He was part of a group of high-school and college students that joined professional engineers, policy-makers and white-hat security experts for a five-day camp last July that addressed car-hacking threats.
"This kid was 14, and he looked like he was 10," said Dr. Andrew Brown Jr., vice president and chief technologist at Delphi Automotive.
With some help from the assembled experts, he was supposed to attempt a remote infiltration of a car, a process that some of the nation's top security experts say can take weeks or months of intricate planning. The student, though, eschewed any guidance. One night, he went to Radio Shack, spent $15 on parts and stayed up late into the night building his own circuit board.
The next morning, he used his homemade device to hack into the car of a major automaker.Camp leaders and automaker representatives were dumbfounded. "They said, 'There's no way he should be able to do that,'" Brown said Tuesday, recounting the previously undisclosed incident at a seminar on the industry's readiness to handle cyber threats. "It was mind-blowing."
Windshield wipers turned on and off. Doors locked and unlocked. The remote start feature engaged. The student even got the car's lights to flash on and off, set to the beat from songs on his iPhone. Though they wouldn't divulge the student's name or the brand of the affected car, representatives from both Delphi and Battelle, the nonprofit that ran the CyberAuto Challenge event, confirmed the details.
If car makers weren't taking cyber threats seriously before the demonstration, they were afterward.
"It was a pivot moment," said Dr. Anuja Sonalker, lead scientist and program manager at Battelle. "For the automakers participating, they realized, 'Huh, the barrier to entry was far lower than we thought.' You don't have to be an engineer. You can be a kid with $14."
She described the breach as more of a nuisance attack, and emphasized that, in this case, no critical safety functions, like steering, braking or acceleration, were compromised. But the incident underscored just how vulnerable cars have become.
Security analysts have long expressed concerns over the industry's preparedness in fending off a cyber attack. Those concerns have mushroomed in recent weeks, as German researchers infiltrated BMW's remote-services system and 60 Minutes demonstrated how another research team remotely commandeered control of a Chevy Impala.
Then last week, Sen. Ed Markey (D-Mass.) released a report that criticized automakers' preparations, noting only 2 of 16 car companies surveyed could describe how they would respond to a real-time hack of one of their vehicles.
Experts at Tuesday's conference, sponsored by the Center for Automotive Research, conceded the auto industry got off to slow start in responding to cyber weaknesses. But now, even as they approach the problem with more earnestness, problems remain.
For one, technology companies still have a grip on the experts who best understand cyber-security vulnerabilities in the automotive realm, and those problems are so new that colleges and universities aren't yet producing engineering students who understand the solutions. (Though we know of one student who deserves a scholarship in about three years).
"Those experts don't live in Detroit," said Shawn Slusser, vice president of the automotive business at Infineon.
Even if they were on hand, those engineers would need time to examine and re-draw the network architectures of their cars and bolster the security for every electronic control unit on a vehicle. In the product-planning life-cycle, it could take three to five years for those alterations to reach new vehicles. And that's to say nothing of the 230 million vehicles already on the road.
In short, the car-hacking problem will probably get worse before it gets better.