1) Were public roadways and speeds of 70mph absolutely necessary to demo this?

2) What was the plan if the trucker approaching at 70mph hadn't seen the Jeep stalled early and had to swerve or panic stop, possibly crashing and injuring themselves or others?

3) Anyone notify the Missouri State Highway Patrol about this? They may be contacting the researchers with questions about this demo if they weren't consulted in advance.

4) What's the plan if they trigger a bug in the car software of the people they had tested this with earlier? The article mentions them tracking people remotely as they attempt to learn more about the exploit.

I could go on but why bother? In case any of you think this was cool or even remotely (no pun intended) ethical, I'd like to know if you have a problem with letting these two test this on a loved one's car. How about they remotely poke around your husband or wife's car and explore, as long as they promise not to intentionally trigger anything?

If I ever learned this had been tested on a vehicle I was in, I'd make sure this cost the researchers dearly.

EDIT: I've just phoned 'Troop C' of the Highway Patrol at their main number, +1-636-300-2800 and they seemed pretty keen to follow up. The fact that the vehicle was disabled where there was no shoulder, was impeding traffic, and the demo not cleared with them in advance has them concerned. I'm all for testing exploits and security research, but this isn't the right way to do it. And to film it and post it to a high traffic site is nuts.

Back to the article, I think that this type of exploit will become more and more common as vehicles become more connected and automated. We need to know that we can trust the software and firmware running on the devices that literally have the power of life and death over us. Unfortunately, this is a VERY complicated issue, and no one has a solution yet AFAIK.

I watched a talk by Cory Doctorow last year where he suggested validation at the hardware level (a la trusted platform modules), but unlike the typical TPMs that only allow vendor software to be authenticated, these TPMs would allow the user to directly authenticate the firmware. If you know the firmware is good, then each layer can validate the next layer up all the way to the OS.

I have yet to hear of a system that allows the user to directly authenticate software/firmware at the hardware level. Is anybody working on research of this nature? Or are there insurmountable problems with this approach?

While I strongly support free speech and believe security researchers should be given some extra latitude when appropriate, what I saw was not at all appropriate. I saw two well respected security researchers sitting in a room like Beavis and Butthead laughing and remotely disabling a vehicle on a multi-lane interstate highway, like it was a big joke. The reporter in the Jeep literally says "This is dangerous" and asks urgently for help. This all filmed and posted to Wired for the world to see, like they are proud of it.

Before working with computers I drove tractor-trailers for a while and was lucky to achieve a million-mile safe driving award. I have a pretty good idea of the dangers here and I know that stretch of road well, I've crossed it many times. I know from experience that a car stopped in the middle of a multi-lane interstate is one of the most dangerous situations you can be in. I've had people hit me who didn't see my huge trailer with flashers on and warning triangles out on a sunny day - it happens quite often. I've seen dozens of people killed in situations exactly like this. You see it coming and a random driver just plows into the stopped vehicle.

I exercised my judgement and decided to phone the local Highway Patrol office. I've read the negative comments and I disagree, I still think it was the correct thing to do. If you are a researcher and you do something this dangerous, and are foolish enough to then post it on a high-traffic site like Wired, I think you forfeit any right to a discreet warning and you deserve to have the police show up demanding answers to some tough questions.

Important research but very poorly tested. Wired and Chrysler (research was funded by Chrysler?) legal teams would not like the contents of this video.

edit: wired's link to video, jump to 2:00: http://dp8hsntg6do36.cloudfront.net/55ad80d461646d4db7000005...

And that was while the security researchers caused the radio to blare so loud that he couldn't hear them on the other end of the phone. The more I see, the more I think they were really negligent in how they planned this out, and I was already firmly in that camp.

  Driver: "It says 43 miles an hour, but it's not really that fast."
  [voiceover omitted]
  Driver: "Guys, I'm stuck on the highway."
  Researcher A: "I think he's panicking."
  Researcher A: "He's not going to be able to hear us with that radio.  So loud."
  Driver: "Guys, I need the accelerator to work again."
  Researcher A: "The accelerator..."
  Researcher B: "It won't work!  You're doomed!"
  Driver:  "Seriously [beep] dangerous, I need to move."
  Researcher A: "You gotta turn the car off!"

I don't think this discussion has been distorted. It's based on the information they provided. They put a vehicle on a public highway traveling at the faster end of what's legal in the US on public roads, and then removed a large portion of the drivers ability to control the vehicle. It's unclear whether this affected the steering or brakes, which in a modern vehicle would both be power assisted, generally through the vacuum system of the vehicle. The vacuum is provided by the engine, so if the engine was actually off (which is unknown, but I think it's more likely they just forced the car into neutral), then they removed a large portion of his ability to control the car.

The bottom line is that they put a driver in a situation not only unsafe to himself (which they could have gotten consent to), but unsafe for the other drivers on the road. They did not have consent from the other people on the road to do this (indeed, it's not possible they could have), and if what they purport to happen in the article and video did happen, then they endangered those people. I've seen accidents from stopped cars being hit by others. If the highway is busy enough, the initial accident isn't even necessarily the largest damage, but it moves vehicles into even more obstructing positions and causes follow-on accidents.

https://www.google.com/search?q=stalled+car+accident&tbm=isc...

Without such event present in the footage, car manufacturers can just say "Meh - no big deal". And continue recklessly risking lives by manufacturing unsafe cars without air gap between CAN bus and Internet.

Remember, it's the car manufacturers that are the bad guys here, not the white hats... And just think how hard was this decision. It's a choice between risking lives and having footage that doesn't catch attention and thus allows car manufacturers to continue making unsafe cars with horrible security vulnerabilities. Amazing.

Your argument is ludicrous, because you're attempting to cast the actors as either good or bad. IMHO they are guys with a good idea and motivation who did a bad thing.

edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".

If optics is your justification for this, then perhaps having these two irresponsible researchers arrested would bring even more attention to this.

>edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".

Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.

Yep.

> Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.

No "air gap" between "CAN bus and Internet" equals vulnerable.

We know that. Auto manufacturers know that.

Yet they dismiss the possibility of a hack and continue producing unsafe vehicles. And the trend is toward more vulnerabilities.

I was to lazy to search a direct quote, but here it is now: "Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws.".

In this article it mentions how Chrysler is working with them and has developed a patch, indicating that they did not dismiss previously done tests. So basically saying the opposite of what I take your point to be.

Oh really, can you point to the responsible tests that were done in the past that proved inconsequential necessitating this reckless alternative? Or are you just inventing that the car manufacturers would ignore this and somehow the story would just go away?

Researchers perform controlled experiments. Controlled experiments are ignored. Researchers opt for more damning (though less controlled) experiments to further prove their point, and now they're suddenly the bad guys here.

Much of the commentary here focuses on the recklessness of the highway test and doesn't weigh in too heavily on who the bad guys are.

I think people mostly find the idea of remotely exploitable and controllable cars so terrible that there isn't anything to discuss about that aspect of it, it's nearly universally considered unacceptable (hence the epic thread about the side issue).

Maybe try reading the comments without imputing a side that the writer is taking.

It wouldn't have been difficult to do this right. Cops love drama and publicity. It wouldn't have taken much convincing to get them on board, and the video would gained a lot of credibility.

However, this doesn't change the fact that vulnerabilities were demonstrated, nor does it change the implication that auto manufacturers are excessively sluggish about security patches on things that can and do kill people on a regular basis. Even an imperfectly-conducted demonstration like this particular case is preferable to such a demonstration not occurring at all.

> And just think how hard was this decision

Given that they did the easy thing, it wasn't very hard at all.

Just because automakers are seemingly keen on ignoring security vulnerabilities does not justify putting people's lives at risk. And let's face it – a multi-ton vehicle that is not entirely in its driver's control puts lives at risk in just about any situation. The reason you and others argue that the demo's methodology is effective is precisely because of the risks involved; not in spite of them.

It is the responsibility of researchers to demonstrate risks without exercising the extent of those risks. Imagine if virologists regularly demonstrated communicability risk by injecting humans with disease outside of the lab.

And as busy as that highway was in the video, it was far more than just 2 vehicles, especially if one of those vehicles was the 18 wheeler.

At the very least they could have done this on a less busy stretch of highway that had a wide shoulder and with control vehicles in front and behind with paramedics at the ready (just like a movie production that is shooting on public streets). Instead the researchers and the journalist chose to be reckless.

Nobody's saying you can't. I certainly do (I strongly disagree with the researchers' obstruction of communication between themselves and their test subject).

My only point is that there's a massive difference in scale between a couple dented fenders and hundreds of thousands of dead/maimed innocents.

We're talking about someone coasting uphill with absolutely no braking whatsoever. There's plenty of reaction time in such situations (as I happen to know firsthand, as was the case when my SUV ran out of gas and I had to coast a quarter-mile over a hill to get to the next offramp while merging from the fast lane to the far right at 70MPH). Even for semis, the reporter's car wouldn't mean having to slam on the brakes. Not to mention that the uphill helps with stopping.

The story would be different if the researchers slammed the car's brakes. If that were the case, then yes, death would be possible. That wasn't the case.

No intellectual dishonesty here. Just thorough examination of the situation as described by the author of the article.

Agreed, the researchers deserve some criticism, but let's not lose sight of the forest for these two goofball trees.

That's mere conjecture. And it's an assertion you could easily test by first doing the remote hack in a controlled environment (e.g. a racetrack) and seeing if automakers respond before trying this on an actual freeway!

First, there's no indication in the article that the researchers or Wired presented the remote windshield wiper hack to the car's manufacturer and that they subsequently ignored it.

Second, there is plenty of indication that the exact opposite is true. The remote windshield wiper hack occurred this June, whereas the article states that they've been working with Chrysler on this for nearly nine months and that Chrysler released a patch prior to the publication of this article.

Third, the Cadillac anecdote isn't really relevant here. For starters, it looks like they were contacted by Wired, not the researchers, so it's unclear whether they were contacted before the dangerous freeway demonstration took place. And while the mention of the newer model is a bit odd, the statement also mentions devoting more resources and hiring a new cyber-security officer, making it unfair to characterize it as a "whatever" response.

Sure, it'd be nice if Cadillac was a little more proactive here, but keep in mind that the researchers hacked a Jeep (made by Chrysler), NOT a Cadillac (made by GM). The researchers think the Cadillac is also vulnerable based on its feature set, but absent a specific flaw to patch and given the short amount of time since the initial demonstration (less than two months), it's unclear what GM is supposed to do here.

Also, it's worth noting that the root flaw here - a hole in UConnect - is not limited to Chrysler. The article mentions tracking and surveilling GM vehicles, too (particularly Dodge), which makes sense, seeing as a lot of recent Dodge vehicles have UConnect as well (per http://www.driveuconnect.com/features/uconnect_access/packag...).

> For starters, it looks like they [Cadillac] were contacted by Wired, not the researchers, so it's unclear whether they were contacted before the dangerous freeway demonstration took place.

The article doesn't actually say that. Infiniti was contacted by Wired according to the article, but the initiator of Cadillac's response isn't specified (as far as I can tell).

If they were contacted in the same manner as Infiniti, then it's implied that said contact happened after the wireless hack, since the Infiniti contact involves a notification that the researchers' predictions were "borne out" in at least one of the three of them (in this case, Chrysler).

It's a shame because this is an incredible story and the work they did was great, but what a completely reckless stunt they pulled. Totally unnecessary too, the story would have been just as effective if the demo happened on a test track or empty parking lot.

These people did the exact opposite. They put others in potentially mortal danger.

They could have killed someone's daughter, son, mom or dad.

Stop and think about that for 10 minutes before you continue posting with this unreasonable point of view. Would your mom, dad or siblings life be worth this test? Imagine they collided with this car and died. Close your eyes and imagine that for a moment. Imagine receiving that call. Going to the hospital. Seeing the, all torn-up and suffering befor they die due to the injuries.

And then you find out it was due to two fuckers who thought it'd be funny/interesting/whatever to disable a car remotely.

Imagine that.

Although I do agree with you, I modded you down and the GP up in this case because appeals to emotion aren't the answer. Your post is a form of the "If it saves just one child" thought-ending pattern.

Game, set, match.

Angry mobs are dangerous and volatile and can push prosecutors to overreact. And prosecutors and politicians love to overreact when it comes to hacking.

Imagine: you're a local and you're trying to call the police. But, you can't, because the number is busy. Or you wait forever on hold, because people on the internet are angry about a reckless driving incident that happened weeks ago and that the police already know about.

OP called the police, that's enough. They know about it now. If you want to express your opinion, write the editor of Wired or, if you're really angry, the local district attorney.

The fact you have included their phone number seems to me like you are instigating some sort of lynch mob.

If you actually though it was an issue you would have privately contacted them without telling the world.

Very childish.

This is a big story that the appropriate authorities will be looking at anyway.

I just sat back and tried to estimate (since of course, I don't have a CB in my car and can't follow traffic details like a trucker) but I'd guess I've driven past at least 5 fatalities -- and that's just fatalities I've noticed (body on stretcher, read about it on the news later, etc)

Emphasis in too long, because this is the reason why road signs announce dangerous sections of a road with even miles in advance.

EDIT: Formatting.

1: http://dp8hsntg6do36.cloudfront.net/55ad80d461646d4db7000005...

Making factual statements contrary to how a situation was reported by those involved is fraught with pitfalls you can't anticipate, from things you don't know about. Until there's careful investigation, or the people involved recant or make factually impossible statements, you should be careful about making assumptions.

In any case, their reported actions are what people are upset about. If someone makes false statements about illegal activity and it results in the police showing up, they have only themselves to blame.

I understand it's tempting to see a single bit of evidence and want to use it to invalidate an entire narrative, but is it so hard to accept that while editing could have made a situation less dangerous seem more dangerous, the inverse could be true as well? We really have no authoritative source of what happened other than the story put forth. The story may indeed be fabricated or subject to hyperbole in parts, but unless you have a source beyond what's here, you are not qualified to make that assessment from the little evidence presented.

But putting many lives in danger is considered acceptable behavior by security researchers? Does it actually matter that it was security researchers? Do security researchers working on banking software need to steal a million dollars in order to prove that they've found an issue? Would calling the police be acceptable in that situation?

Actual outrage is acceptable when there's actual danger. Calling the cops on a loud neighbor might not be acceptable, but calling the cops on a neighbor firing a gun in the general direction of your house certainly would be.

We don't know, for sure, what happened. There might be some creative license in the journalism. There might be some omission of them talking to authorities (even if someone called the highway patrol and they said "oh, we don't know about this," all it proves is there's bureaucracy at the highway patrol). etc.

Calling the cops is invoking a powerful and hard-to-control force. Unless you think that the cops and the legal system are capable of talking to people fairly and understanding security research and making sense of tech journalism and reaching a reliably just outcome, there are better ways to exert your outrage.

For instance, the researchers are very well known in the security community. They're not rogues or mobsters or fugitives. If they recklessly endangered lives, we can pressure them to turn themselves in to the legal system.

I happen to have more faith in the ability of the hacker community to fairly figure out what happened than the legal system to fairly figure out what happened. If I shouldn't, then we have a serious problem as a community.

1. You don't trust the police/legal system.

2. You trust our own community more.

Not saying I agree or disagree, but there are a LOT of people who would really disagree with this, and a lot more who would think that someone saying "why involved the actual people the public has chosen to deal with this, we can deal with it ourselves" would be very wrong.

I don't like the fact that I trust self-policing by any community (even my own) more than the institution that is supposed to be doing policing. But whether I like it doesn't affect things.

I agree that it is important for us, as a free society, to fix policing. In the meantime, the best way to minimize injustice is not to invoke police when there is no immedate threat that can't be otherwise solved.

The police and judicial system sometimes have conflicting incentives as well, but at least they are aligned more with the public good than ours are. There are laws and they are, for the most part, rewarded for enforcing them.

I would like to think that a call to 911 with more information (which of course a fellow driver wouldn't have) would be handled differently:

  911: 911, What's your emergency?
  Driver: Hi, someone on the freeway has purposefully disabled their vehicle in a location without shoulders, and is slowing while driving, impeding traffic.  I'm not sure if the power brakes or steering are functioning, but the driver is definitely not in full control of the vehicle.
  911: We've dispatched an officer to your location.  Has there been an accident yet?  Has the driver recovered control of the vehicle?

And tossing chocolate bars into your neighbor's campsite in hopes that the angry bear will wreck their stuff is just not cool.

Unless the unruly bear is these security researchers, the fleeing campers are other security researchers in the same field, and their fleeing is them correctly assessing that some LEA is going to be taking down any bears nearby that even twitch wrong after this.

Bad actors ruin it for everyone.

You seem to think that because the police are theoretically under democratic oversight, that one can safely interact with cops as though the nominal rules of engagement will restrict them, but even if - in the long run - it is possible to rein them in, the law enforcement system we actually have right now is unpredictable, unjust, and unsafe.

If you distrust the police to the degree that you think even if your actions weren't illegal you will still have negative consequences from interacting with them, definitely don't do the above.

When someone's actions extend to endangering the public to the degree we see here (which I think is obvious once you've watched the video), they are past any good will I would have extended them in not contacting the police for fear of an overreaction. Their clear disregard for public safety is reason enough for me.

Additionally, on the chance that it was entirely intentional and they are counting on the media and possibly even law enforcement response to help make this an issue, they they definitely don't need our restraint, and nor do they want it.

It does not matter that we theoretically have democratic oversight. In practice, what we have is a system where cops can do whatever they think fit and expect to get away with it. They are armed and dangerous; it is not safe to interact with them. It is not a good idea to call them, or to talk with them if someone else calls them, because they - the cops - have a clear disregard for public safety when it is counter to their own interests.

If I was robbed, I would call the police. If I saw someone waving a gun around in public, I would call the police. If I saw someone using a car as a weapon, I would call the police. If I see a situation where people are endangering the public and someone might get hurt, I would call the police. Not doing so when I clearly knew I should would make me feel somewhat responsible for any negative outcomes otherwise.

I'm not really interesting in continuing a discussion where the other side's position seems to be "the police are racist scumbags and they will ruin your life with the slightest contact, so don't call them on criminals." You might find that characterization unfair, but then again, you're the one over-generalizing using large media events as evidence instead statistics.

Edit: Removed reference to ad-hominem, which wasn't factually correct.

While I agree with much of the rest of what you right in that comment, this is not accurate: overgeneralizing a negative stereotype of someone other than the other party in a debate isn't "pulling an ad hominem".

https://en.wikipedia.org/wiki/Poisoning_the_well

The cops can wreck your house, break your stuff, take your money, shoot your dog, deprive you of your liberty, and - if they think they can get away with describing you as a threat - shoot you dead. Even if you spend the time and money it would take to prove in court that all of this activity was illegal and unjustified, most of the time you'll fail, and even if you succeed you'll never get anything back.

I don't trust hackers or cops, but I can sure as hell see which one is the bigger threat.

Meanwhile hackers can break into the control systems for the power grid and shut down electricity, causing major damage. They can open or close hydroelectric dams, causing flooding and death. They can control hospital systems and kill or injure patients. They can control the airplane you're riding on while sitting in their seat. And all of these have been demoed at security conferences I've been to. I've seen these all in person.

There's a lot of physical harm that hackers can do. Sure, with a cop it's more personal since they're standing there in front of you pulling the trigger and a hacker doesn't even have to see your face.

Love them or hate them, both hackers and cops exist for a reason and are not going anywhere any time soon. One of the reason hackers exist is to point out dangerous security flaws like this. One of the reasons cops exist is because sometimes hackers are just as dangerous as the actions they're trying to draw attention to.

It also should be noted (since nobody else has raised this point) that some people within the police force likely read Wired anyway. So complaining about the police involvement for a piece posted to a popular news site is like moaning that your boss reads your Twitter feed.

IMO, the danger to the public caused by the researchers somewhat-controlled exploit is utterly dwarfed by the danger Jeep/uConnect is causing by directly connecting its cars to the internet. If the researchers are successful in getting car manufacturers to remove features like this entirely, the net result will ultimately save lives.

The article claims that the transmission was cut on a section of the freeway with no shoulder, so I'm curious how being stuck in the middle of the freeway translates to "slowing down and eventually driving off onto a grass shoulder." (And just because something "isn't the craziest thing I've seen" doesn't mean it isn't dangerous)

With or without shoulder, a stalled automobile is an everyday occurrence that drivers must absolutely watch and be prepared for. It wasn't the safest thing to do, but it isn't outside the normal range of "dangerous" events that one will experience on their commute daily, often more than once daily. IMO it doesn't increase the danger nearly as much as traffic patrol conducting a routine traffic stop on the freeway. If we're prepared to accept traffic patrol on busy freeways, then I don't think it's justified to treat a rare, even if foolish demonstration such as this one as anything more than a nuisance.

People who routinely test things that have the capability for real harm learn to take precautions for as many of the the things you don't think off as you can. For example, the Mythbusters are routinely testing things with cars and other bits of machinery that can cause physical harm if something goes wrong. They also routinely retire to abandoned airforce bases, remote locations, and the salt flats to test things.

But perhaps a little more objectively, there's certainly a moral hazard here; if every security researcher did this on public roads it'd likely be chaos. An appropriate response, IMO, would be for the police to make a phone call and tell them not to do it again.

It's actually not that different than pure software security research. You don't show a POC for your new DNS exploit by doing it against Comcast or AT&T public DNS servers without expecting some blowback. You set up a test environment.

The danger of a car having its transmission crap out on the freeway is non-zero, yes. On the other hand, they explicitly cut a vehicle's transmission on the freeway. The danger for the people in the immediate area of this vehicle was increased because the situation (a cut transmission) went from "maybe it will happen" to "it is definitely happening." At that point, whether or not an accident happened depended entirely on the skill and attention of the drivers around this vehicle something completely out of the control of the researchers.

Not the highway.

1: http://dp8hsntg6do36.cloudfront.net/55ad80d461646d4db7000005...

Demoing it on a test track with no other vehicles and a volunteer driver with helmet and roll cage -- that'd be acceptable, maybe, with suitable safeguards.

But doing it on the open highway with unaware third parties driving past, merely telling the test guinea pig "not to lose control" while being blasted with cold air and loud noise, having the controls disabled, and visibility impaired? That's gross recklessness with public safety. (Here's a clue: you could have put me in that car and given me all the warning in the world and I could not guarantee maintaining control or not causing a potentially fatal accident at 70mph under those conditions.)

You shouldn't run experiments on big powerful machines in public places where you can't keep by-standers out. Gross ethical breach. I just hope the journalist is exaggerating or making things up.

Had someone died you might (in countries which have it) get corporate manslaughter on a company that ignored security warnings. You absolutely would on the researchers and the journalist for their reckless disregard for the lives of others.

I think it's 100% OK to test on a private car on a private track.

Was it a hacker? Nope, just a dumb mechanic that got trash deep into the air intake during a routine oil change.

How many (dumb mechanics)*(routine oil changes) are there in this country? Five-Six orders of magnitude more than auto hackers, which is why I don't see any harm in one more (where the driver knew ahead of time it was going to happen).

Here's the good test: since humans were involved, how did they present this to their ethical review board?

I'm pretty confident the answer would be "what's an ethical review board?".

These people, on the other hand, knowingly and deliberately disabled a car on a highway. Yes, they had a plan, but they are still running their little experiment on other unwitting drivers on the highway. I don't consider the manner in which they ran their test to be ethical; it should have been performed on a closed track.

You can't just waive it away because other risk is more dangerous across the entire nation. Under that standard: One little murder is a rounding error compared to the 2.5 mil who die each year.

What would contacting the researchers achieve? They arbitrarily did the experiment in a public highway "to make the headline more shocking".

As much as I support any kind of security research, and as much as I support getting the attention of people to raise awareness, contacting the authorities was the correct move; a public highway is not a research lab without the proper permission from authorities.

There is even a bigger problem. These researchers, even if they were negligent, are far more at risk of legal punishment for creating a small risk for the sake of increasing safety standards overall than the people who choose to cut security funding and put magnitudes more people at risk for the sake of making more money.

Isn't it odd that we have a legal system where the ones attempt to expose and fix the problem for the sake of safety are facing far greater legal trouble than those who knowingly allowed for the problem to first occur due to increasing profits?

But as someone who says the car manufacturer ought to face legal consequences for failing to fix a remotely exploitable stall-out in a timely manner (even without demonstration of anyone being harmed), I also say that people who fuck with moving cars on the road are a menace as well.

http://www.lawyerinlongbeach.com/Torrance-DUI-Attorney.html

What about this "experiment" could not be done in controlled environment on a track… or a country road… or an empty parking lot.

I suppose we could just have infectious disease researchers set up shop on a street corner by this logic. Whatever! It's just a small risk! They're doing it for the sake of increasing safety standards!

If these guys want to be regarded as researchers, they need to act like them and be accountable like them. No ethics committee would ever approve a test like this.

WTF are you talking about? There is no the IRB.

The people who "choose to cut security funding" (I'm assuming you mean congress?) acted within the bounds of the law and within their power as elected officials. They broke no laws and your disagreement with the results does not make them criminals.

I don't know if these researchers broke the law. All that's happening now is they are being investigated. If they did break the law, then it seems to me perfectly logical that they would be in "far greater legal trouble" than someone who didn't.

TL;DR it's not odd that someone who broke the law is in more legal trouble than someone who didn't

Not conducting this demonstration on a public highway would also have been a much less aggressive and thoughtful move, not to mention less dangerous.

Their test-engineers don't say "hey, we're going to do some stuff, but try not to kill anyone".

Gross negligence.

Perhaps you are simply unaware of how dangerous the situation was? Several experts (ex-truckers) have described how they have seen people killed in circumstances like this. If you're being intellectually honest, that should inform your responses.

Reminds me of people who will call the police on a loud neighbor instead of just, you know, talking to them first.

The driver was clearly distressed and they were just laughing it up.

This has no bearing on the original issue ('Calling police on security researchers'), but I'm just saying that you can't debate nicely with everyone.

So, you don't care about the fact that this experiment on public roads could have killed people? Just because it's for security research it's ok to recklessly endanger lives? What Wow's me is your cavalier attitude, I'm glad he informed the police and I hope they face repercussions. What they did needlessly endangered people's lives and public safety to add a sensational bit to a story, I find that way more "aggressive" than informing the proper authorities of those actions.

> they cut the transmission. [...] Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed

In what world do we not call the police on this kind of behavior?

nothing novel there in terms of having to have some "new" TPM. Just OEMs choose to lock down their boot chain. Probably most secure boots are minimally implemented to only support the use case of secure/trusted boot (device/chip/OEM key) xor untrusted boot (no key).

If both are supported, whatever functionality that relies on OEM firmware or chain of trust would be disabled if it is an untrusted boot (like fastboot oem unlock for some android devices) situation.

May be tricky to enable certain desirable/required features if user wants to run their own firmware.

>I have yet to hear of a system that allows the user to directly authenticate software/firmware at the hardware level. Is anybody working on research of this nature? Or are there insurmountable problems with this approach?

I think chromebooks/chromeOS folks have been looking at this. Not sure of the current state of things.

p.s. TPMs kind of suck if they are not able to be updated OTA.

Who cares what their job title is? They deliberately blocked visibility and then cut the transmission of a vehicle being driven on a public road in traffic. That is well into the territory of criminal negligence.

The right way to do this would have been for the researchers to call the police up front and arrange a demonstration on a closed road with police escort. That would have lent the video more credibility and shielded the researchers from liability, while addressing any concerns about safety or ethics.

We are here not an intellectual debate club were people take pro and contra sides and points are distributed based on the rigor of the argument, but discussions around here are about real world problems.

And somebody calling the cops on security researchers just because he read an article on the intern is in my view highly questionable behavior for somebody familiar with the tech community.

Even you, the busybody who called the cops because you read an article, said "What was the plan if the trucker approaching at 70mph hadn't seen the Jeep stalled early..." which implies that the trucker would have been following too closely or not paying attention (or both).

It's worth pointing out that the driver was aware of the situation and they didn't do anything dramatic like lock the brakes or throw the car in reverse. They chose a gentle deceleration in a stretch of road that had no shoulder to make it feel dangerous, but, on the spectrum of hazards that most drivers face every time they take the car out of the garage, this is pretty tame.

The fact is, had something happened, it wouldn't have been the disabled car that was at fault.

I think the researchers are in the clear, and for you to have read the article and been bothered enough to call the cops (and post the number for, presumably, the convenience of other hyper-sensitive folk who might otherwise just go back to staring at the neighbor kids from their bedroom window with their phones in their hands and 911 on their speed dial) is nuts.

Say there was a person working at a grown-up lab that deals with traffic safety. Like the University of Michigan Transportation Research Institute http://www.umtri.umich.edu/ .

The person wants to know what happens when someone slams on their brakes on a 70mph road. He says "don't worry, if anyone hits me, it will be their fault, because they were following too close."

What do you suppose the ERB says in response?

I do think that educating them with regards to better choices would be helpful, but they appear to have committed an offense and documented it on camera in the news. I think they were going to end up in trouble one way or another here.

Similarly, the researchers have increased the probability of a crash from the near-zero probabilities that are typical of actuarial tables to close to 100%.

I feel like there's a lot of cargo cult thinking going on here. The situation is _almost_, but not quite, like a lot of other ones where the security researcher is unreasonably blamed. For example, I could easily see some people being up in arms about announcing this exploit at Black Hat.

But that's not the case here. I have a healthy fear and respect of a ton of metal flying down the road at 70mph. And this stunt, done just to generate headlines, was needlessly reckless. It could have just as easily been demoed in a private lot or something.

It was previously demoed in parking lots and other controlled environments by these researchers, according to the article. Said demonstrations were ignored by the auto manufacturers, with some manufacturers - like Toyota - trying to claim that their systems were still "secure".

The public and the manufacturers need a proper wakeup call. My fear is that even a "reckless" test like this one isn't enough of a wakeup call.

If someone had died from this stunt, the total number of deaths from remote hacking of cars would be 1.

NB: I highly favor a bounty system where someone who can demonstrate the ability to take over a car without touching it gets paid lots of money, and if the company fails to fix it they get fined even more money. But "someone else is doing something bad, too" is never a good justification.

When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks. “We didn’t have the impact with the manufacturers that we wanted,” Miller says. To get their attention, they’d need to find a way to hack a vehicle remotely.

But you are apparently ignoring this paragraph, which discusses Chrysler responding to the hack, as I read it, prior to the events in the article:

Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”

The way I put the information in those two paragraphs together, it's the fact that the attack can be done without physical access to the car that got the attention of Chrysler, not the publication of a stunt in some web rag.

Are we still on Hacker News, or is the transformation to Enablers of Traditional American Power Structure News complete?

I will still call the police in the future, but just so they can fill out a police report for insurance claims or potential law suits. Other than that, I don't expect the police to do anything unless they were on the scene and saw somebody break the law.

And even then, one of the times when my car was vandalized, the cops were there and they filed a police report and told me to try to figure out who will pay between the two dudes that jumped on my car and if that doesn't work, give the officer a call and he will help me with the next steps. Obviously those guys didn't wanna pay so I tried to get in touch with that cop and he was avoiding my calls. I called over 10 times over the course of a couple weeks and he was never there and never returned my calls.

Another time my neighbor was throwing eggs at my motorcycle for 3 nights in a row and I got him on video, call the cops and they come by about 12 hours later and just laughed at the video, and then all of a sudden got a call to something more important and bounced. It may seem funny, but me having to pay someone $300 to clean egg out of all of the fairings and tubing is not funny. At the very least, do your job and file a fucking police report.

* Cops are under no obligation to go into harms way to protect the public.

* Cops primarily exist to collect evidence for prosecution after the fact.

* Just because criminals and crimes exist doesn't take away from cops' bad behavior.

* If calgoo becomes the victim of a crime, cops are unlikely to be able to make him whole again - for bodily injury, prosecution of the perpretrator can't restore his body or life - for property damage or theft, police usually can't be bothered with the small stuff.

Have you seen what happens to communities when police withdraw? They become overrun by gangs and other less accountable organizations.

Even favelas where cops act paramilitarily, say in Caracas, people still want cops because no cops is usually worse, unless you get a private version of cops, which is essentially cops by another name.

(Of course, even if it's not an exaggeration and even if it reflects the actual probabilities of getting hurt by cops and criminals there, it does not follow that things wouldn't be even worse without a police force.)

Being a security researcher or journalist doesn't give you a license to put the public in physical danger.

https://twitter.com/0xcharlie/status/623492229714313216

Why not engage the FBI? This is not an issue specific to St. Louis. Throwing some researchers in jail solves nothing. This is a way bigger deal than some local offense.

You need an agency with the ability to see the bigger picture.

This basically suggests thousands of cars could be driven off the road and deliberately crashed right now. I'd say that's a threat that they need to deal with at the national level on an immediate basis.

Would you rather wait for a malicious actor like North Korea to get involved before the FBI makes a move?

What I'm trying to say is I'd rather the FBI gets involved and works with these researchers to develop an expedient fix for this problem than some beat cop in St. Louis to bust them and throw them in jail where they help nobody and the threat remains extremely grave.

Calling the police will not have them go to jail or have their data deleted. It might (rightfully) get them a fine. It will however ensure that their next experiments are done in a safer, more legal way.

Calling the police isn't all about emergency. You can call them to talk about issues that worry you such as this one. They will take care of bringing the issue the the right entities, it's their job.

  > Calling the police will not have them go to jail or have their data deleted. 

If there's a case to be made, the police will build it. If they build it, the DA will prosecute it, and there could be (is going to be?) things like charges under the CFAA, since they could certainly try the perspective that the access needed to be authorized by the auto manufacturer, rather than the owner of the car.

I could totally see how invoking the power of the police on these researchers could, through the kind of progression we've seen many times before, destroy their lives. I really hope that's not the case -- I'd much rather they got some kind of warning like, "Don't you ever do this on a road with other people on it again". Even so, I agree with many others that their actions were pretty reckless, more so than I realized when I first read the article. This is the kind of thing that should have been done on a private test track, and doing it around others was reckless and negligent.

Having considered how dangerous their little stunt was, I'd almost expect them to be sentenced to some gaol time. What they did was pretty darn Serious!

If prior HN articles are anything to go by, it's a matter of time before SWAT kicks down their doors, beats them up a bit, and maybe even a few officers "fearing for their own lives" (yeah right) take a couple of shots in "self defense" against unarmed nerds.

You're delusional if you trust in a law enforcement agency to take reasoned and measured action in any situation.

Or not done at all.

I may not fully agree with their methodology but I'm thankful this work is being done by people with good intentions instead of having these issues come to light when people with malicious intent find the vulnerability and kill or maim countless people.

You cannot simply test a car like that on the highway. There are privates road, abandoned airports, big parking lots that are more suited.

Old habits die hard.

This isn't really engaging with his action. Specifically, because called the cops because he believed that their methods put people in danger of physical harm. This objection isn't coherent without an argument either that:

1) He was unreasonable in his belief that they'd put people in harm's way.

or

2) It is not appropriate to contact law enforcement as a result of observing one person put another in harms way.

I'm guessing you're arguing both, correct?

aside: He contacted the state highway patrol, not the local St. Louis police. aside2: Hi Geofft! How are things going?

My argument is roughly that we don't know for sure that people were put in harm's way, and we have good reason, as hackers, not to trust the legal system to reliably figure these sorts of things out (and they generally fail in the direction of being worse for both individual researchers and society of a whole). If we did empirically find the legal system reliable and fair, I'd be more convinced that the threshold for objecting should be "unreasonable".

The action is also over right now, and I see no indication that they intend to do so again. So this is either about punishment-as-retribution, or about dissuading future researchers from doing similar things. I don't think retribution is particularly justifiable, and I think there are better ways to dissuade future researchers, like having a conversation about it without the police involved. So I guess I'm arguing the specific sub-case of 2 that if they don't intend to put someone in harms' way again, law enforcement isn't necessarily right.

(You're right about the highway patrol thing, btw. I think I had it confused in my head with some other recent public/police conflict where the highway patrol was worse than the local police, but it looks like the opposite was true of the Ferguson protests.)

The researchers could have achieved the exact same results (albeit with fewer clicks) by conducting this experiment in a remote parking lot or a private road. Heck, if the writer had contacted the cops, they could have given him an escort to make sure nothing bad happens.

If you ask me, it is this kind of behavior that makes the work of real researchers harder, as the media is quick to paint all security researchers as clueless nerds who will put people at risk.

According to the article, the researchers already did as early as 2013. Auto manufacturers ignored the reports while continuing to pretend that their vehicles are secure.

If I were an auto manufacturer, I wouldn't wait until someone finds a wireless exploit (at which point it's too late to do anything about it before people die or are maimed unless I'm lucky enough for the zero-day to be found by a white-hat or grey-hat). I'd see those earlier reports, say "holy shit if we have one wireless bug, the whole car could be pwned", and start working on a better isolation of critical systems from internet-connected systems immediately.

Sure you do. This is why large businesses (smart ones, anyway) require employees' smartphones to be locked with a password or PIN. This is why standards like HIPAA require secure data to be encrypted at rest. This is why laptops being stolen from government agencies leads to things like millions of confidential records disclosed (true story).

And you're still missing my point: that the likes of Toyota and Ford are relying on their wireless systems being secure. That's reckless, since now their wireless systems are the single point of security failure. The lack of even basic safeguards, access levels, etc. should a breach occur is the point of this article, more so than the specific UConnect breach. Having only one layer between "secure" and "pwned" is by no measure a good idea.