Today’s cars give drivers power and convenience through the use of software and automation, but the increasingly digitized auto industry could potentially show a dark side – cars that broadcast their presences into the Internet can be hacked and overtaken, maybe even stopped mid-drive.
That’s exactly what happened to journalist Andy Greenberg, who traveled to St. Louis to help hackers Charlie Miller and Chris Valasek test their takeover of a Jeep Cherokee. Their zero-day exploit could attack any of the thousands of the Jeep Cherokees on the road through the Internet, giving hackers control over the steering, brakes, transmission, and dashboard functions from anywhere in the country.
Greenberg was on the highway when the hack hit, slowing the Jeep to a crawl as well as controlling some aspects of the car which were less dangerous and more mischievous, such as turning up the radio, blasting the air conditioning, and cueing the windshield wipers. At worst, the hack could disable the breaks or hijack the steering. (For now, the latter is only possible when the car is in reverse – but one year ago, wireless hacking wasn’t viable for vehicles at all.)
Using the Jeep’s GPS, the hackers could also track the car’s location and measure its speed.
This is all because the car is so generous when it comes to the internet, offering the driver wireless phone calls, connected entertainment and navigation, and Wi-Fi hotspots.
So far, the two hackers have only tested their most dangerous physical hacks on the Jeep Cherokee, although they say that the techniques could be applied to any Chrysler with the Uconnect connectivity system. Chrysler listed several models of Dodge Ram, Dodge Viper, Jeep Grand Cherokee, and Dodge Durango as potentially vulnerable.
Luckily, Miller and Valasek are on Chrysler’s side. They present their research at security conferences, shorn of the details which would allow less savory hackers to easily replicate their methods. They have also been sharing their information with the car company for about nine months, helping Chrysler protect against these very types of attacks. Drivers are advised to download a patch that should add security to their vehicles.
The company has mixed feelings about this help, and Miller and Valasek won’t restrict their information to corporate eyes. The two told Wired that it is the responsibility of the car maker to be sure their products are secure, and that releasing information about the hack to the computer security community helps it improve and gain credence. Chrysler’s relationship to the hackers involves some compromise too: the company told Wired in a statement that ”…we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
With more and more vehicles connected to the Internet, it will indeed be the responsibility of the car companies to make sure their connected features are locked down, preventing drivers from suffering the sort of attacks for which Greenberg volunteered.
