A pair of veteran cybersecurity researchers have shown they can use the Internet to turn off a car’s engine as it drives, sharply escalating the stakes in the debate about the safety of increasingly connected cars and trucks.
Hackers managed to remotely commandeer the controls of a Jeep Cherokee, activating windshield wipers and blasting the radio—even going as far as turning off the car’s engine in the middle of a highway, according to a report from Wired.
“The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch,” the Wired report read.
This story has been widely reported. See CNBC, Fox or USA Today for the details. The hackers believe as many as 471,000 vehicles may be vulnerable, although they have only proven the concept on a Jeep Cherokee.
The safety issues of this are enormous. They will be widely debated, and I won’t step into that debate. Instead, I want to look at the business implications of this news.
Fiat Chrysler (makers of Jeep) said it had issued a fix for the most serious vulnerability involved. The software patch is available for free on the company’s website and at dealerships.
It’s good news Fiat Chrysler responded quickly, but it raises several questions. Is this “fix” user-installable, or does it require the dealership? If it’s user-installable, why isn’t Fiat Chrysler issuing software updates regularly to improve the quality, performance and functionality of its cars? If, on the other hand, it’s a dealer-installed fix, does this constitute a recall, adding to record recalls in the auto industry over the past few years? From a safety standpoint, this problem is as serious as any mechanical recall.
Should auto manufacturers move to a business model of regular software upgrades to improve the quality, safety, performance and functionality of vehicles?
The app economy has conditioned consumers to expect frequent, no-charge updates to software on their mobile devices. How long will it be before consumers demand this from their ultimate mobile device, their vehicle?
No doubt long-range planners for the auto manufacturers foresee this, but it puts them on the horns of a dilemma. If they acquiesce to consumer demands, it will allow customers to keep their vehicles for a longer time and slow down the vehicle purchase cycle for dealerships. If they don’t acquiesce, however, they run the risk of alienating customers.
Taken to an extreme, it becomes the ultimate “razor vs. razor blades” economic decision. Do manufacturers sell vehicles (razors) to continue to sell them software upgrades (razor blades) and keep them locked into their vehicle brand longer? If so, what impact does that have on the dealer network?
I, for one, would welcome the opportunity to purchase a vehicle once and receive frequent, low-cost/no-cost upgrades. I dread the vehicle buying process and would be grateful for any solution that delayed that experience. I’m certain I’m not alone in this regard.
Hardware vs. software
Automakers are good at hardware, bad at software. Ford outsourced its infotainment to Microsoft’s Sync. Others kept software development in-house, creating a variety of user experiences, some better than others.
Car manufacturers have produced a hodge-podge of software solutions. None of them conforms to any standard. All of them have features and functionality that exceed the competition in one way or another, but also lag the competition in other ways.
The Ford model of outsourcing the infotainment software to a 3rd party (Microsoft) seems prudent to me. It’s a wonder other manufacturers aren’t following suit. Extend this idea further. Outsource more of the on-board computer systems to 3rd parties.
Auto manufacturing grew due to specialization of tasks, aka Henry Ford’s assembly line. It’s surprising manufacturers haven’t picked up on the idea of specializing in hardware and leaving the software to another company.
There are precedents for this. Boeing builds the jets, but uses 3rd party software for navigation, flight control and communication. If Boeing specializes like this to keep a 735,000-pound jet aloft, surely the car manufacturers could do the same to keep a 3,000-pound car running.
Autonomous driving cars
A thoughtful person will conclude exposing this bug is good for autonomous cars. Cars from Google, Facebook and Apple (allegedly) may be less vulnerable because these companies are already combating hackers in their main business and can extend that knowledge and experience to autonomous cars.
Two things are noteworthy. First, the autonomous car companies leading the pack are software companies and have built software security into the initial design. Second, neither Google, Facebook nor Apple is manufacturing the hardware on its own. They’re using hardware manufactured by other companies and integrating their software into it.
Legislation vs. Free Markets
Coincidentally, on the same day as the hack, Massachusetts Sen. Ed Markey introduced new legislation calling for the FTC and National Highway Traffic Safety Administration to secure the safety of cars on the road.
Is legislation the solution?
This is a small problem affecting one car and potentially affecting 741,000 others. This is 0.29% of the 253 million vehicles on the road in the country today. The problem will grow as vehicles are replaced with newer ones with the software vulnerability, but it will take decades. Is this a solution in search of a problem? Expanding the authority of the FTC and NHTSA adds bureaucracy and stresses overworked and underfunded agencies. Such an action assumes that buyers need protecting. Buyers are smart, though. They will weigh the risk/reward of buying a Fiat Chrysler (or similar) product with vulnerable software. It may force car manufacturers to reduce prices to attract more buyers or improve software to minimize the vulnerabilities. Neither is a bad outcome.
White hat hackers
Surprisingly, cybersecurity researchers discovered this flaw. Why wasn’t it Fiat Chrysler’s own cybersecurity team? Aren’t auto manufacturers hiring or contracting “white hat” hackers to test the vulnerability of their software? The answer is no, for now. When software isn’t your main business, security is an afterthought. Car manufacturers are now on the defensive to prove to consumers their software is reliable and secure. This only intensifies the argument for specializing in hardware manufacturing and allowing 3rd parties to specialize in software.
Try this next time you’re stopped for speeding. Tell the officer your car was hacked and you weren’t in control. You’ll still get the ticket, but you may win in court. There’s no way law enforcement can challenge that your car was hacked. Take this advice with a grain of salt, however. I’m not an attorney, so this doesn’t constitute legal advice.
The national media attention surrounding this incident blows the problem out of proportion. Currently, it’s only affected 1 vehicle out of 235 million. Potentially, it could impact another 741,000 vehicles, but even that number is 0.29% of the total vehicles on the road.
Let’s not throw the baby out with the bath water. More software in vehicles is a positive trend. We should encourage it and not restrict it through legislation. At the same time, though, it points out the auto manufacturers need help designing and maintaining the vehicle software. This has enormous business implications that partnering with 3rd party software manufacturers could solve.