A hacker duo has pretty much made the case for going old school and steering clear of "smart" and "connected" vehicles by remotely attacking one. Charlie Miller and Chris Valasek revealed 20 of the "most hackable" vehicles last year, but this year at Black Hat they will blow people's minds when they present "Remote Exploitation of an Unaltered Passenger Vehicle."
It's not the first remote hack; when DARPA's Dan Kaufman remotely hacked a car for 60 Minutes, he triggered the windshield wipers, blasted the car's horn and then disabled the brakes. That and a report (pdf) claiming that nearly all new cars can be hacked led to a lawsuit against GM, Ford and Toyota for "dangerous defects in their hackable cars."
But car hacking seems even more real after Wired's Andy Greenberg served as Miller and Valasek's guinea pig, driving a Jeep while the hackers remotely manipulated it, fiddling with the windshield wipers, radio, air conditioning and more. They came up with a zero-day exploit that "can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker's nightmare: software that lets hackers send commands through the Jeep's entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country."
Greenberg described what followed:
Miller and Valasek's full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep's brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they're working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep's GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
The remote attack is possible because of a vulnerability in Uconnect, the infotainment system that, in FCA's words, "brings your world into your vehicle using WiFi+ access, personalized app, local search guides and more." In effect, it adds the vehicle to the Internet of Things. Entertainment, phone, navigation, voice commands and controls are all listed under the "about Uconnect" section.
At Black Hat, the duo will not reveal how to rewrite the chip firmware, but they plan to publish code that enables "dashboard hijinks" and "GPS tracking." Miller and Valasek have been sharing their findings with automakers, which is why Fiat Chrysler Automobiles (FCA) recently released a security update. The bummer is that the Uconnect fix is not pushed over the air; it needs to be "manually implemented via USB or by a dealership mechanic."
FCA's release in part reads:
Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today's software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.
A service bulletin (pdf) issued on July 16 deals with "radio enhancements" and applies to various Ram, Grand Cherokee, Durango, Viper and Cherokee vehicles equipped with Uconnect 8.4A AM/FM/BT/ACCESS and Uconnect 8.4AN AM/FM/BT/ACCESS/NAV. The following vehicle models are named in the bulletin:
A long list of potential symptoms and conditions a driver might experience kicks off with "Improved Radio security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems (U.S. Market Only)."
Charlie Miller tweeted:
Go here and enter your VIN number to determine if you can obtain the FCA Uconnect software update.
Plenty of people won't even keep their PCs patched and secured, but in a nutshell: when a car hacker advises you to patch your car, ignoring that advice would be extremely unwise. If someone malicious were to target you and your vehicle, the best-case scenario might be a bricked car; the worst case might be a wreck that kills someone. Miller and Valasek's revelations go hand in hand with a new Senate bill "that's designed to require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy."
"If consumers don't realize this is an issue, they should, and they should start complaining to carmakers," Miller told Wired. "This might be the kind of software bug most likely to kill someone." By his calculations, there are "as many as 471,000 vehicles with vulnerable Uconnect systems on the road."