Connected Car Security Vulnerabilities – Part 1

The Internet of Things connects machines to other machines in a wide variety of fields and industries. In our digital lives, we are connecting devices to our networks at work and at home. In addition to work and home, however, we spend much of our waking time in transit from one place to another, often in our private automobiles. The Internet of Things is extending our digital lives to our cars, trucks, and other road vehicles. With this new integration come privacy, security, and other legal issues.

A 2015 episode of the CBS television show “60 Minutes” vividly illustrates what can happen when we connect cars with information technology networks. In the segment, which aired on February 8, 2015, reporter Lesley Stahl sat behind the wheel of a nondescript dark gray sedan while driving through a tree-lined suburban parking lot. In the driver’s seat next to her was Kathleen Fisher, a veteran of the Defense Advanced Research Projects Agency, or “DARPA” for short. As Stahl navigated one end of the cleared parking lot, two men stood at the other end – Karl Koscher, a University of Washington Ph.D. student, and Dan Kaufman, who was then Director of DARPA’s Information Innovation Office. Koscher used a laptop sitting on black boxes of what appeared to be equipment, while Kaufman provided instructions.

Kaufman told Koscher, “You wanna hit the fluids?” Koscher typed something on the laptop and suddenly the windshield wiper fluid sprayed onto the windshield on Stahl’s car and the wipers started moving back and forth. Stahl said “I did nothing” to turn on the spray. And yet, without Stahl doing anything, Koscher had taken control of the wipers and fluid. In a cut-away scene, Stahl explained that hackers had contacted the car’s emergency communications system, flooded it with sound data, and inserted a piece of code, which reprogrammed the car’s software so the researchers could take complete remote control of the car. Further demonstrating this control, Koscher caused the horn to sound, again without Stahl’s knowledge or action.

Fisher then instructed Stahl to drive up to a set of cones in the lot and stop in front of them. As Stahl drove forward, at Kaufman’s direction, Koscher disabled the brakes remotely. A close-up showed Stahl’s black pump shoe pressing down on the brake pedal. Nonetheless, the brakes would not work and Stahl called out “Oh, no. No. No. No. No. No. No. No!” Notwithstanding Stahl’s vigorous attempt to apply the brakes, the car wouldn’t stop and instead bowled over the cones Stahl was trying to avoid.

This television segment showed the vulnerability of contemporary cars to hacking. Cars are increasingly connected to various kinds of communications systems. While connected cars have the promise of making our lives easier, safer, more comfortable, and more entertaining, connecting information technology to cars also has a dark side. In the future, with even tighter integration of cars with external information technology systems, security risks will only increase. Moreover, security vulnerabilities give rise to legal issues, and data security raises just one set of issues.

My next post will talk about one particular lawsuit arising from vulnerabilities in cars.

Stephen Wu is a shareholder with Silicon Valley Law Group. Mr. Wu advises clients on information technology matters in areas including establishing information governance policies and practices, agreement drafting and negotiation, information security, data breach response, computer fraud, computer investigations, privacy, and records management. For more information on legal assistance for your Internet of Things products and services, please contact Stephen Wu by completing the web form here.
