Last week, security researchers Charlie Miller and Chris Valasek did something extraordinary.
They hacked a Jeep, interfering with its entertainment system, engine and brakes, while it was being driven down a busy highway at 70mph.
And they didn’t do it while they were sat in the back seat, they did it from the comfort of a sofa in Miller’s basement 10 miles away.
The Jeep hadn’t been physically meddled with in anyway, the researchers had exploited zero-day vulnerabilities in the car’s vulnerable Uconnect head unit.
Wired journalist Andy Greenberg’s story of the hack – he was driving the Jeep at the time – made headlines around the world.
The researchers were criticised by some for conducting their test on a public highway, but there is no disputing that they raised public awareness of the danger of car hacking dramatically.
Fortunately, the hack is thought to be highly complex, and full details of how the researchers managed to exploit the system have not been made public. Right now, it’s highly unlikely that you will find yourself attacked by malicious hackers as you make your weekly trip down to the supermarket.
Shortly before the Wired story was published a software update was quietly released by Fiat Chrysler, manufacturers of the Jeep. But, unfortunately, that patch requires car owners to both *know* about it, and go to the effort of downloading it onto a USB stick and plugging it into their car.
What are the chances of many affected car owners doing that? Pretty low I would wager.
And yes, you’ve no doubt spotted the irony that security researchers are able to overwrite cars’ software with their own home-grown code via the internet – but Fiat Chrysler requires that the update is applied by someone with physical access to your vehicle.
With the publication of the Wired story, Fiat Chrysler couldn’t ignore the seriousness of the issue for long, and at the end of last week it announced a voluntary safety recall of 1.4 million vehicles to fix the security issue.
The following vehicles, if equipped with an 8.4-inch touch screen, might require the update:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
You can go to the Uconnect software download webpage to determine if your vehicle needs a software update.
Obviously it makes sense to update the software on your car if it is vulnerable, however small the chances that it might be hacked.
But there’s an important message for the rest of us here too.
As more and more technology becomes internet-enabled, whether it be your car, your fridge, your thermostat, your television, your baby monitor… the greater the opportunities for manufacturers to mess up, and do a poor job of security.
Of course, connecting devices to the internet can bring lots of cool features and benefits – but it also opens it much more to potential attack. And, sadly, the manufacturers building the devices are quite likely to be less focused on security issues than, say, operating system manufacturers who have been hardening their software against hackers for decades.
Unfortunately, for those of us worried about the security implications, the rising tide of the internet of things seems impossible to stop. It’s here to stay. In just a few years it will be impossible for us to buy a new car which isn’t internet-connected in some fashion – so we have to cross our fingers that manufacturers will learn how to better secure them quickly.
Meanwhile, according to a tweet by Jeep hacker Charlie Miller, Mercedes is perhaps being a little too cocky about the chances of its cars ever being remotely hacked:
Guess I’ll buy a Mercedes. “There is no way you could hack a Mercedes-Benz from outside the car,” a senior Daimler engineering executive said
Watch this space, it’s likely to have many more tales of internet-enabled devices being exploited by hackers – and next time it might not be security researchers deciding which will way events will turn.