Toronto Star

JEEP JACKING

The remote hacking and stopping of a Jeep on a U.S. highway revealed flaws in wireless networks,

- JORDAN ROBERTSON, SCOTT MORITZ AND OLGA KHARIF

The Jeep Cherokee brought to a halt by hackers last week exposed wireless networks as the weakest link in high-tech vehicles, underscoring the need to find fast over-the-air fixes to block malicious intrusions.

Features that buyers now expect in most modern automobiles, such as driving directions and restaurant guides, count on a constant connection to a telecommunications network. But that link also makes cars vulnerable to security invasions like those that threaten computers in homes and businesses.

“The Jeep case was a great example of how it’s not about the vehicle itself, but the network,” said Thilo Koslowski, an automotive-technology analyst at Gartner Inc. “Once these systems are connected to the outside and start talking to each other, that’s when the problems start.”

The hack forced Fiat Chrysler Automobiles to recall 1.4 million vehicles and ask Sprint Corp. to issue a temporary fix over its network. In that controlled demonstration, two security experts accessed the Jeep’s Uconnect infotainment system via Sprint’s network, hijacking basic functions and stopping the vehicle from miles away. The duo is scheduled to show their feat again at the Black Hat USA 2015 hackers conference, which starts Saturday.

Previous hacking demonstrations took place with a direct cable link into cars’ diagnostics ports, but the over-the-airwaves hack by Charlie Miller and Chris Valasek, conducted for Wired magazine, required no physical access to the Jeep to shut it down. Miller and Valasek informed Chrysler of the flaws they exploited, giving engineers time to make fixes. When they discuss the car hack again at Black Hat next Wednesday in Las Vegas, security professionals will get a look at the duo’s discoveries, while automakers and telecom companies will get a peek into a possibly unpleasant future.

After the initial hack, Sprint pushed out a network-level fix to block this specific attack, although the researchers said they could still access the Jeep in different ways, leaving open the possibility for other attacks. Fiat Chrysler said it’s not aware of any real-world unauthorized remote hacks into any of its automobiles.

General Motors has a team working on cybersecurity and has hired Harris Corp.’s Exelis and other firms to develop anti-hacking systems, according to Mark Reuss, the Detroit automaker’s executive vice president for global product development. GM has also worked with the U.S. military and with Boeing on securing systems, he said.

Sprint’s fix appears to work by blocking access to the specific port used to penetrate the Jeep’s computer systems, which means the attack can now only work over Wi-Fi connections, significantly limiting its usefulness, according to Valasek, director of vehicle security research for IOActive, a Seattle-based computer security consultancy.

“This matter was related to software in certain vehicles equipped with 8.4-inch touch screens and not to Sprint, the carrier providing connectivity to the touch screens,” said a Sprint spokeswoman, Stephanie Vinge Walsh.

“At the automaker’s direction, we provided assistance by developing and implementing a network-level measure to prevent unauthorized remote network access to the software in the touch screens.”

Unlike Internet service providers, which have more limited technical ability to manipulate users’ machines to block security threats, wireless operators have a great deal of control over what happens on devices on their networks. The tools for adding or removing software, blocking ports or banning certain software are baked into the design of mobile networks and the devices that run on them.

As a result, smart cars end up sharing many attributes with mobile phones, which require that hardware and software makers work closely with wireless operators to make sure devices work flawlessly. Google and Apple have “kill switches” embedded in their mobile software that allow the companies to reach in and remove malicious or unauthorized programs from their devices, a little-known and little-used tool.

A kill switch in a car would be more problematic because of the potential for causing accidents or leaving passengers stranded.

Still, auto and telecom companies have to make sure security updates can be pushed out immediatel­y, Gartner’s Koslowski said. “The automotive industry will be very much at risk if it doesn’t implement a mechanism to do that wirelessly going forward,” he said.

At Verizon Communications Inc., the company has had to develop technologies for parsing different types of wireless traffic to help deflect car-hacking attempts, an executive said. Verizon’s automaker clients include Toyota Motor Corp., Hyundai Motor Co. and Volkswagen.

“We’ve been working with our clients on this — everyone in the industry is very sensitized to security,” said Mark Bartolomeo, the vice-president of connected solutions at Verizon. “It is probably the number-one issue to be cared for and it can be the most brand-damaging.”

WHITNEY CURTIS/THE NEW YORK TIMES Fiat Chrysler on Friday issued a sweeping recall of 1.4 million vehicles to fix the software vulnerability.
