
tv   The Communicators  CSPAN  October 17, 2015 6:30pm-7:01pm EDT

3:30 pm
and at the end of november we're live for the 18th year in a row from florida for the miami book fair international and the national book awards from new york estimate just some of the fairs and festivals this fall on c-span 2's "book tv". host: andy greenberg, what happened to you in st. louis? andrew: for a couple of years now, i had been talking to these hackers. brilliant hackers who found vulnerabilities in all kinds of
3:31 pm
things from iphones to macbooks, and the last couple years they have been focused on cars. they invited me to come down where charlie lived. he put me in a jeep, and told me to drive up the highway. i knew that they were going to launch some attack from his living room 10 miles away, i didn't know what. i was on the highway and the radio starts blasting kanye west. i can't turn it down or off. the windshield wipers start going of their own accord. fluid, obscuring my vision. a picture of the guys in track suits appears on the computer unit called uconnect on the dashboard. that was a good demonstration of what they could do, and then
3:32 pm
they cut the transmission of the vehicle altogether. i found myself unable to accelerate with cars lining up behind me and wasn't by. was in my rearview mirror honking. i came close to panicking, but i was yelling into my speakerphone to these two hackers, begging them to make the car working. finally they told me i just had to restart it, and reengage the engine. even that did not work. i was basically paralyzed on the highway. finally, i rolled the vehicle and did get the transmission reengaged. but they proved their point. this is a terrifying experience to have someone take control of a two-ton computer on wheels that we think is supposed to
3:33 pm
obey our commands. host: how did they do it? andrew: it is a big piece of research with lots of steps, but the basic vulnerability is in this computer, the head unit known as the uconnect. this computer has an internet connected entertainment system and even a wi-fi hotspot but it has one service that was basically left unprotected. they could call into it from a type of burner phone. a sprint phone they attached to their computers, attacking it remotely over the internet. exploit that vulnerability. from there, launch a second step of the attack that rewrote the firmware of another chip, but this time on the can network,
3:34 pm
the controller area network, that controls all the physical components. everything from steering, to brakes, to windshield wipers. they were able to send commands to all of those critical, physical components. they had spent months reverse engineering those components, the languages that they speak. they were able to trigger all of those features. they could at low-speed set off the diagnostic test that disables the brakes. that is supposed to be in a shop, but they did it while i was driving around a parking lot which caused me to crash into a ditch. they were able to trigger the self parking system to turn the steering wheel. they were able to unlock the doors which could be used for theft. and of course, they could
3:35 pm
disable the transmission, which was easily the scariest thing that they demonstrated for me. host: how long had charlie miller and chris been working on this? andrew: they started in 2012. they got a grant from the defense agency, this science fictional wing of the pentagon that works on forward-looking things. they got a small grant to buy a couple vehicles. in 2013, they came to indiana where they demonstrated the first step. they put me inside a toyota prius and a ford escape. it didn't really matter to the industry.
3:36 pm
they blew it off because they said that is not a real hack because you just connected your to the car like a mechanic. nevertheless they could disable the brakes of the suv or other things it was still scary to be behind the wheel. but it took them two more years to advance that to a wireless attack. someone could potentially attack a vehicle over the internet and cause the protector spread virally. they could have used it to spread to other vehicles using this uconnect system, potentially disabling millions of cars or hijacking them to do their bidding.
3:37 pm
host: they did not even have to be on a wi-fi network? andrew: this is not a wi-fi attack, this is a cellular over a 3g connection. it was not a matter of feet it was hundreds of miles. they could have done this across the country and they did. charlie lives in st. louis, chris lives in pittsburgh. chris was able to turn on the windshield wipers of charlie's jeep. this is a true, remote, across the country attack. the only limitation is sprint's network. host: is it sprint's network? andrew: the vulnerability isn't
3:38 pm
really the network it is the uconnect computer. but as a result of the research, chrysler has had a full recall and fixed the vulnerability or at least sent out a usb to drivers to plug into their dashboard and update and fix it. this is not a sprint problem. this is a chrysler problem and the uconnect computer. if you have a 2014 chrysler vehicle, with a uconnect machine in the dashboard, you probably got one of these usbs. you should not just put it in a drawer, you need to update your software. host: did chris and charlie use any special equipment or computers? andrew: the hardware was simple stuff. they spent years working on the software.
3:39 pm
i think chris used a windows machine and charlie used a macbook and they attached these cheap android, sprint enabled phones, but that stuff is available to anyone. this is not something that anyone could do. chris and charlie are brilliant hackers. charlie spent years working for the nsa. this is not something that a member of anonymous, or a teenager in a basement, will be able to replicate. nonetheless, it is also worth noting that this wasn't even something they were doing full-time. chris works for a security consultancy working on automotive security, but charlie works for twitter. this is really a side project. it is almost like a hobby but in three years they were able to develop this full remote exploit. the hacking technique to take over the jeep that i was
3:40 pm
driving. host: is the hacking vulnerability limited to uconnect? andrew: in this case, yes. but this is not a story about chrysler, this is a story about the whole automotive industry. in 2010, a group of academic researchers from the university of california at san diego and the university of washington performed their own remote takeover of a vehicle. they didn't say which vehicle they were attacking, it was only revealed years later that it was a 2009 chevy impala sold by general motors. they told general motors about this collection of bugs they had found in the vehicle, and how they took over the vehicle over the internet. to disable brakes at any speed. to turn on the brakes. they could enable one brake in
3:41 pm
the front left wheel, to make the car spin out of control. this is a dangerous attack and it took gm almost five years to fully fix that vulnerability. in millions of vehicles. this is certainly not limited to chrysler. chrysler was relatively responsive compared to gm, who for half a decade left millions of their vehicles exposed. there is no reason to think that just chrysler or gm are vulnerable. as more and more vehicles are connected to the internet, there will only be more of these vulnerabilities that turn up. every one of these allows for the vehicle to be taken over on the highway. it is a new era, and something the automotive industry needs to
3:42 pm
become aware of and take seriously. host: could chris and charlie see you in real-time on the road? could they have steered the car properly? andrew: they could not control steering very well. they had only really developed the ability to turn the wheel at low speeds in reverse. the transmission thing was probably the scariest thing they could do at high speeds. they could track the gps of the vehicle, and they had written a program that dropped pins as i drove around to show my location. that is scary in a different way because there is no telling who might have, under intelligence agencies or state sponsored hackers, who have used these techniques for espionage. sometimes they say there is a evidence they have been used in the wild on real victims.
3:43 pm
that is mostly true, but we also don't know if they have been developed by government hackers and used for that kind of silent tracking. host: how connected are our cars today? andrew: it depends. pretty much every automaker has an internet connected system in partnership with some telecom carrier. but there arest, so many of these other systems like ford sync, and chrysler uconnect. it really depends which vehicle you have, which year, whether you bought the cellular upgrades. pretty much every make of car has an internet connected potential. that will only become more and more standard. there will be a time in the near future when every vehicle has an
3:44 pm
internet connection. will bey by then, it properly isolated from the physical components of the vehicle. there is no reason that the brakes should have any connection with the infotainment system that has a cellular connection. host: when your article came out in july, what was the response? andrew: this was a surprise to me, a pair of congressmen released a piece of legislation tied to the story, to basically regulate automotive cyber security. they swore that this was not tied to the story, but it came out a matter of hours later. it seems to me like it was an attempt to piggyback on the public awareness of this problem. their legislation is calling for a rating system that
3:45 pm
would be publicly visible on any new car. how connected to the internet? how isolated are the systems? what cyber physical systems does it have that could be hijacked by a hacker? that bill is still floating around in congress. announceds, chrysler this 1.4 million vehicle recall, which just means that they had to send out 1.4 million usb drives to their customers and publicize the fact you needed to plug this in and update the vehicle. chrysler mades, it clear that it was the national highway traffic safety administration that had put pressure on them to do that. i think that is the most important reaction. detroit a message to and automakers around the world
3:46 pm
that there is accountability. actualu will face an ally demanded recall. gm did leaving this bug in the vehicle for five years will not fly anymore. this is a big wake-up call in the sense that if your vehicles can be hacked, you will face consequences and regulatory pressure. host: what has been the response of the carmaker? andrew: they don't talk to me very much. i hear that they are taking it seriously and that they have been secretly taking it seriously for a few years, but are incredibly shy about talking about the problem. they haven't even reached the stage where they believe they can get more positive press.
3:47 pm
than the negative press they get by just talking about the fact that cars can be hacked in general. believe ino just shutting up and hoping that the problem goes away, which it won't. that they are say not doing important things behind the scenes. i hear that every automaker is developing the ability to send over the air software updates so that the next time there is some kind of security vulnerability in a vehicle they won't have to send out usb drives, which is not the right way to patch software. if you send usb drives to people in the mail, then you are basically training them to fall for a trick in the future where hackers mail out usb drives and use it to infect machines.
3:48 pm
that is kind of frowned upon in the security industry as a method of patching. the better way to do it is these over the air software updates. thatoes that, tesla does and this would be using the same connection, the cellular service that could make the cars vulnerable to push out those automatic software updates. instead of downloading it manually or putting it on usb you just click ok and it automatically updates itself over the air. host: are these bugs or vulnerabilities because of money? was it a cost that prevented them from being installed in the first place? andrew: all software has bugs. all software can be hacked. i would never accuse a software engineer of being lazy or a company of being cheap just because their software has bugs.
3:49 pm
apple and google and microsoft -- the best tech companies in an endlesstill have supply of bugs in their software. what is important, and where resources need to be spent, is in testing for those bugs. hiring penetration testers and having a team of people who respond quickly to patch the software. having a system where you can patch it in a responsive way, not waiting for regulators to tell you about it or waiting years for it to come to light. google, for instance -- they have their own team of security researchers who find lots of bugs and software. when they do, they give those companies three months max to fix a problem before they go public with it. so the five years that gm spent
3:50 pm
is really not acceptable. the automakers need to catch up with the silicon valley standard which is really a matter of weeks or even days. host: the democratic senator murphy is calling for federal standards? andrew: he is calling for a federal rating system. transparencyin the so that consumers can see the cyber security rating of the vehicle and make their own choices based on that. i think that will be a difficult thing to do. legislating cyber security is always difficult. i really applaud the fact that he is thinking about this. it does seem like it might be possible for them to pressure companies to get serious about cyber security, but the closer
3:51 pm
you get to telling them what to do, the more likely that it will be wrong. this is a dynamic game. it's not like you can just make a law that says everyone should have a safety belt in their vehicle. designed tot is deal with static car crashing into each other and people need to stay where they are sitting. that is not a problem that has its own adversarial brain. that problem doesn't adapt. cut -- eight cyber security problem, you fix one of these bugs and the hacker responds. they find a new way to circumvent your patch. that is the real adversary. treat the kind of traditional safety of vehicles
3:52 pm
which can be legislated, the same way you treat the cyber security vehicles that cannot be easily legislated. needs to be thought about as a continuing cat and mouse game. that traditional tech days like microsoft and google have been playing for years. that the automotive industry needs to realize it is playing, too. host: i think i read in one of your articles that gm hired its first cyber security chief. andrew: that's right. they do have their own chief product officer of cyber security who it seems has been much more responsive and his whole team. and gm has released shape up. founder over the summer
3:53 pm
we -- whenere part not properly securing their smart and that app is designed unlock theu to vehicle and turn on the engine. his little device would hijack the user's smartphone credentials. so he could recover his device or steal the car or the contents of the car. gm learned about this and actually patched their smartphone vulnerabilities in their smartphone app within 48 hours. that is a big improvement. it still shows they are taking this seriously and they have a real cyber security team.
3:54 pm
everyone is improving, it is just a matter of how fast. in terms of the security that they are having with potentially vulnerable features that they are adding. host: potentially, how many hackable cars are on the road today, and for people who own a new model car, should they be afraid? andrew: i don't know the total number of internet connected cars but it is absolutely in the tens or hundreds of millions. i do not want to say that people should avoid an internet connected vehicle or avoid a modern vehicle. that a lot of comments say, good thing i drive a 1957 chevy. because this is
3:55 pm
still a future threat. future harm, future deaths that could result from an actual in the wild hack of a vehicle on the road. whereas the safety features that have been built into cars including the internet connected safety features, the ability to send a car into a crash, that is a present-day problem and i would never want to convince anyone to buy an older less-safe vehicle because it does not have an internet connection or less computerized components. doubt, thenany modern vehicles are great. internet connected vehicles are also good. but we shouldn't have to give up that connectivity to achieve safety.
3:56 pm
with our computers and with my a internet iphone is connected device always connected and always on. it has faced virtually no malware or hacker attacks that have been successful for its eight years of existence. so it is really just about achieving both of these things. i would not want to give up any of these potentially important safety features of the modern car. issues with driverless cars? andrew: of course. i asked researchers what happens when we go to an internet connected vehicle to an internet connected autonomous vehicle, they say that everything gets worse. problem into this
3:57 pm
turbo mode where instead of just a few automated features being hijackable, now everything is automated. instead of just controlling the computer and the computerized features you can control everything. you can steer it entirely. this is just as much as a driver would in your normal car. this is something that will become vastly different when self driving vehicles hit the roads. the automakers that think about these cars or even the tech gp-packersthe two were hired by uber, who is
3:58 pm
rumored to be building or buying their own fleet of autonomous vehicles which hopefully means they are thinking about this problem when it becomes a hacker driven car and trying to head it off before those cars are on the road. host: you mentioned earlier that the car companies are not talking to you much. have it in quiet or reticent to discuss this issue? andrew: i think they have. it wasn't jeep hack, something that the average american was aware of, that an internet connected vehicle could be hacked. a two ton smartphone on wheels. they still believe that by avoiding the subject they can kind of prevent people from thinking about cars in that way.
3:59 pm
i think it is only a matter of that this is part of the mainstream awareness. and i know it is only a matter of time until the automotive companies are doing things to secure vehicles. i have heard since the research there has been no illusion within the car industry that this is possible. it is certainly something that they are internally aware of, and have been working on. they are not sticking their heads in the sand, they just look like it, because they seem so afraid of speaking about this in public. host: andy greenberg of "wired" magazine. technology reporter and started quite the conversation with his article about driving a hacked jeep. thank you for being on "the communicators." "landmark cases"
4:00 pm
examines the dred scott decision. then, republican presidential candidate jeb bush holds a town hall meeting in concord new hampshire. >> all persons having business before the honorable supreme court of the united states should draw near and give their attention. "landmark cases" exploring the human story and constitutional dramas behind 12 historic supreme court decisions. 759, miranda, petitioner versus arizona. >> arguments number 18, roe against wade. >>
