ESET’s Stephen Cobb examines how close we are to the kind of jackware technology shown in the latest film in the Fast and Furious franchise, Fate of the Furious.
Car hacking takes center stage in the recently released eighth episode of the enormously popular Fast and Furious film franchise: Fate of the Furious (or #Fast8 if you’re into the whole brevity thing). Having coined the term “jackware” for malicious code used to hijack vehicles, I was excited when a Twitter friend tipped me off to the film’s depiction of vehicular hacking mayhem, and I went to the cinema to see for myself. Fortunately, for those who don’t like watching movies in cinemas, you can watch scenes of “jackware at scale” on YouTube in the Fast and Furious 8 Official Trailer #2.
From Jeep to Jeepers!
If you’ve been following the evolution of car hacking, then you will know that the WIRED Jeep hack in 2015 was a landmark event (reported and discussed here on WeLiveSecurity). And if you watch the #Fast8 trailer closely you will notice, at around the 45-second mark, that the first vehicle to go bursting through a window is a Jeep (and it looks to be the same model hacked in WIRED).
Some while after the Jeep hack, I came up with the term “jackware” to describe the use of malware to take over a vehicle, whether to extort a ransom from the owner, or to take the car somewhere other than the destination intended by the legitimate owner or operator. Think ransomware for cars and malware-enabled ransoming of vehicle occupants.
Clearly, the folks who were making Fate of the Furious had already begun imagining what a mass deployment of jackware could look like, and their version is now entering popular culture via “the biggest opening weekend in cinema history” (Forbes). In #Fast8 you see vehicular mayhem unfold as the autonomous driving features in many of today’s cars and trucks are abused by cybercriminals to create a lethal army of four-wheeled drones.
But could that really happen?
This strikes me as a reasonable question to ask, especially when you see the scene where someone in a high rise office parking garage is about to get into their car – a car that might look a lot like yours – and suddenly it speeds away. Not only does it speed away, it blasts through the garage wall to land on the street several floors below. And then there’s the scene when someone who is just out driving in New York finds their car is taken over remotely, forcing them to participate in a coordinated vehicular assault on an armored limousine.
Fortunately, while elements of the car hacking you see in this movie are real, the scenarios depicted are, I would argue, well beyond current technology and logistics. Let’s start with the fact that very few vehicles in use today have sufficient autonomous driving capabilities to participate in the kind of high-speed motor mob that is so effortlessly organized by the geeky minions of Cipher, the arch villain in #Fast8, played by Charlize Theron (“the very definition of high-tech terrorism”).
I certainly haven’t heard of any cases in which cybercriminals remotely seized control of a road vehicle’s steering function for malicious purposes. Indeed, my coining of the term jackware was intended to be precautionary, a warning shot to alert the public to what could be coming down the pike, so to speak. In other words: IF the automotive industry doesn’t get its collective act together in the cybersecurity department we could find ourselves having to deal with jackware in the real world.
Of course, as the Wired article in July of 2015 demonstrated, hacking of cars that have a rich set of digital features is definitely a thing, and several ESET researchers have written about it here on WeLiveSecurity, for example:
- Jackware: When connected cars meet ransomware
- Connected car hacking: Who’s to blame?
- Car hacking: Defcon style
- Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals
- The great car hacking debate
- Car hacking at speed – where vulnerabilities turn from critical to fatal
- 7 things you need to know about car hacking
The two researchers behind the Jeep hack in the 2015 Wired story were Charlie Miller and Chris Valasek, both of whom went on to work on autonomous transportation security for Uber, but not before publishing two very useful documents on vehicular hacking.
I consider these to be required reading for anyone seriously interested in this set of problems. For example, you can see that there are multiple barriers to the kind of hacking shown in #Fast8. When a feature like self-parking allows steering to be controlled remotely or autonomously, there will be a compensating control to restrict the speed at which this can happen. So, to do serious damage, you not only have to take over the code for the steering function, you also have to disable the code that limits the speed of the vehicle under various autonomous conditions.
Reading those reports also equips you to parse new developments in the field, like the growing list of potentially hackable features being proposed or even deployed. The news of the Jeep hack actually obscured one development, the announcement by UK-based Jaguar Land Rover that it had created a mobile app that lets drivers control their SUVs in sticky situations, from outside of their vehicles. My first reaction to this, as someone who has had to do some off-road driving in “sticky” conditions, was: “Cool!” But that was quickly followed by the question that haunts security experts, especially those who deal with malware-infected mobile apps: “What could possibly go wrong?”
In a slightly different technology development this March, Cadillac became the first carmaker to field vehicle-to-vehicle (V2V) communications in a production vehicle, which brings me back to #Fast8. One could hypothesize future abuse of V2V technology to organize the kind of motor mob that Cipher unleashes.
You can learn more about V2V at the US Department of Transportation, which is promoting this technology. To explore how things might go wrong with V2V, check out this fascinating academic paper: Worm Epidemics in Vehicular Networks.
Zero days and movie magic
When Charlize Theron’s Cipher asks one of her hacking crew to “find all the zero days” as a prelude to remotely controlling hundreds of vehicles you know you’re in for some serious, if not entirely plausible, hacking. I would be dishonest if I said I didn’t enjoy watching #Fast8, despite its steady diet of implausibility (sorry, but zero days don’t work like that, EMP weapons don’t work like that, torpedoes don’t work like that, cars can’t be hacked like that, and no, cars can’t go as fast in reverse as they routinely do in these movies). But when did a lack of realism ever stop a movie? It’s certainly not slowing down #Fast8, which only took three weeks to hit the $1 billion mark in global box office earnings.
To be clear, I’m not endorsing either violence as a problem-solving strategy or the use of criminal means to achieve socially beneficial outcomes. I’m certainly not endorsing unsanctioned road racing or driving without a seatbelt. What I do endorse are diversity and mutual respect as keys to problem-solving, which is something these movies warmly embrace.
As for hacking cars, I encourage anyone who is inclined to do this to play by the rules, and there are rules, like these Vulnerability Disclosure Guidelines at HackerOne, which operates a bug bounty program for GM. You will find comparable Tesla and Fiat Chrysler programs at Bugcrowd.