Hackers take control of a Jeep — over the Internet

July 21, 2015
The weakest link in a Jeep Cherokee’s security may be its link to the Internet.

Jeepers! Hackers on the Internet took control of a Jeep Cherokee while someone was driving it!

In a prearranged demonstration, two security experts sitting in a house used a laptop and a mobile phone connected to the Internet over the Sprint network to take control of the Fiat Chrysler vehicle while it was being driven at 112 km/hour, some 16 kilometres away, by Wired magazine reporter Andy Greenberg, who wrote at length about the somewhat harrowing experience of being played like he was a character in some PC racing game.

Ultimate backseat drivers

Charlie Miller and Chris Valasek were showing how they could exploit a known security flaw in the Jeep Cherokee’s Uconnect infotainment system in order to commandeer the vehicle’s dashboard controls; everything from GPS, A/C, windshield wipers and choice of radio station, to steering, transmission and brakes — the works.

The Wired reporter, Greenberg, was almost completely powerless behind the wheel as Miller and Valasek wrested control of the vehicle away from him.

The pair remotely fiddled with the climate controls, the radio and the windshield wipers and even transmitted their picture to the vehicle’s digital dash display. Then the transmission was shut off and the accelerator stopped working. Ultimately the brakes were disabled, sending the compromised Jeep into a ditch.

Game over man, game over!

Miller and Valasek have been publicly hacking cars since at least 2013, when they showed Greenberg how they could manipulate both a Toyota Prius and a Ford Escape by hooking their laptops directly to the cars’ onboard diagnostic ports.

This latest stunt with the Jeep is apparently the first time that they’ve demonstrated a remote hack over the Internet.

According to the Guardian, the two security researchers informed Fiat Chrysler about the security hole in their Uconnect system nine months ago, giving the car manufacturer time to release a security update, which it did on July 16.

The Uconnect system has reportedly been installed in hundreds of thousands of cars sold around the world by the FCA group since late 2013. It is not known if the vulnerability is limited to certain makes, models, or countries, but Miller and Valasek believe that there are 471,000 hackable automobiles out there.

It is also not known how many owners of Fiat Chrysler vehicles have installed the update or are even aware of it.

The July 16 notice of the update from Fiat Chrysler Automobiles, entitled “FCA US LLC Releases Software Update to Improve Vehicle Electronic Security and Communications System Enhancements”, explains that customers can either download and install the update themselves or have their dealer perform the update at no charge. However, the notice does not (so far as I can tell) include a direct link to the software update (d’oh!).

Uconnect-equipped vehicle owners can download the patch from the Uconnect software update site once they have supplied their 17-digit vehicle identification number (VIN).

The Guardian explains that car owners can perform the update manually by downloading it to a flash drive and then inserting the flash drive into their car’s USB socket.

Charlie Miller and Chris Valasek will be showcasing the Uconnect hack at next month’s Black Hat security conference in Las Vegas.

And today, U.S. Senators Ed Markey and Richard Blumenthal (who have closely followed the work of Miller and Valasek) introduced their Security and Privacy in Your Car (SPY Car) Act, which would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our motor vehicles and protect drivers’ privacy.
