Article Lead Image

Hackers can kill the engine on a Jeep mid-drive

Buckle up!

 

Patrick Howell O'Neill

Tech

Posted on Jul 21, 2015   Updated on May 28, 2021, 7:53 am CDT

Hundreds of thousands of Chrysler vehicles are likely vulnerable to hackers who can take over the car and potentially put the driver in mortal danger, according to new research.

The hack was demonstrated on a St. Louis highway where Wired journalist Andy Greenberg drove a Jeep Cherokee 70 miles per hour when it suddenly became apparent that he was losing control. First, the air conditioner went on full blast, the radio turned up to top volume, and then the engine died in the middle of the four-lane highway.

Researchers Charlie Miller and Chris Valasek broke into the car remotely through a feature called Uconnect that allows them to take over the car’s entertainment system and rewrite firmware that is capable of sending commands to all of the automobile’s components.

Hackers can use the vulnerability in more subtle ways than killing the engine. An attacker who knows the car’s IP address can track its every move, turning the car into an effective surveillance machine.

The two researchers demonstrated just that when they scanned through Sprint’s cell network to find cars all around the U.S. running Uconnect, which operates exclusively on Sprint. Miller and Valasek were able to show Wired the location, movement, make, model, IP address, and vehicle identification number.

Because Miller and Valasek have been working with Chrysler for nine months on this exploit, the car maker has already patched the vulnerability. You can download it here.

However, the fix requires manually updating via USB stick or visiting a dealership to get the latest version of the software, a task that it’s easy to imagine most Chrysler owners skipping. That would leave most cars continuously vulnerable even after many of the specifics of the exploit are revealed in August at the Black Hat security conference. Failing to update now makes these vehicles even more vulnerable.

Although Miller and Valasek only tested their hack directly on a Jeep Cherokee, they say it should work on any Chrysler car with Uconnect. That software is available in cars from brands like Chrysler, Dodge, Jeep, SRT, Ram, and Fiat. You can visit Uconnect’s website to see if your car has a software update to install.

Miller estimated up to 471,000 vulnerable vehicles are on the road today.

https://twitter.com/csoghoian/status/623482995110973440

Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) are introducing legislation that sets up standards of digital security for cars and trucks sold in the U.S., Wired reports. The researchers say the timing of the new bill, due out on Tuesday morning just hours after this new hack was revealed, is a coincidence. 

H/T Wired | Photo via Jeep

Share this article
*First Published: Jul 21, 2015, 11:06 am CDT