Security Researchers Wirelessly Hack Jeep
Two security researchers wirelessly hacked a Jeep and put the automotive industry on the defensive with respect to cyber security. Here in the Detroit metropolitan area, the automotive capital of the world, the news of two security researchers wirelessly hacking into a Chrysler Jeep is obviously big news. Charlie Miller and Chris Valasek, two individuals fairly well known for their automotive security research, developed a hacking technique for a zero-day vulnerability which allowed them to target a Jeep Cherokee. This technique gave them wireless control, via the internet, of various automobile functions, which they were able to manipulate from a distance.
The video produced by Wired Magazine shows how Miller and Valasek wirelessly hack a Jeep driven by a Wired Magazine reporter while he was driving 70 mph on the edge of St. Louis. The researchers were able to wirelessly cause the Jeep to blast cold air at the maximum setting, blast the local hip hop station at full volume, and then turn the windshield wipers on while spraying the wiper fluid. The researchers also displayed an image of themselves on the car’s digital display.
But this was just child’s play. Things got a little more serious when the researchers cut the transmission, which caused the accelerator to stop working. This caused the Jeep to slow down to a crawl, which definitely became a safety hazard for the reporter as cars and an 18-wheeler came up from behind before passing. The reporter was able to get the Jeep to an empty lot. Some more safety-critical items were attacked at the lot, including killing the engine at lower speeds, abruptly engaging the brakes, and disabling them altogether. With the brakes disabled, the video shows the reporter frantically pumping the brakes to no avail as the Jeep slid uncontrollably into the ditch. The hack the researchers used also enabled them to track a targeted Jeep’s GPS coordinates and trace its route.
When researchers wirelessly hack a Jeep, it becomes a big issue because this is the first time it has been demonstrated that a researcher doesn’t have to be directly linked to a vehicle’s electronic system. Miller and Valasek have been conducting automotive security research for a couple of years. They have demonstrated in the past what they are able to control and manipulate in a vehicle if they are physically connected to the vehicle’s onboard diagnostics port, a feature that normally gives repair technicians access to the automobile’s electronically controlled systems. Thus, the reality in the past was that the hacker would have to be in the car to take over control of the automobile. But with Miller and Valasek’s continued research and their demonstration that they can now hack the vehicle without being physically plugged into the diagnostics port, the vulnerability has become more of a reality for consumers. And the automotive companies are taking note.
Now, the researchers did the responsible thing and have been sharing their research with Chrysler over the last nine months. This allowed Chrysler to develop a software patch to address the vulnerability before the researchers reported it to Wired Magazine. Chrysler quietly released a software update for a collection of its vehicles that have the Uconnect service installed. Uconnect is an internet-connected computer feature which controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. A vulnerable element in Uconnect’s cellular connection lets anyone who knows the car’s IP address gain access from anywhere in the country. Once the researchers had access, they modified firmware in an adjacent chip, which allowed them to control the functions mentioned above. The software update that Chrysler released included a patch designed to prevent the attack the researchers developed against the Uconnect feature.
Once the story of the researchers’ exploits hit the web, though, it was picked up by many news agencies and spread quickly. This caused Jeep’s parent company, Fiat Chrysler Automotive (FCA), to issue a formal voluntary recall of 1.4 million cars, among them some popular vehicle models:
- 2013-15 Dodge Vipers
- 2013-15 Ram 1500, 2500 and 3500 pickups
- 2013-15 Ram 3500, 4500, 5500 chassis cabs
- 2014-15 Jeep Grand Cherokees and Cherokees
- 2014-15 Dodge Durangos
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challengers
The two researchers plan to publish a portion of the exploit at the yearly Black Hat Security conference next month. FCA wanted to make clear in their released statement that “To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.” But once the researchers publish the portion of their exploit, the code provided will enable other hackers to use many of the dashboard manipulations that were demonstrated, as well as the GPS tracking. Rewriting the chip’s firmware took quite a bit of effort, though, and this part of the hack won’t be released at Black Hat by the researchers. Thus, hackers won’t be able to copy exactly what the researchers did, but they will have the knowledge to use for future exploits.
Working in cybersecurity, I read stories daily on how security researchers find flaws or vulnerabilities in many hardware and software components. This is what they do for their daily job, but they usually have extensive knowledge of the systems they are trying to identify vulnerabilities in and extensive knowledge of attack vectors for the systems they are trying to hack into. And unless you work in cybersecurity, some of their methods get quite complicated and difficult to follow if you don’t have knowledge of basic hacking skills. In this case, Miller and Valasek were funded by a grant from DARPA (Army Research Agency) to find vulnerabilities in vehicles. It took them considerable time, money, and resources to pull off this wireless hack of a vehicle. But as researchers gain knowledge and share that knowledge with other hackers, future hacks will become easier and quicker if not addressed. But it’s these research efforts that cause the automakers to take note and step up their game in designing security into their future automobiles.
So, what does Homecybersifu recommend for our readers? First, if you own one of the vehicles listed in the recall, then we recommend you either download and install the software update yourself or set up an appointment at your dealership to have it updated. Here’s how you can check if the software update is available for your vehicle: Visit this link, enter your vehicle identification number and download the update. Move the update onto a USB drive, and plug it into your Chrysler vehicle’s dashboard USB port. The Uconnect system will ask if you want to update its software; confirm that you do. You can also take your Chrysler to your dealership, whose mechanics will update its software for free.
Unfortunately, unlike the automatic software updates you receive on your home computers and laptops, automobile software patches must be manually installed via a USB stick or by a trip to the dealership for an update by a technician. As with your home computer systems, you should always have the most up-to-date software installed on your automobile. Also, consumers need to realize that security will become more of an issue with automobiles as more information technology is integrated into vehicle systems. Research on vulnerabilities such as the one demonstrated by the two researchers sends a message to the automakers that they need to be held accountable for their digital security.
Now, maybe you think you are fine since you don’t drive one of the Chrysler vehicles that were exposed in the hack. But the truth is that practically any modern vehicle could be vulnerable, as there are no qualitative differences in security between vehicles today. Just as all computers are vulnerable to exploits, some are targeted more because there are more of those models out there. Hackers will target popular vehicle models and ones which may be a little more vulnerable. But automotive hacking is in its infancy and will become more prevalent as more research work is done. We should all be more aware of the threats to automobiles and take that into consideration when purchasing our next vehicle.
I went to the dealership and helped someone purchase a car last year, and jokingly said we should ask the car dealer what cybersecurity features were included just to mess with him. I am pretty sure we would either have heard a slick dealer dance around the question or have had a dealer with a look of confusion and ignorance about the question concerning cybersecurity. Maybe someday in the near future this will be a common question we all ask when we purchase a vehicle.