Andy Greenberg, a security writer at Wired, recently provided details about his experience of driving a hacked Jeep Cherokee down I-64 and Route 40 near St. Louis.
Hackers Charlie Miller and Chris Valasek had previously completed experiments with the Cherokee’s on-board entertainment system, which carries a feature called Uconnect that provides for remote access through a smartphone. From anywhere with an Internet connection, users can control entertainment and navigation features; if you’re a hacker, you can also use that feature to get access to the transmission, engine, and braking systems through reverse-engineered firmware.
This leads us back to Greenberg’s situation: he was traveling along I-64 when Miller and Valasek activated the Cherokee’s radio and air conditioning from their remote location about 10 miles away. They then escalated the situation by making the SUV’s transmission inaccessible. Greenberg had no power and soon came to a halt on an I-64 on-ramp. Traffic backed up behind him as he came to a stop on a part of the road with no shoulder. Later, they disabled his brakes on a stretch of Route 40, which resulted in the driver’s loss of control of the car.
Miller and Valasek’s interference with the Jeep is not the first of its kind. They had previously attacked Greenberg in a more controlled situation — a South Bend, Indiana parking lot — while he drove a Ford Escape and a Toyota Prius. Those two experiments did not work through Internet-based access; the hackers sat in the back seats of the vehicles as they drove.
As auto manufacturers basically turn their cars into smartphones, they allow both users and hackers to interact with those vehicles from any location. This leads to the frightening possibility that malicious individuals could cause havoc to unsuspecting motorists. In fact, the hackers here assert, anyone in a car with the Uconnect system could be vulnerable.
Chrysler has issued a fix for its Jeep Cherokee with the hackers’ help, as they have been working with the auto manufacturer for several months. Drivers can now download a copy of the patch or visit their local dealerships to have it installed. Miller and Valasek intend to reveal many details of their work at the upcoming Black Hat conference in Las Vegas, but they will not reveal how they reverse-engineered the firmware because that would leave motorists open to attack and would otherwise require months of work for any other hackers to achieve.
Although those months of work could deter potential assailants, the point stands that motorists should be aware of their vehicles’ capabilities. Vehicles are now, more than ever, more than just a mode of transportation. They are media centers with powerful computers that address all systems, with the drivetrain as the most influential and potentially hazardous.
Following this episode, Jeep owners should take note and patch their vehicles. Many manufacturers are also remaining vigilant and are reportedly working to bolster their systems to keep hackers out, yet there is no such thing as perfect security, so the reality may be that we are always partially vulnerable.