> It could have just as easily been demoed in a private lot or something.
It was previously demoed in parking lots and other controlled environments by these researchers, according to the article. Said demonstrations were ignored by the auto manufacturers, with some manufacturers - like Toyota - trying to claim that their systems were still "secure".
The public and the manufacturers need a proper wakeup call. My fear is that even a "reckless" test like this one isn't enough of a wakeup call.
Life is hard. Sometimes people don't pay attention. Pulling irresponsible stunts isn't an appropriate response "to make people pay the proper amount of attention."
If someone had died from this stunt, the total number of deaths from remote hacking of cars would be 1.
NB: I highly favor a bounty system where someone who can demonstrate the ability to take over a car without touching it gets paid lots of money, and if the company fails to fix it they get fined even more money. But "someone else is doing something bad, too" is never a good justification.
> If someone had died from this stunt, the total number of deaths from remote hacking of cars would be 1.
If this stunt had never happened, we'd be in a position where some less-scrupulous actor would demonstrate such exploits on a much bigger scale. I can guarantee you that the total number of deaths from remote hacking of cars would be far greater than 1.
If we're going to play the "OH NO THINK OF THE CHILDREN^H^H^H^H^H^H^H^HHYPOTHETICAL DEATHS" game, then let's put this into some goddamn perspective, eh? 1 v. hundreds of thousands (if not millions) that are currently vulnerable to remote hacking right this very instant.
In all actuality, of course, that "1" death was highly unlikely; at most, we'd probably see a few dented bumpers and a couple grand in car repairs. Maybe somebody with whiplash.
But you're ignoring the fact that this exploit could have been demonstrated in a safe manner on a racetrack or similar with just as much effectiveness.
It could have been demonstrated, yes. It's the effectiveness that's in question, seeing as similar demonstrations weren't particularly effective.
And yes, they could've easily done this demonstration with better safety constraints (particularly regarding communication between the researchers and the driver; said communication was seriously impaired), but the implication is that the researchers believed a "live" test to be necessary to actually get that attention. The point is less "this is what happens to your car" than "this is the sort of danger your car poses to the general public".
My fear, of course, is that even this won't be effective. Hopefully proper basic security measures (like, say, not connecting the transmission, brakes, and steering to the bloody Internet) will be taken seriously before some multi-fatality catastrophe happens because of such security flaws.
Presumably you are leaning on this paragraph when you say that their earlier attacks were ignored?
> When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks. “We didn’t have the impact with the manufacturers that we wanted,” Miller says. To get their attention, they’d need to find a way to hack a vehicle remotely.
But you are apparently ignoring this paragraph, which discusses Chrysler responding to the hack, as I read it, prior to the events in the article:
> Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”
The way I put the information in those two paragraphs together, it's the fact that the attack can be done without physical access to the car that got the attention of Chrysler, not the publication of a stunt in some web rag.
Even Chrysler is ignoring the root problem that was demonstrated even with wired access: that should the outermost layer of security be compromised in a modern car, the whole car is likely compromised due to a lack of separation between the car's inner workings and the numerous attack surfaces. That's why the paragraph about Ford and Toyota is very relevant here; once that wireless exploit is found (and believe me, it will be found; this is a question of when, not if), drivers of Toyotas and Fords are hosed. Being anywhere on that list of "hackable" cars [0] should be recognized as a significant problem, but manufacturers are continuing to blow off the core problem and only react to specific breaches.
Basically, folks like Chrysler, Ford, and Toyota (and other mentioned manufacturers, too, like Cadillac) are relying on white hats and grey hats to be the ones finding the zero-day exploits in their wireless systems. And even when those exploits are found, they're being "addressed" with half-assed solutions like requiring an upgrade via USB (never mind that if a remote attacker can hijack the brakes and transmission, of all things, an OTA upgrade should at least be possible).
In other words, I'm not ignoring Chrysler's "response" at all. Rather, I'm noting that their response isn't actually indicative of the attitude shift that's actually necessary to prevent death and maiming of drivers.