Two security researchers have demonstrated that in-vehicle connectivity systems can be hacked, allowing remote attackers to take full physical control of a car.
Researchers Charlie Miller and Chris Valasek have conducted experiments on a 2014 Jeep Cherokee. The experts have demonstrated for Wired’s Andy Greenberg that they can hack into the car’s systems remotely and carry out various actions, such as killing the engine, turning on the air conditioning and the windshield wipers, tracking the vehicle via GPS, hijacking the infotainment system, disabling the brakes, and even taking control of the steering.
The researchers carried out some of these actions while Greenberg was driving the car on a highway and, as a video published by Wired shows, there was nothing the reporter could do to block the attack until he stopped the engine.
All this is possible due to a vulnerability in Uconnect, a system that connects Fiat Chrysler Automobiles (FCA) cars to the Internet using Sprint’s cellular network. The system allows car owners to remotely start the engine, lock and unlock the doors, locate the vehicle via GPS, and control mobile app content straight from the touchscreen. Uconnect is available in the United States for Chrysler, Dodge, Ram and Jeep models.
The vulnerability, which Miller and Valasek will detail at the Black Hat conference in August, was reported to Fiat Chrysler in October 2014. The company patched the bug on July 16 with the release of a software update that can be installed by customers via USB or at dealerships. The experts estimate that there are as many as 471,000 cars with vulnerable Uconnect systems.
The researchers have confirmed that the carmaker’s patch is good, but the point of their experiments is to show the risks associated with connecting cars to the Internet.
“Charlie Miller and Chris Valasek took a couple of years to completely compromise the systems of a popular car model. What if the resources of a nation state security service had been directed at the same task? The Chinese have apparently gone to great lengths to hack into US Government servers already. Scarily, this shows that they could also hack into US car networks, with the possibility of assassinating selected targets in an apparently accidental car crash? Personally I'm going to be driving my twelve year old and completely non-connected Toyota until it falls apart,” Andrew Conway, research analyst at Cloudmark, told SecurityWeek.
This is not the first time Miller and Valasek have hacked a car, but it is the first time they have done it remotely. Their previous experiments have led the security research community to call on automobile industry executives to implement security programs to improve car safety and safeguard vehicles from cyberattacks. In 2013, Miller and Valasek’s car hacks prompted an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 automakers asking them about privacy and security protections in their vehicles.
Coincidentally, Senator Markey and Senator Richard Blumenthal today introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.
The new legislation, named the “Security and Privacy in Your Car (SPY Car) Act,” includes provisions on cybersecurity standards that should prevent hacking into vehicle control systems, and privacy standards on the data collected by vehicles.
The senators also want the NHTSA and the FTC to establish a “cyber dashboard” that displays an evaluation of how well each automobile protects the security and privacy of vehicle owners.
“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”