Global hit Fate and the Furious gave us a sneak peak of the future many of us fear: a hacker taking control of thousands of cars simultaneously. But is that even remotely realistic?
Let’s set the scene: the flick’s villain, Cipher (Charlize Theron), takes control of a fleet of vehicles in what can only described as a scene straight out of Brad Pitt’s World War Z if you replace the zombies with an assortment of different cars. Zombie cars, if you will.
Cipher: “I want every chip with a zero day exploit in a two mile radius around that motorcade now.”
Hacker minion: “There’s over a thousand of them.”
Cipher: “Hack ’em all, it’s zombie time.”
It’s the type of glorious vehicular action we’ve come to expect from the Fast franchise, albeit, in a relatively unrealistic way.
Regardless, it highlights the growing fears we face as a society as self-driving cars and automated vehicles become the norm. These are the fears director F. Gary Gray (Straight Outta Compton, The Italian Job) and longtime Fast writer Chris Morgan tapped into while doing research for the film. “You have hacking, you have driver-less cars, you have all this stuff that’s happening in the news every day,” Morgan told Vanity Fair.
No one is going to be hacking thousands of cars in New York City any time soon, but Gray and Morgan have a basis for this idea. In 2015, just as the autonomous car craze was beginning, Chrysler recalled 1.4 million vehicles after two security researchers proved that they could remotely hack a Jeep driven by Wired journalist Andy Greenberg using exactly what Cipher said – a zero day exploit.
The two brains behind the film would be the first two tell you that this isn’t a realistic example of the security problem we are faced with today. Adam Boulton, CTO of BlackBerry Technology Solutions and Head of BlackBerry Product Security, explained exactly why it couldn’t be.
“In order to get command and control of a thousand vehicles at that level stretches the realism of the capabilities. You would effectively be building a vehicle-based botnet, which requires a pre-prepared compromise, such as infecting the vehicles with malware first,” said Boulton in a blog post about this very topic.
— Fast & Furious (@FastFurious) April 6, 2017
Stefan Savage, a University of California-San Diego professor of computer science and engineering, told The Ringer, essentially the same thing. A hack like this wouldn’t be as simple as hitting a few keystrokes that would give you command of every vehicle in the vicinity. However, when Savage indulged The Ringer on the topic, he admitted that while the scene is “wildly outside of anything that anyone has ever done” you might be able to create a “skeleton version of the scenario”.
And Savage knows his stuff. In 2009, he and his team of fellow researchers showed General Motors that “they could remotely take control of any of General Motors 2009 models, disable their brakes, and make their engines rev”. Similar to how Cipher does it in the movie, Savage and his team were able to use a single computer to take control of multiple vehicles using an exploit in General Motors’ OnStar dashboard operating system.
“There’s some truth to the notion that you can remotely gain access to normal non-Tesla vehicles, but it’s not a trivial undertaking. And then on top of that, getting the car to do something you want is even less trivial. Every time it’s specific to the make and model you’re going after. It’s like picking the world’s most complicated lock,” Savage told The Ringer.
While the actual act of hacking into a car may be possible, it wouldn’t be that simple, and it most likely couldn’t be done on the fly. Similar to Boulton’s comments, Savage points at all the legwork that is necessary for an attack like that.
“It’s the kind of thing where if you decided: Alright, this has become a national priority, Manhatten Project-style, we’re going to have the NSA put huge amounts of money and resources into reverse-engineering all of these different cars. And we’re going to somehow need to figure out what their network address, or cellphone, or IP address is. If you have huge resources, I can imagine you doing parts of the scenario,” Savage said.
And with no supervillains around to drop that kind of money on a project like this, we can effectively cross ‘zombie cars’ off the list of autonomous vehicle fears.
If anything, this insanely fun action sequence proves two things: vehicle security isn’t just a fear in our industry, but a mainstream one, and even if this isn’t possible on such a grand scale, it is indeed something that could happen on a smaller scale.
Sounds like there is no better time than the present to be an autonomous vehicle security vendor.