The thought of “hackers” being able to shut down cars was confined to the hyperbolic ranting of paranoid technophobes just a few years ago. But with digital control now woven into nearly every automotive system, from in-dash entertainment to engine and braking control, the door for exploitation is open wide. And two software engineers just barged right through it, bringing a Jeep Cherokee to a dead stop right from the comfort of their living room.
Charlie Miller and Chris Valasek reached out to Wired writer Andy Greenberg to demonstrate how in-car connectivity can leave vehicles vulnerable to exploits beyond just messing with the radio. The duo discovered that Uconnect, the cellular-based infotainment system in Fiat-Chrysler vehicles, has a vulnerability that allows unprecedented access to the vehicle.
Anyone with the proper knowhow, software, and the vehicle’s IP address can exploit this and engage in a multitude of attacks. From a laptop miles away, the duo can take over the entertainment system, cranking the radio volume up and displaying images on the dash-mounted LED interface screen. They can even control the wipers and influence the digital gauge cluster.
But things get more serious: The engineers can totally kill the engine at slow speeds, or shift the transmission to neutral and leave the engine to rev helplessly, halting the Jeep used in the demonstration. The Jeep Cherokee has an available park-assist system which was also fair game for hacking. Normally, sensors guide servos in the steering wheel into a selected parking spot, but when broken into, the engineers could also take hold of that system too, essentially driving the car themselves. Fortunately for owners, that particular trick seems to work only when the car is in reverse. For now, anyway.
“I’d just stomp on the brakes and get out,” you might say, but the hackers are a step ahead of you there, too. Not only can they engage the door locks, but they can remotely kill the brakes, taking that last shred of control away from the driver.
Miller and Valasek have notified Fiat Chrysler Automobiles (FCA) of the Uconnect vulnerability, and the manufacturer pledges to issue a patch to hopefully plug the hole. They also stress that this is a larger issue all automakers need to be aware of, particularly with the growing trend toward semi-to-fully autonomous systems being developed in passenger cars. Taking control of a car might be the more extreme result of this security hole, but possibly more scary is what can be done without the driver being aware. Breaking into the car’s system reveals the vehicle’s GPS location, as well as the VIN and other user data that could be used in nefarious ways.
“If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says. “This might be the kind of software bug most likely to kill someone.”