Hackers Carjack Jeep in IoT Nightmare
Two hackers successfully took control of a Jeep Cherokee as it hurtled along a highway at 70 miles per hour, turning an Internet of Things nightmare into reality – albeit under experimental conditions.
As Andy Greenberg describes in today's Wired, he worked in cahoots with security researcher Charlie Miller and Chris Valasek, director of vehicle security research at IOActive – which develops technologies to protect our increasingly connected vehicles. For the past year, the two security experts have specifically targeted Chrysler's newer Jeep Cherokees and were able to bring the vehicle to a full stop on a highway.
First, as Greenberg reported, vents began blasting cold air without any input from the driver. The radio switched to a hip hop station at full volume, wiper fluid smeared the glass, and the blades swayed back and forth, Greenberg wrote. Soon after, Miller and Valasek's faces filled the digital display – and Greenberg lost control of his vehicle's brakes, accelerator, and steering, as shown in the Wired video.
The hackers gained access via Chrysler's Uconnect, an Internet-connected component available on many of the automaker's vehicles. On July 16, Fiat Chrysler Automobiles released a 'technical service bulletin' for a software update designed to improve security and enhance communications.
"Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle," FCA wrote. "Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers."
Although automakers moved fast (Range Rover also updated its software), several senators are demanding that cars sold in the United States meet specific standards of protection against digital attacks and invasions of privacy. Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.
“We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century,” said Senator Markey, in a statement. “There are currently no rules of the road for how to protect driver and passenger data, and most customers don’t even know that their information is being collected and sent to third parties. These new requirements will include a set of minimum standards to protect driver security and privacy in every new vehicle. I look forward to working with my Senate colleagues to advance this important consumer protection legislation.”
The demonstration by Miller and Valasek comes about a year after the security duo revealed their list of the 20 most hackable cars, a list that included the top-ranked 2014 Jeep Cherokee, 2015 Cadillac Escalade, and 2014 Toyota Prius. Likewise, the 2014 Infiniti Q50 is easy to hack since its telematics, radio, and Bluetooth all operate on the same network as the car's braking system and engine, according to Network World.
At next month's Black Hat security conference in Las Vegas, Miller and Valasek plan to reveal more about this exploit.
At the most recent Black Hat event in Singapore, former Tesla intern and current hacker Eric Evenchick showed off an open source toolkit that interacts with the Controller Area Network bus that operates most functions of today's connected cars, Network World wrote. He also made available a $59.95 piece of hardware – CANtact – that allows people to connect the toolkit to the car and released the source code and design files on GitHub.
Following this demonstrated hack, Chrysler recommends that customers with vehicles that have Uconnect from late 2013 through early this year update the software. In addition, 2013-14 Dodge Rams, 2013-14 Dodge Vipers, 2014 and 2015 Jeep Cherokees and Jeep Grand Cherokees, 2014 Dodge Durangos, and 2015 Chrysler 200s are also susceptible to the Uconnect attack.