Last year, security researchers Charlie Miller and Chris Valasek demonstrated the threat of car hacking in a dramatic way, by taking control of a Jeep Cherokee’s transmission and brakes while the car was moving. Now they’re back with new hacks that seem more sinister, but may not pose an actual threat in the real world.
Miller and Valasek can now mess with more than the transmission and brakes. They can activate the parking brake, tamper with the cruise control, and use the Cherokee’s automated parking system to jerk the steering wheel 180 degrees while the car is in motion, according to Engadget. That doesn’t sound good.
However, that ability to sow mayhem comes with an asterisk. After Miller and Valasek revealed their first Jeep hack, Fiat Chrysler Automobiles (FCA) initiated a recall of 1.4 million cars to update software and eliminate the weak point the two security researchers exploited. For this second demonstration, though, Miller and Valasek used the same 2014 Cherokee as before. FCA claims the vehicle did receive the software update as part of last year’s recall, but that it had been “altered back to an older level of software.”
Unlike the previous hack, this one also required a physical connection: a laptop was plugged into the Cherokee’s OBD-II diagnostic port the whole time. Miller and Valasek also had to install their own firmware, which disabled some of the car’s built-in security features, before they could gain control of the steering and other systems. Given that, it’s unlikely someone would be able to execute this hack in the real world without the target’s knowledge.
It’s worth noting that, as The Verge points out, hackers could gain access to a car’s OBD-II port through diagnostic devices like the Verizon Hum and Automatic Adapter, or the devices issued by insurance companies to track driver behavior in exchange for the possibility of rate discounts. The proliferation of these devices further erodes the wall that used to separate car systems from the world at large.
Updated on 08-03-2016 by Stephen Edelstein: FCA issued a statement in response to the latest Miller and Valasek hack. The carmaker noted that accomplishing the hack required “extensive technical knowledge” and physical access to the OBD-II port. FCA also said that the Jeep Cherokee used in the demonstration had been updated to address the security issue exposed last year, but that it had been “altered back to an older level of software.”
“Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA U.S. vehicles,” the company said.