Baby, you can hack my car: researchers take over a Jeep from 10 miles away

Two renowned automobile hackers – security researchers Charlie Miller and Chris Valasek – have done it again.

They’ve previously hacked a Toyota Prius and a Ford Escape, and now they’ve hacked a Jeep Cherokee.

Except this time, instead of taking over a vehicle’s systems by plugging directly into a car’s network (called the CAN bus) via a port under the dashboard, the pair have discovered a way to take over a car remotely.

Miller and Valasek, who’ve received funding from the US military’s DARPA research arm, will demonstrate a remote attack against an unaltered Jeep Cherokee at next month’s Black Hat USA 2015 conference.

The duo previewed their Black Hat talk in a just-published Wired article, in which journalist Andy Greenberg recounts how the hackers wirelessly took control of a Jeep he was driving – from a location 10 miles away.

According to Greenberg’s report, Miller and Valasek were able to control the Jeep’s brakes and accelerator, as well as other less-essential components like radio, horn and windshield wipers.

They did so by exploiting the Jeep’s entertainment system, called Uconnect, through a cellular network.

It’s an impressive stunt, but it’s not entirely unprecedented – researchers demonstrated a remote attack against an unnamed vehicle back in 2011.

Miller and Valasek say they have worked with Jeep’s owner – Fiat Chrysler Automobiles – to come up with a patch (customers can download the patch from Fiat Chrysler’s website).

It’s not just Jeep that has a problem – as cars and trucks become more connected with Bluetooth, Wi-Fi, and high-tech communications and entertainment systems, they are increasingly vulnerable to hackers.

Two other security researchers will be presenting their findings at Black Hat next month detailing six vulnerabilities in the Tesla Model S, only one of which has been patched, according to Forbes.

It’s taken a few years, but the auto industry is finally beginning to respond to the threat.

Last week, the Alliance of Automobile Manufacturers announced the formation of an Auto ISAC (information sharing and analysis center) that will officially launch later in 2015.

The ISAC will serve as a central hub for “timely sharing of cyber threat information and potential vulnerabilities,” the alliance said.

At this point, participation in the Auto ISAC is voluntary, but the US Congress is taking an active interest in automobile cybersecurity, in part because of Miller and Valasek’s research, and may force more regulation on the industry.

US Senator Edward Markey issued a report in February 2014 that details the auto industry’s so-far weak response to addressing security vulnerabilities, as well as the privacy implications of the data collected from vehicles by the manufacturers.

According to Wired, Markey plans to introduce legislation as early as today (21 July) seeking to establish security standards for all cars and trucks.

Congress is also keeping an eye on cybersecurity in the airline industry, which has had its own vulnerability to hackers exposed in recent months.

United Airlines has taken steps to improve security of its web properties, introducing a bug bounty program in May, and just recently paying out one million free air miles to a hacker who informed the airline of a remote code execution vulnerability in its network.

Tesla has launched a bug bounty program, too – but like United, it restricts the program to bugs in its websites and apps, not onboard systems.

That might not be good enough.

As Sophos security expert James Lyne is fond of saying, if you can connect to it, you can own it.

Our TVs and watches constantly watch us, and just about anything can be made “smart” by connecting it to the internet – from home appliances and security systems to vending machines.

It’s taken years – decades even – for software companies like Microsoft and Apple to work out efficient ways to patch security holes in their products.

We’re now beginning to see the size of the risk to the Internet of Things (IoT) and industrial control systems (ICS/SCADA) – and it’s not a pretty picture.

Naked Security writer and Sophos expert Paul Ducklin, in writing about the lack of security in a car insurance company’s device for tracking drivers’ location and driving habits, defined the problem thusly:

... it is a wake-up call for the ICS/​SCADA/​IoT world, which seems to be going down exactly the same path as many mobile apps: putting security in second place, and hoping no-one will notice.

Hopefully, the spotlight on the work of researchers like Miller and Valasek will get people in high places to wake up.


Image of cyber attacks road sign courtesy of Shutterstock.com

Leave a Reply