Cyber Pros Say Some Cars More ‘Hackable’ Than Others
Computer security researchers Charlie Miller and Chris Valasek concluded in the report due to be released later this week that the most hackable models out of 20 reviewed were Chrysler Group’s 2014 Jeep Cherokee, Nissan Motor Co. Ltd’s 2014 Infiniti Q50 and General Motors Co. 2015 Cadillac Escalade.
The researchers are scheduled to discuss their findings on Wednesday at the Black Hat hacking conference in Las Vegas, where thousands are gathering to learn about emerging security threats. Safety of vehicles, medical devices and other equipment with embedded computers is a hot topic this year.
“Chrysler Group will endeavor to verify these claims and, if warranted, we will remediate them,” said company spokesman Eric Mayne.
Nissan said in a statement to Reuters that it was reviewing the findings, adding there is “no indication” that the authors tried to exploit any cyber vulnerabilities in the Q50.
General Motors did not respond to requests for comment.
Miller, a security engineer with Twitter, and Valasek, director of vehicle security research at the consulting firm IOActive, said they assessed car safety based on the potential for remote attacks.
They did not test the vehicles themselves but reviewed key criteria, including the number of remote access technologies such as WiFi and Bluetooth that could allow hackers to gain control of systems to manipulate and cause physical damage to the car, the researchers said.
One model from Fiat SpA’s Chrysler Group made the list of the three “least hackable” cars: the 2014 Dodge Viper. It shared that distinction with Volkswagen AG’s 2014 Audi A8 and Honda Motor Corp.’s 2014 Accord.
Miller and Valasek cautioned that since they had not actually attempted to hack the cars, the ones designated “most hackable” might actually be quite secure.
They released their assessments of “hackability” to create what they say they believe is the first general benchmarks that consumers could use to compare the cybersecurity of vehicles.
“This doesn’t mean that the most susceptible looking isn’t in fact quite secure (i.e. coded very securely) or that the most secure looking isn’t in fact trivially exploitable,” they said in the report.
“But it does provide some objective measure of the security of a large number of vehicles that wouldn’t be possible to examine in detail without a massive effort,” the report said.
(Reporting by Michael Leibel, Additional Reporting by Jim Finkle; Editing by Richard Chang)