There’s a hacking technique that can target Jeep Cherokees, giving the hackers wireless control of your vehicle via the internet.
And it could cost you your life.
The software was developed by Charlie Miller and Chris Valasek, two professional hackers, through their recent car-hacking research.
Essentially, it allows hackers to send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission. Hackers are able to fully kill an engine and disable braking systems altogether. They’re also able to read a targeted Jeep’s GPS coordinates and drop pins on a map to trace its route.
Oh, and this can all be done through a laptop that could be across the country.
Remote carjacking has been an experimental thing for a few years now – but only recently has it gone wireless. And yes, it’s a terrifying thing.
And it’s also the reason why Senators Ed Markey and Richard Blumenthal introduced an automotive security bill to set new digital security standards for cars and trucks.
The impressive (depending on who you ask) work of the hackers is possible thanks to Chrysler’s initiative, shared by many other auto manufacturers, to turn the automobile into a smartphone. In Chrysler’s case, the weak point is Uconnect, an Internet-connected computer feature in hundreds of vehicles: a vulnerability in it means its cellular connection allows anyone who knows the car’s IP address to gain access from anywhere in the country.
In fact, it’s actually pretty easy for them to do so too.
Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015.
The researchers will reveal the intricacies of their work at next month’s Black Hat security conference in Vegas, but plan to omit the details on the attack that rewrites the chip’s firmware. The code they plan to release, however, will enable many of the disabling features, as well as the GPS tracking.
The unfortunate part for Chrysler users is that the patch must be manually implemented via a USB stick or by a dealership mechanic, meaning most of the vulnerable Jeeps will remain vulnerable.
Not surprisingly, the company isn’t thrilled with the decision to publish a how-to-hack-a-car guide.
“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company’s statement reads. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
As for the researchers, they claim that the release of their code is necessary because it validates their work via peer review and sends a powerful message to automakers that they need to be ever-accountable for the digital safety of their vehicles.
The major wake-up call here is that any modern vehicle could be at risk in the future. Uconnect is just one of many similar systems, which include Lexus Enform, Toyota Safety Connect, Hyundai Bluelink, GM OnStar, and Infiniti Connection.
Perhaps auto companies should take a page from United Airlines’ book, and reward hackers for detecting bugs in security features, rather than publicly damning them.