The Jeep HACK – What You Need To Know

So yah, the big news this week that everyone is shouting about is the Jeep hack: the new Cherokee from Fiat Chrysler Automobiles (FCA) has remote control software which allows access to the engine, aircon, audio system and brakes – basically the whole car can be controlled remotely as long as you know the IP address.

Jeep HACKED - Anyone Driving A Cherokee Is In Danger

Pretty scary? To prove a point Wired even did a story with a live hack while the journalist was riding in the car at 70mph on the freeway – it sounds pretty terrifying:

Hackers Remotely Kill a Jeep on the Highway—With Me in It

The Wired article is a good read with some details about how the exploit hops between systems and how it was developed. It also highlights just how dangerous this can be as cars get more and more connected.

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car’s brakes and engine can be remotely controlled by anyone with an internet connection.

At next month’s Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car’s engine, brakes, and minor systems from miles away simply by knowing the car’s public IP address.

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car’s controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

This is the first time a car hack has gone fully wireless though, and it works over the Internet, which makes it really scary for owners of the affected vehicles. I’d imagine other cars with similar features might be equally vulnerable too; it’s just that no one is focusing on them yet.

Or people are, but it’s in the underground – that’s impossible to know.

It’s an ugly part of the car industry though: car experts developing software and operating systems with old, outdated technology and models when they could just adopt peer-reviewed operating systems and software.

I for one welcome our Android Auto overlords.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.

In short, make sure your car’s software is up to date; check your manual for details on obtaining the latest firmware.

Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.

On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.

“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey.

There’s an update available for it, so yah, please don’t pass it up – it’s kinda important. It’s only available to install via a USB stick or an authorised mechanic though, with no push OTA updates like BMW did for the door-lock flaw earlier this year, so it’s likely a lot of cars are going to remain vulnerable.

Jeep Cherokee Remote Access Fix

The software update is available here: uConnect Software Update Site.

So if you have one of these cars, ya – please update, and secondly... perhaps reconsider your choice of vehicles.

Source: The Register

4 Responses to The Jeep HACK – What You Need To Know

  1. Joshua Partogi July 23, 2015 at 10:29 am #

    Wow this bug is so scary. Professionalism is required in software development to prevent this kind of thing from happening.

  2. Ben July 24, 2015 at 2:18 am #

    Seems to me that an owner ought to have the ability to TURN OFF your vehicle’s Internet connectivity, yeah? Is this not an option? The Internet Insecurity of Things…

  3. su July 25, 2015 at 3:52 am #

    Two things: 1.) I hate having computers in my vehicles, especially ones I can’t control. 2.) I want a device which will apply a small amount of increased speed, as needed, to vehicles blocking the passing lane, (that’s the one on the left, folks), as I go down the road.

  4. Valamis July 27, 2015 at 6:44 pm #

    Holy sh*t, this is starting to remind me of movies about cyber attacks. I really hope organizations developing this software put 110% focus on security and encrypting. Just can’t even imagine all the bad accidents these kinds of bugs may lead to…