurity issues are not just theoretical lab experiments. In other words, this is REAL. While this was surprising enough, what I found most surprising was the swift announcement of a recall to address this issue. This is, as far as I am aware, the first and only consumer product recall in history specifically for a cybersecurity issue, and it sets a precedent that is likely to send shockwaves throughout the world of IoT. Until this moment, addressing a cybersecurity issue has relied on the good will of the organization building the product. There is currently no law in existence that I (or any of my colleagues) am aware of that holds an organization liable for vulnerabilities that allow someone to maliciously misuse a product. What immediately became apparent to me when I heard of this recall is that someone must have come to the conclusion that a reasonable person would not expect that the car they were driving could be taken over remotely and potentially cause serious injury to the passengers or innocent bystanders.
I was suddenly reminded of that 1980’s song by Gary Numan, “Cars”. The song starts with these lyrics:
Here in my car I feel safest of all
I can lock all my doors
It’s the only way to live
In cars …
It was a great song, with great lyrics, and it hit home with anyone who had a car back then (and perhaps up until this past week) because the song is about autonomy and independence…the separation your car gives you from the world. I am sure everyone knows at least one person who, having been down on his luck, ends up sleeping in his car…which to some is a home on wheels…or at least an extension of the home. The point is that the IoT world we now live in is forcing us to take a closer look at what we have all traditionally believed to be zones of separation and safe environments and situations. You do not consider your television set to be a security hole in your home network, until you take a look at the firmware and realize it is riddled with hundreds of known vulnerabilities. While you may still feel comfortable sitting in front of your smart TV with a bowl of cheese puffs in your bathrobe, that notion becomes uncomfortable once you realize that the Skype-connected camera can be remotely hacked to spy on you…and you may end up being the next YouTube sensation.
The sad reality is that there are tools out there that can help a product vendor discover and address these vulnerabilities before they become headline news…and many organizations do indeed use such tools and do the required testing, but many also do not use such tools or test for vulnerabilities…and those who choose not to do so put us at great risk, yet face little or no liability for doing so. As I said, this recall by FIAT CHRYSLER sets a precedent, and perhaps other product vendors will consider upping their game when it comes to vulnerability testing, analysis, and mitigation. I certainly hope they do.
In the meantime, I am going to enjoy my cheese puffs while fully dressed…and place some opaque tape over my webcam.
Global Director – Critical Systems Security
Synopsys Software Integrity Group