This Is How A Jeep Can Be Hacked
In the rush to offer consumers the latest connected features, it looks like the auto industry forgot to lock the back door. Hackers recently brought to light exactly how vulnerable a modern car could be by using nothing more than a bit of code and a laptop connected to the Internet. The hackers created code that allowed them to remotely operate functions like the climate control, entertainment system, windshield wipers, transmission, engine and brakes, raising (or answering) questions about vehicle cybersecurity.
In a recent article from Wired, Charlie Miller, security engineer at Twitter, and Chris Valasek, director of vehicle safety research at IOActive, successfully hacked into a 2014 Jeep Cherokee and assumed control of the vehicle’s various functions, dramatically demonstrating the extreme vulnerabilities of the modern connected vehicle.
What exactly did they do, and how did they do it? And more importantly, what does this mean for the future of the auto industry? Read on to find out.
What they did
Miller and Valasek spent the last year developing software that allowed them to wirelessly hack into the car. The car was not altered in any way, but rather, the hackers took advantage of a vulnerability in the onboard UConnect infotainment system, which connects to the Internet via a cell network.
To demonstrate, a senior writer from Wired drove the Jeep on a highway in St. Louis while the hackers did the deed sitting in a residential home several miles away.
First, the hackers screwed with the climate control, turning on the fan and A/C. Then, the hackers uploaded a picture of themselves onto the screen in the central dash. Next, the stereo system was turned on, playing a local radio station at full volume. Following this, the wipers were activated, spreading cleaner fluid across the windshield. For the coup de grace, the transmission was thrown into neutral and the car slowed to a stop. Meanwhile, the driver could do nothing but sit and watch the chaos unfold.
How they did it
According to the hackers, hundreds of thousands of FCA models could be vulnerable via the UConnect system exploit. The system is intended to allow users control over the car’s entertainment and navigation features, make phone calls, and provide a wireless Internet connection hotspot. However, it also enables hackers to query the car for things like GPS data and the VIN, and most frighteningly, issue commands. All it takes is knowledge of the car’s IP address and a bit of programming knowledge to gain access to the entire system and attack it from anywhere in the country.
The hackers say the exploit seems to work on any FCA vehicle equipped with UConnect from late 2013 through early 2015. They’ve only tested it on the 2014 Cherokee, but believe the attack could be altered to work against any FCA vehicle equipped with the vulnerable UConnect head unit.
In a bid to find the most vulnerable vehicle for the demonstration, Miller and Valasek downloaded technical manuals and wiring diagrams for 24 cars, trucks and SUVs. The Jeep Cherokee was deemed the most hackable, while the 2015 Cadillac Escalade and 2014 Infiniti Q50 were found to be nearly as vulnerable.
First, Miller and Valasek broke into the car remotely over the cell network, then moved “laterally” to issue commands to the car’s various systems. From the vulnerable entry point, the hackers could rewrite the firmware in the car’s head unit, which can then issue commands through the car’s internal computer network.
Miller estimates that as many as 471,000 UConnect-equipped vehicles currently on the road are vulnerable to the same attack, while similar attacks could be engineered for many other makes and models.
The hackers plan on publishing a portion of the exploit on the Internet next month, coinciding with a talk they’ll give at the Black Hat security conference in Las Vegas. The published work will leave out the particularly malicious bit of code that enables hackers to rewrite the head unit firmware, which is a piece that would take months to recreate, but the published material will still allow for some of the more benign shenanigans.
What this means for the industry
Miller and Valasek have been working with FCA for months to improve the security of the UConnect system, enabling the automaker to issue a recall ahead of the Black Hat conference. In a statement to Wired, FCA says it appreciates the work of hackers like Miller and Valasek, but wants to “caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
Miller and Valasek respond that the release of their code is a necessary step, as it allows their work to be proven through peer review. It also makes it clear that digital safety for vehicles is a problem with dire consequences, and not something to be brushed under the rug. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.”
At first, hacks required a physical connection to the car’s CPU, prompting automakers to downplay the vulnerabilities. Now, it’s been demonstrated that a car can be hacked over the Internet from virtually anywhere.
On the government side of things, Senators Ed Markey and Richard Blumenthal are expected to introduce a new automotive security bill that sets higher standards when it comes to digital security for cars and trucks.
Meanwhile, despite the proliferation of connected models, few automakers have taken steps to improve security, with only a handful hiring independent security firms to test for vulnerabilities. Even fewer have vehicle-monitoring systems in place to check for malicious commands.
Looking to the future
As we gradually hand over control to fully autonomous drive systems, exploits like this will only get more and more dangerous. We could eventually see hacks on a truly massive scale, with entire grids of vehicles rendered useless through a few simple keystrokes. Forget about lost data – now it’s lives that hang in the balance.
While some may question the methods of folks like Miller and Valasek, it’s gonna take theatrics to prompt the changes needed. Hopefully, the industry will recognize the importance of vehicle cybersecurity instead of pushing ahead blindly with connected systems that could leave consumers vulnerable.