Two renowned automobile hackers – security researchers Charlie Miller and Chris Valasek – have done it again.
They’ve previously hacked a Toyota Prius and a Ford Escape, and now they’ve hacked a Jeep Cherokee.
Except this time, instead of taking over a vehicle’s systems by plugging directly into a car’s network (called the CAN bus) via a port under the dashboard, the pair have discovered a way to take over a car remotely.
Miller and Valasek, who’ve received funding from the US military’s DARPA research arm, will demonstrate a remote attack against an unaltered Jeep Cherokee at next month’s Black Hat USA 2015 conference.
The duo previewed their Black Hat talk in a 21 July Wired article, in which journalist Andy Greenberg recounts how the hackers wirelessly took control of a Jeep he was driving – from a location 10 miles away.
According to Greenberg’s report, Miller and Valasek were able to control the Jeep’s brakes and accelerator, as well as other less-essential components like radio, horn and windshield wipers.
They did so by exploiting the Jeep’s entertainment system, called Uconnect, through a cellular network.
It’s an impressive stunt, but it’s not entirely unprecedented – researchers demonstrated a remote attack against an unnamed vehicle back in 2011.
Miller and Valasek say they have worked with Jeep’s owner – Fiat Chrysler Automobiles – to come up with a patch (customers can download the patch from Fiat Chrysler’s website).
It’s not just Jeep that has a problem: 10 models of Fiat Chrysler vehicles equipped with the 8.4 inch touchscreen Uconnect system are vulnerable, the automaker confirmed on Wednesday, 22 July.
Other car manufacturers have been put on notice as well.
Two other security researchers will be presenting their findings at Black Hat next month detailing six vulnerabilities in the Tesla Model S, only one of which has been patched, according to Forbes.
It’s taken a few years, but the auto industry is finally beginning to respond to the threat.
Last week, the Alliance of Automobile Manufacturers announced the formation of an Auto ISAC (information sharing and analysis center) that will officially launch later in 2015.
The ISAC will serve as a central hub for “timely sharing of cyber threat information and potential vulnerabilities,” the alliance said.
At this point, participation in the Auto ISAC is voluntary, but the US Congress is taking an active interest in automobile cybersecurity, in part because of Miller and Valasek’s research, and may force more regulation on the industry.
US Senator Edward Markey issued a report in February 2014 that criticizes the auto industry’s so-far weak response to addressing security vulnerabilities, as well as the lack of privacy protections for the data collected from vehicles by the manufacturers.
Markey introduced legislation on Tuesday (21 July) seeking to establish mandatory security standards for all cars and trucks.
Congress is also keeping an eye on cybersecurity in the airline industry, which has had its own vulnerability to hackers exposed in recent months.
United Airlines has taken steps to improve security of its web properties, introducing a bug bounty program in May, and just recently paying out one million free air miles to a hacker who informed the airline of a remote code execution vulnerability in its network.
Tesla has launched a bug bounty program, too – but like United, it restricts the program to paying researchers who find bugs in its websites and apps, not onboard systems.
That might not be good enough.
As Sophos security expert James Lyne is fond of saying, if you can connect to it, you can own it – and just about anything can be made “smart” by connecting it to the internet, from home appliances and security systems to vending machines.
We’re now beginning to see the size of the risk to the Internet of Things (IoT) and industrial control systems (ICS/SCADA) – and it’s not a pretty picture.
Naked Security writer and Sophos expert Paul Ducklin, in writing about the lack of security in a car insurance company’s device for tracking drivers’ location and driving habits, defined the problem thusly:
... it is a wake-up call for the ICS/SCADA/IoT world, which seems to be going down exactly the same path as many mobile apps: putting security in second place, and hoping no-one will notice.
It’s taken years – decades even – for software companies like Microsoft and Apple to work out efficient ways to patch security holes in their products.
Manufacturers of other connected things – including cars and airplanes – need to work out how to keep them secure against hackers as well.
Hopefully, the spotlight on the work of researchers like Miller and Valasek will get people in high places to wake up.
[UPDATE: Wednesday, 22 July, 15:26 EDT]
Fiat Chrysler now says that 10 vehicles from its 2013, 2014 and 2015 model years are vulnerable to hacking, including five 2013-2014 Ram truck models, the 2014 Jeep Cherokee and Grand Cherokee, the 2014 Dodge Durango and 2014 Dodge Viper, and some 2015 Chrysler 200s.
The automaker said it has fixed the hacking vulnerabilities in its 2015 models, and is working with suppliers to implement additional protocols to block remote access.
Owners of affected vehicles can download a software update that eliminates the vulnerabilities discovered by Miller and Valasek.
To find out if you have a vulnerable vehicle, enter your 17-digit vehicle identification number (VIN) at the Uconnect software update site.
If your vehicle needs the security update, you can download the update to a USB stick and install it yourself; or you can get the update installed for free at a Chrysler Fiat dealership.
Image of cyber attacks road sign courtesy of Shutterstock.com
MrGutts
I am shocked still that FCA even bothered to work with them or even responded at all to them. Maybe the FIAT buy out was a positive thing.
Phil Roberts
I didn’t want the high end Uconnect because of the expensive subscriptions and I like my phone for navigation better than their apps. Now this is another great reason to save < $1000 on your radio.
John
Why would the entertainment system and vehicle control systems ever be connected in a way that compromising one would allow access to the other? Vehicle control should be an island; completely inaccessible remotely.
TonyG
I wondered what the security of the eCall system is like? After all, it is supposed to be compulsory shortly for all new cars in the EU. So I looked it up. The compulsory part is actually dormant until called into use in the case of an accident, so it is fairly secure, but it would appear that some car makers will offer value added services that might use some of the same infrastructure, and could potentially be more vulnerable.
So it looks like the more you pay for your car, the more systems you get, and the more potential security issues you have.
DaveK
I’m expecting the next article in this saga to be “Clever hackers take down Uconnect firmware distribution site” or “Phishing schemes direct consumers to fake Uconnect firmware update” just about a week after BH USA 2015.