The Jeep HACK – What You Need To Know


So yah, the big news this week that everyone is shouting about is the Fiat Chrysler Automobiles (FCA) owned Jeep hack involving the new Cherokee, which has remote control software that allows access to the engine, aircon, audio system and brakes – basically the whole car can be controlled remotely as long as you know the IP address.

Jeep HACKED - Anyone Driving A Cherokee Is In Danger

Pretty scary? To prove a point Wired even did a story with a live hack while the journalist was riding in the car at 70mph on the freeway – it sounds pretty terrifying:

Hackers Remotely Kill a Jeep on the Highway—With Me in It

The Wired article is a good read with some details about how the exploit hops between systems and how it was developed. It also highlights just how dangerous this can be as cars get more and more connected.

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car’s brakes and engine can be remotely controlled by anyone with an internet connection.

At next month’s Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car’s engine, brakes, and minor systems from miles away simply by knowing the car’s public IP address.

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car’s controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

This is the first time a car hack has gone fully wireless though, and it works over the Internet, which makes it really scary for owners of the affected vehicles. I’d imagine other cars with similar features might be equally vulnerable too, just that no-one is focusing on them yet.

Or people are, but it’s in the underground – that’s impossible to know.

It’s an ugly part of the car industry though: car experts developing software and operating systems with old, outdated technology and models when they could just adopt peer-reviewed operating systems and software.

I for one welcome our Android Auto overlords.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.

In short, make sure your car’s software is up to date; check your manual for details on obtaining the latest firmware.

Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.

On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.

“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey.

There’s an update available for it, so yah, please don’t pass it up – it’s kinda important. It’s only available to install via a USB stick or an authorised mechanic though, no push OTA updates like BMW did for the door-lock flaw earlier this year, so it’s likely a lot of cars are going to remain vulnerable.

Jeep Cherokee Remote Access Fix

The software update is available here: uConnect Software Update Site.

So if you have one of these cars, ya – please update, and secondly... perhaps reconsider your choice of vehicles.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking


4 Responses to The Jeep HACK – What You Need To Know

  1. Joshua Partogi July 23, 2015 at 10:29 am #

    Wow this bug is so scary. Professionalism is required in software development to prevent this kind of thing from happening.

  2. Ben July 24, 2015 at 2:18 am #

    Seems to me that an owner ought to have the ability to TURN OFF your vehicle’s Internet connectivity, yeah? Is this not an option? The Internet Insecurity of Things…

  3. su July 25, 2015 at 3:52 am #

    Two things: 1.) I hate having computers in my vehicles, especially ones I can’t control. 2.) I want a device which will apply a small amount of increased speed, as needed, to vehicles blocking the passing lane, (that’s the one on the left, folks), as I go down the road.

  4. Valamis July 27, 2015 at 6:44 pm #

    Holy sh*t, this is starting to remind me of movies about cyber attacks. I really hope organizations developing this software put 110% focus on security and encrypting. Just can’t even imagine all the bad accidents these kinds of bugs may lead to…