In this day and age of the smartphones, the Internet of Things, and tying more and more products into the Internet in an attempt to make them smarter and automate even more processes for us comes with a risk. Not a week goes by without an online service or website being hacked, but what about the physical products that reside in your house? If you own a Keurig, you may have heard of the security measures added to the Keurig 2.0 to ensure usage of official Keurig K-Cups only… but that was quickly hacked.
Imagine driving down the highway at 70mph or 110kph and all of a sudden your air conditioning starts blasting on full, the volume on your radio gets cranked to maximum while your wipers start up on high speed, and then… your vehicle starts to lose power and slows to a grinding halt in the middle of traffic. We’ve all seen movies where hackers are able to do all sorts of crazy things, and while this sounds like something out of the latest Mission Impossible movie or episode of 24, the events described here happened to Andy Greenberg, a writer over at WIRED.
Working with Charlie Miller and Chris Valasek, a pair of hackers who have been focusing on taking advantage of zero-day exploits in vehicle software, Greenberg experienced all the events mentioned while driving down I-40 near St. Louis. For the past year, Miller and Valasek have been working specifically at targeting Chrysler’s newer Jeep Cherokee’s and were able to remotely bring Greenberg’s Cherokee to a halt on the interstate. As Greenberg states, even though he expected it, it was still a harrowing experience:
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
This isn’t the first time that the pair have demonstrated their car hacking abilities to Greenberg. Back in 2013 they successfully demonstrated similar hacks on a Ford Escape and a Toyota Prius. In those cases however, the hackers PC had been connected to the onboard diagnostic port that technicians use to access the vehicle’s electronically controlled systems. Fast forward two years and the exploit can be handled remotely and wirelessly.
Aside from being able to control the vehicle, Miller and Valasek can also track the Jeep Cherokee’s GPS, measure its speed, and mark its route on a map. No more need for a clandestine placing of a GPS receiver on a vehicle that is popular in many spy movies, the day has come when hackers – and no doubt surveillance teams – can hack into and track a vehicle using its native GPS system.
These hacks are made possible due to the increasing push to make vehicles smart with both onboard entertainment systems and smartphone connectivity options. In Chrysler’s case, the Uconnect system in late 2013 models, all 2014 models, and early 2015 models can be accessed through the system’s cellular connection once the vehicle’s IP address is discovered. After the connection is established, an updated firmware can be sent to the unit from just about anywhere and allow a malicious user to take control over the vehicle. While Miller and Valasek have only tested it fully on a Jeep Cherokee, they feel that their code can be easily modified to work on other Chrysler, Dodge, RAM, and Jeep vehicles with Uconnect systems.
While the hack hasn’t been tested on other vehicle makes and models, other manufacturers aren’t sitting idly by as Range Rover recently fixed a security flaw that allowed for remote unlocking of a vehicle’s doors, and researchers at the University of California in San Diego have demonstrated similar hacks in the past.
The pair have been sharing their findings with Chrysler, and the company has just released an update which is supposed to fix the exploit and are recommending vehicle owners to contact their dealers to get the update to their Uconnect systems.
Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.
Check out the video below to see exactly what Greenberg experienced and hear Miller and Valasek speak about the exploit.
What do you think about these recent demonstrations of vehicle hacks? Is the risk of being hacked worth the convenience of Bluetooth and other smartphone connectivity in your new vehicle? Let us know in the comments below, or on Google+, Twitter, or Facebook.