St. Louis-based security researcher Charlie Miller and his collaborator Chris Valasek got themselves in the news this week by hacking a Jeep driven by Wired journalist Andy Greenberg on I-64.
The reaction was mixed, but one common theme was, why I-64, where lives could have been at risk, rather than an abandoned parking lot?
I don’t know Miller or Valasek, so it goes without saying I don’t speak for either one of them, but I think I have a pretty good idea why they did it that way.
You see, as a security professional, I’ve had to get used to being ignored. Sometimes there are valid reasons for the shoddy security I see. Other times I fail to see the validity.
I think Miller and Valasek wanted to make sure they didn’t get ignored this time, because this time, the stakes are too high.
Most people had never heard of Charlie Miller before this week, and in a couple of months, they probably will have forgotten about him. I’ve known about him for a couple of years, because I’m a security professional and a couple of years ago he gave an interview to one of the security podcasts I listen to. (I knew Miller had a collaborator, but I’ve heard Miller speak. Valasek wasn’t on the show with him.)
I was holed up in a conference room when the Wired story broke, so it had been out a couple of hours when a software developer who sits near me asked if I’d heard about that guy who hacked a Jeep on I-64.
“No, I haven’t,” I admitted. “What did Charlie Miller do?”
Thanks to this stunt, lots of people are suddenly talking about Miller and Valasek’s work. That’s important. Chrysler has released a patch but refuses to declare a state of emergency: you can download the patch and install it yourself via a USB stick, or you can take your car to the dealer and have them do it, but if you hadn’t seen the story, you’d never know to do it. There’s no recall or anything. There is a recall on a bunch of Honda airbags, but if one of those airbags goes off, it poses no harm to anyone but the driver. If someone decides to randomly disable the brakes or the engine on Chryslers during rush hour, several people could be killed.
Miller and Valasek got people’s attention, but I still don’t think they got the outcome they really wanted.
Here’s the problem with putting a microprocessor in everything that exists and throwing it on the Internet. We haven’t figured out how to do it safely. But we do it anyway, because it’s cool.
Well, it would be cool to put a couple of ramjets on a riding lawnmower, but it’s not safe, so rational people don’t do it, and when some idiot does and blows himself up, everyone else makes fun of him.
And yet, Chrysler has the cheek to call Miller and Valasek irresponsible.
Here’s the thing. When a company launches a web site, there are measures they have to take to demonstrate that they’re going to protect your credit card information and the data about you. Sometimes they fail anyway, but at least they have to have a team of security professionals look the site over, and look over the servers it’s running on. I don’t think the standards are high enough, but at least there are some standards.
When it comes to putting something that isn’t a traditional computer on the Internet, there are no standards at all. And if the car makers do anything more than the minimum, they might not be price competitive, so the incentive is to do only the minimum.
That’s why there are hackable cars driving on every interstate in the country as we speak. And there’s a very real risk that after Miller and Valasek go to Las Vegas and present at Defcon and Black Hat there will be some outrage, but in a week or so the story will fade away to make way for some stupid gossip about Kim Kardashian or something.
Most likely there won’t be sufficient outrage until someone dies. And then maybe we’ll try to get car security right. I think that’s what Miller and Valasek were trying to avoid.