It's finally happened: a vehicle has been remotely hijacked by hackers.
We've seen attempts at vehicle hacking before -- none of which were especially awe-inspiring or frightening -- but this? Well, as Wired reports, this is a little different.
Thankfully, the mischief was carried out by two good guys, Charlie Miller and Chris Valasek -- the same duo that hacked a Toyota Prius two years ago. In the case of the Prius, though, Miller and Valasek had to dismantle large portions of the vehicle and plug directly into its computer, remaining onboard to do their dirty work.
That made the real-world implications of the hacking less daunting: if the missing sections of dashboard didn't tip-off a driver that something was up, she'd probably notice the two guys in the backseat, their grins illuminated by the glow of a laptop. As a result, the Prius incident didn't raise alarms in the auto industry the way that Miller and Valasek had hoped.
And so, they decided to up their game.
They called up the same driver/writer/guinea pig who drove the Prius, Andy Greenberg, and invited him to Miller's hometown of St. Louis. They handed him the keys to a Jeep Cherokee and told him to drive. And before he hit the highway, they provided him with some sage advice, courtesy of Douglas Adams: "Don't panic".
Then, Miller and Valasek sat down in Miller's living room, and using some off-the-shelf hardware and some custom software, they began to scare the crap out of Mr. Greenberg.
The entire article is well worth a read -- especially if you own a vehicle from 2013, 2014, or 2015 that's equipped with Chrysler's Uconnect. Here are some of the high points:
- Miller and Valasek chose the Jeep Cherokee after surveying technical manuals and wiring diagrams for a range of vehicles. They determined that Chrysler's Uconnect infotainment system was the most vulnerable of all such systems, and among vehicles with Uconnect, the Cherokee was the easiest target. (Don't feel bad, Cherokee fans: the Cadillac Escalade and Infiniti Q50 weren't much safer.)
- The duo exploited a vulnerability that allows hackers to rewrite code on a chip linked to the Cherokee's entertainment system, which then allowed them to send information to the vehicle's entire computer network.
- As a result, they were able to do innocuous things to Greenberg, like turning up the radio and futzing with the A/C. More troubling, they also disabled the Cherokee's brakes and the transmission, effectively rendering the accelerator useless. They say that they can also apply the brakes, track a vehicle, and in limited cases, control steering.
- They can carry out these attacks on any car, so long as they know its IP address (i.e. the unique number that identifies a particular computer on a network). Although IP addresses aren't widely publicized, finding them isn't hard, if you know what you're doing.
- At next month's Black Hat security conference in Las Vegas, Miller and Valasek will reveal most of their findings, including a blow-by-blow account of how they did what they did. For the safety of Uconnect users, though, they'll leave out the specifics of rewriting the Cherokee's entertainment chip code.
The good news is that Miller and Valasek have been sharing their info with the folks at Fiat Chrysler Automobiles for some time, and FCA has taken the matter very seriously, issuing software updates to address vulnerabilities. (Though as Greenberg points out, the most recent Uconnect update has to be done via a jump drive or at a dealership, which means that owners may be slow to get it. You can download it and put it on your own USB drive here.*)
The bad news is that Miller and Valasek are planning to publish plenty of juicy details about the Cherokee hack, which could encourage other tinkerers to carry out their own mischief. Not surprisingly FCA is staunchly opposed to the idea.
Coincidentally, this story broke on the same day that auto-watching Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced legislation to set federal standards to protect the privacy of drivers and potentially thwart hackers' attacks. Whether their bill will gain any traction among regulation-wary Republicans in the Senate or House remains to be seen.
ARE YOU AT RISK?
Even if you have Uconnect, Cadillac CUE, Infiniti InTouch, or some other infotainment system in your car, the sort of mayhem that Miller and Valasek have wrought depends largely on individual IP addresses and thus, individual attacks. So, unless you're a well-known public figure or have some well-seasoned hacker friends (or enemies), there's probably no need to worry -- at least not yet.
However, as more and more of our cars become linked to vehicle networks, the risk begins to soar. Banging out some code that can automatically harvest IP addresses and tinker with cars en masse is just a hop, skip, and jump down the road.
What can you do? You could, of course, forego the convenience of these infotainment systems, removing your vehicle from the networks. You could also rely more heavily on your smartphone for music, navigation, and such (either via auxiliary cable or by using Apple's CarPlay or Android Auto). That would put the added barrier of your handheld device between hackers and your car's onboard computer. There are ways around such hurdles, but the process is more complicated.
Perhaps the best thing for Average Joes and Janes to do is to be vigilant about getting software updates from your vehicle's manufacturer. Also, we should all continue pressuring car companies and federal officials to beef up vehicle security.
As autonomous cars and vehicle-to-vehicle technology roll out, the potential for disruption will grow exponentially. Let's be prepared.
* As FCA points out, the current update is targeted to vehicles equipped with 8.4 inch touchscreen radio systems, including:
- 2013-2014 Ram 1500 Pickup
- 2013-2014 Ram 3500 Cab Chassis
- 2013-2014 Ram 2500 Pickup
- 2013-2014 Ram 4500/5500 Cab Chassis
- 2013-2014 Ram 3500 Pickup
- 2014 Grand Cherokee
- 2014 Durango
- 2013-2014 Viper
- 2014 Cherokee
- Some 2015 Chrysler 200s