They've risked people's lives to produce real life looking footage documenting a life threatening event.
Without such event present in the footage, car manufacturers can just say "Meh - no big deal". And continue recklessly risking lives by manufacturing unsafe cars without air gap between CAN bus and Internet.
Remember, it's the car manufacturers that are the bad guys here, not the white hats... And just think how hard this decision was. It's a choice between risking lives and having footage that doesn't catch attention and thus allows car manufacturers to continue making unsafe cars with horrible security vulnerabilities. Amazing.
So demo it at a race track. The essential point here is that the uninvolved public were placed at real risk of maiming or death.
Your argument is ludicrous, because you're attempting to cast the actors as either good or bad. IMHO they are guys with a good idea and motivation who did a bad thing.
We are a very visual culture, unfortunately. Unless there's a video of your average Joe driving on a regular highway and a regular car going wild, everyone would just dismiss the problem as limited to "race track" and would not connect the vulnerability to his/her own car.
edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".
>We are a very visual culture, unfortunately. Unless there's a video of your average Joe driving on a regular highway and a regular car going wild, everyone would just dismiss the problem as limited to "race track" and would not connect the vulnerability to his/her own car.
If optics is your justification for this, then perhaps having these two irresponsible researchers arrested would bring even more attention to this.
>edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".
Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.
> "researchers arrested would bring even more attention to this."
Yep.
> Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.
No "air gap" between "CAN bus and Internet" equals vulnerable.
We know that. Auto manufacturers know that.
Yet they dismiss the possibility of a hack and continue producing unsafe vehicles. And the trend is toward more vulnerabilities.
I was too lazy to search for a direct quote, but here it is now: "Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws."
That is very much NOT a quote from this article; if you are quoting another article by mistake, please link it, as this article does not even use the word "presented".
In this article it mentions how Chrysler is working with them and has developed a patch, indicating that they did not dismiss previously done tests. So basically saying the opposite of what I take your point to be.
Yeah, you and your family. Well, you are lucky. These researchers and this reporter had already risked their reputations, lives and their livelihoods. So you, now, don't have to. And maybe you'll even be able to benefit from all their hard work, because there would be fewer vulnerable cars around. Although you would probably never know that.
No. They absolutely did not have to produce a life threatening event. They could have done it at 5MPH and car manufacturers would still take notice because it would still spread like wildfire on the Internet. What they did was supremely irresponsible and the cops should have been called.
They already did do it at slower speeds in parking lots. Manufacturers didn't care. They probably still won't care, which means that it's a matter of time before someone even less morally-bound decides to wreak havoc on traffic.
> Without such event present in the footage, car manufacturers can just say "Meh - no big deal". And continue recklessly risking lives by manufacturing unsafe cars without air gap between CAN bus and Internet.
Oh really, can you point to the responsible tests that were done in the past that proved inconsequential necessitating this reckless alternative? Or are you just inventing that the car manufacturers would ignore this and somehow the story would just go away?
The actions - according to the article - of auto manufacturers in response to prior more-controlled tests are exactly equivalent to that. The manufacturers basically said "hey, thanks for showing us this crash-test footage that shows our vehicles are literal fucking coffins on wheels; we don't really care", leaving the researchers with no results after taking more "sane" measures.
Researchers perform controlled experiments. Controlled experiments are ignored. Researchers opt for more damning (though less controlled) experiments to further prove their point, and now they're suddenly the bad guys here.
> Researchers opt for more damning (though less controlled) experiments to further prove their point, and now they're suddenly the bad guys here.
Much of the commentary here focuses on the recklessness of the highway test and doesn't weigh in too heavily on who the bad guys are.
I think people mostly find the idea of remotely exploitable and controllable cars so terrible that there isn't anything to discuss about that aspect of it, it's nearly universally considered unacceptable (hence the epic thread about the side issue).
Maybe try reading the comments without imputing a side that the writer is taking.
What they should have done was involve the police from step #1. If the video had been conducted on a closed section of roadway with ambulances standing by, police escorts, and lots of badges and sirens, it would have been even harder for the automakers to blow off.
It wouldn't have been difficult to do this right. Cops love drama and publicity. It wouldn't have taken much convincing to get them on board, and the video would have gained a lot of credibility.
I agree completely; there were a lot of formalities that were neglected - and had they not been neglected, there would be less backlash against the researchers.
However, this doesn't change the fact that vulnerabilities were demonstrated, nor does it change the implication that auto manufacturers are excessively sluggish about security patches on things that can and do kill people on a regular basis. Even an imperfectly-conducted demonstration like this particular case is preferable to such a demonstration not occurring at all.
Blocking the visibility through the windscreen, then shutting off the transmission of a car, that is driving on an interstate overpass in traffic, is not white hat by any stretch of the imagination.
Perhaps not, but it's necessary to get the attention of auto makers so that they stop building such trivially-compromisable systems. This was a couple of security researchers on one car for a proof-of-concept; better to demonstrate these flaws early and with a more limited sample than to watch the pileup of epic proportions that would happen should someone even less scrupulous acquire such control over vehicles on the road.
I don't exactly condone the ethics (or lack thereof) of the researchers, either, but if that's the only way to get proper attention (after previous, more polite and reasoned attempts were simply dismissed by manufacturers), then so be it.
Had that Jeep run into you or you run into it as a result of this experiment, you may have found that you have a profoundly different threshold for what is "necessary to get the attention of auto makers".
Just because automakers are seemingly keen on ignoring security vulnerabilities does not justify putting people's lives at risk. And let's face it – a multi-ton vehicle that is not entirely in its driver's control puts lives at risk in just about any situation. The reason you and others argue that the demo's methodology is effective is precisely because of the risks involved; not in spite of them.
It is the responsibility of researchers to demonstrate risks without exercising the extent of those risks. Imagine if virologists regularly demonstrated communicability risk by injecting humans with disease outside of the lab.
> Just because automakers are seemingly keen on ignoring security vulnerabilities does not justify putting people's lives at risk.
So condemn the auto manufacturers for putting hundreds of thousands - if not millions - of lives at risk instead of yammering about a couple of nerds who put at most 2 vehicles in probably-nonfatal danger in a worst-case scenario.
And as busy as that highway was in the video, it was far more than just 2 vehicles, especially if one of those vehicles was the 18 wheeler.
At the very least they could have done this on a less busy stretch of highway that had a wide shoulder and with control vehicles in front and behind with paramedics at the ready (just like a movie production that is shooting on public streets). Instead the researchers and the journalist chose to be reckless.
Nobody's saying you can't. I certainly do (I strongly disagree with the researchers' obstruction of communication between themselves and their test subject).
My only point is that there's a massive difference in scale between a couple dented fenders and hundreds of thousands of dead/maimed innocents.
Difference of scale? Ok, I agree with you there, but characterizing the risk as "a couple dented fenders" is intellectually dishonest. A high speed accident on an interstate could easily involve serious, even fatal injuries.
It could in some situations, yes. This was not one of those situations.
We're talking about someone coasting uphill with absolutely no braking whatsoever. There's plenty of reaction time in such situations (as I happen to know firsthand, as was the case when my SUV ran out of gas and I had to coast a quarter-mile over a hill to get to the next offramp while merging from the fast lane to the far right at 70MPH). Even for semis, the reporter's car wouldn't mean having to slam on the brakes. Not to mention that the uphill helps with stopping.
The story would be different if the researchers slammed the car's brakes. If that were the case, then yes, death would be possible. That wasn't the case.
No intellectual dishonesty here. Just thorough examination of the situation as described by the author of the article.
Because scale. One is very limited in scope, i.e.: on one day, in one city, on one road, for a few minutes, one car caused a few other vehicles to make otherwise unnecessary lane-changes. vs. the vulnerabilities exposed, which affect tens or hundreds of thousands of vehicles in every city, every day, on almost every road, at almost any time.
Agreed, the researchers deserve some criticism, but let's not lose sight of the forest for these two goofball trees.
> it's necessary to get the attention of auto makers
That's mere conjecture. And it's an assertion you could easily test by first doing the remote hack in a controlled environment (e.g. a racetrack) and seeing if automakers respond before trying this on an actual freeway!
If you read the article, you'd know full well that the researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.
I've read the article. Where does it mention controlled environments? The only mention of exploits being dismissed by manufacturers was in regard to a wired exploit, not a remote one.
The paragraphs after the photo of Charlie Miller describe the process of identifying and isolating wireless exploits, including remote-activation of windshield wipers on a vehicle in one of the researchers' driveways. This did admittedly escalate quickly to passive "tagging" of vulnerable vehicles by VIN, but that's a far cry from the experiment in question.
The findings before physical tests (identifying cars with a lack of airgapping or other basic security measures) were also reported to Cadillac (as one example among others); said findings were basically dismissed with a "well we've already released a newer Escalade model with some more security features, so whatever".
This isn't to mention that the wired exploits should've been enough to at least spark some level of concern.
First, there's no indication in the article that the researchers or Wired presented the remote windshield wiper hack to the car's manufacturer and that they subsequently ignored it.
Second, there is plenty of indication that the exact opposite is true. The remote windshield wiper hack occurred this June, whereas the article states that they've been working with Chrysler on this for nearly nine months and that Chrysler released a patch prior to the publication of this article.
Third, the Cadillac anecdote isn't really relevant here. For starters, it looks like they were contacted by Wired, not the researchers, so it's unclear whether they were contacted before the dangerous freeway demonstration took place. And while the mention of the newer model is a bit odd, the statement also mentions devoting more resources and hiring a new cyber-security officer, making it unfair to characterize it as a "whatever" response.
Sure, it'd be nice if Cadillac was a little more proactive here, but keep in mind that the researchers hacked a Jeep (made by Chrysler), NOT a Cadillac (made by GM). The researchers think the Cadillac is also vulnerable based on its feature set, but absent a specific flaw to patch and given the short amount of time since the initial demonstration (less than two months), it's unclear what GM is supposed to do here.
My point wasn't about Chrysler specifically. My point was about auto manufacturers in general (and I've made this clear from the beginning). By pinning it to Chrysler alone, you're also reaching, I'd reckon.
Also, it's worth noting that the root flaw here - a hole in UConnect - is not limited to Chrysler. The article mentions tracking and surveilling GM vehicles, too (particularly Dodge), which makes sense, seeing as a lot of recent Dodge vehicles have UConnect as well (per http://www.driveuconnect.com/features/uconnect_access/packag...).
> For starters, it looks like they [Cadillac] were contacted by Wired, not the researchers, so it's unclear whether they were contacted before the dangerous freeway demonstration took place.
The article doesn't actually say that. Infiniti was contacted by Wired according to the article, but the initiator of Cadillac's response isn't specified (as far as I can tell).
If they were contacted in the same manner as Infiniti, then it's implied that said contact happened after the wireless hack, since the Infiniti contact involves a notification that the researchers' predictions were "borne out" in at least one of the three of them (in this case, Chrysler).
If you want to get their attention, you demonstrate it on a test track, for a court, as part of a lawsuit against them, for introducing such dangerous features into their vehicles.