Now even cars aren’t safe from hackers
Hundreds of thousands of vehicles are said to be vulnerable after feature is tried and tested by cybersecurity experts
SAN FRANCISCO // A pair of veteran cybersecurity researchers have shown they can use the internet to control a car’s engine as it drives, sharply escalating the stakes in the debate about the safety of increasingly connected cars and lorries. Former national security agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used a feature in the Fiat Chrysler telematics system Uconnect to break into a car’s electronics while it was being driven by a reporter for Wired.com.
In a controlled test, they turned on the Jeep Cherokee’s radio and activated other non-essential features before rewriting code in the entertainment system to issue commands to the steering, brakes and engine, including disabling the transmission.
“There are hundreds of thousands of cars that are vulnerable on the road right now,” Mr Miller said.
Fiat Chrysler issued a free software fix for the most serious vulnerability involved. The patch is available on the company’s website.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems,” the company said. Mr Miller and Mr Valasek have been probing car safety for years and have been among those warning that remote hacking was inevitable.
An academic team had previously said it hacked a moving vehicle from afar but did not say how or name the manufacturer, putting less pressure on the industry. National Highway Traffic Safety Administration chief Mark Rosekind said his agency was increasingly concerned about the security of vehicle control systems.
“We know these systems will become targets of bad actors,” he told a conference on autonomous and connected vehicle technology in Michigan. If consumers did not believe that connected vehicle systems were safe and secure, he said, they would not engage it. Members of the US congress have also expressed concern. On Tuesday, senators Ed Markey and Richard Blumenthal introduced a bill that would direct the NHTSA to develop standards for isolating critical software and detect hacking as it occurs.
Mr Miller and Mr Valasek said they had been working with Fiat Chrysler since October, giving the company enough time to construct a patch to disable a feature that the men suspected had been turned on by accident. They plan to release a paper at the Def Con hacking conference next month that includes code for remote access, which will no longer work on cars that have been updated.
They said the harder problem for an attacker, moving from the entertainment system to the core onboard network, would take months for other top-tier hackers to emulate.
Many Jeeps could remain unpatched, leaving them open to attack. But the researchers said hackers would need to know the internet protocol address of a car to attack it specifically, and that address changes every time the car starts.
Otherwise, “you have to attack random cars”, Mr Valasek said. The men said that it would be easy to make modest adjustments to their code and attack other types of vehicles.
They said that manufacturers, who are racing to add more internet- connected features, should work much harder on creating safe capability for automatic over-the-air software updates, segregation of onboard entertainment and engineering networks, and intrusion-detection software.
“Anything that connects to the outside world is an attack vector,” Mr Valasek said.
Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems
Fiat Chrysler