The recent news that Fiat Chrysler cars were vulnerable to takeover through remote hacking was unnerving enough. Now it seems the issue could be more far-reaching.
Fiat Chrysler recalled approximately 1.4 million vehicles after cybersecurity researchers demonstrated they could use a wireless connection to turn off a Jeep Cherokee’s engine as it drove. The attack was reported in Wired by Andy Greenberg, who volunteered to drive a car as cybersecurity researchers Charlie Miller and Chris Valasek took over its controls through a zero-day exploit.
“Their code is an automaker’s nightmare,” Greenberg reported, “software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”
More recently, David Morgan of Reuters reported that other auto manufacturers have installed similarly vulnerable systems, which may lead to a wider recall. “The supplier didn’t just supply radios to Chrysler but to a lot of other manufacturers,” Mark Rosekind, head of the National Highway Traffic Safety Administration (NHTSA), told reporters. “A lot of our work now is trying to find out how broad the vulnerability could be.”
Rosekind noted that this represents a bellwether for how the automotive industry will handle cybersecurity in the future. “It’s not just about the hack,” Rosekind said. “It’s what the response from the industry has been to see whether or not their issues have been acknowledged and what they’re planning. And that’s the part we have to see going forward.”
Another researcher, Samy Kamkar, has showed he could similarly exploit a security flaw in a mobile app for General Motors Co’s (GM.N) OnStar vehicle communications system—even after GM claimed to have fixed the attack.
These findings have already prompted action toward legislation. Wired has reported that Senators Ed Markey and Richard Blumenthal plan to introduce new legislation that would “call on the National Highway Safety and Transportation Administration and the Federal Trade Commission to together create new standards that automakers would be required to meet in terms of both their vehicles’ defenses from hackers and how the companies safeguard any personal information such as location records collected from the vehicles they sell.”