The media has been reporting the demonstration done by two security researchers and a Wired magazine reporter where they completely controlled a Jeep, including the brakes and accelerator. To quote Wired:
I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.
There have been a number of reports of hacking of cars through their online cellular connection, called telematics in the trade.
In this case, Chrysler’s UConnect is the culprit and it is pretty amazing what the hackers can do.
If they can find the IP address of the car, through the UConnect cellular connection, they can completely control the car remotely from anywhere in the world.
In this case, they were able to disable both the brakes and the accelerator, among a number of other things.
Due to a vulnerability, the hackers are able to rewrite the firmware in the car’s entertainment system. From there, they are able to send commands on the CANBus and take over the car.
Part of the problem, as I have written before, is that the CANBus architecture has been described as the best car network we could design in 1980. It has not changed much since.
Quietly, Chrysler has issued a patch – since the researchers are good guys and have been sharing their data with Chrysler for 9 months. What if they were bad guys. It is an interesting way for a nation state actor to kill people that they want to get rid of. Likely, no accident investigator is going to examine the firmware in the car’s entertainment system for symptoms of an attack.
This is all due to the fact that cars are no longer hardware. True, there still is some metal and plastic in the frame and body, but more and more, cars are a rolling computer. Or, more accurately, tens of computers. High end cars might have 50 computers or more. Those computers contain millions of lines of software.
And, just like your iPhone or Android phone, which you patch regularly, often behind the scenes, cars need to be patched too. Unfortunately, for the most part, that does not happen unless researchers like these guys plan to make a big splash at the security convention Black Hat in Las Vegas next month.
Senator Markey, who has been a big critic of auto safety (see post), has introduced the SPY Car Act (Safety and Privacy in Your CAR). The bill, which was just introduced this week aims to both set standards and rate cars numerically on their cyber security. While no one knows how this legislative sausage will wind up, you can count on the fact that no car manufacturer wants their rating to be at the bottom of the heap. Unfortunately, if it is anything like the government’s miles per gallon numbers, it may wind up being mostly a myth. No matter what, it will likely take years.
Oh, I forgot, If you have a 2013-2015 Chrysler vehicle with UConnect, you should patch it. You can do that via a USB stick with a patch downloaded from the Chrysler web site (details in the Wired article below) or take it to your dealer.
Unlike the BMW patch from a few months ago (see post) where they could patch it over the air (which adds even more security concerns), the Chrysler patch requires physical contact.
Earlier this month Range Rover issued a patch that allowed a hacker to unlock the car.
So now, just like with your phone and your laptop, you may need to plan on patching your car every month. in car makers’ defense, their software has generally been pretty reliable. In part this is due to the fact that unlike your iPhone, there are no standards when it comes to your car’s computers. Not only won’t a hack designed for your 2013 Chrysler work on a 2013 Ford, it likely won’t work on your 2012 Chrysler.
Chrysler, while happy that the researchers told them about the problem, are unhappy that they told the world. They would have been much happier if they could have quietly released a software update with no one the wiser.
Consumers, on the other hand, need to understand how much software exists in their car and the fact that likely it is no less buggy than any other software in the world.
As car manufacturers continue to add computers and software to new vehicles, this is likely to continue to be a problem.
And for those people who said, after the Toyota accelerator pedal crashes a few years ago “why didn’t they just turn off the car?”, in many cars turning off the key is just software and does not really turn off anything. Unlike you old desktop computer, where unplugging it would really turn it off, you cannot do that in many cars any more. A brave new world.
Information for this post came from Wired Magazine.