Two US security experts have demonstrated security flaws in a Jeep Cherokee by taking wireless control of its systems from ten miles away.
Writing on technology website Wired, Andy Greenberg, who was driving the jeep at the time, tells how Charlie Miller and Chris Valasek first toyed with the vehicle’s air conditioning, entertainment system and windscreen wipers, before cutting the transmission and causing the jeep to slowly come to a halt.
Greenberg says, “The most disturbing manoeuvre came when they cut the jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”
The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the jeep is in reverse. Their hack enables surveillance too: They can track a targeted jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
According to Greenberg, all of this is possible only because1958 Chrysler, like many carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a wi-fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t currently identify, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.
“From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.
Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit.
After being contacted by Miller and Valasek nine months ago, Fiat Chrysler developed a patch which must be manually implemented via a USB stick or by a dealership mechanic.
Writing on technology website Wired, Andy Greenberg, who was driving the jeep at the time, tells how Charlie Miller and Chris Valasek first toyed with the vehicle’s air conditioning, entertainment system and windscreen wipers, before cutting the transmission and causing the jeep to slowly come to a halt.
Greenberg says, “The most disturbing manoeuvre came when they cut the jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”
The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the jeep is in reverse. Their hack enables surveillance too: They can track a targeted jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
According to Greenberg, all of this is possible only because
“From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.
Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit.
After being contacted by Miller and Valasek nine months ago, Fiat Chrysler developed a patch which must be manually implemented via a USB stick or by a dealership mechanic.