by osconfused 3980 days ago
I appreciate your call to the cops and your reasoning. I also have driven a significant number of miles for work and have seen a number of people killed in traffic accidents. This "test" was extremely irresponsible. I know I will be downvoted for saying this, but I think you made the correct decision.

Agreed. I missed the video the first time and didn't believe the text that described the shutdown; the video shows the stupidity here, let alone release a recording of it. I expect that will come down soon.

Important research but very poorly tested. Wired and Chrysler (research was funded by Chrysler?) legal teams would not like the contents of this video.

edit: Wired's link to video, jump to 2:00: http://dp8hsntg6do36.cloudfront.net/55ad80d461646d4db7000005...

Reporter: "Seriously, this is fucking dangerous. I need to move."

And that was while the security researchers caused the radio to blare so loud that he couldn't hear them on the other end of the phone. The more I see, the more I think they were really negligent in how they planned this out, and I was already firmly in that camp.

So watching the video, I don't see a vehicle stalled on the highway.

What I see is a vehicle slowed considerably, but at least nominally over the legal minimum speed of 40 MPH on highways, and without the driver being able to accelerate on his own. He's travelling in the rightmost lane, explicitly with his hazard lights on. This is not an unusual occurrence on highways. He's then told that to regain control he needs to stop and restart the car, which he does while remaining in motion.

I was surprised, since this is quite different from the way it's being talked about here, as if he was stopped in the middle of the freeway. See GGP comment about "a car stopped in the middle of a multi-lane interstate."

That's not what happened here.

Here's my attempt at a partial transcript starting from shortly after they disable the accelerator:

  Driver: "It says 43 miles an hour, but it's not really that fast."
  [voiceover omitted]
  Driver: "Guys, I'm stuck on the highway."
  Researcher A: "I think he's panicking."
  Researcher A: "He's not going to be able to hear us with that radio.  So loud."
  Driver: "Guys, I need the accelerator to work again."
  Researcher A: "The accelerator..."
  Researcher B: "It won't work!  You're doomed!"
  Driver:  "Seriously [beep] dangerous, I need to move."
  Researcher A: "You gotta turn the car off!"

Many cars can be seen passing them on the left in the video during the test.

Right, but the video never shows the car stalled on the highway. It's moving in every highway shot. It's in the righthand lane, not in the center. The driver is somewhat panicked. We can see how fast he's moving relative to the background.

This discussion has been distorted and sensationalized, and it has not been based on observable recorded facts.

A car stalling does not necessarily indicate it is stopped. Stalled can indicate the vehicle is stopped, or it can also indicate the motor has stopped. Airplanes stall, and obviously they are not entirely stopped, it's just an indication that the motor has stopped. It's unclear as to whether the motor actually stopped, but it's not without precedent to use "stall" to indicate no power available for propulsion.

I don't think this discussion has been distorted. It's based on the information they provided. They put a vehicle on a public highway traveling at the faster end of what's legal in the US on public roads, and then removed a large portion of the driver's ability to control the vehicle. It's unclear whether this affected the steering or brakes, which in a modern vehicle would both be power assisted, generally through the vacuum system of the vehicle. The vacuum is provided by the engine, so if the engine was actually off (which is unknown, but I think it's more likely they just forced the car into neutral), then they removed a large portion of his ability to control the car.

The bottom line is that they put a driver in a situation not only unsafe to himself (which they could have gotten consent to), but unsafe for the other drivers on the road. They did not have consent from the other people on the road to do this (indeed, it's not possible they could have), and if what they purport to happen in the article and video did happen, then they endangered those people. I've seen accidents from stopped cars being hit by others. If the highway is busy enough, the initial accident isn't even necessarily the largest damage, but it moves vehicles into even more obstructing positions and causes follow-on accidents.

https://www.google.com/search?q=stalled+car+accident&tbm=isc...

I can agree that the car is not shown at a full stall in the video, however it is the case that the driver reports that they are unable to control the vehicle during the test. I cannot agree that this would matter regarding the idea that this is "[beep] dangerous" as was stated by the driver, because that is supported by the driver's own statements as well as observable facts.

They've risked people's lives to produce real life looking footage documenting a life threatening event.

Without such event present in the footage, car manufacturers can just say "Meh - no big deal". And continue recklessly risking lives by manufacturing unsafe cars without air gap between CAN bus and Internet.

Remember, it's the car manufacturers that are the bad guys here, not the white hats... And just think how hard was this decision. It's a choice between risking lives and having footage that doesn't catch attention and thus allows car manufacturers to continue making unsafe cars with horrible security vulnerabilities. Amazing.

So demo it at a race track. The essential point here is that the uninvolved public were placed at real risk of maiming or death.

Your argument is ludicrous, because you're attempting to cast the actors as either good or bad. IMHO they are guys with a good idea and motivation who did a bad thing.

We are a very visual culture, unfortunately. Unless there's a video of your average Joe driving on a regular highway and a regular car going wild, everyone would just dismiss the problem as limited to "race track" and would not connect the vulnerability to his/her own car.

edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".

>We are a very visual culture, unfortunately. Unless there's a video of your average Joe driving on a regular highway and a regular car going wild, everyone would just dismiss the problem as limited to "race track" and would not connect the vulnerability to his/her own car.

If optics is your justification for this, then perhaps having these two irresponsible researchers arrested would bring even more attention to this.

>edit: as per the article "researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.".

Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.

> "researchers arrested would bring even more attention to this."

Yep.

> Where do you see that in the article? Only thing I read was manufacturers downplaying a wired-in attack they demoed.

No "air gap" between "CAN bus and Internet" equals vulnerable.

We know that. Auto manufacturers know that.

Yet they dismiss the possibility of a hack and continue producing unsafe vehicles. And the trend is toward more vulnerabilities.

I was too lazy to search a direct quote, but here it is now: "Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws.".

That is very much NOT a quote from this article; if you are quoting another article by mistake, please link it, as this article does not even use the word "presented".

In this article it mentions how Chrysler is working with them and has developed a patch, indicating that they did not dismiss previously done tests. So basically saying the opposite of what I take your point to be.

You don't get to say that it's fine to put me and my family in danger because hey, in the end it'll make someone somewhere pay attention.

Yeah, you and your family. Well, you are lucky. These researchers and this reporter had already risked their reputations, lives and their livelihoods. So you, now, don't have to. And maybe you'll be even able to benefit from all their hard work, because there would be fewer vulnerable cars around. Although you would probably never know that.

No. They absolutely did not have to produce a life threatening event. They could have done it 5MPH and car manufacturers would still take notice because it would still spread like wildfire on the Internet. What they did was supremely irresponsible and the cops should have been called.

They already did do it at slower speeds in parking lots. Manufacturers didn't care. They probably still won't care, which means that it's a matter of time before someone even less morally-bound decides to wreak havoc on traffic.

> Without such event present in the footage, car manufacturers can just say "Meh - no big deal". And continue recklessly risking lives by manufacturing unsafe cars without air gap between CAN bus and Internet.

Oh really, can you point to the responsible tests that were done in the past that proved inconsequential necessitating this reckless alternative? Or are you just inventing that the car manufacturers would ignore this and somehow the story would just go away?

Haha, in fact, from the article, Chrysler already fixed one of the issues.

That's borderline like saying using crash test dummies is useless because it's not realistic enough for car manufacturers to take it seriously.

The actions - according to the article - of auto manufacturers in response to prior more-controlled tests is exactly equivalent to that. The manufacturers basically said "hey, thanks for showing us this crash-test footage that shows our vehicles are literal fucking coffins on wheels; we don't really care", leaving the researchers with no results after taking more "sane" measures.

Researchers perform controlled experiments. Controlled experiments are ignored. Researchers opt for more damning (though less controlled) experiments to further prove their point, and now they're suddenly the bad guys here.

> Researchers opt for more damning (though less controlled) experiments to further prove their point, and now they're suddenly the bad guys here.

Much of the commentary here focuses on the recklessness of the highway test and doesn't weigh in too heavily on who the bad guys are.

I think people mostly find the idea of remotely exploitable and controllable cars so terrible that there isn't anything to discuss about that aspect of it, it's nearly universally considered unacceptable (hence the epic thread about the side issue).

Maybe try reading the comments without imputing a side that the writer is taking.

What they should have done was involve the police from step #1. If the video had been conducted on a closed section of roadway with ambulances standing by, police escorts, and lots of badges and sirens, it would have been even harder for the automakers to blow off.

It wouldn't have been difficult to do this right. Cops love drama and publicity. It wouldn't have taken much convincing to get them on board, and the video would have gained a lot of credibility.

I agree completely; there were a lot of formalities that were neglected - and had they not been neglected, there would be less backlash against the researchers.

However, this doesn't change the fact that vulnerabilities were demonstrated, nor does it change the implication that auto manufacturers are excessively sluggish about security patches on things that can and do kill people on a regular basis. Even an imperfectly-conducted demonstration like this particular case is preferable to such a demonstration not occurring at all.

"I have to act bad because of the nature of my enemies." <-- says everyone

> And just think how hard was this decision

Given that they did the easy thing, it wasn't very hard at all.

Blocking the visibility through the windscreen, then shutting off the transmission of a car, that is driving on an interstate overpass in traffic, is not white hat by any stretch of the imagination.

Perhaps not, but it's necessary to get the attention of auto makers so that they stop building such trivially-compromisable systems. This was a couple of security researchers on one car for a proof-of-concept; better to demonstrate these flaws early and with a more limited sample than to watch the pileup of epic proportions that would happen should someone even less scrupulous acquire such control over vehicles on the road.

I don't exactly condone the ethics (or lack thereof) of the researchers, either, but if that's the only way to get proper attention (after previous, more polite and reasoned attempts were simply dismissed by manufacturers), then so be it.

Had that Jeep run into you or you ran into it as a result of this experiment, you may have found that you have a profoundly different threshold for what is, "necessary to get the attention of auto makers".

Just because automakers are seemingly keen on ignoring security vulnerabilities does not justify putting people's lives at risk. And let's face it – a multi-ton vehicle that is not entirely in its driver's control puts lives at risk in just about any situation. The reason you and others argue that the demo's methodology is effective is precisely because of the risks involved; not in spite of them.

It is the responsibility of researchers to demonstrate risks without exercising the extent of those risks. Imagine if virologists regularly demonstrated communicability risk by injecting humans with disease outside of the lab.

> Just because automakers are seemingly keen on ignoring security vulnerabilities does not justify putting people's lives at risk.

So condemn the auto manufacturers for putting hundreds of thousands - if not millions - of lives at risk instead of yammering about a couple of nerds who put at most 2 vehicles in probably-nonfatal danger in a worst-case scenario.

Why can't we condemn both?

And as busy as that highway was in the video, it was far more than just 2 vehicles, especially if one of those vehicles was the 18 wheeler.

At the very least they could have done this on a less busy stretch of highway that had a wide shoulder and with control vehicles in front and behind with paramedics at the ready (just like a movie production that is shooting on public streets). Instead the researchers and the journalist chose to be reckless.

> it's necessary to get the attention of auto makers

That's mere conjecture. And it's an assertion you could easily test by first doing the remote hack in a controlled environment (e.g. a racetrack) and seeing if automakers respond before trying this on an actual freeway!

If you read the article, you'd know full well that the researchers already did test these exploits in controlled environments and presented these tests to auto manufacturers. Said tests were dismissed by said manufacturers.

I've read the article. Where does it mention controlled environments? The only mention of exploits being dismissed by manufacturers was in regard to a wired exploit, not a remote one.

Did you miss the link in the article to the webpage where you can already download a fix? It's not the manufacturers they were trying to convince.

If you want to get their attention, you demonstrate it on a test track, for a court, as part of a lawsuit against them, for introducing such dangerous features into their vehicles.