Attack of zombie vehicles unlikely to play off-screen
Call it the worst promotional material ever produced for self-driving cars.
The newly released “The Fate of the Furious” depicts dozens of cars being hacked and controlled remotely to wreak havoc on the streets of New York City. The eighth installment in “The Fast and the Furious” movie franchise earned a record $532.5 million worldwide in its opening weekend, and it’s safe to say that many of those ticket-buyers left with an uneasy feeling about the susceptibility of their cars.
Charlize Theron plays the cyberterrorist Cipher, who utters the unforgettable line “It’s zombie time” before hacking into the on-board computers of cars in parking garages and showrooms around the city. With nobody at the the wheel, the zombie vehicles take out police cars, pursue the good guys and, in one scene, plunge off the upper floors of a parking garage to go crashing into the street.
Is it possible for someone to take that kind of control? Probably more possible than the scene in which Dwayne “The Rock” Johnson uses his bare hands to redirect a torpedo skidding across a frozen lake in a chase involving cars and a nuclear submarine.
But to take over a fleet of cars simultaneously and exhibit the level of control exerted in “Fate”? Absurd, security experts say.
“We generally say every vehicle can be hacked if a determined hacker sets their mind to it and is willing to take enough time ...,” says Meg Novacek, executive director of business development in North America for Argus Cyber Security. “What is unlikely at this moment is a whole group of vehicles being hacked at the same time.”
To control a larger number of vehicles would require some common piece of technology or software in a group of vehicles. But the ability to target a single car has been proven repeatedly.
Perhaps most famously, in 2015 a pair cybersecurity experts remotely hacked into a 2014 Jeep Cherokee. By going through the vehicle’s entertainment system, they were able to disable some of the SUV’s engine functions and control interior features such as air conditioning, locks and the radio. The demonstration led to Fiat Chrysler Automobiles recalling 1.4 million vehicles.
A year later, Charlie Miller and Mark Valasek were back, demonstrating their ability to accelerate, brake and steer the Cherokee.
In an interview with Wired magazine published last week, Miller reaffirmed there is still reason to worry about security issues — particularly as the drive toward autonomous vehicles picks up momentum.
“Autonomous vehicles are at the apex of all the terrible things that can go wrong,” Miller told Wired. “Cars are already insecure, and you’re adding a bunch of sensors and computers that are controlling them… If a bad guy gets control of that, it’s going to be even worse.”
Jeff Massimilla, chief product cybersecurity officer for General Motors Co., said, “You never want to say anything is impossible.” But he believes the scenario depicted in “The Fate of the Furious” is highly unlikely.
“When you talk about remote control of vehicles, at a more detailed level or a larger scale, obviously that is very, very complicated,” he said.
Andre Weimerskirch, vice president of cyber security for Lear Corporation’s E-Systems, is among those who described the hacking scene in “Fate” as beyond what’s possible — especially in cars that don’t have automated driving features.
“Doing it in such a widespread, controlled manner, it’s absurd,” said Weimerskirch, who previously worked with the University of Michigan’s Transportation Research Institute. “Think about it — there was a Crown Victoria in there.”
Ford ceased production of the Crown Victoria in 2011, meaning the on-board technology is primitive at best.
Several Fiat Chrysler vehicles, including a Jeep, are among those commandeered by the movie’s hackers. The automaker issued a statement this week about the film.
“Just like the previous films in the franchise, ‘The Fate of the Furious’ is entertainment, featuring fictional characters and a fictional storyline,” the statement said. “The scene involving vehicles from all manufacturers is only one of a much bigger storyline about remotely controlling just about anything in the world today with military-grade equipment.”
New pathways into vehicles are being identified. Argus Cyber Security demonstrated last week its ability to shut down the engine of an unspecified vehicle via a dongle (plug-in hardware used in some cases by insurance companies to track speed and location), a smartphone and a Bluetooth connection.
A growing percentage of people say they don’t trust self-driving car technology, according to a J.D. Power study released this week. Falling confidence in all age groups — with the exception of generation Y drivers born from 1977 to 1994 — poses a challenge to automakers and suppliers who want to roll out the capability in coming years, the study authors say.
The research company found that drivers are concerned about the added complexity, as well as privacy issues and the possibility of a car being hacked.
The past few years have seen cybersecurity increasingly emphasized by manufacturers, including new approaches to dealing with hacking.
A year after the initial Jeep hack demonstration, Fiat Chrysler began offering as much as $1,500 in bounties to people who could show vulnerabilities in vehicle software.
“If we get any information from this program that’s valuable for us in protecting the vehicle, then it’s paid for itself in my opinion,” Titus Melnyk, the automaker’s senior manager of security architecture, said in July.