Imagine your car accelerator fails amid interstate traffic, with no shoulder to pull over. Cars are forced to slow behind you, lining up to pass and honk as they go by.
This was the scene during an experiment conducted by security researchers who have found an exploit in Chrysler's Uconnect system.
Researchers Charlie Miller and Chris Valasek are able to access a Chrysler vehicle by searching for devices on Sprint's cellular network, which Uconnect uses to connect to the Internet for entertainment and GPS features. Once a hacker locates the device's IP address, she can gain access from anywhere in the US. "From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code," Andy Greenberg wrote. "That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels."
The pair demonstrated the Uconnect vulnerability for Greenberg, using it to "remotely toy" with his vehicle as he drove on the outskirts of St. Louis. "Immediately my accelerator stopped working," Greenberg wrote. "As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun."
Miller and Valasek spared Greenberg, but they plan to take their findings – with crucial details withheld – to the Black Hat security conference in Las Vegas in August. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller said. “This might be the kind of software bug most likely to kill someone.”
Inspired by Miller and Valasek's 2013 work, US Senators Ed Markey and Richard Blumenthal introduced a bill on Tuesday that would establish digital security standards for vehicles. The bill would require the Federal Trade Commission and the National Highway Traffic Safety Administration to set standards ensuring that a vehicle's wireless access points remain protected and that vehicles can detect and halt a hacking attempt in a secure fashion.
The researchers had shared their findings with Chrysler over the preceding nine months, allowing the company to release a manually installed patch for the security vulnerability. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicle systems to identify vulnerabilities and develop solutions,” a Chrysler spokesperson said in a statement. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”
Chrysler said it "appreciates" the researchers' work, but added that it does not "condone" their release of any information indicating how one can hack into a Chrysler vehicle equipped with Uconnect from late 2013, 2014, and early 2015. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” Chrysler said.
“We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.” Based on their earlier research on 24 cars, SUVs, and trucks, Miller and Valasek believe the Jeep Cherokee is the easiest car to hack, followed by the Cadillac Escalade and the Infiniti Q50.