Oh, CNN. I have to admit, I love it when you talk about cars. And car hacking is always exciting to read about through mainstream media's filter of pants-soiling fear mongering. And this time, CNN's really doubling down on the stupid, with a video that shows car hacking that's only an issue if you give a hacker your keys.
The CNN story is called "How Hackers Could Slam On Your Car's Brakes" and has a video with security researchers Charlie Miller and Chris Valasek who "hacked" a Ford Fusion and a Toyota Prius to make it do all manner of scary things.
And, they certainly did make the cars do scary things — they cut off brakes, caused dramatic steering inputs, and generally messed pretty severely with a driver's ability to operate the car safely. But there's some colossal caveats here. The first one is mentioned by CNN themselves right in the article:
... did their analysis by looking at the technical configurations of different models; they did not actually remotely hack any of the cars in the report.
They "did not actually remotely hack" anything. That's a huge, huge deal right there, and that fact pretty much discounts absolutely everything else in the video. Just look at the state of the cars in the video: most of the dashboard covering is removed, there's wires hanging everywhere, and there's a laptop hardwired into the car so they can send the commands to the car's various computers to make it misbehave.
What they're doing isn't hacking — it's tampering. With this level of access to a car, you could make pretty much any car ever made into something dangerous and unpredictable. You could go into a completely computer-free Skoda 1000MB or '55 Chevy Bel Air and cut wires and slice hydraulic lines and move control cables and rods and end up with something that can put you into a wall as effectively as hard-wiring a laptop into the throttle control system of a Prius.
Shit, if you had this level of access to a blender you could also make something with the potential to kill or injure yourself. The only thing that video proves is that if you really want to, you can screw with a car enough to make it dangerous. Which is something we've known for decades.
I don't blame the researchers — they actually are providing some interesting information about how modern cars are really networks of interconnected computers running things, and they even manage to show how safe from hacking modern cars are. For example, in the test where they've disabled the brakes, they say
"This only works if you're driving really slow, like 5 or 10 miles per hour."
They're spoofing the car's computer by sending signals that it's being serviced, and the brakes are being bled. But the takeaway here is that there are safeguards in place to make sure this won't happen at high speeds.
And when they do the hack that causes the steering wheel to rapidly turn, they say
"We had to basically trick the car. It was designed not to allow you to turn at speed."
... and, to trick the car into going against the safety protocols, they had to tear apart the dash and hard-wire right into the system.
Now, I'm not saying car security is perfect and will never be hackable — the article's points that systems and networks that connect to the outside internet should, ideally, not be on the same networks that handle safety and car control functions absolutely make sense. But the way the headline screams HOW HACKERS CAN TAKE OVER YOUR CAR is just more of the same alarmist bullshit we've seen for years.
So, let's go with the premise CNN puts forth in their headline for a moment, and break down how it could be true:
How Hackers Could Slam On Your Car's Brakes
1. Give your car keys to a malicious hacker.
2. Loan the hacker your credit card so they can purchase a laptop, OBDII interface, tools, etc.
3. Permit the hacker to remove most of your dash, connect to your car's systems, and spend time learning the commands and protocols used.
4. Get your keys back, get ready to drive to work
5. Ignore all the missing trim and interior paneling in your car, as well as all those wires and the hacker sitting in the passenger's seat with a laptop connected to your car via a cable. The hacker may be laughing in an evil manner. Ignore that, too.
6. Shit your pants in panic when the hacker sends the commands to prevent your brakes from working (at least at low speeds)
Of course, I'm by no means the only one to notice this little vast detail. Toyota issued this statement:
It is important to note that a recently publicized demonstration required a physical presence inside the vehicle, partial disassembly of the instrument panel, and a hard-wired connection.
Toyota's statement went on to say that their security efforts are focused on preventing hacking of the car remotely, from outside the vehicle. Which makes a lot of sense.
So far, we've yet to see an actual demonstration of totally remote-access of a car that resulted in car control being compromised. I'm not saying there's no way it couldn't ever happen, but if this is the best stuff CNN has to get me scared, I'm just not that worried just yet.