Thursday, October 22, 2015

Car hacking is as fake as the moonlanding

How can the flag stay up? There's
no wind on the moon!! #fake
David Pogue at the Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars are proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.

The misunderstanding here is that Pogue believes the hack was a one time thing, that now that Jeep fixed the problem, no more hacks will be possible in the future.

The reality is that this hack proves that a whole new class of bugs exist. You don't patch your iPhone or Windows laptop once. Instead, you've been updating your iPhone and Windows computer once a month for over a decade because new hacks keep getting discovered. The relevance of the "car hacking" research is that cars are enormously complex computers full of flaws. It's a message that nobody will pay attention to until the first set of flaws are published. Now that those flaws have been exposed, it'd be insane to continue to ignore this message and pretend future flaws won't be found. Pogue is that insane.

The consequence is manifold. It means that car makers need to find an easier way to regularly update their software rather than the traditional "recall" process of taking the car to dealer and leaving it there for a few days. It means car makers need to change how they develop software, getting rid of the obvious bugs they have now (such as putting Jeeps on the Internet so that anybody can scan and find them).

This is the battle of cybersec. The issues are clear and obvious to us, yet we are unable to overcome the obstinate ignorance as demonstrated in Pogue's post.

Disclaimer of reasonableness: It's impolite to accuse an otherwise reasonable person as being one of those "fake moon landing" nuts. Indeed, he makes a cogent point that many will misinterpret things and be too fearful of car hacking. Automobile related deaths are unlikely to have a statistical increase due to car hacking. He's not crazy. However, Pogue is profoundly ignorant of the issue, his strong assertions are not born out by the facts, and this is indeed a danger that needs to be addressed. I don't know how to communicate the profoundness of his error without comparing it something like the moon landing.

Update: Many have argued Chris Valasek and Charlie Miller went too far, demonstrating their hack on a live freeway. They claim it would've been just as believable on a racetrack instead. Pogue article proves this wrong. It means Pogue would've added to his article "It wasn't in real traffic conditions, but only on a racetrack". We experts see no essential difference, but the ignorant like Pogue do. Obviously, Valasek and Miller didn't go far enough.

No comments: