In 2011, researchers from the University of Washington and the University of California at San Diego wirelessly disabled the locks and brakes on a sedan. In 2013, former NSA hacker Charlie Miller and director of vehicle security research at IOActive Chris Valasek, used an $80,000 grant from Darpa to demonstrate their wired-in attacks of cars. Frustrated by the lack of response to what they view as a huge security threat, Miller and Valasek began work on remotely and wirelessly hacking vehicles – and now they have succeeded.
After analyzing vehicle manuals and rating cars on their overall connection to the internet, as well as how interconnected the internet system is with critical driving systems, Miller and Valasek determined that the host hackable vehicle was the Jeep Cherokee.
Eric Greenberg, author of the source article on Wired, was used as a test subject, driving a Jeep Cherokee on a St. Louis highway, unsure what to expect from the two hackers sitting miles away. First, they took control over his air conditioner, then his radio and windshield wipers, and finally, Eric sat powerless as his transmission as cut off. Cars piled up behind Eric, who was unable to accelerate and stuck sitting in a vehicle over which he had no control.
The reason that this is now possible is because of the internet-connected computer used in the entertainment and navigation features of Fiat Chryslers called Uconnect. Through the same cellular network used by Uconnect, hackers can gain access to the car, and from there take control of the chip in the car’s head unit, rewriting it to send commands to the physical components of the car, like the engine. In theory, this should work on any Chrysler vehicle from late 2013, 2014, or early 2015: as many as 471,000 vehicles currently on the road. With a little more research, most modern vehicles are at risk.
Miller and Valasek plan to partially reveal their findings to the public, ahead of their talk at the Black Hat conference in Vegas later this month. They have also released their findings to Chrylser, to give them a chance to provide security updates: unfortunately, the updates that have been released require physical upload and it is unlikely that all cars will receive them. By making their findings public, Miller and Valasek hope that the automobile industry will be forced to confront their growing security threat. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says.
Legislature is trying to keep on top of these new dangers, with senators Markey and Blumenthal currently in the midst of revealing new digital privacy and security standards for automobiles. However, with market-driven pressure to add more and more wireless features to cars, the industry will have to work hard to keep up with new security measures. Josh Corman of I Am The Cavalry has said, “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”