AUTOS

Hackers remotely hijack, shut down Jeep on highway

Nicholas Maronese Autofocus.ca
Published Wednesday, July 22, 2015 11:14AM EDT

This product image provided by Chrysler shows the 2014 Jeep Cherokee Limited. (AP Photo/Chrysler)

Text:

A pair of expert hackers have demonstrated it's now possible to remotely tap into a car's computer systems and disable functions like its steering, braking and transmission, as long as they have the vehicle's IP address.

Cyber-security experts Charlie Miller and Chris Valasek showed Wired writer Andy Greenberg firsthand how it was possible for them to hack into the Jeep Cherokee he was driving and control everything from climate controls and stereo volume to brake pressure and transmission operation.

Miller and Valasek, working on a laptop miles away from Greenberg's Jeep, were even able to track the vehicle's location via GPS, and trace its route.

"All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone," wrote Greenberg.

"Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat-Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element [...] also lets anyone who knows the car’s IP address gain access from anywhere in the country."

Miller and Valasek were able to use the Uconnect as a point of entry to the vehicle's head unit, which controls the entertainment system, and plant their own code in it. That chip's rewritten firmware gave them access to the CAN bus, the car's internal computer network, and control just about everything.

The pair of expert hackers first demonstrated this sort of capability years ago, though at that time they had to be plugged into the vehicle's dashboard and sitting in its back seat.

This recent demonstration served to prove these sorts of attacks can now be launched wirelessly; the Jeep's only defence would have been the relative anonymity of its IP address.

Miller and Valasek selected the Jeep Cherokee because they identified it as the vehicle most vulnerable to these sort of cyber-attacks based on how it's programmed, but noted the Infiniti Q50 and Cadillac Escalade were almost as vulnerable.

The two shared the results of their vehicle security research with Fiat Chrysler Automobile (FCA) nine months ago, and the automaker in turn, released a patch on July 16 available for download via USB from most Chrysler dealers, to fix the flaws in their cars' code.

Miller and Valasek also plan to outline their method of attack at an upcoming hackers' conference in Las Vegas next month, while obscuring the specific vulnerabilities that let them break into the Jeep's Uconnect system, since they don't want copycat hackers to attempt similar experiments.

They're trying to make clear the message that a greater emphasis on vehicle security is needed in today's connected cars, and are hoping to reach both automakers and consumers.

"If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.”