Estimated reading time: 4 minutes
How safe is your PC? In 2013, Kaspersky tallied some of their antivirus scan data and discovered that out of 50 million machines, almost 5% were infected with some form of malware or other. That’s 1/20, and it’s a scary statistic. But that’s just one report. Take this 2014 infographic that says 32% of all machines are infected with malware, viruses, backdoors, trojans… you name it. 1 in every 3 households in the US are infected with malware.
But what does it have to do with cars?
MEET THE MERCEDES-BENZ F015
It’s a completely self-driving machine, a computer on wheels connected to a network of other computers on wheels. It communicates with its surroundings via LED displays, laser projection systems, and acoustic communication, and is being hailed as the merging of luxury and bleeding-edge technology.
“The car is growing beyond its role as a mere means of transport and will ultimately become a mobile living space.”
– Dr Dieter Zetsche (Head of Mercedes-Benz Cars)
In other words, a hackable death trap of sorts.
THE JEEP CHEROKEE HACK
It is no surprise at all that most things are vulnerable to hacking, from TSA locks to remote car keys, and the most vulnerable of all: the computer. What do you imagine will happen, when you have a computer on wheels that holds the lives of its passengers in its metaphorical hands?
Well, no need to imagine, because it’s already happened.
In what must have been one of the most terrifying things to happen to him, Wired’s Andy Greenberg challenged a team of hackers to remotely hack into his Jeep Cherokee while he was driving it, and hack they did.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
– Andy Greenberg (Wired senior writer)
It’s a terrifying situation to imagine yourself in, your control getting ripped out of your hands and given over to someone with a laptop sitting miles away from you.
It’s important to remember here, that the Cherokee isn’t even a self-driving car, but a car with a controller inside it that handles the electronics, which in today’s world, that’s basically everything.
Obviously, in this particular scenario both hackers were security researchers, so the intent was not to cause harm, but nothing stops blackhats from harnessing these vulnerabilities to cause havoc on the streets.
So the question that arises then is: Why would anyone release a car that’s vulnerable? It’s a good question and the answer is a complete let-down.
IT’S HARDER TO TEST SOFTWARE THAN MECHANICS
Let’s say you’ve produced a bulletproof vest. The testing’s simple enough: Put a gun in front of it and attempt to put holes through the vest. You might want to test various kinds of weapons, sure, but the number is limited. You might want to test various ranges, or angles of attack, but, again, the variation is limited.
Similarly, if you have a mechanical system like an engine, you know the situations it’s going to be used in. You can list each scenario and test it.
Unfortunately, this is not the case with software.
Remember the 5% statistic from Kaspersky earlier? These are people who already have antimalware software installed on their machines, and still, 1 in 20 is infected. It obviously gets worse when you consider the general situation, which includes people without antimalware software installed. This is because software can be attacked, infinitely and via unimaginable means. The IT security industry has always been reactive in nature, reacting to new attacks by patching holes and blocking the vulnerable pathways through which hackers have already entered and damaged a system. Even when an action seems proactive, such as crazy new encryption methods, it is still, at its very core, a reactive action.
What we have now with cars is what we had with Windows PCs in the 90s: a dangerously false sense of security. With car companies releasing increasingly autonomous cars — from braking when an impending crash is sensed, to keeping in lane automatically, to completely self-driving — the number of vulnerabilities gets inevitably larger and the security industry just doesn’t have enough data to work with in order to preemptively fix those vulnerabilities.
While a PC getting wiped by a virus may cause damage to your personal or professional life, a self-driving car that suddenly and uncontrollably veers into oncoming traffic could seriously hurt (even kill) its passengers and the passengers of the cars it hits. We just won’t know about those vulnerabilities until they’re uncovered by hackers.
All we can do is hope that the good guys get to them first.