How Hackers Can Control Your Car’s Brakes, Doors, and Steering—and Why Car Makers Can't Stop Them
More modern cars are easier to hack. So are pacemakers and other medical devices. What does that mean for the future?
Kathleen Fisher is a Professor in and the Chair of the Computer Science Department at Tufts. Previously, she was a program manager at DARPA where she started and managed the HACMS and PPAML programs, a Consulting Faculty Member in the Computer Science Department at Stanford University, and a Principal Member of the Technical Staff at AT&T Labs Research. Kathleen's research focuses on advancing the theory and practice of programming languages and on applying ideas from the programming language community to the problem of ad hoc data management. The main thrust of her work has been in domain-specific languages to facilitate programming with massive amounts of ad hoc data. Recently, she has been exploring synergies between machine learning and programming languages and studying how to apply advances in programming languages to the problem of building more secure systems.
Kathleen is an ACM Fellow. She has served as Program Chair for OOPSLA, ICFP, CUFP, and FOOL, and as General Chair for ICFP 2015. She is an Associate Editor for TOPLAS and a former editor of the Journal of Functional Programming. Kathleen is a past Chair of the ACM Special Interest Group in Programming Languages (SIGPLAN) and past Co-Chair of CRA's Committee on the Status of Women (CRA-W). Kathleen is a recipient of the SIGPLAN Distinguished Service Award. She is Vice Chair of DARPA's ISAT Study Group and a member of the Board of Trustees of Harvey Mudd College.
Kathleen Fisher: We’re hearing a lot about the internet of things, how your many, many devices are becoming networked computers.
And many of these devices are a ten dollar thing that you buy and you put on your shelf and you have it for a year and you throw it away.
I think not a lot of attention is being paid to the security of those kinds of devices. In some sense the companies that are making them can’t afford to do it, but they can lead to longstanding vulnerabilities.
The automotive industry is another interesting example. A typical American modern automobile has somewhere between 30 and 100 what are called “embedded control units”. An embedded control unit is just a computer. Some of them are very, very small and run very simple code native on the hardware.
Some of them are full-blown Linux computers or Windows computers, and they’re networked. A modern car has four to five network connections where the computers on the car talk to computers outside of the car. So an example is: there’s a Bluetooth connection so that your cell phone can talk to the car so that you can play your music from your phone on the car or you can talk on the cell phone without having to use your hands. There’s also a telematics unit which is the thing that if you get in an accident will arrange to call 911 or have the paramedics come. That service, which is really useful and it’s a great safety feature, means that your car has a cell phone number and that it’s possible to communicate with your car over that cell phone connection. Hackers can use those network connections to remotely break in to the computer system that’s on your car, and white hat hackers have shown they can do that and can then rewrite any of the software on the car, replace the code that was legitimately put there by the car manufacturer with whatever code they want to have there.
And in a typical modern car, pretty much all of the functionality of the car is now controlled by software. So braking is controlled by software because you really want to have antilock braking.
Acceleration is controlled by software because of cruise control. Like you really want to have a car that can do parallel parking for you. That means steering is under software control. The locks are under software control so you can push the key fob button and have your locks open. Essentially all of the functionality of cars is under software control. And for the most part that’s a really good thing. Having it be under software control means that you can get increased functionality. You can have improved safety features. You can get upgrades as the car companies figure out how to do things better. All of that’s really good.
The downside is that, because it’s controlled by software, if an attacker can come in and replace that software then they can control the braking and the acceleration and the locks and everything that was under software control.
So we’re starting to see theft rings, for example, that are using electronic hacking in order to steal cars more easily. Lloyds of London recently stopped insuring Land Rovers in England unless the Land Rovers were garaged in a locked facility because they were being stolen too frequently.
So that’s the kind of state of the art of the automotive industry. The question is well, why isn’t it better? So one starting point is: it’s really hard to get good security. You have to do tons of things right. It costs money. So the car industry could improve the security of their cars, and hopefully they will eventually. That improvement will cost them money and the car industry doesn’t have huge profit margins. They can’t really afford to invest in the security unless they can recoup the cost associated with that investment by passing the cost on to the consumer. So that means the price of the car is going to be higher.
So then why is the consumer going to go buy the car that’s more than the equivalent car from a different manufacturer?
Well typically the answer is how well you do advertising. You explain to the consumer why they’re getting more value for this extra cost.
The problem is if you imagine a car company starting an ad campaign to explain their car is more cyber-secure... most consumers these days probably think their car was already cyber-secure. They didn’t realize that their car could be hacked into. So the result of such an advertising campaign could, in fact, be to make people afraid to buy any new car whatsoever rather than causing them to buy a particular car. So I think an advertising approach to motivating consumers to pay slightly more for a particular car is not really viable. So that means all of the cars have to have, basically all of the companies have to do it at the same time. They all have to do this extra investment and basically the price of all cars goes up by a little bit.
Then there’s no longer this differentiation between manufacturers and consumers to be choosing between cars that all have roughly the same level of security.
Going back just a bit: Another reason why the car companies can’t advertise on the security is suppose one car company actually did go and invest a ton in making their cars more secure. And then they advertise their car was more secure. That’s kind of painting a big target on your back as far as the hacker community is concerned. Certain individuals would take that as a challenge, and they would go—you sort of get some number of credibility for hacking into any car, but if you hack into the car that is from the company that is advertising that their cars are secure you get way more credibility.
If they find a vulnerability and then publish it, that car all of a sudden is less secure than the other cars that might actually have more vulnerabilities, but no one has discovered it because the vulnerability is public and people know it exists and therefore can exploit it. So it’s this weird situation where although the car in some absolute sense is more secure, in a practical sense it’s less secure because there’s a publicly known vulnerability.
So advertising is bad both because it could scare away consumers entirely and it could direct hackers to your specific car, decreasing the security of that car as a result.
So we’re left with “how do you get sort of the car industry as a whole to produce more secure cars?” And that requires some kind of external motivation. They might decide to do it because it’s just the right thing to do. Typically companies are motivated by financial reasons. They usually can’t afford to do things just because they’re the right thing to do.
In terms of outside forces, one outside force would be government regulation. So, cars many years ago were very unsafe. Ralph Nader wrote famously “Unsafe At Any Speed,” and that prompted federal regulations.
There’s the five star safety crash rating system, for example, that created a regime where cars were tested for their safety and given scores and consumers could then use those scores in making their decisions. I think creating such a regime in the current political climate is unlikely.
Another possibility is the insurance industry might start to impose—put financial pressure on the car industry.
We saw that with the Lloyds of London refusing to insure Land Rovers that weren’t garaged in locked facilities because of electronic theft, that if the insurance companies start to notice that certain kinds of cars are getting hacked into with negative consequences for theft or for accidents they might increase the insurance premiums on that particular brand, and those insurance premiums might then drive consumers to cars that don’t have those characteristics. And that might then motivate the car industry to improve the security. That’s kind of a long chain, but at the moment I think that’s my best guess as to how we’ll get better cybersecurity in our cars.
I think the car industry is in some sense representative of many other industries. So like medical devices are another domain. Things like pacemakers and insulin pumps. They are relatively simple computer systems that are networked to other computers. Like it makes sense for a pacemaker to have a Wi-Fi device so a doctor can monitor how the heart’s doing. But once you have that Wi-Fi connection a hacker can use it to go in and modify the code in the pacemaker.
And so there are basically lots of examples of industries where things that previously weren’t computers at all are now not only computers but they’re networked computers, and over time those industries will need to accept that they’re network computers and start to apply security techniques so that the systems are more secure.
Cars are getting increasingly cooler, with many new bells and whistles like cruise control and hands-free parallel parking added on year by year. But this also means that cars are increasingly reliant on onboard computers which in turn leads to the possibility of hackers finding their way into your car and having it do whatever they want it to. And although it might sound like the plot of a terrible romantic comedy, think about this: could a hacker hack their way into your heart? Possibly, as many newer pacemakers are set to a wifi signal. It's a scary prospect, but one that we have to face.
New research shows that a healthy supply of locally-sourced beer helped maintain Wari civilization for 500 years.
- A new analysis of an ancient Wari brewery suggests chicha helped maintain the civilization's social capital for hundreds of years.
- Civilizations throughout the ancient world used alcoholic drinks to signify kinship, hospitality, and social cohesion.
- The researchers hope their findings will remind us of the importance in reaffirming social institutions and sharing cultural practices — even if over coffee or tea.
Beer is history's happiest accident. Though the discovery probably happened much earlier, our earliest evidence for beer dates back roughly 13,000 years ago. Around this time, the people of the Fertile Crescent had begun to gather grains as a food source and learned that if they moistened them, they could release their sweetness to create a gruel much tastier than the grains themselves.
One day a curious — or perhaps tightfisted — hunter-gatherer hid his gruel away for safekeeping. When he returned, he found the bowl giving off a tangy odor. Not one to waste a meal, he ate it anyway and enjoyed an unexpected, though not unpleasant, sensation of ease. By pure happenstance, this ancestor stumbled upon brewing.
That's one possible origin story, but we know that our ancestors learned to control the process, and beer took a central role in Fertile Crescent civilizations — so central that Professor Patrick McGovern, a biomolecular archaeologist at the University of Pennsylvania, argues that beer, not bread, incentivized hunter-gatherers to relinquish their nomadic ways.
Beer may also be proof of a God who wants us to be happy (Dionysus?), because the beverage would be independently rediscovered by peoples across the ancient world, including those in China and South America.
One such people, the pre-Inca Wari Civilization, made beer, specifically chicha de molle, a critical component in their religious and cultural ceremonies. In fact, a study published in Sustainability in April argues that the role was so important that beer helped keep Wari civilization intact for 500 years.
Brewing social capital
Twenty years ago, a team of archaeologists with the Field Museum of Natural History, Chicago, discovered a brewery in Cerro Baúl, a mesa in southern Peru that served as an ancient Wari outpost. The brewery contained original equipment, clay storage vessels, and compartments for milling, boiling, and fermentation.
The team recently analyzed these on-site vessels to uncover the secrets of the Wari brewing process. Removing tiny amounts of material found in the spaces between the clay, they were able to reconstruct the molecules of the thousand-year-old drink. They then worked alongside Peruvian brewers to recreate the original brewing process.
Their molecular analysis revealed several key features of the beer: The clay used to make the vessels came from a nearby site; many of the beer's ingredients, such as molle berries, are drought resistant; and though alcoholic, the beer only kept for about a week.
These details suggest that Cerro Baúl maintained a steady supply of chicha, limited by neither trade nor fair weather, and became a central hub for anyone wishing to partake. The Wari would likely make such trips during times of festivals and religious ceremonies. Social elites would consume chicha in vessels shaped like Wari gods and leaders as part of rituals attesting to social norms and a shared cultural mythology and heritage.
"People would have come into this site, in these festive moments, in order to recreate and reaffirm their affiliation with these Wari lords and maybe bring tribute and pledge loyalty to the Wari state," Ryan Williams, lead author and head of anthropology at the Field Museum, said in a release. "We think these institutions of brewing and then serving the beer really formed a unity among these populations. It kept people together."
The Wari civilization was spread over a vast area of rain forests and highlands. In a time when news traveled at the speed of a llama, such distinct and distant geography could easily have fractured the Wari civilization into competing locales.
Instead, the researchers argue, these festive gatherings (aided by the promise of beer) strengthened social capital enough to maintain a healthy national unity. This helped the Wari civilization last from 600 to 1100 CE, an impressive run for a historic civilization.
Bringing people together (since 10,000 BCE)
A Mesopotamian cylinder seal shows people drinking beer through long reed straws. Image source: Metropolitan Museum of Art.
Of course, the Wari weren't the first civilization to use beer to reaffirm bonds and maintain their social fabric. Returning to the Fertile Crescent, Sumerians regarded beer as a hallmark of their civilization.
The Sumerian Epic of Gilgamesh tells of the adventures of the titular hero and his friend Enkidu. Enkidu begins as a savage living in the wilderness, but a young woman introduces him to the ways of civilization. That orientation begins with food and beer:
"They placed food in front of him,
They placed beer in front of him,
Enkidu knew nothing about eating bread for food,
And of drinking beer he had not been taught.
The young woman spoke Enkidu, saying:
"Eat the food, Enkidu, it is the way one lives.
Drink the beer, as is the custom of the land."
Enkidu ate the food until he was sated,
He drank the beer — seven jugs! — and became expansive
and sang with joy.
He was elated and his face glowed.
He splashed his shaggy body with water
and rubbed himself with oil, and turned into a human."
Tom Standage, who recounts this scene in his History of the World in 6 Glasses, writes: "The Mesopotamians regarded the consumption of bread and beer as one of the things that distinguished them from savages and made them fully human." Such civilized staples not only demarcated their orderly life from that of hunter-gatherers, they also served a key role in their culture's unifying mythology.
Furthermore, Standage notes, Sumerian iconography often shows two people sipping from waist-high jars through reed straws. The earliest beers were consumed in a similar fashion because technological limitations prevented baking individual cups or filtering the beverage. But the Sumerians had the pottery skills to make such cups and filter the dregs. That they kept the tradition suggests that they valued the camaraderie brought by the experience, a sign of communal hospitality and kinship.
The ancient Greeks similarly used alcohol as a means of maintaining social and political relationships — though their drink of choice was wine.
During symposiums, upper-class Greek men would gather for a night of drinking, entertainment, and social bonding. In Alcohol: A history, Rod Phillips notes that symposiums were serious affairs where art, politics, and philosophy were discussed throughout the night and could serve as rites of passage for young men. (Though, music, drinking games, and sex with prostitutes may also be found on the itinerary.)
Of course, we can amass social capital without resorting to alcohol, which has been known to damage social relationships as much as improve them.
In the 17th century, London's coffeehouses stimulated the minds of thinkers with their caffeine-laden drinks, but also served as social hubs. Unlike the examples we've explored already, these coffeehouses brought together people of different backgrounds and expertise, unifying them in their pursuit of ideas and truths. Thus, coffeehouses can be seen as the nurseries of the Enlightenment.
Relearning ancient lessons
The Field Museum archaeologists hope their research can help remind us of the importance social institutions and cultural practices have in creating our common bonds, whether such institutions are BYOB or not.
"This research is important because it helps us understand how institutions create the binds that tie together people from very diverse constituencies and very different backgrounds," Williams said. "Without them, large political entities begin to fragment and break up into much smaller things. Brexit is an example of this fragmentation in the European Union today. We need to understand the social constructs that underpin these unifying features if we want to be able to maintain political unity in society."
So, grab a beer or coffee or tea, spend some time together, and raise a glass. Just try not to focus too much on whether your friend ordered Budweiser's swill or an overpriced, virtue-signaling microbrew IPA.