tv The Communicators CSPAN October 19, 2015 8:00am-8:33am EDT
8:00 am
8:01 am
>> c-span, brought to you as a public service by your local cable or satellite provider. >> host: well, cars are increasingly being called computers on wheels and increasingly being connected to the internet of things. joining us to talk about some of the issues surrounding that is andy greenberg of "wired." mr. greenberg, what happened to you in st. louis? >> guest: well, i, for a couple of years now, three years, in fact, i've been talking to these two hackers, charlie miller and chris, who are two very brilliant hackers who have found vulnerabilities in all kinds of things, you know, from an iphone to mac books to the last couple of years they've been focused on cars and attacking the network inside of a vehicle through the internet. so they invited me to come down to st. louis where charlie
8:02 am
lives, and he put me in a jeep, told me to drive onto the highway. i knew they were going to launch some sort of attack from charlie's living room 10 miles away. i didn't know what they were going to do, so i was on the highway. the radio starts blasting kanye west without me touching it, i can't turn it down, i can't turn it off. the windshield wipers start going of their own accord and spraying windshield wiper fluid kind of obscuring my vision on the highway. a picture of the two guys in track suits appears on the dashboard. and all that was kind of cute, you know, i thought that was a good demonstration of what they could do. and then they cut the transmission to the vehicle altogether which i really was not expecting. and i found myself unable to accelerate on a highway as cars were, you know, lining up behind me, whizzing by.
8:03 am
an 18-wheeler was in my rearview mirror honking at me, and i, you know, came close to panicking. i think i held it together just barely, but i was yelling into my iphone speakerphone to these two hackers, just begging them to make the car work again. finally, they told me that i just had to restart it and reengage the engine. in fact, even that didn't work. i was basically paralyzed on the highway. finally, i rolled the vehicle off an offramp and did get the transmission reengaged. but they had proven their point that this is a terrifying experience, to have someone take control of this two-ton computer on wheels that we think is supposed to obey our commands. >> host: how did they do it? >> guest: well, it's a big piece of research with lots of steps,
8:04 am
but the basic vulnerability was in this computer, the so-called head unit in the dashboard of the vehicle known as a u-connect. it has, this computer has an entertainment system, even a wi-fi hot spot. unfortunately, it also has this one service that was basically left unprotected. so they could call into it, essentially, through its cellular connections over the sprint network from a kind of burner phone, a sprint phone that they had attached to their computers, you know, basically attack it remotely over the internet, exploit that vulnerability. from there launch basically a second step of the attack that rewrote the firmware of another chip adjacent to the head unit but this time on the network that controls all the physical components of the vehicle, everything from steering to brakes, transmission, windshield
8:05 am
wipers, everything. from there we're now able to send commands to all of those really critical physical components. they had spent months reverse engineering the sort of protocol, the language that those components speak. and so they were able to trigger all of these automated functions. so, you know, they could at low speeds, for instance, set off a diagnostic test that can disable the brakes. that's supposed to happen inside a mechanic's shop. they did it to me while i was driving around a parking lot, and it caused me to crash into a ditch. they could also pretty much do everything that, you know, the vehicle could do automatically. they were able to trigger the self-parking system to turn the steering wheel. they were able to unlock the doors which could be used for theft, and, of course, they could also disable the transmission as they did to me on the highway which was easily the
8:06 am
scariest thing they demonstrated for me. >> host: how long had they been working on this? >> guest: they started in 2012, and they got a grant from the defense advanced research projects agency, this wing of the pentagon that works on these forward-looking things. they got a small grant to buy a couple of vehicles. in 2013 they had me come to indiana where they demonstrated the first step of their car hack. they put me inside of a ford prius and a ford escape, and they showed they could, with their laptops plugged into the dashboard, do a lot of these same things. it didn't really count to a lot of the security community, the automotive industry blew the thing off in some ways because they said you've just connected your laptop to the car like a mechanic might do. nonetheless, they had reverse engineered all these things. they could slam on the brakes of the prius at high speed, they
8:07 am
could disable the brakes of this ford suv. it was still a scary thing to be behind the wheel of those vehicles. but it took them two more years to advance that to a full wireless, over the internet attack that is, you know, a whole order of magnitude scarier, the idea that somebody across the country or potentially across the world in a different nation even could attack a vehicle over the internet and even cause it to spread virally, spread an attack virally. charlie and chris could have used their attack to spread from chrysler vehicle to other chrysler vehicles, attacking this u-connect system and, you know, taking over millions of cars. at least disabling them, but potentially hijacking them to do their bidding, more or less. >> host: so they did not even have to be in a wi-fi network, correct? >> guest: it's not a wi-fi attack, this is a cellular
8:08 am
attack. over a, i believe, 3g connection. so the proximity wasn't a matter of feet, it was a matter of miles or hundreds of miles. they, in fact, could have done this across the country, and they did at some points. between the two of them, charlie lives in st. louis, chris lives in pittsburgh, and chris was able to turn on the windshield wipers of charlie's jeep, you know, from pittsburgh to st. louis. so this is definitely a true remote, across-the-country attack. the only limitation is sprint's network. if sprint's network extended to europe or china for that matter, it would have been possible to have done the attack from there. >> host: why is it sprint's network that is showing this vulnerability? >> guest: the vulnerability isn't really in sprint's network, it's in this u-connect computer. and it's been patched. chrysler has had a full recall and fixed the vulnerability or
8:09 am
at least sent out a usb to 1.4 million drivers that they're supposed to update their software to fix this. but regardless, this isn't sprint's problem. this is a chrysler problem and specifically a problem with that u-connect computer. so if you have a, you know, 2014 chrysler vehicle and it has this u-connect machine in the dashboard, you probably got one of these usbs, and you should not just put it in a drawer. you need to plug it in and update your software to be protected from this serious, potential attack. >> host: andy greenberg, did chris and charlie use any special equipment, any special computers or just off the rack? >> guest: so the hardware was really simple stuff. they spent years working on the software. all they really used was, you know, i think -- it seemed like chris used a windows machine and charlie used a mac book, and they attached these cheap android, sprint-enabled phones,
8:10 am
but that stuff is available to anyone. i mean, i should be clear. this is not like something anybody could do. chris and charlie are brilliant hackers. charlie, for instance, spent years working for the nsa. so, you know, this is not something that a member of anonymous or, you know, at least not the unskilled ones, these teenagers in a basement somewhere, are going to be able to replicate. nonetheless, it's also worth noting it wasn't even something they were doing full time. chris works for a security consultancy working on automotive security, but charlie works for twitter or worked for twitter at the time, and this was almost like a hobby for the two of them. and yet in three years, they were able to develop this full remote exploit, the hacking technique to take over the jeep that i was driving. >> host: is the hacking vulnerability limited to u-connect and, thus, chrysler vehicles? >> guest: in this case, yes. but there's really -- this is not a story, i don't think,
8:11 am
about a jeep or about chrysler even. this is a story about the whole automotive industry. you know, they all have a lot of catching up to do. back in 2010 a group of academic researchers from university of california at san diego and the university of washington performed their own remote takeover of a vehicle, and they didn't say which vehicle they were attacking. it only was revealed years later that it was a 2009 chevy impala sold by general motors. and they told general motors about this, about the whole, you know, the whole collection of bugs that they had found in their vehicle and how they'd taken over this impala over the internet to, you know, disable brakes at any speed. they could enable, for instance, like one brake in the front left wheel to make the car spin out of control or turn it, you know? this is a really dangerous attack. and it took gm almost five years
8:12 am
to fully fix that vulnerability. in millions of vehicles. so this is certainly not limited to chrysler. in fact, chrysler was relatively responsive compared to gm who left millions of their vehicles more or less exposed to this. there's no reason to think just chrysler, just gm are vulnerable. as more and more vehicles are connected to the internet, there's only going to be more of these vulnerabilities that turn up. every one of these internet-connected features is a potential bug that can be used to take over, you know, a vehicle on the highway. so it's a new era, and it's certainly something that the whole automotive industry needs to become aware of and start taking seriously. >> host: could chris and charlie see you in realtime on the road? could they see where you are going? could they have steered your car properly?
8:13 am
>> guest: they couldn't control steering very well. they had only developed the ability to turn the wheel at low speeds, actually only in reverse even. so the transmission thing was probably the scariest thing they could do at high speeds. they could, of course, actually track the gps of the vehicle, and they'd written a program to show my location. and that is scary in a different way because there is no telling who might have, you know, especially among intelligence agencies, state-sponsored hackers have developed these kinds of hacks and used them in that stealthy manner for surveillance rather than sabotage, you know? so, you know, sometimes the automotive industry says there's no evidence that these attacks have ever been used on, you know, in the wild on real victims. that's mostly true, but we also don't know if they've been developed by government hackers and used for that kind of silent tracking. >> host: how connected are
8:14 am
our cars today? >> guest: well, it really depends. pretty much every automaker has an internet-connected system in partnership with some telecom carrier. so, you know, in fact, gm was the first, but there's so many of these other systems like ford sync and, of course, chrysler u-connect. and it really just depends on which vehicle you had, whether you bought cellular upgrade. pretty much every make of car has an internet-connected potential. and that's only going to become more and more standard over the years. and i think that's, you know, there will be a time in the near future when every vehicle has an internet connection. and hopefully by then, that internet connection will be isolated from the physical
8:15 am
components of the vehicle. there's no reason the brakes should have any connection with the infotainment system. >> host: andy greenberg, when your article came out in july, what was the response? >> guest: the very first thing that happened, and this was a surprise to me, a pair of congressmen released a piece of legislation tied to the story to basically regulate automotive cybersecurity. and they swore that this wasn't tied to the story, but it came out a matter of hours later. and it seemed to me like it was probably an attempt to, you know, to piggyback on the public awareness of this problem. and their legislation is calling for a kind of rating system that would be publicly visible on any new car when it's sold for its cybersecurity. you know, how connected to the internet is it, how isolated are its systems, how many sort of cyber physical systems does it
8:16 am
have, automated features that could be hijacked by a hacker. so that bill is still, you know, still kind of floating around in congress. but then within days, chrysler announced this 1.4 million vehicle recall which actually is just, you know, means that they had to send out 1.4 million usb drives to all of their customers and publicize that you needed to update your vehicle. and it turned out within 24 hours chrysler kind of made clear that it was the national highway traffic safety administration that had put pressure on them to do that. and i think that that is, you know, the most important reaction to this, is -- because it sends a message to detroit and automakers around the world that there is accountability here, that, you know, you will face an actual regulatory,
8:17 am
regulatorily-demanded recall if you leave these vulnerabilities in your cars. what gm did, leaving this hackable bug in their onstar vehicles for five years, that's not going to fly anymore. you know, i think that this is a big wake-up call in the sense that this is going to be -- if your vehicles can be hacked, you're going to face consequences and scandal and regulatory pressure. >> host: what's been the response from the carmakers? >> guest: well, they don't talk to me very much. [laughter] i think that they're -- i hear that they are taking this very seriously, that, in fact, they've secretly been taking it seriously for a few years. but they are incredibly shy about talking about the problem. i think they haven't even reached the stage yet where they believe that they can get more sort of positive press by talking about the good things they're doing than the negative press they get by just talking about the fact that cars can be hacked in general. they seem to just believe in
8:18 am
shutting up and hoping that the problem goes away, which it won't. so that's not to say that they're not doing really important things behind the scenes. i hear that pretty much every automaker is, for instance, developing the ability to send over-the-air software updates to all their vehicles so next time there is some sort of vulnerability, security vulnerability demonstrated in a vehicle like this jeep, they won't have to send out usb drives which is not the right way to patch software, by the way. if you send usb drives in the mail and tell them to plug them into their cars or computers, then you're basically training them to fall for a trick in the future where hackers mail out usb drives and use it to infect machines. so that's really, you know, kind of frowned upon in the security industry as a method of patching. the better way to do it are these over-the-air software updates. that's something that a few
8:19 am
automakers already know how to do. bmw does it, tesla does it. this would be using the same internet connection, the cellular service that could make the cars vulnerable to also push out those automatic software updates so that instead of having to download it manually and put it on a usb or get one in the mail, you just click o.k., and it sort of automatically updates itself over the air. >> host: andy greenberg, were these bugs or vulnerabilities in the systems because of money? was it cost that prevented them from being installed in the first place? >> guest: well, all software has bugs, all software can be hacked. i would never, you know, accuse a software engineer of being lazy or a company being cheap just because their software had bugs because every, you know, apple and google and microsoft, you know, the best tech companies in the world still have almost it seems like an endless supply of bugs in their
8:20 am
software. what's important is where the resources really need to be spent is in testing for those bugs, hiring penetration testers, then having a team of people who respond quickly to patch the software, having a system where you can patch it, you know, in a responsive way, not waiting for regulators to tell you about it and/or waiting years for it to come to light. you know, google, for instance, gives companies -- google has its own team of security researchers who find lots of bugs in other companies' software. and when they do, they give those companies three months max to fix the problem before they go public with it. so the five years that gm spent is really not acceptable, and the automakers need to catch up with this silicon valley standard of bug fixing which is really a matter of weeks or even
8:21 am
days. >> host: now, you referenced senator ed markey, a democrat of massachusetts, a little bit earlier. he is calling for federal standards, is it, with regard to security in cars? >> guest: he's calling for at least a kind of federal rating system. a sort of increase in the transparency so that consumers could see the cybersecurity rating of a vehicle and make their own choices based on that. i think that's probably going to be a very difficult thing to do. legislating cybersecurity is always difficult. i really applaud the fact that he's thinking about this. it does seem like it might be possible for washington to have some effect in pressuring the companies to get serious about cybersecurity. however, the closer you get to telling them exactly what to do, the more likely it is that it's going to be wrong. because the, this is a dynamic game. it's not like you can just make a law that says everyone should
8:22 am
have a safety belt in their vehicle because, you know, when -- a safety belt is designed to deal with a sort of static problem which is that cars crash into each other and, you know, people need to stay where they're sitting, you know? that's not a problem that has its own adversarial brain, you know? that problem doesn't adapt and require you to adapt, again, whereas a cybersecurity problem, you know, you fix one of these bugs, and the hacker responds. they find a new bug to circumvent your patch. that's a real adversary. it's a dynamic problem. so it's to treat the traditional safety of vehicle which can be pretty well legislated the same way you treat the cybersecurity vehicles which probably can't be that easily legislated. that would be a mistake. this needs to be thought about
8:23 am
in, as a continuing cat and mouse game. that's a game that, you know, traditional tech companies like apple and microsoft, google have been playing for years. it's just one that the automotive industry needs to realize that it's already playing too and kind of build its own professional team of hackers to deal with it. >> host: yeah. i think i read in one of your articles, mr. greenberg, that gm hired its first cybersecurity chief. >> guest: that's right. they have their, they do have their own chief product officer of cybersecurity who, it seems has been much more responsive in -- his whole team. gm has really shaped up. for instance, a hacker over there found that they weren't appropriately kind of securing the connection between their ios or android smartphone app and the vehicle. that app was, is designed to allow you to remotely unlock the
8:24 am
vehicle and even turn on the engine, and a hacker had shown that the app could be basically hijacked with this little device he created that you could plant on a vehicle. his little device would sort of hijack the user's smartphone credentials and then send them to the hacker so that the hacker could track the car, unlock it, you know, recover his device or even steal the car, steal the contents of the car. so gm learned about this, and they actually patched their smartphone vulnerabilities in their smartphone app that would have allowed this attack within 48 hours. and that's a big improvement over five years. of course, it's a much easier problem to fix in a smartphone than in a car, but it still shows that they're taking this seriously, they have a real cybersecurity team. you know, it's encouraging, and i don't want to entirely chastise these companies. it seems like in general everyone's improving, it's just a matter of how fast and if they, you know, are really
8:25 am
improving as fast in terms of the security that they're adding as they are with potentially vulnerable features that they're adding. >> host: so potentially how many hackable cars are on the road today, and should people who own a newer model car, should they be afraid when they get in their car? >> guest: well, i don't know the total number of internet-connected cars, but it's absolutely in the tens or hundreds of millions. and i, but i do not want to say that people should not, should avoid an internet-connected vehicle or avoid a modern vehicle. i get a lot of comments on my stories that say, well, good thing i drive a 1957 chevy. and i get kind of a chill when i read that, because it's a really dangerous attitude. this is still a future, a future threat, future harm, future deaths that could result from an actual, you know, in the wild
8:26 am
hack of a vehicle on the road. whereas, you know, the safety features that have been built into cars over the last decades, including the, you know, the internet-connected safety features, the ability to respond to a crash in realtime and locate vehicles, that -- that's a present-day problem. and i would never want to convince anyone to buy an older, less safe vehicle because it doesn't have an internet connection or doesn't have computerized, you know, components. so if there's any, you know, if there's any doubt, then, yes. modern vehicles are great. and internet-connected vehicles are also good. but we shouldn't have to give up, you know, that connectivity to achieve safety. with our computers and, you know, with my iphone, for instance, an iphone is an internet-connected device, like always on, always
8:27 am
internet-connected, and it has basically faced virtually no malware, no hacker attacks that have been successful for its eight years of existence. i think that that should be possible with a car too. so it's really just about achieving both of these things. i wouldn't want to tell people to give up those internet-connected features or any other of these potentially important safety features of a modern car. >> host: andy greenberg, are there any additional issues with regard to this hacking when it comes to driverless cars? >> guest: oh, of course. you know, i asked researchers about this, what happens when we go from just an internet-connected vehicle to an internet-connected autonomous vehicle, and they just say everything gets worse. it's just like, you know, it puts the problem, you know, into this turbo mode where suddenly instead of just a few automatable features
8:28 am
being hijackable, now everything is automated. when you control the computer, the kind of computerized features of the car, now you control everything. you can steer it entirely instead of just hijacking the self-parking feature, now it has an entire self-driving feature. you control the steering wheel just as much as a driver would in a normal car. so this is absolutely something that's going to become vastly more important as self-driving vehicles hit the roads. and, you know, i think that's something that the automakers that are thinking about self-driving cars or even the tech companies that are are aware of charlie and chris, the two jeep hackers, for instance, were hired by uber who is rumored to be building its own autonomous vehicles or potentially buying a fleet of autonomous vehicles. so hopefully that means they're thinking about this problem of what happens when a self-driving car becomes a sort of
8:29 am
hacker-driven car and trying to head it off, you know, before those cars are actually on the road. >> host: you mentioned earlier that the car companies, mr. greenberg, aren't talking to you much. have they been reticent to discuss this issue? >> guest: i think they have. i mean, until this jeep hack it wasn't, i don't think, something that the average american was aware of, that an internet-connected vehicle could be hacked, that a car is basically a, you know, two-ton smartphone on wheels. and, you know, they're still, i think, they still believe that by avoiding the subject, they can kind of just prevent people from thinking about cars in that way. you know, but i think that's -- it's only a matter of time until this is sort of part of the mainstream awareness. and then i would really like to hear about the good things that
8:30 am
i know the automotive companies are doing to secure vehicles, you know? i have heard that at least since the research in 2010 that took over a chevy impala, there's been no illusion within the car industry that this is possible. so, you know, it's certainly something that they're internally aware of and that they've been working on, and it's just, you know, it's -- they're not sticking their heads in the sand, they just look like it because they seem so afraid of speaking about this in public. >> host: andy greenberg of "wired" magazine. he's a technology reporter. he started quite the conversation with his article about driving a hacked jeep. thanks for being on "the communicators." >> guest: thanks for having me. >> c-span, created by america's cable companies 35 years ago and brought to you as a public service by your local cable or satellite provider.
8:31 am
>> congress returns this week, and the house members considering a measure to default on the national debt and another reauthorizing federal school vouchers for students in washington d.c. later in the week we expect work on a budget reconciliation package that would repeal sections of the health care law and defund planned parenthood. you can watch the house live on c-span starting tomorrow at noon eastern. meanwhile, the senate returns today with no votes scheduled. tomorrow they consider a judicial nomination in the morning before voting on where to move forward on a bill that would withhold federal money from cities that do not prosecute undocumented immigrants. watch the senate live here on c-span2. >> c-span has your coverage of the road to the white house 2016. where you'll find the candidates, the speeches, the debates, and most importantly, your questions.
8:32 am
this year we're taking our coverage into classrooms across the country with our student cam contest, giving students the opportunity to discuss what important issues they want to hear the most from the candidates. follow c-span's student cam contest and road to the white house coverage 2016 on tv, on the radio and online at c-span.org. >> earlier this month the european union's highest court struck down an international agreement that allowed companies to transfer personnel data between the e.u. and the u.s. next, a discussion on the ramifications of that decision. the u.s. chamber of commerce and the e.u.'s delegation to the u.s. this was hosted by the caucus advisory committee. it runs an hour.