Transcripts For CSPAN2 The Communicators 20151019 : vimarsan

CSPAN2 The Communicators October 19, 2015

C-SPAN, brought to you as a public service by your local cable or satellite provider.

Host: Well, cars are increasingly being called computers on wheels and increasingly being connected to the internet of things. Joining us to talk about some of the issues surrounding that is Andy Greenberg of Wired. Mr. Greenberg, what happened to you in St. Louis?

Guest: Well, I, for a couple of years now, three years, in fact, I've been talking to these two hackers, Charlie Miller and Chris, who are two very brilliant hackers who have found vulnerabilities in all kinds of things, you know, from an iPhone to MacBooks to, the last couple of years, they've been focused on cars and attacking the network inside of a vehicle through the internet. So they invited me to come down to St. Louis where Charlie lives, and he put me in a Jeep, told me to drive onto the highway. I knew they were going to launch some sort of attack from Charlie's living room 10 miles away. I didn't know what they were going to do, so I was on the highway. The radio starts blasting Kanye West without me touching it, I can't turn it down, I can't turn it off. The windshield wipers start going of their own accord and spraying windshield wiper fluid, kind of obscuring my vision on the highway. A picture of the two guys in track suits appears on the dashboard. And all that was kind of cute, you know, I thought that was a good demonstration of what they could do. And then they cut the transmission to the vehicle altogether, which I really was not expecting. And I found myself unable to accelerate on a highway as cars were, you know, lining up behind me, whizzing by. An 18-wheeler was in my rearview mirror honking at me, and I, you know, came close to panicking. I think I held it together just barely, but I was yelling into my iPhone speakerphone to these two hackers, just begging them to make the car work again. Finally, they told me that I just had to restart it and reengage the engine.
In fact, even that didn't work. I was basically paralyzed on the highway. Finally, I rolled the vehicle off an off-ramp and did get the transmission reengaged. But they had proven their point that this is a terrifying experience, to have someone take control of this two-ton computer on wheels that we think is supposed to obey our commands.

Host: How did they do it?

Guest: Well, it's a big piece of research with lots of steps, but the basic vulnerability was in this computer, the so-called head unit in the dashboard of the vehicle, known as a Uconnect. It has, this computer has an entertainment system, even a Wi-Fi hot spot. Unfortunately, it also has this one service that was basically left unprotected. So they could call into it, essentially, through its cellular connections over the Sprint network from a kind of burner phone, a Sprint phone that they had attached to their computers, you know, basically attack it remotely over the internet, exploit that vulnerability. From there launch basically a second step of the attack that rewrote the firmware of another chip adjacent to the head unit but this time on the network that controls all the physical components of the vehicle, everything from steering to brakes, transmission, windshield wipers, everything. From there, they're now able to send commands to all of those really critical physical components. They had spent months reverse engineering the sort of protocol, the language that those components speak. And so they were able to trigger all of these automated functions. So, you know, they could at low speeds, for instance, set off a diagnostic test that can disable the brakes. That's supposed to happen inside a mechanic's shop. They did it to me while I was driving around a parking lot, and it caused me to crash into a ditch.
They could also pretty much do everything that, you know, the vehicle could do automatically. They were able to trigger the self-parking system to turn the steering wheel. They were able to unlock the doors, which could be used for theft, and, of course, they could also disable the transmission as they did to me on the highway, which was easily the scariest thing they demonstrated for me.

Host: How long had they been working on this?

Guest: They started in 2012, and they got a grant from the Defense Advanced Research Projects Agency, this wing of the Pentagon that works on these forward-looking things. They got a small grant to buy a couple of vehicles. In 2013 they had me come to Indiana where they demonstrated the first step of their car hack. They put me inside of a Ford Prius and a Ford Escape, and they showed they could, with their laptops plugged into the dashboard, do a lot of these same things. It didn't really count to a lot of the security community, the automotive industry blew the thing off in some ways because they said you've just connected your laptop to the car like a mechanic might do. Nonetheless, they had reverse engineered all these things. They could slam on the brakes of the Prius at high speed, they could disable the brakes of this Ford SUV. It was still a scary thing to be behind the wheel of those vehicles. But it took them two more years to advance that to a full wireless, over-the-internet attack that is, you know, a whole order of magnitude scarier, the idea that somebody across the country or potentially across the world in a different nation even could attack a vehicle over the internet and even cause it to spread virally, spread an attack virally. Charlie and Chris could have used their attack to spread from Chrysler vehicle to other Chrysler vehicles, attacking this Uconnect system and, you know, taking over millions of cars. At least disabling them, but potentially hijacking them to do their bidding, more or less.
Host: So they did not even have to be in a Wi-Fi network, correct?

Guest: It's not a Wi-Fi attack, this is a cellular attack. Over a, I believe, 3G connection. So the proximity wasn't a matter of feet, it was a matter of miles or hundreds of miles. They, in fact, could have done this across the country, and they did at some points. Between the two of them, Charlie lives in St. Louis, Chris lives in Pittsburgh, and Chris was able to turn on the windshield wipers of Charlie's Jeep, you know, from Pittsburgh to St. Louis. So this is definitely a true remote, across-the-country attack. The only limitation is Sprint's network. If Sprint's network extended to Europe or China for that matter, it would have been possible to have done the attack from there.

Host: Why is it Sprint's network that is showing this vulnerability?

Guest: The vulnerability isn't really in Sprint's network, it's in this Uconnect computer. And it's been patched. Chrysler has had a full recall and fixed the vulnerability, or at least sent out a USB to 1.4 million drivers that they're supposed to update their software to fix this. But regardless, this isn't Sprint's problem. This is a Chrysler problem and specifically a problem with that Uconnect computer. So if you have a, you know, 2014 Chrysler vehicle and it has this Uconnect machine in the dashboard, you probably got one of these USBs, and you should not just put it in a drawer. You need to plug it in and update your software to be protected from this serious, potential attack.

Host: Andy Greenberg, did Chris and Charlie use any special equipment, any special computers or just off the rack?

Guest: So the hardware was really simple stuff. They spent years working on the software. All they really used was, you know, I think it seemed like Chris used a Windows machine and Charlie used a MacBook, and they attached these cheap Android, Sprint-enabled phones, but that stuff is available to anyone. I mean, I should be clear.
This is not like something anybody could do. Chris and Charlie are brilliant hackers. Charlie, for instance, spent years working for the NSA. So, you know, this is not something that a member of Anonymous or, you know, at least not the unskilled ones, these teenagers in a basement somewhere, are going to be able to replicate. Nonetheless, it's also worth noting it wasn't even something they were doing full time. Chris works for a security consultancy working on automotive security, but Charlie works for Twitter, or worked for Twitter at the time, and this was almost like a hobby for the two of them. And yet in three years, they were able to develop this full remote exploit, the hacking technique to take over the Jeep that I was driving.

Host: Is the hacking vulnerability limited to Uconnect and, thus, Chrysler vehicles?

Guest: In this case, yes. But there's really, this is not a story, I don't think, about a Jeep or about Chrysler even. This is a story about the whole automotive industry. You know, they all have a lot of catching up to do. Back in 2010 a group of academic researchers from University of California at San Diego and the University of Washington performed their own remote takeover of a vehicle, and they didn't say which vehicle they were attacking. It only was revealed years later that it was a 2009 Chevy Impala sold by General Motors. And they told General Motors about this, about the whole, you know, the whole collection of bugs that they had found in their vehicle and how they'd taken over this Impala over the internet to, you know, disable brakes at any speed. They could enable, for instance, like one brake in the front left wheel to make the car spin out of control or turn it, you know? This is a really dangerous attack. And it took GM almost five years to fully fix that vulnerability. In millions of vehicles. So this is certainly not limited to Chrysler.
In fact, Chrysler was relatively responsive compared to GM, who left millions of their vehicles more or less exposed to this. There's no reason to think just Chrysler, just GM are vulnerable. As more and more vehicles are connected to the internet, there's only going to be more of these vulnerabilities that turn up. Every one of these internet-connected features is a potential bug that can be used to take over, you know, a vehicle on the highway. So it's a new era, and it's certainly something that the whole automotive industry needs to become aware of and start taking seriously.

Host: Could Chris and Charlie see you in real time on the road? Could they see where you are going? Could they have steered your car properly?

Guest: They couldn't control steering very well. They had only developed the ability to turn the wheel at low speeds, actually only in reverse even. So the transmission thing was probably the scariest thing they could do at high speeds. They could, of course, actually track the GPS of the vehicle, and they'd written a program to show my location. And that is scary in a different way because there is no telling who might have, you know, especially among intelligence agencies, state-sponsored hackers, have developed these kinds of hacks and used them in that stealthy manner for surveillance rather than sabotage, you know? So, you know, sometimes the automotive industry says there's no evidence that these attacks have ever been used on, you know, in the wild on real victims. That's mostly true, but we also don't know if they've been developed by government hackers and used for that kind of silent tracking.

Host: How connected are our cars today?

Guest: Well, it really depends. Pretty much every automaker has an internet-connected system in partnership with some telecom carrier.
So, you know, in fact, GM was the first, but there's so many of these other systems like Ford Sync and, of course, Chrysler Uconnect. And it really just depends on which vehicle you had, whether you bought cellular upgrade. Pretty much every make of car has an internet-connected potential. And that's only going to become more and more standard over the years. And I think that's, you know, there will be a time in the near future when every vehicle has an internet connection. And hopefully by then, that internet connection will be isolated from the physical components of the vehicle. There's no reason the brakes should have any connection with the infotainment system.

Host: Andy Greenberg, when your article came out in July, what was the response?

Guest: The very first thing that happened, and this was a surprise to me, a pair of congressmen released a piece of legislation tied to the story to basically regulate automotive cybersecurity. And they swore that this wasn't tied to the story, but it came out a matter of hours later. And it seemed to me like it was probably an attempt to, you know, to piggyback on the public awareness of this problem. And their legislation is calling for a kind of rating system that would be publicly visible on any new car when it's sold for its cybersecurity. You know, how connected to the internet is it, how isolated are its systems, how many sort of cyber-physical systems does it have, automated features that could be hijacked by a hacker. So that bill is still, you know, still kind of floating around in Congress. But then within days, Chrysler announced this 1.4 million vehicle recall, which actually is just, you know, means that they had to send out 1.4 million USB drives to all of their customers and publicize that you needed to update your vehicle.
And it turned out within 24 hours Chrysler kind of made clear that it was the National Highway Traffic Safety Administration that had put pressure on them to do that. And I think that that is, you know, the most important reaction to this, is because it sends a message to Detroit and automakers around the world that there is accountability here, that, you know, you will face an actual regulatory, regulatorily demanded recall if you leave these vulnerabilities in your cars. What GM did, leaving this hackable bug in their OnStar vehicles for five years, that's not going to fly anymore. You know, I think that this is a big wake-up call in the sense that this is going to be, if your vehicles can be hacked, you're going to face consequences and scandal and regulatory pressure.

Host: What's been the response from the carmakers?

Guest: Well, they don't talk to me very much. [laughter] I think that they're, I hear that they are taking this very seriously, that, in fact, they've secretly been taking it seriously for a few years. But they are incredibly shy about talking about the problem. I think they haven't even reached the stage yet where they believe that they can get more sort of positive press by talking about the good things they're doing than the negative press they get by just talking about the fact that cars can be hacked in general. They seem to just believe in shutting up and hoping that the problem goes away, which it won't. So that's not to say that they're not doing really important things behind the scenes. I hear that pretty much every automaker is, for instance, developing the ability to send over-the-air software updates to all their vehicles so next time there is some sort of vulnerability, security vulnerability demonstrated in a vehicle like this Jeep, they won't have to send out USB drives, which is not the right way to patch software, by the way.
If you send USB drives in the mail and tell them to plug them into their cars or computers, then you're basically training them to fall for a trick in the future where hackers mail out USB drives and use it to infect machines. So that's really, you know, kind of frowned upon in the security industry as a method of patching. The better way to do it are these over-the-air software updates. That's something that a few automakers already know how to do. BMW does it, Tesla does it. This would be using the same internet connection, the cellular service that could make the cars vulnerable, to also push out those automatic software updates so that instead of having to download it manually and put it on a USB or get one in the mail, you just click OK, and it sort of automatically updates itself over the air.

Host: Andy Greenberg, were these bugs or vulnerabilities in the systems because of money? Was it cost that prevented them from being installed in the first place?

Guest: Well, all software has bugs, all software can be hacked. I would never, you know, accuse a software engineer of being lazy or a company being cheap just because their software had bugs because every, you know, Apple and Google and Microsoft, you know, the best tech companies in the world still have almost, it seems like, an endless supply of bugs in their software. What's important is, where the resources really need to be spent is in testing for those bugs, hiring penetration testers, then having a team of people who respond quickly to patch the software, having a system where you can patch it, you know, in a responsive way, not waiting for regulators to tell you about it and/or waiting years for it to come to light. You know, Google, for instance, gives companies, Google has its own team of security researchers who find lots of bugs in other companies' software. And when they do, they give those companies three months max to fix the problem before they go public with it.
So the five years that gm spent is really not acceptable, and the automakers need to catch up with this Silicon Valley standard of bug fixing which is really a matter of weeks or even days. Host now, you referenced senator ed markey, a democrat of massachusetts, a little bit earlier. He is calling for federal standards, is it, with regard to security in cars . Guest hes calling for at least a kind of federal Public Service<\/a> by your local cable or satellite provider. Host well, cars are increasingly being called computers on wheels and increasingly being connected to the internet of things. Joining us to talk about some of the issues surrounding that is Andy Greenberg<\/a> of wired. Mr. Greenberg, what happened to you in st. Louis . Guest well, i, for a couple of years now, three years, in fact, ive been talking to these two hackers, Charlie Miller<\/a> and chris, who are two very brilliant hackers who have found vulnerabilities in all kinds of things, you know, from an iphone to mac books to the last couple of years theyve been focused on cars and attacking the Network Inside<\/a> of a vehicle through the internet. So they invited me to come down to st. Louis where charlie lives, and he put me in a jeep, told me to drive onto the highway. I knew they were going to launch some sort of attack from charlies living room 10 miles away. I didnt know what they were going to do, so i was on the highway. The radio starts blasting kanye west without me touching it, i cant turn it down, i cant turn it off. The wind child wipers windshield wipers start going of their own accord and spraying windshield wiper fluid kind of obscuring my vision on the highway. A picture of the two guys in track suits appears on the dashboard. And all that was kind of cute, you know, i thought that was a good demonstration of what they could do. And then they cut the transmission to the vehicle altogether which i really was not expecting. 
And i found myself unable to accelerate on a highway as cars were, you know, lining up behind me, whizzing by. An 18wheeler was in my Rearview Mirror<\/a> honking at me, and i, you know, came close to panicking. I think i held it together just barely, but i was yelling into my iphone speakerphone to these two hackers, just begging them to make the car work again. Finally, they told me that i just had to restart it and reengage the engine. In fact, even that didnt work. I was basically paraized on the highway. Paralyzed on the highway. Finally, i rolled the vehicle off an offramp and did get the transmission reengaged. But they had proven their point that this is a terrifying exing appearance, to have terrifying experience, to have someone take control of this twoton computer on wheels that we think is supposed to obey our commands. Host how did they do it . Guest well, its a big piece of earning with lots of steps of research with lots of steps, but the basic vulnerability was in this computer, the socalled head unit in the dashboard of the vehicle known as a uconnect. It has, this computer has an entertainment system, even a wifi hot spot. Unfortunately, it also has this one service that was basically left unprotected. So they could call into it, essentially, through its cellular connections over the Sprint Network<\/a> from a kind of burner phone, a sprint phone that they had attached to their computers, you know, basically attack it remotely over the internet, exploit that vulnerability. From there launch basically a second step of the attack that rewrote the firmware of another chip aegis sent to the head adjacent to the head unit but this time on the network that controls all the physical components of the vehicle, everything from steering to brakes, transmission, windshield wipers, everything. From there were now able to send commands to all of those really critical physical components. 
They had spent months reverse engineering the sort of protocol, the language that those components speak. And so they were able to trigger all of these automated functions. So, you know, they could at low speeds, for instance, set off a diagnostic test that can disabled the breaks. Thats supposed to happen inside a mechanics shop. They did it to me while i was driving around a parking lot, and it caused me to crash into a ditch. They could also pretty much do everything that, you know, the vehicle could do automatically. They were able to trigger the selfparking system to turn the Steering Wheel<\/a>. They were able to unlock the doors which could be used for theft, and, of course, they could also disable the transmission as they did to me on the highway which wassizely the scariest was easily the scariest thing they demonstrated for me. Host how long had they been working on this . Guest they started in 2012, and they got a grant from the defense advance source projects agency, this wing of the pentagon that works on these forwardlooking things. They got a small grant to buy a couple of vehicles n. 2013 they had me come to indiana where they demonstrated the first step of their car hack. They put me inside of a ford prius and a ford escape, and they showed they could, with their laptops plugged into the bash dashboard, do a lot of these same things. It didnt really count to a lot of the security community, the Automotive Industry<\/a> blew the thing off in some ways because they said youve just connected your laptop to the car like a mechanic might do. Nonetheless, they had reverse engineered all these things. They could slam on the brakes of the prius at high speed, they could disable the brakes of this ford suv. It was still a scary thing to be behind the wheel of those vehicles. 
But it took them two more years to advance that to a full wireless, over the internet attack that is, you know, a whole order of magnitude scarier, the idea that somebody across the country or potentially across the world in a different nation even could attack a vehicle over the internet and even cause it to spread virally, spread an attack virally. Charlie and chris could have used their attack to spread from chrysler vehicle to other chrysler vehicles, attacking this uconnect system and, you know, taking over millions of cars. At least disabling them, but potentially hijacking them to do their bidding, more or less. Host so they did not even have to be in a wifi network, correct . Guest its not a wifi attack, this is a cellular attack. Over a, i believe, 3g connection. So the proximity wasnt a matter of feet, it was a matter of miles or hundreds of miles. They, in fact, could have done this across the country, and they did at some points. Between the two of them, charlie lives in st. Louis, chris lives in pittsburgh, and chris was able to turn on the windshield wipers of charlies jeep, you know, from pittsburgh to st. Louis. So this is definitely a true remote, acrossthecountry attack. The only limitation is Sprints Network<\/a>. If Sprints Network<\/a> extended to europe or china for that matter, it would have been possible to have done the attack from there. Host why is it Sprints Network<\/a> that is showing this vulnerability . Guest the vulnerability isnt really in Sprints Network<\/a>, its in this u uconnect computer. And its been patched. Chrysler has had a full recall and fixed the vulnerability or at least sent out a usb to 1. 4 million drivers that theyre supposed to update their software to fix this. But regardless, this isnt sprints problem. This is a chrysler problem and specifically a problem with that uconnect exciter. So if you have a computer. 
So if you have a, you know, 2014 chrysler vehicle and it has this uconnect machine in the dashboard, you probably got one of these usbs, and you should not just put it in a drawer. You need to plug it in and update your software to be protected from this serious, potential attack. Host Andy Greenberg<\/a>, did chris and charlie use any special equipment, any special computers or just off the rack . Guest so the hardware was really simple stuff. They spent years working on the software. All they really used was, you know, i think it seemed like chris used a windows machine and charlie used a mac book, and they attached these cheap an droild, sprintenabled phones, but that stuff is available to anyone. I mean, i should be clear. This is not like something anybody could do. Chris and charlie are brilliant hackers. Charlie, for instance, spent years working for the nsa. So, you know, this is not something that a member of anonymous or, you know, at least not the unskilled ones, these teenagers in a basement somewhere, are going to be able to replicate. Nonetheless, its also worth noting it wasnt even something they were doing full time. Chris works for a Security Consultancy<\/a> working on automotive security, but charlie works for twitter or worked for twitter at the time, and this was almost like a hobby for the two of them. And yet in three years, they were able to develop this full remote exploit, the hacking technique to take over the jeep that i was driving. Host is the hacking vulnerability limited to uconnect and, thus, chrysler vehicles . Guest in this case, yes. But theres really this is not a story, i dont think, about a jeep or about chrysler even. This is a story about the whole Automotive Industry<\/a>. You know, they all have a lot of catching up to do. 
Back in 2010 a group of academic researchers from university of california at san diego and the university of washington performed their own remote takeover of a vehicle, and they didnt say which vehicle they were attacking. It only was revealed years later that it was a 2009 chevy impala sold by General Motors<\/a>. And they told General Motors<\/a> about this, about the whole, you know, the whole collection of bugs that they had found in their vehicle and how theyd taken over this impala over the bear net to internet to, you know, disable brakes at any speed. They could enable, for instance, like one brake in the front be left wheel to make the car spin out of control or turn it, you know . This is a really dangerous attack. And it took gm almost five years to fully fix that vulnerability. In millions of vehicles. So this is certainly not limited to chrysler. In fact, chrysler was relatively responsive compared to gm who left millions of their vehicles more or less exposed to this. Theres no reason to think just chrysler, just gm are vulnerable. As more and more vehicles are connected to the internet, theres only going to be more of these vulnerables that turn up. Every one of these internetconnected features is a potential bug that can be used to take over, you know, a vehicle on the highway. So its a new era, and its certainly something that the whole Automotive Industry<\/a> needs to become aware of and start taking seriously. Host could chris and charlie see you in realtime on the road . Could they see where you are going . Could they have steered your car properly . Guest they couldnt control steering very well. They had only developed the ability to turn the wheel at low speeds, actually only in reverse even. So the transmission thing was probably the scariest thing they could do at high speeds. They could, of course, actually track the gpso the vehicle, and theyd gps of the speak, and theyd written a program to show my location. 
And that is scary in a different way because this is no telling who might have, you know, especially among intelligence agencies, statesponsored hackers have developed these kinds of hacks and used them in that stealthy manner for surveillance rather than sabotage, you know . So, you know, sometimes the Automotive Industry<\/a> says theres no evidence that these attacks have ever been used on, you know, in the wild on real victims. Thats mostly true, but we also dont know if theyve developed by government hackers and used for that kind of silent tracking. Host how connected are are our cars today . Guest well, it really fends. Pretty much every depends. Pretty much every automaker has an internetconnected system in partnership with some telecom carrier. So, you know, in fact, gm was the first, but this is so many of these other theres so many of these other systems like ford sync and, of course, chrysler uconnect. And it really just fends on which vehicle just depends on which vehicle you had, whether you bought cellular upgrade. Pretty much every make of car has an internetconnected potential. And thats only going to become more and more standard over the years. And i think thats, you know, there will be a time in the near future when every vehicle has an Internet Connection<\/a>. And hope my by then, that Internet Connection<\/a> will be isolated from the physical components of the vehicle. Theres no reason the brakes should have any connection with the infotainment system. Host Andy Greenberg<\/a>, when your article came out in july, what was the response . Guest the very first thing that happened, and this was a surprise to me, a pair of congressmen released a piece of legislation tied to the story to basically regulate automotive cybersecurity. And they swore that this wasnt tied to the story, but it came out a matter of hours later. And it seemed to me like i was probably an attempt to, you know, to piggyback on the Public Awareness<\/a> of this problem. 
And their legislation is calling for a kind of Rating System<\/a> that would be publicly visible on any new car when its sold for its cybersecurity. You know, how connected to the internet is it, how isolated are its systems, how many sort of cyber physical systems does it have, automated features that could be hijacked by a hacker. So that bill is still, you know, still kind of floating around in congress. But then within days, chrysler announced this 1. 4 million vehicle recall which actually is just, you know, means that they had to send out 1. 4 million usb drive drives to all of their customers and publicize that you needed to update your vehicle. And it turned out within 24 hours chrysler kind of made clear that it was the national Highway Traffic Safety Administration<\/a> that had put pressure on them to do that. And i think that that is, you know, the most important reaction to this, is because it sends a message to detroit and automakers around the world that there is accountability here, that, you know, you will face an actual regulatory, regulatorilydemanded recall if you leave these vulnerabilities in your cars. What gm did, leaving this hackable bug in their onstar vehicles for five years, thats not going to fly anymore. You know, i think that this is a big wakeup call in the sense that this is going to be if your vehicles can be hacked, youre going to face consequences and scandal and regulatory pressure. Host whats been the response from the carmakers . Guest well, they dont talk to me very much. [laughter] i think that theyre i hear that they are taking this very seriously, that, in fact, theyre secretly been taking it seriously for a few years. But they are incredibly shy about talking about the problem. 
I think they haven't even reached the stage yet where they believe that they can get more sort of positive press by talking about the good things they're doing than the negative press they get by just talking about the fact that cars can be hacked in general. They seem to just believe in shutting up and hoping that the problem goes away, which it won't. So that's not to say that they're not doing really important things behind the scenes. I hear that pretty much every automaker is, for instance, developing the ability to send over-the-air software updates to all their vehicles so next time there is some sort of vulnerability, security vulnerability demonstrated in a vehicle like this Jeep, they won't have to send out USB drives which is not the right way to patch software, by the way. If you send USB drives in the mail and tell them to plug them into their cars or computers, then you're basically training them to fall for a trick in the future where hackers mail out USB drives and use it to infect machines. So that's really, you know, kind of frowned upon in the security industry as a method of patching. The better way to do it are these over-the-air software updates. That's something that a few automakers already know how to do. BMW does it, Tesla does it, and this would be using the same internet connection, the cellular service that could make the cars vulnerable to also push out those automatic software updates so that instead of having to download it manually and put it on a USB or get one in the mail, you just click OK, and it sort of automatically updates itself over the air.

Host: Andy Greenberg, were these bugs or vulnerabilities in the systems because of money? Was it cost that prevented them from being installed in the first place?

Guest: Well, all software has bugs, all software can be hacked.
I would never, you know, accuse a software engineer of being lazy or a company being cheap just because their software had bugs because every, you know, Apple and Google and Microsoft, you know, the best tech companies in the world still have almost, it seems like, an endless supply of bugs in their software. What's important is, where the resources really need to be spent is in testing for those bugs, hiring penetration testers, then having a team of people who respond quickly to patch the software, having a system where you can patch it, you know, in a responsive way, not waiting for regulators to tell you about it or waiting years for it to come to light. You know, Google, for instance, has its own team of security researchers who find lots of bugs in other companies' software. And when they do, they give those companies three months max to fix the problem before they go public with it. So the five years that GM spent is really not acceptable, and the automakers need to catch up with this Silicon Valley standard of bug fixing which is really a matter of weeks or even days.

Host: Now, you referenced Senator Ed Markey, a Democrat of Massachusetts, a little bit earlier. He is calling for federal standards, is it, with regard to security in cars?

Guest: He's calling for at least a kind of federal rating system. A sort of increase in the transparency so that consumers could see the cybersecurity rating of a vehicle and make their own choices based on that. I think that's probably going to be a very difficult thing to do. Legislating cybersecurity is always difficult. I really applaud the fact that he's thinking about this. It does seem like it might be possible for Washington to have some effect in pressuring the companies to get serious about cybersecurity. However, the closer you get to telling them exactly what to do, the more likely it is that it's going to be wrong.
Because the, this is a dynamic game. It's not like you can just make a law that says everyone should have a safety belt in their vehicle because, you know, when a safety belt is designed to deal with a sort of static problem which is that cars crash into each other and, you know, people need to stay where they're sitting, you know? That's not a problem that has its own adversarial brain, you know? That problem doesn't adapt and require you to adapt, again, whereas a cybersecurity problem, you know, you fix one of these bugs, and the hacker responds. They find a new bug to circumvent your patch. That's a real adversary. It's a dynamic problem. So to treat the traditional safety of vehicles, which can be pretty well legislated, the same way you treat the cybersecurity of vehicles, which probably can't be that easily legislated, that would be a mistake. This needs to be thought about in, as a continuing cat and mouse game. That's a game that, you know, traditional tech companies like Apple and Microsoft, Google have been playing for years. It's just one that the automotive industry needs to realize that it's already playing too and kind of build its own professional team of hackers to deal with it.

Host: Yeah. I think I read in one of your articles, Mr. Greenberg, that GM hired its first cybersecurity chief.

Guest: That's right. They have their, they do have their own chief product officer of cybersecurity who, it seems, has been much more responsive in his whole team. GM has really shaped up. For instance, a hacker over there found that they weren't appropriately kind of securing the connection between their iOS or Android smartphone app and the vehicle. That app was, is designed to allow you to remotely unlock the vehicle and even turn on the engine, and a hacker had shown that the app could be basically hijacked with this little device he created that you could plant on a vehicle.
His little device would sort of hijack the user's smartphone credentials and then send them to the hacker so that the hacker could track the car, unlock it, you know, recover his device or even steal the car, steal the contents of the car. So GM learned about this, and they actually patched their smartphone vulnerabilities in their smartphone app that would have allowed this attack within 48 hours. And that's a big improvement over five years. Of course, it's a much easier problem to fix in a smartphone than in a car, but it still shows that they're taking this seriously, they have a real cybersecurity team. You know, it's encouraging, and I don't want to entirely chastise these companies. It seems like in general everyone's improving, it's just a matter of how fast and if they, you know, are really improving as fast in terms of the security that they're adding as they are with potentially vulnerable features that they're adding.

Host: So potentially how many hackable cars are on the road today, and should people who own a newer model car, should they be afraid when they get in their car?

Guest: Well, I don't know the total number of internet-connected cars, but it's absolutely in the tens or hundreds of millions. And I, but I do not want to say that people should not, should avoid an internet-connected vehicle or avoid a modern vehicle. I get a lot of comments on my stories that say, well, good thing I drive a 1957 Chevy. And I get kind of a chill when I read that, because it's a really dangerous attitude. This is still a future, a future threat, future harm, future deaths that could result from an actual, you know, in-the-wild hack of a vehicle on the road. Whereas, you know, the safety features that have been built into cars over the last decades, including the, you know, the internet-connected safety features, the ability to respond to a crash in real time and locate vehicles, that, that's a present-day problem.
And I would never want to convince anyone to buy an older, less safe vehicle because it doesn't have an internet connection or doesn't have computerized, you know, components. So if there's any, you know, if there's any doubt, then, yes. Modern vehicles are great. And internet-connected vehicles are also good. But we shouldn't have to give up, you know, that connectivity to achieve safety. With our computers and, you know, with my iPhone, for instance, an iPhone is an internet-connected device, like always on, always internet-connected, and it has basically faced virtually no malware, no hacker attacks that have been successful for its eight years of existence. I think that that should be possible with a car too. So it's really just about achieving both of these things. I wouldn't want to tell people to give up those internet-connected features or any other of these potentially important safety features of a modern car.

Host: Andy Greenberg, are there any additional issues with regard to this hacking when it comes to driverless cars?

Guest: Oh, of course. You know, I asked researchers about this, what happens when we go from just an internet-connected vehicle to an internet-connected autonomous vehicle, and they just say everything gets worse. It's just like, you know, it puts the problem, you know, into this turbo mode where suddenly instead of just a few automatable features being hijackable, now everything is automated. When you control the computer, the kind of computerized features of the car, now you control everything. You can steer it entirely instead of just hijacking the self-parking feature, now it has an entire self-driving feature. You control the steering wheel just as much as a driver would in a normal car. So this is absolutely something that's going to become vastly more important as self-driving vehicles hit the roads.
And, you know, I think that's something that the automakers that are thinking about self-driving cars or even the tech companies that are, are aware of. Charlie and Chris, the two Jeep hackers, for instance, were hired by Uber, who is rumored to be building its own autonomous vehicles or potentially buying a fleet of autonomous vehicles. So hopefully that means they're thinking about this problem of what happens when a self-driving car becomes a sort of hacker-driven car and trying to head it off, you know, before those cars are actually on the road.

Host: You mentioned earlier that the car companies, Mr. Greenberg, aren't talking to you much. Have they been reticent to discuss this issue?

Guest: I think they have. I mean, until this Jeep hack it wasn't, I don't think, something that the average American was aware of, that an internet-connected vehicle could be hacked, that a car is basically a, you know, two-ton smartphone on wheels. And, you know, they're still, I think, they still believe that by avoiding the subject, they can kind of just prevent people from thinking about cars in that way. You know, but I think that's, it's only a matter of time until this is sort of part of the mainstream awareness. And then I would really like to hear about the good things that I know the automotive companies are doing to secure vehicles, you know? I have heard that at least since the research in 2010 that took over a Chevy Impala, there's been no illusion within the car industry that this is possible. So, you know, it's certainly something that they're internally aware of and that they've been working on, and it's just, you know, it's, they're not sticking their heads in the sand, they just look like it because they seem so afraid of speaking about this in public.

Host: Andy Greenberg of Wired magazine. He's a technology reporter. He started quite the conversation with his article about driving a hacked Jeep.
Thanks for being on The Communicators.

Guest: Thanks for having me.