Hundreds of thousands of Chrysler vehicles are likely vulnerable to hackers who can take over the car and potentially put the driver in mortal danger, according to new research.
The hack was demonstrated on a St. Louis highway, where Wired journalist Andy Greenberg was driving a Jeep Cherokee at 70 miles per hour when it suddenly became apparent that he was losing control. First, the air conditioner went on full blast and the radio turned up to top volume, and then the engine died in the middle of the four-lane highway.
Researchers Charlie Miller and Chris Valasek broke into the car remotely through a feature called Uconnect, which allowed them to take over the car’s entertainment system and rewrite firmware that is capable of sending commands to all of the automobile’s components.
The patch for this issue was released last week. Got a Chrysler, Ram, Durango, or Jeep? Take it in and ask for all updates installed. — Charlie Miller (@0xcharlie) July 21, 2015
Hackers can use the vulnerability in more subtle ways than killing the engine. An attacker who knows the car’s IP address can track its every move, turning the car into an effective surveillance machine.
The two researchers demonstrated just that when they scanned through Sprint’s cell network to find cars all around the U.S. running Uconnect, which operates exclusively on Sprint. Miller and Valasek were able to show Wired the location, movement, make, model, IP address, and vehicle identification number.
Because Miller and Valasek have been working with Chrysler for nine months on this exploit, the car maker has already patched the vulnerability. The patch is available for download.
However, the fix requires manually updating via USB stick or visiting a dealership to get the latest version of the software, a task that it’s easy to imagine most Chrysler owners skipping. That would leave most cars continuously vulnerable even after many of the specifics of the exploit are revealed in August at the Black Hat security conference. Failing to update now makes these vehicles even more vulnerable.
Although Miller and Valasek only tested their hack directly on a Jeep Cherokee, they say it should work on any Chrysler car with Uconnect. That software is available in cars from brands like Chrysler, Dodge, Jeep, SRT, Ram, and Fiat. You can visit Uconnect’s website to see if your car has a software update to install.
Miller estimated up to 471,000 vulnerable vehicles are on the road today.
Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) are introducing legislation that sets up standards of digital security for cars and trucks sold in the U.S., Wired reports. The researchers say the timing of the new bill, due out on Tuesday morning just hours after this new hack was revealed, is a coincidence.
H/T Wired