As cars and the wider automotive industry shift from mechanical to electronic systems in the digital age, the change brings new challenges and vulnerabilities.
According to a report in Wired, two white-hat security researchers have remarkably engineered and demonstrated a hack which gave them the means to take control of a Jeep Cherokee while the vehicle was on the road. The car was being ‘driven’ by a Wired writer who won’t be forgetting the ride anytime soon.
Security researchers Chris Valasek of IOActive and Charlie Miller, a former NSA employee, initially discovered a critical flaw in the Uconnect system, a software-based infotainment system that comes bundled with Fiat Chrysler cars. The system also allows car owners to remotely communicate with their vehicles through Sprint’s network. It’s done over-the-air, essentially. The Uconnect system thereby allows car owners to remotely turn on the engine and locate their vehicle using GPS, and it also includes a number of anti-theft features.
Here’s how the hack unfolded:
- Miller and Valasek began the hack with an Android phone running on Sprint’s cellular network, 10 miles away from the targeted car.
- Using the phone, they were able to connect to the Uconnect system of a Jeep Cherokee which was being driven at the time, through its IP address.
- Now plugged in, they were able to access a chip that powered the Uconnect system and then rewrite that hardware’s firmware.
- With complete control over the system, the researchers were now able to kill the car’s brakes and affect driver visibility by activating the windshield wipers.
- Significantly, they were even able to completely shut off the vehicle’s engine.
- With the phone connected to the vehicle, they were also able to hook up a MacBook to scan for vehicles that were vulnerable on the same network.
The researchers believe that up to 471,000 vehicles are vulnerable to the complete car-compromising hack.
Affected models include:
- 2013-14 models of the Dodge Ram.
- 2013-14 Dodge Viper.
- 2014 Jeep Cherokee, Jeep Grand Cherokee and the Dodge Durango.
- 2015 Jeep Cherokee and Jeep Grand Cherokee.
- 2015 Chrysler 200s.
“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting,” wrote Wired writer Andy Greenberg, describing the incident. “Next the radio switched to the local hip hop station … I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”
The inevitable software patch
Understandably, Chrysler wasn’t thrilled about the stunt pulled by the cybersecurity researchers but they did “appreciate” the work done by the duo and have rolled out a patch to fix the vulnerability.
“We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities,” Chrysler said. “However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
Chrysler vehicle owners with the Uconnect feature are advised to install the update, which can be applied via a USB stick or with the help of a mechanic at a dealership.
Customers can also call vehicle care at 1-877-855-8400.