Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Hijack Jeep’s Steering, Brakes, Acceleration

Charlie Miller and Chris Valasek, the researchers who last year showed that cars can be remotely hijacked, are back with a new demonstration, and this time they managed to take over a vehicle’s acceleration, brakes and steering.

Charlie Miller and Chris Valasek, the researchers who last year showed that cars can be remotely hijacked, are back with a new demonstration, and this time they managed to take over a vehicle’s acceleration, brakes and steering.

Miller and Valasek started hacking cars in 2013, when they demonstrated on a Ford Escape and a Toyota Prius that an attacker with physical access to a vehicle’s computer systems can kill the brakes and power steering, honk the horn, spoof the GPS, hijack the speedometer, and take control of the steering wheel.

In 2015, the researchers went even further and showed how a hacker could remotely breach cars made by Fiat Chrysler Automobiles (FCA) and perform various actions via their Uconnect in-vehicle connectivity system. The duo demonstrated on a 2014 Jeep Cherokee that they could remotely take over the infotainment system, kill the engine and disable the brakes. Their research led to FCA recalling 1.4 million vehicles in order to update the vulnerable software.

The experts, who currently work for Uber, continued to analyze the 2014 Jeep and found new attack vectors that can be exploited by an attacker who has physical access to the car’s systems. The attack method, which they plan on detailing this week at the Black Hat security conference in Las Vegas, relies on Controller Area Network (CAN) bus message injections.

Miller and Valasek told Wired that they managed to perform various actions by sending specially crafted messages on the CAN, a vehicle bus standard that allows microcontrollers and devices to communicate with each other. The researchers said they bypassed CAN network safeguards and took over some of the vehicle’s functions by attacking electronic control units (ECUs).

An ECU controls one or more electrical subsystems in a vehicle. By putting critical ECUs in “bootrom” mode, the mode used when conducting firmware updates, the researchers managed to knock the legitimate ECU offline and send malicious commands to the targeted component. The method has allowed the experts to turn the steering wheel, including at high speeds, disable power steering, and control the brakes.

Using a different attack method, they also managed to take control of the Jeep’s cruise control and cause the car to accelerate quickly.

Advertisement. Scroll to continue reading.

FCA, which recently launched a bug bounty program, has been informed about the researchers’ findings, but the company is not too concerned due to the fact that the attack requires physical access to the targeted vehicle’s onboard diagnostic (OBD) port. The carmaker pointed out in a statement sent to SecurityWeek that the exploits require “extensive technical knowledge, extended periods of time to write code, and prolonged physical access.”

Fiat Chrysler also noted that the Jeep used by the researchers in their demo did not have the “security enhanced software” installed on it last year as part of the company’s safety recall. However, the hackers told Wired that the updated infotainment software was unlikely to block their attacks.

The company believes it’s not appropriate to disclose information that could help or encourage individuals to gain unauthorized access to a vehicle’s systems. Fiat Chrysler representatives told SecurityWeek that the latest research would qualify for the FCA US bug bounty program.

“However, since the researchers chose to make their findings public instead of proceeding with our facilitated disclosure program through Bugcrowd, their research would no longer be eligible for submission through the FCA US Bug Bounty Program,” the company said.

While the latest attack method requires physical access to the targeted vehicle, Miller and Valasek are concerned that someone might find a way to remotely exploit the vulnerabilities they have identified.

The work of Miller, Valasek and others have made the automotive industry and authorities realize that cybersecurity should be taken seriously. Last month, for instance, the Automotive Information Sharing and Analysis Center (Auto-ISAC) announced the development of vehicle cybersecurity best practices.

Research in this field has also led to the creation of security firms that specialize in protecting cars. For example, Karamba Security is working on solutions designed to harden ECUs and ensure that only authorized code and applications can be executed.

*Updated with clarification from FCA that the research would have qualified for its bug bounty program

Related: FBI Reminds That Cars are Increasingly Vulnerable to Remote Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.