Car hacking has been around a while, but new research reveals wireless control of a vehicle is entirely possible – and it’s been done already.
Computer hackers Charlie Miller and Chris Valasek were given the chance to show just how much control of a Jeep Cherokee they could gain from a couch while Wired journalist Andy Greenberg drove the vehicle on public roads.
To start with, the hackers toyed with the music volume and track selection, blasted out cold air from the air conditioning system and turned on the wipers – all relatively harmless. But then the report says the accelerator was disabled, causing the Cherokee to grind to a halt on the freeway.
Not only that, the researchers said they could hijack the steering when the vehicle is in reverse, cut the brakes or apply them sharply and track the vehicle’s location, trace its route and measure the speed of travel.
The exploit, known as a Zero Day in security speak (basically the ‘oh s$%$’ of hacks, the name of which is derived from the zero days of time between a security vulnerability being discovered and taken advantage of), was performed using a fairly modest equipment list and a not so modest amount of time, knowledge and effort.
It involves using the UConnect infotainment system present in Jeep and Fiat vehicles, a computer system that essentially provides smartphone functionality and connectivity. By hacking the car’s internal computer network (known as a CAN bus), the hackers were able to rewrite code and therefore gain access to various electronically-controlled systems and control them.
The most worrying fact is that once a car’s IP address is known it can be accessed from absolutely anywhere. Hackers need not even be nearby – potentially not even in the same country.
The pair actually hacked a car in 2013, but manufacturers seemingly dismissed their findings because of the need to connect a laptop directly to the car, on the grounds that if you can access the inside of a vehicle you could just cut the brakes or sabotage the vehicle in some other way.
“When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works,” Miller said at the time.
Security consulting firm NCC Group has also been working on hacking cars and its findings are just as worrying. It was able to seize control of a vehicle’s brakes and other critical systems using digital audio broadcasting (DAB) radio signals.
NCC research director Andy Davis told the BBC: “As this is a broadcast medium, if you had a vulnerability within a certain infotainment system in a certain manufacturer’s vehicle, by sending one stream of data, you could attack many cars simultaneously.”
“[An attacker] would probably choose a common radio station to broadcast over the top of to make sure they reached the maximum number of target vehicles,” he added.
No wonder, then, the US government is already pushing through an automotive security bill that will set a digital standard for cars and trucks in a bid to ensure there is a base level of security manufacturers will have to adhere to.
Fiat Chrysler Automobiles, which has been privy to the security problem for nine months, has already released a patch to remove the exploit from the Cherokee. Unfortunately, the patch requires a download and a USB stick, so there’s no over-the-air option, which means a portion of the vehicles on the road will likely go on being exploitable.
The car manufacturer has since issued a recall of 1.4 million vehicles.
There is, of course, the question of why a hacker would choose a random citizen, but there’s nothing to stop a more targeted approach for any car that connects to the internet – whether that’s by criminals, the government or police.
A number of commenters on the Wired article labelled the stunt dangerous, which technically it was. But without a bit of shock it is unlikely car manufacturers would do much to prevent hacking from being possible in the first place.
The trend towards connected and more electrically-dependent cars has already had tragic consequences. Journalist Michael Hastings was killed after his Mercedes C230 randomly sped up and crashed.
Hastings had ruffled a number of feathers during his career, leading to theories his car was hacked and made to crash to silence him permanently. Although his death was ruled as nothing suspect by authorities, it is pretty clear the connected car brings with it a whole host of new problems.
The question, then, is whether the pros of a connected car outweigh the potential cons. We’re not so sure.