It took eight installments of the Fast & Furious franchise – and almost $4 billion of box office – to get around to it, but ‘The Fate of the Furious’ finally addresses a hot topic on moviegoers’ and, frankly, the general public’s mind: is the next generation of connected cars safe?
The villain, a hacker called Cipher played by Charlize Theron, commandeers a fleet of unrelated vehicles in one scene, ostensibly using their autonomous driving software as a breachable point of entry.
Given that The Fast & the Furious franchise is based on killer cars, outstanding stunt driving, amazing pyrotechnics and bleeding-edge computer graphics, it only makes sense that the hacking of semi-autonomous cars should become a major plot point in this latest sequel.
But how feasible is the hacking? Can cars really be turned into driverless missiles to attack other cars and people? And if so, can the right security solutions help prevent this?
I spoke with Adam Boulton, CTO BlackBerry Technology Solutions (BTS, a division of BlackBerry) and Head of BlackBerry Product Security, to get his thoughts on Hollywood versus reality. I also got some thoughts from Chris Taylor, a senior product manager at BlackBerry QNX, the makers of the mission-critical operating system for connected and autonomous cars – listen to the audio snippet below.
Warning: some spoilers ahead. And for the record, we are not trying to debunk ‘movie magic.’ The premise is that, sometimes, fictionalized technology allows us to gauge where real-world technology is right now. Let’s jump in…
Jason: There’s a scene in the movie, a set piece, that is also in the trailer, where the villain, Cipher, asks her fellow hacker: “How many cars in a 2-mile radius can we control?” And he answers “A thousand.” And then, with a couple of keystrokes, they take control. What’s the tech behind that? Is that likely, or even possible?
Adam: No. In order to get command and control of a thousand vehicles at that level stretches the realism of the capabilities. You would effectively be building a vehicle-based botnet, which requires a pre-prepared compromise, such as infecting the vehicles with malware first.
That omniscient software system they had, GodsEye … that could probably be a movie sequel in itself to show how that might work.
I mean, they not only got control of all those cars, but they used that system to control a nuclear submarine.
Jason: In the movie (and trailer) when Cipher gains control of those driverless cars, she says ‘Let’s make it rain’ and then remotely directs cars parked in high-rise parking garages to drive off the edge and plunge onto cars below. What about that scenario?
Adam: There will be a time when, say, I’m in my office and I want my car to come to my work to pick me up. But that’ll clearly require authentication. So getting around all of those levels of security is being glossed over in the film, of course.
In the future, that’s clearly where things are going to be. Authentication is going to go way past passwords, you know. It’ll involve PKI (Public Key Infrastructure) technology to be able to make that happen.
Jason: So can car makers install low-level code that ensures that cars cannot become weaponized from afar?
Adam: Absolutely. That’s a fictionalization of some people’s fears, but it’s what our QNX secure platform and our Certicom managed PKI technology and tools can guard against. Our multi-level security platform featuring our Operating System (OS) with a policy-driven security model, along with a whole host of internal tools and best practices which incorporates BlackBerry’s best-in-class security technologies, all help establish a car security platform that would make Cipher’s gang focus on other non-BlackBerry-secured cars, just as it happened in the handset market.
(Listen to an excerpt of my interview with BlackBerry QNX expert Chris Taylor for more on car hacking, including the movie’s use of zero-day vulnerabilities.)
Adam: That’s an old movie trick, right? You have to go back to that premise where she could seize just about anything using their GodsEye software. Typically, the ability for that kind of takeover is limited to one of the three-lettered governmental or law-enforcement agencies. However, there are several cases where hacks like this have been achieved by security researchers, so it is becoming an increasing concern.
Jason: Another broader security question for you. There’s a moment in the movie where the Fate of the Furious gang, to break in somewhere, require two people to authenticate to verify their identities. That sounds a bit like BlackBerry’s Hardware Root of Trust, in which two trusted parties digitally sign chips running on our software platform in the factory to ensure their authenticity.
Adam: That’s right. A lot of the tech in the film exists today, just in different forms or in different stages of development.
Being able to have that root of trust and signing something with a private key — it’s something only you have access to, your private key — that’s now. You could generate a public key and sign a certificate with that. And the only way to that you can authenticate is to sign it with your original private key. Very, very doable.
You’re layering different technologies of authentication so you can create a two-person security scheme. It’s seen in very well-secured governmental — and even private enterprise — applications.
Jason: Thanks, Adam. Let’s talk again after the next Fast & Furious flick.
If you’re interested in learning more about how BlackBerry QNX’s platform helps carmakers and auto suppliers make their cars BlackBerry Secure, read these pieces by BTS Senior VP, Kaivan Karimi, and BlackBerry COO Marty Beard.