A Jeep Cherokee like the one Charlie Miller and Chris Valasek were able to hack into. Credit:Creative Commons Lic.
Two hackers successfully gained access to a Jeep Cherokee recently and were able to take control of the car's radio and windshield wipers and eventually shut the car down.
Drivers need not panic though, the hackers were security experts who took a year to figure out how break into the car's computer systems. Still, they warn that such an act could occur on hundreds of thousands of cars on the road today.
The car was being driven by Andy Greenberg, a writer for the online magazine Wired, which collaborated with the two security experts to show how they could wirelessly take control of the 2015 model's vital functions from 10 miles away.
The two hackers, Charlie Miller a former NSA hacker and security researcher for Twitter, and Chris Valasek, research director at the security consulting firm IOActive, informed Chrysler of the vulnerability so the auto maker could patch the flaw.
The hackers gained access to the car through a cellular network connection to the Jeep's infotainment system while Greenberg was driving on a highway in St. Louis.
Miller and Valasek found a remote vulnerability in Chevrolet's UConnect telematics system. From there, they were able to gain access to the car's other computer systems through an Internet connection over Sprint's cellular network. (Car makers often collect data on vehicles through cellular networks to inform drivers of the need for maintenance or repairs.)
"We gained access by exploiting a vulnerability that was present on the head unit (i.e. the radio/navigation thingie) that was accessible over the Internet," Miller said. "It did not require any physical access or changes to the vehicle."
While the flaw that led to the hack is found only in the Chrysler UConnect head unit, there are probably similar types of security vulnerabilities in other car maker's telematics systems, Miller said.
While the hack of a running car on a highway is alarming, there are steps that can be taken, and are under way, to make cars more secure:
- Auto makers need to isolate a car's driving functions from infotainment systems;
- Auto makers could upgrade software to detect malicious messages and order critical vehicle systems, such as brakes, to ignore them;
- There's an effort in Congress to require auto makers to install technology that protects drivers against vehicle cyberattacks.
The ideal solution, Miller said, is an intrusion detection system for the car that can detect, report and stop hacking attempts in real time.
On a more positive note, these types of attacks from malicious hackers are unlikely because there is little to gain financially and the hacks take a lot of work.
(With reports by Lucas Mearian at Computerworld.)
Sign up for CIO Asia eNewsletters.