The Jeep HACK – What You Need To Know

So yah, the big news this week everyone is shouting about is the Fiat Chrysler Automobiles (FCA) owned Jeep hack involving the new Cherokee, which has remote control software that allows access to the engine, aircon, audio system and brakes – basically the whole car can be controlled remotely as long as you know the IP address.


Pretty scary? To prove a point Wired even did a story with a live hack while the journalist was riding in the car at 70mph on the freeway – it sounds pretty terrifying:

Hackers Remotely Kill a Jeep on the Highway—With Me in It

The Wired article is a good read with some details about how the exploit hops between systems and how it was developed. It also highlights just how dangerous this can be as cars get more and more connected.

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car’s brakes and engine can be remotely controlled by anyone with an internet connection.

At next month’s Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car’s engine, brakes, and minor systems from miles away simply by knowing the car’s public IP address.

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car’s controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

This is the first time a car hack has gone fully wireless though, and it works over the Internet, which makes it really scary for owners of the affected vehicles. I’d imagine other cars with similar features might be equally vulnerable too, just that no-one is focusing on them yet.

Or people are, but it’s in the underground – that’s impossible to know.

It’s an ugly part of the car industry though, car experts developing software and operating systems with old outdated technology and models when they could just adopt peer reviewed operating systems and software.

I for one welcome our Android Auto overlords.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.

In short, make sure your car’s software is up to date; check your manual for details on obtaining the latest firmware.

Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.

On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.

“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey.

There’s an update available for it, so yah please don’t pass it up – it’s kinda important. It’s only available to install via a USB stick or an authorised mechanic though, no push OTA updates like BMW did for the door-lock flaw earlier this year, so it’s likely a lot of cars are going to remain vulnerable.


The software update is available here: uConnect Software Update Site.

So if you have one of these cars, ya – please update, and secondly... perhaps reconsider your choice of vehicles.

Source: The Register


4 Responses to The Jeep HACK – What You Need To Know

  1. Joshua Partogi July 23, 2015 at 10:29 am #

    Wow this bug is so scary. Professionalism is required in software development to prevent this kind of thing from happening.

  2. Ben July 24, 2015 at 2:18 am #

    Seems to me that an owner ought to have the ability to TURN OFF your vehicle’s Internet connectivity, yeah? Is this not an option? The Internet Insecurity of Things…

  3. su July 25, 2015 at 3:52 am #

    Two things: 1.) I hate having computers in my vehicles, especially ones I can’t control. 2.) I want a device which will apply a small amount of increased speed, as needed, to vehicles blocking the passing lane, (that’s the one on the left, folks), as I go down the road.

  4. Valamis July 27, 2015 at 6:44 pm #

    Holy sh*t, this is starting to remind me of movies about cyber attacks. I really hope organizations developing this software put 110% focus on security and encrypting. Just can’t even imagine all the bad accidents these kinds of bugs may lead to…