Jeep Cherokee Hacked, Carjacked In Real-World Test: Are You Next?
Trinity, professional hacker [from The Matrix]
It’s finally happened: a vehicle has been remotely hijacked by hackers.
We’ve seen attempts at vehicle hacking before — none of which were especially awe-inspiring or frightening — but this? Well, as Wired reports, this is a little different.
Thankfully, the mischief was carried out by two good guys, Charlie Miller and Chris Valasek — the same duo that hacked a Toyota Prius two years ago. In the case of the Prius, though, Miller and Valasek had to dismantle large portions of the vehicle and plug directly into its computer, remaining onboard to do their dirty work.
That made the real-world implications of the hacking less daunting: if the missing sections of dashboard didn’t tip-off a driver that something was up, she’d probably notice the two guys in the backseat, their grins illuminated by the glow of a laptop. As a result, the Prius incident didn’t raise alarms in the auto industry the way that Miller and Valasek had hoped.
And so, they decided to up their game.
They called up the same driver/writer/guinea pig who drove the Prius, Andy Greenberg, and invited him to Miller’s hometown of St. Louis. They handed him the keys to a Jeep Cherokee and told him to drive. And before he hit the highway, they provided him with some sage advice, courtesy of Douglas Adams: “Don’t panic”.
Then, Miller and Valasek sat down in Miller’s living room, and using some off-the-shelf hardware and some custom software, they began to scare the crap out of Mr. Greenberg.
The entire article is well worth a read — especially if you own a vehicle from 2013, 2014, or 2015 that’s equipped with Chrysler’s Uconnect. Here are some of the high points:
- Miller and Valasek chose the Jeep Cherokee after surveying technical manuals and wiring diagrams for a range of vehicles. They determined that Chrysler’s Uconnect infotainment system was the most vulnerable of all such systems, and among vehicles with Uconnect, the Cherokee was the easiest target. (Don’t feel bad, Cherokee fans: the Cadillac Escalade and Infiniti Q50 weren’t much safer.)
- The duo exploited a vulnerability that allows hackers to rewrite code on a chip linked to the Cherokee’s entertainment system, which then allowed them to send information to the vehicle’s entire computer network.
- As a result, they were able to do innocuous things to Greenberg, like turning up the radio and futzing with the A/C. More troubling, they also disabled the Cherokee’s brakes and the transmission, effectively rendering the accelerator useless. They say that they can also apply the brakes, track a vehicle, and in limited cases, control steering.
- They can carry out these attacks on any car, so long as they know its IP address (i.e. the unique number that identifies a particular computer on a network). Although IP addresses aren’t widely publicized, finding them isn’t hard, if you know what you’re doing.
- At next month’s Black Hat security conference in Las Vegas, Miller and Valasek will reveal most of their findings, including a blow-by-blow account of how they did what they did. For the safety of Uconnect users, though, they’ll leave out the specifics of rewriting the Cherokee’s entertainment chip code.
The good news is that Miller and Valasek have been sharing their info with the folks at Fiat Chrysler Automobiles for some time, and FCA has taken the matter very seriously, issuing software updates to address vulnerabilities. (Though as Greenberg points out, the most recent Uconnect update has to be done via a jump drive or at a dealership, which means that owners may be slow to get it. You can download it and put it on your own USB drive here.*)