It’s a truly scary thought that someone sitting on their couch at home, armed with a computer, an internet connection, and the right know-how could remotely control a car and completely lock you, the driver, out.
In a special feature by Wired, senior writer Andy Greenberg collaborated with the two hackers, Charlie Miller and Chris Valasek, to show off just how deep their ability to remotely hijack a car goes. Greenberg had previously written about the hacking duo before, when they took control of a Toyota Prius and Ford Escape via their computers. Only, that attempt involved a wired connection via car’s diagnostics port.
It wasn’t enough to get the automotive industry to stand up and pay attention given that it involved physical access to the vehicle, and Miller says they needed to find a way to gain control remotely to spike the levels of concern.
This time, Miller and Valasek have returned with just that and have devised a demonstration involving Greenberg driving normally down a highway in St. Louis, Missouri. The duo will remotely hack the vehicle through a cellular connection via Chrysler’s on-board Uconnect system.
Once a connection has been established. They could toggle in-car functions, display content on the dash-mounted screen, turns on the wipers, mess with the stereo, even disable the transmission. All this while the driver can desperately press all the buttons and push all the pedals he wants, to no avail.
This is exactly what happened to Greenberg, and he was left on the highway with an unresponsive car, slowly coming to a halt with no hard shoulder to safety stop, with the stereo blaring and the windshield drenched in washer fluid. He hackers then instructed him to turn off the ignition and then back on again. From there, the hackers stopped their attack and Greenberg was able to drive the car away normally.
The demonstration was not over, though. In a parking lot after the rather tense ordeal, Greenberg met up with the hackers to show how they could, when the car is travelling at a low enough speed, disable the car from braking when the pedal is pushed, or when in reverse, to control the steering too. This allowed them to drive the car into a ditch with Greenberg, in the driver’s seat, helpless to stop it.
What’s more concerning is that they say it is possibly that all recently sold cars under the Fiat Chrysler umbrella have this vulnerability as they all share the Uconnect feature. Hundreds of thousands of Chrysler vehicles are at risk, between those manufactured after later 2013 and presently, with the hacker only needing the car’s IP address to exploit the vulnerability and begin the attack.
By Miller’s projections, around 471,000 vehicles in the United States are vulnerable to these attacks via the Uconnect system.
Miller and Valasek have been sharing their research with Fiat Chrysler for almost nine months now, which allowed them to silently develop a fix. However, the patch itself has to be installed manually, either at the dealership or via a USB drive. Given the glacial pace at which vehicles actually receive in-car infotainment system updates, the majority of at-risk cars will likely remain as such.
They have not attempted remotely hacking into other car makes, but it’s not inconceivable that, given enough time, any car with the right internal computer network, or CAN bus, could be hijacked in a similar way.
Which brings us squarely into the debate surrounding the increasing complexity of cars as we build in more computerized features and connectivity, thereby also making them very susceptible to cyber-attacks. Typically, the security aspect of a car’s computer system takes a back seat to make way for user-facing features that can marketed to the customer.
Perhaps that order of importance needs a very urgent shuffle. You can watch the entire video below.