Shock at the wheel: your Jeep can be hacked while driving down the road

July 23, 2015

Oops, they’ve done it again: after two successful breaches into the systems of Toyota Prius and Ford Escape, security researchers Charlie Miller and Chris Valasek have recently hacked a Jeep Cherokee.

This hack is even more stunning as the duo found a way to took over a car remotely. Their volunteer victim was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.”

Straight from the source Wired’s report reveals what was the driver’s reaction to compulsive behavior of his super-smart connected car. Journalist Andy Greenberg, who was behind the wheel, stated that researchers took control over the car’s brakes and accelerator, as well as other less-essential components like radio, horn and windshield wipers. To do that Chris and Charlie had to hack the entertainment system Uconnect through a cellular network.

Fortunately, the situation is not completely unattended. Both the operating system and the car manufacturers are now implementing important and necessary cyber security measures – you bet they would!

As Chris Valasek said, “When I saw we could do it anywhere, over the Internet, I freaked out, I was frightened. It was like, holy fuck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”

Unfortunately, all these important measures are insufficient. Software giants like Microsoft and Apple spent years developing efficient ways to patch security holes in their products. The car industry simply does not have this time. Besides, this is not the first time when cars get hacked, but there are still plenty of security problems that nobody seems to be eager to solve.

There could be other vehicles with the same flaw. Miller and Valasek did not check any cars made by Ford, General Motors or other carmakers. Worse, Miller says that “a skilled hacker could take over a group of Uconnect head units and use them to perform more scans — as with any collection of hijacked computers — worming from one dashboard to the next over Sprint’s network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles“. A good basis for a terroristic sabotage or a state-initiated cyber attack.

“At Kaspersky Lab, we believe that to avoid such incidents, manufacturers should build the smart architecture for cars with two basic principles in mind: isolation and controlled communications,” said Sergey Lozhkin, Senior Security Researcher at GReAT, Kaspersky Lab.

“Isolation means that two separate systems cannot influence one another. For example, the entertainment system shouldn’t influence the control system in the way that it did with the Jeep Cherokee. Controlled communications mean that cryptography and the authentication for transmitting and accepting information from/to the car should be fully implemented. According to the result of the experiment with Jeep we witnessed, the authentication algorithms were weak/vulnerable, or the cryptography was not correctly implemented.”

Until security problems are solved on the industry level we all can think about switching to bikes and horses… or old cars. At least, they can’t be hacked. Security researchers are going to present their findings during the Black Hat conference in August 2015 and we will willingly listen to their report.