Magazine Contributor Experiences Jeep Hacking Firsthand
Cherokee’s Uconnect System Taken Over From Ten Miles Away
A contributor from Wired experienced vehicle hacking firsthand in the name of a story when he willingly got into a Jeep Cherokee that would be hacked by electronic security experts from a location 10 miles away.
Andy Greenberg was driving down a St. Louis highway when Charlie Miller and Chris Valasek turned on the Jeep’s climate control, switched the radio stations and volume settings, and activated the windshield wipers and washers. Miller and Valasek carried out this tomfoolery from a location several miles away, laptops linked to the Cherokee via its Uconnect system’s cellular connection. All that’s required is the vehicle’s cellular IP address and a connection on the same data network (in this case, Sprint).
However, when the security researchers cut the engine altogether, their actions became substantially more real, causing the Jeep to slow down helplessly, holding up traffic. And once Greenberg coasted off the highway and met with the computer experts in a deserted parking lot, they were allegedly able to disable his brakes and leave him to coast slowly into a berm, according to the story. Luckily, Miller and Valasek haven’t figured out how to commandeer steering systems unless the vehicle is in Reverse, which likely gives hackers access to the steering via automatic parking features.
However, the story may not be as straightforward as it’s presented. After reaching out to representatives from Fiat Chrysler Automobiles (FCA), we confirmed that the Jeep Cherokee’s brakes are based on a mechanical setup, with electronics used for the parking brake and brake assist features. However, disabling those features would still leave the mechanical brakes intact, allowing a driver to press the brake pedal and slow the vehicle, albeit with potentially higher pedal effort thanks to the loss of the power brake booster and other brake assistance systems.
Jeep representatives said they were unsure of the methods used to cut the brakes, given the direct mechanical connection between the pedal and the brake components. This makes us worried that the article may be somewhat misleading, claiming that hackers can completely remove braking power from a vehicle, which may not be accurate. FCA has reached out to the hackers in an effort to better understand how the brakes were cut, so far with no response.
However, the brakes notwithstanding, hacking a vehicle represents a huge safety risk, and FCA isn’t ignoring that risk at all. The company’s recent software update comes as a direct response to the security vulnerability Miller and Valasek were able to expose, according to Wired. The company confirmed it has been working with the two hackers for some time now on these kinds of electronic loopholes, and Miller and Valasek haven’t been able to replicate their security shenanigans on a car with updated software, at least so far. To install the update, owners can download it to a USB drive from their computers and then install it in their cars by plugging the drive directly into the Uconnect system. Owners may also take their vehicles to their local dealer for the free-of-charge software update, if desired.
For its part, the automotive industry seems to be reacting appropriately to newfound concerns over vehicle electronic security. Many automakers offer automatic over-the-air software updates, and some have electronic failsafes that actively prevent remote control over the vehicle. And Congress is pushing legislation through that will require a certain amount of privacy and security from every vehicle manufacturer, further helping people maintain control of their connected cars.
Today, FCA released a statement acknowledging Miller and Valasek’s involvement with the company. The statement also underscores the importance of keeping in-vehicle software updated to the most recent version available, but even with the old software, “there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle” [original emphasis].
Source: Fiat Chrysler Automobiles, Wired