As more and more cars become mobile, internet-connected appliances, they become more likely targets for remote hacking. Chrysler is hopefully realizing the seriousness of this, as a new Jeep Cherokee has been remotely hacked and pretty severely compromised, according to a story in Wired. But don’t panic just yet.
Wired arranged for car-hacking superteam Charlie Miller and Chris Valasek to gain access to a brand new Jeep Cherokee via a zero-day exploit (as in, a vulnerability the manufacturer has spent zero days fixing) in the software of the car’s Uconnect cellular-based internet infotainment and connectivity system.
The hack uses the Uconnect system as a gateway into the car, and then gains access to the Jeep’s infotainment system headunit. Once there, the firmware of the headunit is re-written, which allows access to the entire CAN bus of the car — essentially, the car’s nervous system — and that access is what allows for the really scary stuff, like control of the wipers, brakes, throttle and even some limited control (in reverse only, for now) of the steering.
This, of course, is absolutely a big deal. Unlike the team’s previous, widely-publicized hack that involved the removal of most of the dash of a Prius, this time the car has been compromised via commands sent over the cellular network to the car.
While it’s possible to remotely hack the hundreds of thousands of Uconnect-equipped cars, it’s pretty improbable. Miller and Valasek had access to the Uconnect system’s IP address to gain access to the car. As they say in the article:
Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.
Super nice vulnerability, sure, but it’s not exactly an easy one to just find. Having that IP address is a pretty big initial helping hand, and it’s not the sort of thing that’s decal’d onto the side of every new Jeep Cherokee, right under the ‘Trail Rated’ badge. Some chronic masturbator in a basement with a vendetta against you isn’t likely to just be able to rapidly type onto his keyboard and cut off your brakes.
Still, even the protection of each car’s unique IP address is, at best, security through obscurity, and a determined attacker could eventually find it out, given either direct access or some massive effort and computing resources. Actually, a simple phishing attack could do it, hypothetically, if you can get a driver to click on a spoofed link on their car’s screen, somehow, perhaps via an installed web browser. It’s still a pretty huge hole that Chrysler needs to fix, and, thankfully, they already have.
Miller and Valasek aren’t supercriminals, so they’ve shared their findings with Chrysler before they published anything, giving Chrysler the chance to produce a patch to close this hole, which, if you have such a Uconnect-enabled system, you can download and install here via USB. It would be better if Chrysler would make this available via cellular download to all the cars, because I’m sure many people won’t go to a dealer to do this or feel comfortable installing it themselves.
The big take-away from all this is that as more and more cars become connected to the internet, they inherently open themselves up to hacking and unwanted access. If you want to play in the giant connected playground of the internet, that’s the risk, and car makers need to protect their vehicles accordingly, like computer and OS makers have been doing for years. It’s a constant struggle that requires constant vigilance.
You don’t need to panic yet. It’s still a lot of effort to do this and it relies on key data that’s not easy to get. Not every misguided teen is going to try and impress a girl by running a Jeep into a wall. But it’s real, and these tests and stunts should at least cause one group to moisten their trousers: the car companies. It’s time for real security on internet-connected cars.
Contact the author at firstname.lastname@example.org.