Jeep Cherokee On-Board System Hacked, More Than 470,000 Vehicles at Risk

We have heard about hacking websites, computers, planes, and other devices, but hacking a moving car? Well, it happened and it happened live.

Hackers have tried and tested an exploit which was found in the onboard system of a Jeep Cherokee. They managed to remotely take over the control and crash the vehicle into a ditch while sitting on their sofa about 10 miles away.

To gain complete access over the Jeep, all they really need is a laptop and a cellular phone, and then the results can be devastating.


Folks behind this hack

This security breach was revealed by a couple of security researchers, namely Charlie Miller and Chris Valasek. The breach was discovered right after the recent incident of a passenger jet in which the hacker took control of the jet. These kinds of incidents show that how exposed we are to modern technology.

Charlie Miller, left, a security researcher at Twitter, and Chris Valasek, director of Vehicle Security Research at IOActive, have exposed the security vulnerabilities in automobiles by hacking into cars remotely, controlling the cars' various controls from the radio volume to the brakes. Photographed on Wednesday, July 1, 2015 in Ladue, Mo. (Photo © Whitney Curtis for
Charlie Miller, left, a security researcher at Twitter, and Chris Valasek, director of Vehicle Security Research at IOActive, has exposed the security vulnerabilities in automobiles by hacking into cars remotely, controlling the cars’ various controls from the radio volume to the brakes. Photographed on Wednesday, July 1, 2015, in Ladue, Mo. (Photo Source: Whitney Curtis for WIRED)

The security researchers, right after the discovery of this vulnerability in the vehicle’s onboard infotainment system, have already warned that more than 470,000 vehicles that are manufactured by Fiat Chrysler could be at a risk of being attacked in a similar manner.

Demonstration of hack

Miller and Valasek selected Andy Greenberg, who is a Senior Security Writer at Wired, to demonstrate how the hacking is going to be carried out.

Hackers gave Greenberg a compromised vehicle and instructed him to take the vehicle onto the St. Louis highway. He wasn’t aware of the hackers’ plans – but for security reasons, he was told to remain calm regardless of what happens.

Just visualize, how you are going to feel if your vehicle’s accelerator fails right in the middle of the highway, that too without any space to pull over. The approaching traffic will be enforced to slow behind you and blocking the traffic, which might cause some serious traffic accidents too.

The scene was almost identical to the one we have described above. And believe it or not, this whole demonstration was not carried out on some closed roads but on the actual highway.

Greenburg wrote about his experience in his article:

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

“Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”

Source: Andy Greenberg Wired
Source: Andy Greenberg Wired

The vulnerability

According to the security researchers, the vulnerability is found in every other vehicle. Because this is the 21st century and every vehicle manufacturer is trying their best to transform a simple vehicle into a smart vehicle by providing it an access to the Internet.

The feature is added to the vehicle using a console known as Uconnect. It is basically an Internet-connected computer which is being installed on thousands of newly manufactured vehicles, SUVs and even of trucks.

This device controls the entertainment as well as the navigation system of the vehicle, even allows the user to initiate phone calls. Apart from that, it even offers a Wi-Fi hotspot.

The security researchers have decided not to disclose a vulnerability found in the Uconnect system until their Black Hat Security Conference talk which is scheduled for August.

So what actually happens is the security researchers make use of Sprint’s cellular network to search for devices after which they were able to gain access to the Jeep’s console. Actually, the console remains connected to the Sprint’s Internet to provide improved GPS guidance and vehicle’s entertainment system uses.

All the hacker actually require is the IP address of the device located inside the vehicle. Once he is able to find that out, he can gain access to the vehicle’s control system from anywhere in the country. Miller says, “From an attacker’s perspective, it’s a super nice vulnerability.”

According to the Greenberg:

“From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels.”

The researchers also said that they are still working on the more advanced firmware using which they would be able to steer the targeted vehicle. This vulnerability also allowed the researchers to make it work as a surveillance system. Once enabled, they will be able to measure the speed of the targeted vehicle as well as the GPS coordinates.

US Senators’ Reaction

US Senators are lucky enough because the hackers behind this were actually the security researchers. A couple of US Senators, Edward Markey, and Richard Blumenthal, are concerned about the safety of vehicles as well as the drivers so they want increased security and protection for the vehicle’s onboard vehicle. They said that vulnerabilities like these can put the drivers in a life-threatening condition.

Senator Markey said in the statement:

“Drivers shouldn’t have to choose between being connected and being protected We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”

Both Senators passed a law known as “SPY Car Act” which will allow the Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) to ensure the safety and security of the data of vehicle as well as the driver behind the wheel.

The digital copy of the Spy Car Act is available here (PDF version).

Watch the video how the hackers did it:

Related Posts