Driving a Jeep today? Not to worry you, but unless the car has been updated in the last week, there’s probably a vulnerability or two in the vehicle, as there are in as many as 471,000 Chrysler automobiles, which could be abused by hackers sitting in front of a laptop anywhere on the planet.
According to researchers Chris Valasek of IOActive and Charlie Miller, a former NSA staffer, there are issues in the Uconnect system that provides the connected infotainment and other internet-powered systems in Fiat Chrysler automobiles. They were able to create attacks that could connect to that system, jump over to a chip powering the in-vehicle entertainment and rewrite the firmware on that little piece of hardware. From there, their exploit code could send commands across the car, from killing the brakes to shutting off the engine and playing with the steering, as shown in a video on Wired. It’s total car compromise.
Miller and Valasek were able to connect to the Uconnect system via an Android phone running on the Sprint network (only devices using the Sprint cellular network can “speak” with Uconnect). Using that phone, hooked up to a MacBook, they were able to scan for vulnerable vehicles too. After repeated scans, they believe as many as 471,000 vehicles are carrying the vulnerabilities the benevolent hackers uncovered.
Thus far they’ve only tested on a Jeep Cherokee, but they believe any Chrysler vehicle with Uconnect manufactured from late 2013, all of 2014, and early 2015 is affected. The long-time car hacking buddies plan to detail their full exploits at the Blackhat security conference in two weeks’ time in Las Vegas.
Pretty terrifying stuff and another example of a remote attack on a vehicle, which has been demonstrated before and will continue to be shown if car manufacturers continue to create insecure networks-on-wheels. But there is an update from Fiat Chrysler, and drivers can either install it themselves by first downloading the patch onto a memory stick (via this link) and then plugging the device into the vehicle, or take the car to a local dealership.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” read the advisory accompanying the Fiat Chrysler release.
The company had not responded to FORBES’ request for comment at the time of publication, though Miller seemed satisfied with the patch.
"Checked patch, looks good. Well done Chrysler! Now, back to a vulnerable version for more testing! pic.twitter.com/RdBOyrRPuc" — Charlie Miller (@0xcharlie), July 20, 2015
“This is the type of vulnerability that is, or at least should be, looked out for when doing a 3rd party review… That type of vulnerability isn’t specific to that Jeep and it is why it is important to have responsible disclosure policies,” noted car security expert and Open Garages founder Craig Smith.
Miller and Valasek’s findings should act as a clarion call to the whole automotive industry, which has been repeatedly criticised for shortcomings in security over the last year. Just this year, other researchers have demonstrated attacks on vehicles from afar, whilst highlighting vulnerabilities in widely-used insurance dongles that could provide leverage on a car’s network. At Defcon, a security conference taking place down the road from Blackhat in the same week, researchers also plan to show off remote attacks on a Tesla car.
Miller and Valasek have been tooting their horns about vehicular insecurities for the last two years, whilst Senator Ed Markey issued a report in February slamming major manufacturers’ response to the issue. At the same time, vehicle owners want the right to be able to hack their own cars to make modifications, but automotive manufacturers, in particular GM, want to stop that practice. In both departments, it seems they’re letting customers down.