The exploit was revealed in an interesting WIRED article by Andy Greenberg today. Greenberg was “invited” by cybersecurity advocates Charlie Miller and Chris Valasek to take an affected Jeep Cherokee out onto a highway in St. Louis to witness what the pair could do with their discovery.
As it turns out, they could take complete control of the car that Greenberg was driving, as he was driving it. Sitting over 10 miles away in their lounge, Miller and Valasek used laptops to start with some fairly minor hacks of the car’s entertainment system: switching the radio to hip-hop, disabling all of the media controls and setting the air conditioning to the coldest, most ferocious setting. As a sign that the attack had begun – as if all of that wasn’t enough – a photo of the two quickly replaced the car’s digital instrument gauge display.
Proceeding onto Interstate 64, Greenberg witnessed the hackers continuing to wreak chaos with the Jeep’s climate control, radio and windscreen wipers, before finding that the accelerator was no longer responding to any input. In a move that could cause fatalities in busy urban environments, Miller and Valasek had cut the car’s transmission, leaving Greenberg slowing to a crawl on an overpass with no hard shoulder to pull onto.
The car eventually rolled to a halt, as an 18-wheeler truck swept into view behind. Greenberg writes that now “the experiment had ceased to be fun,” as he was left stranded on the interstate with nowhere to go.
Off the interstate and in a safer parking lot, the duo demoed some of their even scarier “features”, which go so far as to allow them to steer the car. For now, this apparently works only when the car is in reverse, as it is still “being perfected”. As they cut the brakes to the SUV, Greenberg describes how the car simply rolled into a ditch, leaving him “frantically pumping the pedal” but gaining no response as the Jeep’s software ignored the input. If the researchers had chosen to, they could have instead abruptly engaged the brakes with full force while travelling at speed.
The demonstrations could be seen as a sign of what is to come in the connected future that technology manufacturers envision and that automotive brands are a key part of. All of the hacking was enabled by major vulnerabilities in Chrysler’s Internet-connected Uconnect feature, available across many of its vehicles and installed in hundreds of thousands of cars.
Chrysler has released a software fix that prevents remote access but cars have to visit a dealership to have it applied. Alternatively, owners can update their cars themselves with a USB stick but many are likely to be unaware of the availability of the patch. As such, most of the affected cars are still at risk of attack.
The vehicles are connected to Sprint’s mobile network. By repeatedly scanning the network, Miller has estimated that there could be as many as 471,000 vulnerable vehicles on the road.
Miller and Valasek can track and trace these cars on their laptops by asking the car for its GPS coordinates at regular intervals. They found that a skilled and motivated enough individual could use Sprint’s mobile network to hijack several Uconnect servers, using each to reveal the vulnerable cars that are connected to it. The cars could then be linked together to create a massive rolling botnet of several hundred thousand real, moving cars.
It’s possible that similar flaws exist in the software used in the Internet-connected cars of other manufacturers. In the case of Uconnect, Miller and Valasek gain access from a currently undisclosed vulnerable entry point.
From there, the attack focuses on the car’s entertainment system. Their code rewrites the entertainment firmware so that it can send CAN commands to other parts of the vehicle. These commands can trigger actions such as braking, acceleration and steering.
Miller and Valasek have hacked cars before. In 2013, Greenberg experienced them hijacking a Ford Escape and Toyota Prius to gain control of the steering, brakes, horn and more. Back then, though, they were sitting in the back with their laptops plugged into the car’s diagnostic port.
At the time, this led to criticism from the manufacturers involved that the researchers’ demonstration wasn’t realistic as it couldn’t be easily exploited by attackers. People would surely notice an intruder with a laptop in the back of their car. Now, Miller and Valasek sit 10 miles away, connected to the Jeep wirelessly, over the Internet. The threat has become a lot more serious.
Initially, the pair thought that the vulnerability in Chrysler’s Uconnect system could only be exploited over a direct WiFi link with the car, meaning that they could be no more than a few yards away from the target vehicle. They later realised that Uconnect’s open cellular data link meant that it could be attacked from further away, within a range of a few dozen miles, when connected to the same cell tower as the car.
They discovered that the possibilities are actually even greater though. It turns out that cars with Uconnect have unrestricted access to the entire Internet. Hackers can hijack them from anywhere in the world.
In Greenberg’s WIRED article, Valasek explains how this realisation was more of a scare than a moment of triumph. He said: “When I saw we could do it anywhere, over the Internet, I freaked out. I was frightened. It was like, holy f**k, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”
Miller added: “We shut down your engine – a big rig was honking up on you because of something we did on our couch. This is what everyone who thinks about car security has worried about for years. This is a reality.”
It is believed that all of the hacks carried out on the Jeep Cherokee could also be run on any of Chrysler’s other cars equipped with the Uconnect system. Miller and Valasek have not yet tried the exploit on any other vehicles to prove this theory, though.
The Jeep Cherokee was chosen as the test car based on extensive research conducted by the pair last year. Creating mechanic’s accounts with every major manufacturer, they downloaded technical manuals and wiring diagrams for all of the most popular cars in the US.
24 vehicles were rated to determine the most suitable for hacking. The rating was based on the number and type of Internet-connected radios, how isolated the radios were from the core driving systems and whether the radios could control the vehicle’s motion by triggering actions such as activating the brakes, throttle, clutch or steering wheel. Eventually, they concluded that the Cherokee was likely to be the best to experiment with, followed by the Cadillac Escalade and Infiniti Q50.
Miller and Valasek are going to be presenting a talk on their findings at the Black Hat security conference next month. The details of how the hack works will be revealed to fellow programmers but the pair will withhold two vital components required to successfully perform the engine management actions demonstrated to Greenberg.
Instead, the pair will be publishing working code to allow anyone to control the dashboard functions of the car. To gain access to the transmission, brakes and other critical systems, a potential hacker would have to write their own software to rewrite the car’s firmware, something that took Miller and Valasek “months” to successfully achieve.
Chrysler doesn’t seem best pleased at the pair making their findings public. It told WIRED that it “appreciates” their work but does not “condone or believe it’s appropriate” to disclose the details, saying that it could “help or enable hackers to gain unauthorized and unlawful access to vehicle systems.”
Miller and Valasek disagree, saying that the release is required to send a message to car manufacturers that they must be responsible for the security of vehicles that people drive and expect to be in full control of. They also want their methods to be approved through peer review from other researchers.
The pair have been working with Chrysler for nine months so the company is well aware of what can be achieved with their code. The disclosure led to the release of the patch that is now available to customers when their car next visits a dealership.
In perhaps the most thought-provoking aspect of this story, Valasek said to Greenberg: “For all the critics in 2013 who said our work didn’t count because we were plugged into the dashboard, well, now what?” Now what indeed, as the focus turns to the automotive industry with an expectation that work on security needs to be done as soon as possible.