Detroit Should Put Hackers Behind the Wheel
While the self-driving car has been touted as the inevitable future of the automobile industry, the idea of giving up the wheel to a software program still makes plenty of people anxious. Yet a couple of recent incidents demonstrate that these fears of lost control are already being realized, well before robots actually start taking the wheel. Instead of living in fear of a hacked planet, this new challenge should be seen as an opportunity to improve safety regulation for today as well as tomorrow.
The first was a staged demonstration set up by Wired magazine to show the ease with which hackers can get take over the dashboard: A driver cruising along at 70 miles an hour in a Jeep Cherokee suddenly found his air conditioning, radio and windshield wipers all going haywire. Days later, a researcher announced that he had created a small box that allows entry into all vehicles equipped with GM's OnStar connectivity suite. (He plans to reveal it at the Defcon hacker conference starting Aug. 6.)
As worrisome as these displays of technological infiltration were, the corporate and regulatory response has been even scarier. In filings to the National Highway Traffic Safety Administration, Jeep's parent company, Fiat Chrysler Automobiles, admitted that people involved in its supply chain knew as early as January 2014 about the fundamental vulnerability that allowed the hack. (On the heels of a record-breaking $105 million NHTSA fine for failing to act sufficiently in 23 other recalls, Fiat's lengthy delay in dealing with the Jeep's technological weakness raises renewed questions about the firm's safety practices.) When the OnStar vulnerability was revealed, GM issued a response that "an immediate fix is being implemented," but the researcher behind the hack insisted that the system was still vulnerable. Even though fixing software problems is easier than recalling mechanical defects, automakers appear no more likely to publicize problems or repair them without prodding from regulators or the press.
Meanwhile, the safety agency's handling of the defects only magnifies issues raised in last month's inspector general audit, which found the regulator woefully underequipped to cope with new high-tech safety challenges. That NHTSA failed to find the defect is unsurprising -- it is woefully short of information security experts -- but its after-the-fact handling of the problem marks it as a flailing institution. Fiat Chrysler brought the vulnerability to the agency on July 15, saying it would issue a safety bulletin rather than a full recall. The NHTSA pressured the automaker into a full recall a week later, on the day the Wired story broke. Via Twitter, the agency's communications director told me the Wired story was a "factor, but not central to the decision."
This pattern of automakers dragging their feet on defects and regulators struggling to keep up is creating an atmosphere around auto safety similar to the dark days of the 1970s (remember the Ford Pinto?), even as cars themselves become safer than ever. Who really thinks that the transportation safety agency, having done such a poor job with mechanical liabilities over the last few years, is any match for hackers?
Perhaps, rather than pushing an already-overworked agency into a new and profoundly complex area, the auto industry can approach the hacking threat the way the technology business does. To find hidden vulnerabilities in their code, technology firms offer bounties to "white hat" hackers, effectively crowdsourcing their security efforts. Given the complexity of modern software and high demand for those qualified to test its weaknesses, the NHTSA may never have manpower to effectively regulate automotive hacking vulnerabilities. The bounties themselves would be cheap by auto industry standards, potentially reduce regulatory compliance costs, and even generate positive public relations. Currently, Tesla is the only automaker actively engaging the hacking community, having offered cash bounties and a place on their "Wall of Fame" to researchers who find and share vulnerabilities.
Adapting crowdsourcing to their security regimes might even help automakers rethink their entire approach to defects and safety concerns. As we have seen in recent scandals, they hoard proprietary knowledge about their products, using this informational monopoly to conceal defects. A more open safety protocol would engage the public and emphasize rapid, cooperative disclosure of bugs and vulnerabilities. This would mean more than just bounties for the white hat crowd: as the Electronic Frontier Foundation argues, automakers will have to rethink their copyright claims with regard to vehicle code, as their zealous protections chill the kind of independent research that was a "factor" in NHTSA's decision to force a recall last week.
Embracing the challenge of car hacking will not be easy, but a progressive approach could pay huge dividends for automakers. Cars have become so computerized that software is critical to hot-rodding and many vehicle repairs; hacking and coding are the 21st century equivalents to fiddling with a carburetor, the sort of homespun innovation that trickled upward in Detroit's glory days. Most of the industry even gives lip service to the idea that cars are "the ultimate electronic device," yet automakers' support for copyright law tamps down the kind of enthusiastic engagement that makes the consumer electronics sector so exciting.
If automakers embrace the hacking community and nurture a culture of openness and collaboration, they might even begin to generate new forms of passion and engagement in younger generations, which are far less enamored of cars than their parents. As autos become even more software-dependent -- and by Audi's estimate, 50 percent of the industry's value creation will be in software by 2020 -- the companies that make them will have to start thinking and acting more like software firms. Otherwise, only bad actors will look into exploiting vulnerabilities, and sitting behind the wheel will become far more scary for the rest of us.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author on this story:
Edward Niedermeyer at email@example.com
To contact the editor on this story:
Tobin Harshaw at firstname.lastname@example.org