CIA Crash Killing?
11th March 2017
In 2011, researchers at the University of California San Diego and the University of Washington first published a report claiming that automotive electronics could be remotely hacked. Then in August 2014 Miller and Valasek published a damning survery of car electronic security mechanisms. They found that the increasing complexity of wirelessly controllable car entertainment systems creates a possibility of remote exploitation. In a 2015 report by Senator Ed Markey of Massachusetts, it was stated that
- Almost all cars on the market include wireless communication interfaces which could act as an attack vector.
- Security measures against remote access vulnerabilities were inconsistent and haphazard.
- The report concluded that “These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
Aside from remote exploitation, a skilled attacker with physical access to a car may be able to modify the Engine Control Unit (ECU). For example, hobbyists were able to dump and analyse the firmware of a commonly used ECU when investigating the Volkswagen “Diselgate” scandal.
This week Wikileaks revealed (amongst many other things) that a few months after Miller and Valasek’s paper was published, the CIA discussed the exploitation of “vehicle systems” in a branch direction meeting.
Michael Hastings was a controversial journalist known for his reporting on the Iraq War, the US surveillance state and the Obama Administration’s suppression of the press. On the 18th June, 2013, Hastings died in a car crash.
CCTV footage of the crash shows that there was a small explosion inside Hasting’s car, after which the lights in the car went out (16 seconds into the video). This first explosion occurred before the car collided with a tree and exploded several times (17 to 19 seconds). The explosion prior to the collision was also reported by witnesses to the crash. Former US National Coordinator for Security, Richard Clarke, told the Hufington Post that the details of the crash were “consistent with a car cyber attack”.
At the time of the crash, Hastings was working on a profile of CIA Director John Brennan. Hastings had emailed colleagues, warning that they may be interviewed by the FBI in connection with an investigation into him. The FBI investigation into Hastings has been confirmed through a freedom of information request. Furthermore, Wikileaks have claimed that Hastings contacted their lawyer hours before he died.
The Los Angeles police department concluded that there was no sign of foul play in Hastings' death. Friends of Hastings have said that he was a "nervous wreck" on the run up to the crash and so he may not have been driving safely.
It is unclear whether Hastings’ death was a tragic accident or something more sinister. However, this case remains a clear example of both the dangers of allowing governments to horde vulnerabilities in widely used devices and the dangers inherent in the integration of wireless communication equipment into cars.
Even if you believe that you have nothing to hide from your own government, please consider the possibility of other governments finding and exploiting these vulnerabilities to assassinate dissidents in their own territories. The same argument stands for the CIA's cache of vulnerabilities in desktop and mobile operating systems. Government agencies which find flaws in computer systems should engage responsibly with the developers to ensure that the problem gets fixed so as to keep us all safe.
The growing Internet of Things only makes this problem more concerning. Let us all hope that no dissidents find themselves a victim of an exploding smart meter.