So yah, the big news this week everyone is shouting about is about the Fiat Chrysler Automobiles (FCA) owned Jeep Hack involving the new Cherokee which has remote control software which allows access to the engine, aircon, audio system and brakes – basically the whole car can be controlled remotely as long as you know the IP Address.
Pretty scary? To prove a point Wired even did a story with a live hack while the journalist was riding in the car at 70mph on the freeway – it sounds pretty terrifying:
Hackers Remotely Kill a Jeep on the Highway—With Me in It
The Wired article is a good read with some details about how the exploit hops between systems and how it was developed. It also highlights just how dangerous this can be as cars get more and more connected.
Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car’s brakes and engine can be remotely controlled by anyone with an internet connection.
At next month’s Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car’s engine, brakes, and minor systems from miles away simply by knowing the car’s public IP address.
The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car’s controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.
This is the first time a car hack has gone fully wireless though and it works over the Internet, which makes it really scary for owners of the effected vehicles. I’d imagine other cars with similar features might be equally vulnerable too, just that no-one is focusing on them yet.
Or people are, but it’s in the underground – that’s impossible to know.
It’s an ugly part of the car industry though, car experts developing software and operating systems with old outdated technology and models when they could just adopt peer reviewed operating systems and software.
I for one welcome our Android Auto overlords.
Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.
In short, make sure your car’s software is up to date; check your manual for details on obtaining the latest firmware.
Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.
On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.
“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey.
There’s an updates available for it, so yah please don’t pass it up – it’s kinda important. It’s only available to install via a USB stick or an authorised mechanic though, no push OTA updates like BMW did for the door-lock flaw earlier this year so it’s likely a lot of cars are going to remain vulnerable.
The software update is available here: uConnect Software Update Site.
So if you have one of these cars, ya – please update and secondly..perhaps reconsider your choice of vehicles.
Source: The Register
Joshua Partogi says
Wow this bug is so scary. Professionalism is required in software development to prevent this kind of thing from happening.
Ben says
seems to me that an owner ought to have the ability to TURN OFF your vehicle’s Internet connectivity, yeah? Is this not an option? The Internet Insecurity of Things…
su says
Two things: 1.) I hate having computers in my vehicles, especially ones I can’t control. 2.) I want a device which will apply a small amount of increased speed, as needed, to vehicles blocking the passing lane, (that’s the one on the left, folks), as I go down the road.
Valamis says
Holy sh*t, this is starting to remind me movies about cyber attacks. I really hope organizations developing these softwares put 110% focus on security and encrypting. Just can’t even imagine all the bad accidents these kind of bugs may lead to…