Car hacking is the future – and sooner or later you'll be hit

“Car companies are finally realising that what they sell is just a big computer you sit in,” says Kevin Tighe, a senior systems engineer at the security testing firm Bugcrowd. It’s meant to be a reassuring statement: proof that the world’s major vehicle manufacturers are finally coming to terms with their responsibilities to customers, and taking the security of vehicles seriously. But given where Tighe and I are talking, it’s hard not to be slightly uneasy about the idea that it’s normal to sit inside a massive computer and trust it with your life. We’re meeting at Defcon, the world’s largest hacking conference, just outside the “car-hacking village”, a recent addition to the convention’s lineup, where enthusiasts meet to trade tips on how to mess about with those same computers for fun and profit. The village, one of a number of breakout areas (others include biohacking, lock picking and “social engineering” – the art and science of talking people into doing stuff they shouldn’t), was instituted last year. Also in 2015, two researchers, from the security consultancy IOActive and Twitter, turned car hacking from a vaguely theoretical pursuit into one with terrifying consequences. At that year’s Defcon, Twitter’s Charlie Miller and IOActive’s Chris Valasek demonstrated they were able to wirelessly take over a Jeep. They used a laptop connected to the internet miles from the vehicle to seize control of it, cutting the brakes and transmission at the flick of a switch. It sparked a worldwide recall for the affected cars – which included much of Fiat Chrysler’s range. It also exposed serious problems with how the car companies planned to handle such software flaws. Even though the hack could be executed remotely, it could only be fixed with physical access to the car, forcing Fiat Chrysler to post USB keys to affected owners, or ask them to bring their cars in for maintenance. Posting USB keys brought its own problems: plugging an untrusted USB key into anything, whether car or computer, carries serious risks. It’s also hard for anyone to easily verify that a drive received in the post is malware-free.