First, I want to make it clear that the type of hack that the car-hacking superfriends Charlie Miller and Chris Valasek did this time is not remote. They had a laptop physically connected to the car via the OBD port. Let that temper your alarm as I tell you that they were able to get control of steering and braking, even once managing to crash their test Jeep.
Yes, this hack required a physical connection to the car, and as such is likely much less of a threat than the remote, UConnect-based hacks they demonstrated last year. What is more alarming about their more recent stunts is that this time they’ve gone deeper into the CAN bus, the network of interconnected computers (ECUs) that control pretty much everything in a modern car.
The previous remote hacks were all tempered by the fact that there were functioning ECUs in the car that were acting to make sure nothing really crazy was happening. For example, the parking-assist steering motors were able to be activated remotely via the hack, but the car’s uncompromised ECU’s prevented this from happening over 5 MPH. Same goes for things like keeping the electronic parking brake from being activated at speed, and so on. There was an electronic adult in the room, helping to keep order.
With this new hack, that adult has been drugged and dragged out back, behind a dumpster. Here’s how Wired describes what they did:
By putting that second ECU into “bootrom” mode—the first step in updating the ECU’s firmware that a mechanic might use to fix a bug—they were able to paralyze that innocent ECU and send malicious commands to the target component without interference. “You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”
This means that parking brakes can be activated at speed, or the steering assist motors can be used to yank the wheel or try and prevent the driver from moving the steering wheel. A determined driver could likely overpower the motors fighting against them, but if caught by surprise, that yanked wheel can cause trouble. Here, look, they tried it:
I love that they’re laughing at the end there. They had to get towed out of a ditch.
So, sure, some angry neckbeard trying to kill you with a laptop hiding under the passenger floormat isn’t really a credible threat, but now that this level of intrusion deep into the CAN bus has been proven, Miller and Valasek have shown before that remote hacks can get access to more systems than you’d think. There certainly may be ways to get to these systems without a physical connection.
Chrysler issued a statement about the recent hack to Wired, saying:
“This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle. While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”
The statement also claims that Miller and Valasek’s Jeep “appears to have been altered back to an older level of software,” the company adds. “It is highly unlikely that this exploit could be possible…if the vehicle software were still at the latest level.”
Miller and Valasek suggest that having some small physical switch that must be flipped before low-level access to the ECUs and CAN bus could solve a lot of the threat of remote hacks, and that does seem like a very logical, reasonable, and inexpensive idea. The likelihood of physical access for a hack like this is unlikely, so why not build in a physical component that must be interacted with before remote access is permitted to any of these sensitive systems?
Jeep owners are not going to have their vehicles remotely turned into killing machines en masse, at least not right now. But what Miller and Valasek have shown is that it actually is possible to make these vehicles dangerous, and there’s no reason for manufacturers to not take the issue of internal vehicle network security seriously.