CSI: Cyber is known more for absurd drama than technical coherence, but it’s a big deal that hacking’s become so visible that it’s the plot point of a network TV show. When we heard that last Sunday’s episode of CSI: Cyber, “Gone in Six Seconds,” was about car hacking, we had to tune in. It even featured a split-second cameo from car hackers Charlie Miller and Chris Valasek, who earlier this year assumed control of a Jeep as our own Andy Greenberg drove it down the highway. Here’s what CSI got right about car hacking, and some of its less plausible takes on how such hacks work.
The episode begins when a hacker named “Smokescreen” drag races a driverless vehicle remotely, forcing it into another car and killing the driver. Smokescreen’s real name is Kevin Cane, and he lost the use of his legs drag racing a fellow named Paul Martinez, who—gasp—leads a massive drug ring. Cane plants a phone in Martinez’s car in an effort to frame him for the fatal crash. The plot twists and turns from there: During a drag race set up by the FBI, hacker-turned-FBI agent Brody Nelson, a central character on the show, gets into a car under Cane’s control so he might disrupt Cane’s access to it. To do this, Nelson disables the car’s GSM chip, which links to a digital cell network, to kill the navigation. Eventually, the FBI Cyber Division uses the car’s event data recorder “black box” to track down Cane, who controlled the car using an open source microcontroller connected to its OBD-II diagnostic system.
It’s surprising to see that CSI: Cyber, in spite of its wild inaccuracies, has a firmer grasp on the possibility of car hacking than, say, Scientific American. “Anything that the car can do can be replayed, or spoofed, or impersonated,” says Joshua Corman, founder of I Am The Cavalry, which advises industries and policy makers on cyber safety. Given that many cars already have semi-autonomous technologies, “if you had the right series of controls, you could drive it remotely,” Corman says. “So it doesn’t stretch the realm of possibility right now.”
Car Systems Are Increasingly Interconnected
The show correctly notes that today’s cars are increasingly interconnected, and everything connected to the car’s onboard computer—headlights, steering, turn signals, brakes—is vulnerable. That’s because the latest models have a CAN bus, or controller area network, linking multiple electronic control units, such as parking assist and active cruise control, in a single network that allows everything to communicate with everything else. The trouble is, this network is not secure. “Because cars were never connected to the outside world, there was no need to have segmentation and authentication,” says Corman. That’s why all the systems trust each other. And that means someone who compromises the infotainment system could, for example, spoof commands sent to other systems, such as the brakes.
Although CSI: Cyber pointed out that it’s possible to hack a car through the an emergency response system like OnStar or an onboard diagnostic dongle, Cane’s character instead installed a remote device to hack the navigation system remotely. Nelson somehow fixes things by breaking the GSM chip, then the Feds trace Cane using the SIM card in the remote device, which communicates with his cell phone.
Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, knows a little something about this. He hacked a Tesla Model S during the summer and is quick to note that many cars have GSM radios. To hack the Tesla, he and fellow researcher Marc Rogers physically accessed the car to plant a backdoor, then used the car’s Internet connection to control the vehicle. “We didn’t even need to add any new equipment in the car,” he says. “We just modified the software running on the car’s servers. The car, indeed, was running on multiple servers. It was a data center on wheels.”
This is why it is important to isolate the myriad systems within a car. “If your security model is such that if you hack the infotainment system, you hack the car—that’s not good,” Mahaffey says. Just as you wouldn’t want anyone tocontrol an airliner’s avionics through its onboard Wi-Fi, you don’t want anyone controlling a car’s brakes by accessing its infotainment system. “Not all cars are architected in that way, and certainly going forward, we hope that all cars have a strong separation between infotainment and vehicle systems,” says Mahaffey.
The Black Box
In the show, FBI Cyber referred to the event data recorder as the car’s “black box” and used it to track down the hacker. Cars do have such a black box, but that’s not quite how they work. The EDR can indicate a car’s speed, whether the occupants are wearing seat belts, whether the airbag deployed, and other info, but it’s not going to tell you if someone’s hacked the car. “The EDR’s information is great for insurance companies, but [it] would not be able to tell if there was a software bug, hacker or some nation state assassination attempt,” Craig Smith, author of The Car Hacker’s Handbook, tells WIRED. “While this data tends to raise the ire of privacy advocates, it does little to actually detect a ‘hacked’ vehicle.”
Remote Drag Racing
There’s no doubt car hacking could threaten driver safety, but Corman thinks the far greater risk to automakers is consumers losing faith in their ability to secure their vehicles. And he thinks individual attacks are far less likely than someone taking control of emergency response vehicles while committing another crime. This isn’t beyond the realm of possibility. “Putin used cyberwarfare to jam communications in the nation-state of Georgia before he rolled his tanks in so that they couldn’t communicate with each other,” Corman says. Criminals also could upload ransomware or spyware to cars.
Automakers, for their part, are adding technology and faster than they are securing it, and it remains to be seen whether automakers will close all of the security holes before something serious happens. But there are signs that they’re taking this issue seriously. Chrysler recalled 1.4 million vehicles after WIRED publicized the Jeep hack. So even though CSI: Cyber didn’t get the details quite right, at least it warned mainstream audiences about the rising risk of car hacking.