Why Apple Should Pay Particular Attention to Wired’s New Car Hacking Story

This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone) access. They accessed the vehicle’s Electronic Control Unit and from that were able to get to ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs that might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.

Screen Shot 2015-07-21 at 8.37.22 AM

Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.

Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.

Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.

[snip]

Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.

[snip]

In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.

Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.

Note, the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to electronics vulnerabilities generally.

As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).

So let’s hope Apple’s new employee takes this hacking report seriously.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. P J Evans says:

    It makes me glad my car’s most advanced feature is the remote for the doors. (No Bluetooth, no GPS, no satellite radio, no cellphone access that I know of.)

    • wallace says:

      Yet another story that makes me glad I’m driving a 82 Toyota station wagon…that has nothing that the manufacturer, or insurance company, or loan company can stop it with(remote disable). And, I can fix it myself, vs new cars you can’t even change the spark plugs. And, I get 28 mpg around town. And..it’s paid for. I’d submit, one day, you won’t be able to “own” a vehicle. Only lease it. And one day, only transportation companies with driverless cars will own them, and pick you up, for a fee.

      • Stephen says:

        And one day, only transportation companies with driverless cars will own them, and pick you up, for a fee.

        .
        Unfortunately, unless and until the car manufacturers ramp up IT security on the vehicles these driverless vehicles are going to have the same security problems as their human driven counterparts.
        .
        And note that I use “vehicles”. Driverless trucks and buses as well as driverless cars also seem likely to happen sooner rather than later. If they too are vulnerable to hacking then what we would effectively be putting on those roads are a bunch of potential drones.
        .
        For example, consider the consequences of hackers gaining control of a single 10-ton semitrailer barrelling along at 60 mph with a load of gasoline on a crowded interstate. Now ask yourself what the consequences would be if (say) Al Qaeda or ISIS could do the same thing remotely from Iraq or Pakistan.

  2. Rayne says:

    “But encryption is evil, EVIL, I tell you! Backdoors everywhere, on everything, is a must!”

    And the Chrysler patch must be installed using a USB device? Jeebus. Let’s just insert Duqu and StuxNet everywhere, for gods’ sake.

    This latest automotive-based vulnerability should give lawmakers pause with regard to Boeing and Hacking Team work on spyware-launching drones. Could this be used to hack automobiles on the highway? Boeing should answer to lawmakers about this because this technology has certainly been leaked outside the country already.

Comments are closed.