Automaker Releases Software Update After Hackers Remotely Hijack Car

Two security researchers have demonstrated that in-vehicle connectivity systems can be hacked, allowing remote attackers to take full physical control of a car.

Researchers Charlie Miller and Chris Valasek have conducted experiments on a 2014 Jeep Cherokee. The experts have demonstrated for Wired’s Andy Greenberg that they can hack into the car’s systems remotely and carry out various actions, such as killing the engine, turning on the air conditioning and the windshield wipers, tracking the vehicle via GPS, hijacking the infotainment system, disabling the brakes, and even taking control of the steering.

The researchers carried out some of these actions while Greenberg was driving the car on a highway and, as a video published by Wired shows, there was nothing the reporter could do to block the attack until he stopped the engine.

All this is possible due to a vulnerability in Uconnect, a system that connects Fiat Chrysler Automobiles (FCA) cars to the Internet using Sprint’s cellular network. The system allows car owners to remotely start the engine, lock and unlock the doors, locate the vehicle via GPS, and control mobile app content straight from the touchscreen. Uconnect is available in the United States for Chrysler, Dodge, Ram and Jeep models.

The vulnerability, which Miller and Valasek will detail at the Black Hat conference in August, was reported to Fiat Chrysler in October 2014. The company patched the bug on July 16 with the release of a software update that can be installed by customers via USB or at dealerships. The experts estimate that there are as many as 471,000 cars with vulnerable Uconnect systems.

The researchers have confirmed that the carmaker’s patch is good, but the point of their experiments is to show the risks associated with connecting cars to the Internet.

“Charlie Miller and Chris Valasek took a couple of years to completely compromise the systems of a popular car model. What if the resources of a nation state security service had been directed at the same task? The Chinese have apparently gone to great lengths to hack into US Government servers already. Scarily, this shows that they could also hack into US car networks, with the possibility of assassinating selected targets in an apparently accidental car crash? Personally I’m going to be driving my twelve year old and completely non-connected Toyota until it falls apart,” Andrew Conway, research analyst at Cloudmark, told SecurityWeek.

This is not the first time Miller and Valasek have hacked a car, but it is the first time they have done so remotely. Their previous experiments have led the security research community to call on automobile industry executives to implement security programs to improve car safety and safeguard vehicles from cyberattacks. In 2013, Miller and Valasek’s car hacks prompted an inquiry from U.S. Senator Ed Markey, who sent a letter to 20 automakers asking them about privacy and security protections in their vehicles.

Coincidentally, Senator Markey and Senator Richard Blumenthal today introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.

The new legislation, named the “Security and Privacy in Your Car (SPY Car) Act,” includes provisions on cybersecurity standards that should prevent hacking into vehicle control systems, and privacy standards on the data collected by vehicles.

The senators also want the NHTSA and the FTC to establish a “cyber dashboard” that displays an evaluation of how well each automobile protects the security and privacy of vehicle owners.

“Drivers shouldn’t have to choose between being connected and being protected,” said Senator Markey. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
