
Some questions for the researchers, or anyone else who thinks this was okay:

1) Were public roadways and speeds of 70mph absolutely necessary to demo this?

2) What was the plan if the trucker approaching at 70mph hadn't seen the Jeep stalled early and had to swerve or panic stop, possibly crashing and injuring themselves or others?

3) Anyone notify the Missouri State Highway Patrol about this? They may be contacting the researchers with questions about this demo if they weren't consulted in advance.

4) What's the plan if they trigger a bug in the car software of the people they had tested this with earlier? The article mentions them tracking people remotely as they attempt to learn more about the exploit.

I could go on but why bother? In case any of you think this was cool or even remotely (no pun intended) ethical, I'd like to know if you have a problem with letting these two test this on a loved one's car. How about they remotely poke around your husband or wife's car and explore, as long as they promise not to intentionally trigger anything?

If I ever learned this had been tested on a vehicle I was in, I'd make sure this cost the researchers dearly.

EDIT: I've just phoned 'Troop C' of the Highway Patrol at their main number, +1-636-300-2800 and they seemed pretty keen to follow up. The fact that the vehicle was disabled where there was no shoulder, was impeding traffic, and the demo not cleared with them in advance has them concerned. I'm all for testing exploits and security research, but this isn't the right way to do it. And to film it and post it to a high traffic site is nuts.






Calling the police on security researchers...I honestly cannot believe this is considered acceptable behavior. A much less aggressive (and thoughtful) move would be to contact the researchers directly. Wow.

Back to the article, I think that this type of exploit will become more and more common as vehicles become more connected and automated. We need to know that we can trust the software and firmware running on the devices that literally have the power of life and death over us. Unfortunately, this is a VERY complicated issue, and no one has a solution yet AFAIK.

I watched a talk by Cory Doctorow last year where he suggested validation at the hardware level (a la trusted platform modules), but unlike the typical TPMs that only allow vendor software to be authenticated, these TPMs would allow the user to directly authenticate the firmware. If you know the firmware is good, then each layer can validate the next layer up all the way to the OS.

I have yet to hear of a system that allows the user to directly authenticate software/firmware at the hardware level. Is anybody working on research of this nature? Or are there insurmountable problems with this approach?
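The chain-of-trust idea in the comment above (a user pins the root, and each layer checks the next) is easy to simulate. The following is an added example, not code from the thread or from any vendor: it models each boot stage as an image carrying a manifest with the SHA-256 digest of its successor, and assumes the user stores the digest of the first stage somewhere the firmware cannot rewrite. Plain hashing stands in for a real TPM or signature scheme; the stage names and images are constructed.

```python
"""Simulated user-rooted verified-boot chain (added example, not from the thread).

Assumption: each boot stage ships with a manifest naming the SHA-256 digest of
the next stage, and the user pins the digest of the very first stage (the
root of trust) in a place firmware cannot rewrite. Hashing stands in for a
real TPM or signature scheme; stage names and images are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes          # constructed stand-in for the stage's executable image
    next_digest: str     # SHA-256 hex digest of the next stage, "" for the last

    def image(self) -> bytes:
        # The measured image covers both the manifest and the code, so
        # tampering with either one changes the digest a predecessor checks.
        manifest = json.dumps({"name": self.name, "next": self.next_digest}).encode()
        return manifest + b"\n" + self.code


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Link stages back to front so each one carries the digest of its successor."""
    stages: List[Stage] = []
    next_digest = ""
    for name, code in reversed(images):
        stage = Stage(name, code, next_digest)
        stages.append(stage)
        next_digest = digest(stage.image())
    return list(reversed(stages))


def user_root_digest(chain: List[Stage]) -> str:
    """What the user pins: the digest of the first stage, i.e. the root of trust."""
    return digest(chain[0].image())


def verify_chain(chain: List[Stage], pinned_root: str) -> Tuple[bool, str]:
    """Walk the chain from the pinned root; each stage vouches for the next."""
    expected = pinned_root
    for stage in chain:
        actual = digest(stage.image())
        if actual != expected:
            return False, f"{stage.name}: digest mismatch"
        expected = stage.next_digest
    if expected != "":
        # The last verified stage expected a successor that never appeared.
        return False, "chain truncated"
    return True, "ok"


def main() -> None:
    chain = build_chain([("bootrom", b"rom v1"), ("bootloader", b"bl v1"), ("os", b"kernel v1")])
    root = user_root_digest(chain)
    print("intact chain:", verify_chain(chain, root))
    # Swapping the OS image is caught because the bootloader's manifest still
    # names the original OS digest.
    tampered = chain[:2] + [Stage("os", b"kernel with implant", "")]
    print("tampered OS:", verify_chain(tampered, root))


if __name__ == "__main__":
    main()
```

The design point is that the only value the user has to protect is the root digest; every other expected value travels inside the image it belongs to, so replacing any stage, or cutting the chain short, fails verification at the first stage that no longer matches.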


> Calling the police on security researchers...I honestly cannot believe this is considered acceptable behavior.

But putting many lives in danger is considered acceptable behavior by security researchers? Does it actually matter that it was security researchers? Do security researchers working on banking software need to steal a million dollars in order to prove that they've found an issue? Would calling the police be acceptable in that situation?

Actual outrage is acceptable when there's actual danger. Calling the cops on a loud neighbor might not be acceptable, but calling the cops on a neighbor firing a gun in the general direction of your house certainly would be.


> Calling the police on security researchers...I honestly cannot believe this is considered acceptable behavior. A much less aggressive (and thoughtful) move would be to contact the researchers directly. Wow.

Reminds me of people who will call the police on a loud neighbor instead of just, you know, talking to them first.


This isn't just a loud neighbor. This was a drunk loud neighbor waving a loaded gun around.

The driver was clearly distressed and they were just laughing it up.


I don't know where the threshold is, but calling yourself a "security researcher" is not a blank slate to do whatever you want.

I think it's 100% OK to test on a private car on a private track.


Had my car stall on the highway once. Pretty scary because you lose power brakes and power steering as you're trying to pull over.

Was it a hacker? Nope, just a dumb mechanic that got trash deep into the air intake during a routine oil change.

How many (dumb mechanics)*(routine oil changes) are there in this country? Five-Six orders of magnitude more than auto hackers, which is why I don't see any harm in one more (where the driver knew ahead of time it was going to happen).


Cars aren't toys. Just because there are many stalls doesn't mean adding one more becomes acceptable.

Here's the good test: since humans were involved, how did they present this to their ethical review board?

I'm pretty confident the answer would be "what's an ethical review board?".



> Calling the police on security researchers...I honestly cannot believe this is considered acceptable behavior. A much less aggressive (and thoughtful) move would be to contact the researchers directly. Wow.

What would contacting the researchers achieve? They arbitrarily did the experiment in a public highway "to make the headline more shocking".

As much as I support any kind of security research, and as much as I support getting the attention of people to raise awareness, contacting the authorities was the correct move; a public highway is not a research lab without a proper permission from the authorities.


"A much less aggressive (and thoughtful) move would be to contact the researchers directly."

Not conducting this demonstration on a public highway would also have been a much less aggressive and thoughtful move, not to mention less dangerous.


Finally some IT guys getting how the press works and now you want to change their story to something like "how I hacked a car in my backyard".

>Calling the police on security researchers...I honestly cannot believe this is considered acceptable behavior.

There is even a bigger problem. These researchers, even if they were negligent, are far more at risk of legal punishment for creating a small risk for the sake of increasing safety standards overall than the people who choose to cut security funding and put magnitudes more people at risk for the sake of making more money.

Isn't it odd that we have a legal system where the ones who attempt to expose and fix the problem for the sake of safety are facing far greater legal trouble than those who knowingly allowed the problem to occur in the first place in order to increase profits?


Same here. Posts like these make me take the effort to log in just to downvote. Sad to see such a mindset to gain so much traction.

Calling the police was completely inappropriate, but downvoting the comment as a way to signal your disapproval with his action in the real world isn't helpful. The comment itself is well written, on topic, and leading to good discussion.

I agree with what others have already said: Since nobody was actually hurt he should have contacted the researchers to make his point.


I was thinking about how dangerous it was while I was reading it too, but I came away far less concerned than you I guess. The deceleration on the highway was the most worrisome, but it's not even in the ballpark of common driving hazards like distracted folks on cellphones or flying debris. A crash from such a thing is unlikely and the inconvenience is pretty minimal.

Even you, the busybody who called the cops because you read an article, said "What was the plan if the trucker approaching at 70mph hadn't seen the Jeep stalled early..." which implies that the trucker would have been following too closely or not paying attention (or both).

It's worth pointing out that the driver was aware of the situation and they didn't do anything dramatic like lock the brakes or throw the car in reverse. They chose a gentle deceleration in a stretch of road that had no shoulder to make it feel dangerous, but, on the spectrum of hazards that most drivers face every time they take the car out of the garage, this is pretty tame.

The fact is, had something happened, it wouldn't have been the disabled car that was at fault.

I think the researchers are in the clear, and for you to have read the article and been bothered enough to call the cops (and post the number for, presumably, the convenience of other hyper-sensitive folk who might otherwise just go back to staring at the neighbor kids from their bedroom window with their phones in their hands and 911 on their speed dial) is nuts.


They intentionally disabled a car in an area with no shoulder. They intentionally introduced a large hazard on the highway. If something happened, they would have been partly responsible. You do not just stop on the highway just because you feel like it.

You called the cops on two security researchers and a journalist, because you disagreed with their methods and weren't sure what their plans were and what authorities they'd talked to? (And not just any cops, the cops in St. Louis, for bonus points.)

Are we still on Hacker News, or is the transformation to Enablers of Traditional American Power Structure News complete?


As much as it seems over the top, those researchers could have hurt people.

Calling the police will not have them go to jail or have their data deleted. It might (rightfully) get them a fine. It will however ensure that their next experiments are done in a safer, more legal way.

Calling the police isn't all about emergencies. You can call them to talk about issues that worry you, such as this one. They will take care of bringing the issue to the right entities; it's their job.


There are plenty of safe ways to accomplish this kind of demonstration. The fact that they chose to do so in a way that endangered the public is in fact criminal.

Being a security researcher or journalist doesn't give you a license to put the public in physical danger.


I'm sure the police are even more ill-equipped to understand the ramifications of this demonstration and will over-react and start jailing anyone with a laptop and suspicious intent.

I can't wait for the pathetic outrage when "racial profiling" now means harassing white kids with laptops that fit the profile of hacker.

This is a matter for a company like Google to take on politically, not some beat cop in St. Louis of all places.


Are you not supposed to report dangerous, and possibly criminal, situations to the authorities? A witness to such events cannot know if it has already been reported or is known about; are they supposed to just go on with their day? Yep, just drive by that car accident with possible injuries without calling it in because I'm sure someone else has already taken care of it. What's the worst that could happen? The authorities tell you they are already aware of the situation, thank you? Are we now people who should no longer care what's going on around us, or are we careless souls too worried about ourselves to care about fellow human beings?

Sorry, but the cops lost that trust from me when they started sending SWAT teams and abusing power way too much. Since then, to me calling the cops has become a last resort. I don't trust ANY of them because of the few aholes that are abusing their power. Mainly caused by their policies of shutting up and protecting each other. Until they fix this, I will not trust ANY cop again.

Until you're a victim of a crime I presume

I'm not sure how this would make calgoo change his mind.

* Cops are under no obligation to go into harm's way to protect the public.

* Cops primarily exist to collect evidence for prosecution after the fact.

* Just because criminals and crimes exist doesn't take away from cops' bad behavior.

* If calgoo becomes the victim of a crime, cops are unlikely to be able to make him whole again - for bodily injury, prosecution of the perpetrator can't restore his body or life - for property damage or theft, police usually can't be bothered with the small stuff.


There are problems with power and corruption.... But

Have you seen what happens to communities when police withdraw? They become overrun by gangs and other less accountable organizations.

Even favelas where cops act paramilitarily, say in Caracas, people still want cops because no cops is usually worse, unless you get a private version of cops, which is essentially cops by another name.


HN is chock full of self-righteous hall monitors. They usually don't progress to the point of calling the cops.

Can you expand a little on how calling the police about something is more or less self righteous than doing the (at least somewhat dangerous) experiment on a public highway?

Never talk to the police. At least in places like St-Louis and other cities with historically bad police departments (most of the US).

It's interesting how you view this issue. If the researchers are more self-righteous than the person calling in, it justifies the latter?

No, it just makes directing that line of criticism at the caller pretty inane.

Hall monitors are the best way I could imagine these people being described as. I completely agree.

The fact of the matter is that this is Startup News not Hacker news. Hardly anybody on this website is a hacker. Most are people that code html and php in their day job and go home and do normal shit. These are people that complain about how the industry "pressures" them into coding in their free time.

I'm glad to see he did it. Not all "hackers" should be irresponsible kids who think about police as enemies.

I agree: it was very poor judgment to demonstrate this on a public highway.

But when I read that you actually called the authorities and encouraged others to do the same by posting the number, a certain somewhat Tao-istic scene in The Big Lebowski [1] came to mind.

1. https://www.youtube.com/watch?v=uQl5aYhkF3E


While I agree with the fact that what they did was dangerous, the fact they did it that way will garner much more attention to the root cause of this problem - connected cars allow remote control of car's most basic mechanical features, which they shouldn't. Hopefully, this will result in better safety measures in car systems in the long run.

Edit: They could've done it on the parking lot and the article would be put in a pile "some geeks are doing some geeky stuff" and forgotten. 70 MPH on the public highway is like a billboard with ten foot letters saying "PAY ATTENTION" in your face.


This was my first thought. To repeat what others have said: why on earth did they do this on open roads and high speeds? I can only assume it was for additional 'shock impact' of the story.

Reckless in many, many ways, no matter how interesting the story actually is. In fact it's so reckless that it actually devalues the interesting and important core of the story itself.


Feynman had a nice story where he figured out a way to crack many of the safes in Los Alamos, then dutifully reported his method to some bigshot general. The general said "hmm interesting, thank you very much", and banned Feynman from entering rooms with safes or something. The safes stayed as unsafe as ever.

You remind me of that general. You should be hanging out on Catch The Hacker News, not Hacker News.


Blame the messenger, hey? How about calling the cops on the company that actually put that crap tech in your car instead? To the OP: You don't have to scare me twice. I'm sporting pre-9/11 PC hardware and now I'll be driving a pre-9/11 car. If you tell me that someone can remote control my underwear then maybe I'll have to draw the line there because I'm not buying pre-9/11 undies dammit....not yet anyway.

You better have the Highway Patrol investigate every single person who doesn't maintain their car properly and takes it on the highway because they're causing far more risk than this demo came close to creating, IMHO.

Was it a stunt? Yes. Was it life threatening? Hardly. The real risk is the early 90s Civic with a torn up clutch and bald tires swerving between lanes.


> Was it life threatening? Hardly.

Uhh what? It seems you cannot go a week without reading about a pile-up on a freeway. Just last week a big-rig lost a wheel, it rolled into the on-coming lane, and drivers swerving and braking to avoid it actually caused a pile up. Stopping even on the shoulder on a freeway is considered "risky" by most police officers and many (like triple digits) have been killed while stopped in the shoulder due to vehicles drifting, failing to pay attention, or otherwise being distracted.

I cannot remotely begin to fathom how anyone can think a car going 0-10 MpH on a freeway ISN'T dangerous. And it is absolutely life threatening. If a car behind didn't notice the change in speed, panicked and either hit you or the concrete barrier(s) that could very easily cost them their life. Or leave them with life-long disabilities. Bigger things like trucks and those "road-trains" are even bigger liabilities.

Honestly I'll defend security research strongly in almost all contexts, but when you put people's actual lives in danger you clearly cross a line. There's no shades of gray there, endangering people's lives and health to effectively show off is absolutely immoral and should be illegal (and likely is).

Saying "well nobody got hurt" completely misses the point. It is the intent that is wrong, not the result. The result could have multiplied the wrongness of the intent and resulted in tens of years of jail time, but luckily for them their only "crime" this time was the intent of their dangerous actions.

And let's be frank here luck is the only reason nobody got hurt. The only reason why these two won't be in jail for many years.


Poorly maintained vehicles that break down while driving surprise the driver. This happens daily on public roads. Should we fine them for failing to maintain their vehicle to your standards?

There are autonomous vehicles being tested on our roads with a failure mode of "coast to a stop". They may not even have a human inside to react to things around them. Do the operators deserve to be jailed?

People modify their cars with various after-market upgrades and take them onto the highway. If the car fails, do they deserve to be imprisoned?

What a slippery slope!


They decelerated a car. The brakes weren't even applied. This happens all the time on highways. It is unfortunate that it happened where there was no shoulder on the road, but if an accident did happen then I'm not so sure the researchers or journalist would be at fault.

Here's a scenario:

Let's say a person is driving a car, when their car engine fails. There's no shoulder for them to drive onto, so they are just slowly decelerating when they are rear-ended by a vehicle behind them. Would you say that the car that had a mechanical failure is at fault, or the person behind them who wasn't paying attention is at fault?


> but if an accident did happen then I'm not so sure the researchers or journalist would be at fault.

So the people that purposely tried to cause the accident wouldn't be at fault for the accident if it occurred..?

I find it highly amusing that in your scenario you're using an unpredictable failure as an equal for an intentional act.

A better scenario would be:

I open your car bonnet while you go to the bathroom. I half-cut some cables knowing that they will fail when you knock them a few more times. You come out, get in your car, and drive down the freeway. A few miles later your car stops suddenly in the fast lane, and a big rig crashes into you while you sit there stopped going 70 MpH and you die. According to you I am not, at all, responsible for your death.

Or better yet still:

You just stop on the freeway just for fun/see what would happen. Someone drives into the back of you at 70 MpH and THEY die. According to you, you aren't at all responsible for that.


The driver was aware of their activities, so he is probably the only one with any legal culpability.

Impeding traffic is a misdemeanor in Missouri, probably rates a maximum 1 year jail sentence (note 6: http://www.nhtsa.gov/people/injury/enforce/stspdlaw/mospeed.... )


According to the article, they didn't actually tell him ahead of time what they were going to do to the car.

ya well all they did was stall the engine, they didn't tell the car to apply the brakes.

With what certainty did they know that was going to happen?

> Was it life threatening? Hardly.

You really really don't know this.

If this was done by an actual research lab staffed by adults, it would never have gotten past the ERB.


> Was it life threatening? Hardly.

Danger Checklist:

✔ 70mph

✔ Public highway

✔ Driver not in control


You're not gonna make the news unless the media can spin up a headline that scares people

People won't pay attention until they're scared

People won't demand action if they're not paying attention

Nothing will happen if people don't demand action.

If nothing happens the status quo (vulnerable systems) will remain. Until some bad actor (I'm sure several nation states would love that capability) gets into OnStar and turns every connected vehicle (every GM made in the last 8 years or so) into a brick at an inconvenient time (rush hour on a Monday).

>I've just phoned 'Troop C' of the Highway Patrol at their main number, +1-636-300-2800 and they seemed pretty keen to follow up. The fact that the vehicle was disabled where there was no shoulder, was impeding traffic, and the demo not cleared with them in advance has them concerned. I'm all for testing exploits and security research, but this isn't the right way to do it. And to film it and post it to a high traffic site is nuts.

I'm not sure if you're actually this dense or just trolling. What good can involving the police, after the fact, in a situation where nobody was harmed do?

To clarify: If a story involving events of questionable legality, no matter how small, were to hit the news, the police would be obligated to investigate on some level. Think about the kind of message that "we saw it on the news but we don't think it's worth investigating" would send. By informing them before it hits the general news, one enables the "SWAT teams and more" knee-jerk response that the police love (if I had cool toys I'd want to play with them too) but without any media scrutiny. For example, law enforcement was plenty eager to screw the guy that "hacked an airplane" (through similar means I might add) until the story became more widespread and they had to use their discretion to act in a manner that would not reflect poorly on them.

By alerting the State Police in advance they're

I don't expect this to hit the news. University of IIRC Michigan (something with an M) was doing similar things at closer range (bluetooth) on a test track back in 09(?) and nobody cared.

And for all the people saying they were "reckless and dangerous, etc, etc," sure, yeah, to a small extent. If they wanted to be reckless they'd have made the car go instead of stop, swapped left and right on the electronic power steering, disabled the brakes on one side or end of the car, etc, etc.


>I'm not sure if you're actually this dense or just trolling. What good can involving the police, after the fact, in a situation where nobody was harmed do?

I don't know, maybe if they get in trouble the next researcher who wants to do a test by disabling a car doing 70mph on a public road will maybe just alert a few people and make sure that it would be impossible for someone innocent to die during their testing.

I was with your comment until you called the GP dense or a troll. Because to follow your logic, to get action, they should've just actually killed a random person. Then you'd be right, we would get some changes, pretty quick.

Who do you think should be the random person to get killed for change?


They didn't have to do this on a public highway. A large parking lot would have been sufficient. Why should other motorists be subject to harm because a couple of hackers and a reporter want to make a story? They could've easily gone on one of the 24hr news channels to scare the masses.

Or heck even a quiet public road. There are tons of inter-state roads that have single-digit numbers of cars an hour. Just drive out into the desert and play around.

PS - Plus due to the flatness of these roads, with large de-facto shoulders you can pull off onto, they're much safer even ignoring traffic levels.


I agree they may not make news if they did this in a safe manner.

However, the goal of people researching security, shouldn't be to make news. And these people while admittedly working with Chrysler to see it fixed, seem to be forgetting that. Especially since they plan to release their code, despite the fact that Chrysler has to get people to manually update their cars.

"The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review."

Their justification for releasing their code, as someone who works in peer reviewed industries is weak and they clearly are prioritizing attention over security at this point.


I saw a presentation at a departmental colloquium 3 years ago which demonstrated similar capabilities. The point is, car companies are not responding well to this threat even though it is well known to them. In such situations it is in the public's best interest that information about the vulnerabilities be widely disseminated in order to keep the general public safe. Those with know-how can already exploit these flaws and likely have been for years. The car companies need to act to secure their customers' systems.

>> The point is, car companies are not responding well to this threat even though it is well known to them.

I think the problem is related to core competencies (sorry to throw in the MBA speak).

The old-school car companies are good at making cars, and not secure computer systems.

You can likely say the same about the skill sets of the decision-makers running these companies. Many of them just can't wrap their head around security implications, because they don't fully understand them.


> In such situations it is in the public's best interest that information about the vulnerabilities be widely disseminated

This assumes many facts not in evidence.

It may, in fact, be the best thing. But security people, as a rule, are strongly biased to love things that increase the social standing of security researchers, and chaos does that.

There are other ways of pressuring the car companies. I'd like to see companies failing to fix disclosed security holes in safety critical applications in a certain period of time face monetary damages, even without need to show harm was caused.

But lobbying is boring and getting on the top of HN is fun.


>> I agree they may not make news if they did this in a safe manner.

Maybe, maybe not. All they need to get eyeballs is a linkbaity FUD headline with a few extra scary sentences thrown in.

It's not as if the TV news doesn't already do this with their teasers for "Is eating too much XYZ going to kill you? Find out after the commercial break" only for you to find out that the story about XYZ is overblown and poorly vetted.


They could still have made the news if they had taken a few extra precautions to reduce the risk of an accident.

However, they do need to make the news. Them making the news makes it easier and more likely that politicians will prioritize the political capital of working to solve this over the lobbyists from the automotive industry.

If Chrysler and other car manufacturers were taking this sufficiently seriously the releases might not be necessary. They gave Chrysler plenty of warning, Chrysler could have issued a recall (and still can), the consequences are on Chrysler, not on the security researchers.


Reckless endangerment/criminal negligence is a crime even if nobody is harmed.

The hackers may have crossed the line if they disabled the engine on a narrow stretch of a busy highway. It should be investigated.


Yes, yes. We wouldn't be having this big thread about the safety of the experiment, and consideration for other motorists, if they hadn't done it this way.

If they had done this in a parking lot at 25 MPH with a couple cops present, the way Mythbusters does things, they would have ONLY had a story about hacking a Jeep to shut it down. And if they played their cards right, they might even be able to start some LEO contracts for car-disabling equipment.


> I'm not sure if you're actually this dense or just trolling. What good can involving the police, after the fact, in a situation where nobody was harmed do?

People who do one reckless thing such as this demo are likely to do others. Calling the police about this incident means that they'll have a record of the people doing this, and if it becomes a pattern, handle it considerably harsher than an isolated incident.


[deleted]

So either the journalist/researchers did something highly dangerous to the reporter and others on the highway as a stunt, or the journalist has no qualms about making up details for shock value? Sounds ethical.

I had the same thoughts. Testing the exploits on an open highway, at full speed, strikes me as needlessly reckless.

There is no excuse for this when there are plenty of lower speed locations available. They should have used a large parking lot or similar.


> There is no excuse for this when there are plenty of lower speed locations available. They should have used a large parking lot or similar.

At some point you probably want to test it at highway speeds. I agree that a closed course would be the only responsible option, however.


They are not testing it, they are showing it.

Reckless yes and still probably not enough....

I believe people will need to be killed, or get their cars destroyed, before the rest of the population takes enough of a stance against "neglecting" security.


Nowhere near as reckless as missing oncoming traffic by mere feet at speed differentials exceeding 100MPH. Happens billions of times a day without anyone expressing the slightest concern. People are regularly killed and cars destroyed; the rest of the population doesn't care.

Oh man, I'd hate to be your neighbor.

I was wondering why they weren't in constant communication (didn't he say he had to grab his phone and ask them to stop?). Why the f*#@ would you test this at speed?

I agree with you, I hope that the author was lying to make his story more interesting (how's that for a bad wish).

I completely agree with you, they seem to have a total disregard for anyone else's safety.


Now there are two parties who are making poor choices about how to handle things.

It's not that your points are irrelevant, it's that they needlessly draw attention from the issue at hand: that the car manufacturers are being criminally negligent.

There is more than one party here who is displaying extreme neglect.

I agree that they definitely took it too far and weren't being very safe, but calling the cops seems to be taking it a little too far, also. What laws were broken?

Edit: Actually I've thought about it, and they could probably be charged with reckless endangerment.


There was a "documentary" of these guys when they were testing via a hardwire to the car's computers. They were also in the car with the driver as well as in a parking lot and on some non-busy country road.

I wonder if the reporter just added in those details about the highway to make it seem like more of a real threat or if they actually did test on a busy public roadway.

edit: Found the video - https://www.youtube.com/watch?v=oqe6S6m73Zw


The Wired article has a video of the test on the busy public roadway.

Ahh, I skipped right over it to the text. Woopsies. :D

Nice job victim blaming.

This is the kind of completely uninteresting side discussion that people on internet forums love to get into. "Somebody did something dangerous on a road" is not a relevant topic on HN.

This is behavior that makes adults think that people calling themselves "security researchers" are bonkers and need to be legislatively controlled.

Mature research labs have review boards to govern "researchers" who want to just see what happens when LSD is put in the water supply.



