Imagine driving down the highway at 70 mph and then suddenly losing control of certain functions one by one. First, it starts out as the loss of inconsequential things, like the radio and A/C controls. But then the wipers start to have a mind of their own and then the brakes cut out. Now you’re trapped in a two ton steel box rolling down the highway at rapid speeds with no way to stop. Sounds scary right? Well, it should. And what’s even scarier is the fact that it’s incredibly real and possible for this to happen.
Charlie Miller and Chris Valasek are hackers. Hackers that use their powers for good. They often hold conferences to teach people about how to avoid these kinds of dangerous scenarios. Well, Charlie and Chris decided to do a little experiment with the Jeep Cherokee and willing participant, Andy Greenberg.
The new Jeep Cherokee has a bit of an issue which allows it to be remotely hacked. A zero-day exploit allows hackers to wirelessly enter the infotainment system and, from there, control dashboard functions, steering, brakes and even the transmission. So Miller and Valasek put Greenberg in a new Cherokee and sent him onto Route 40 in St. Louis, Missouri, and had him get the car up to 70 mph. That’s when the fun began.
Greenberg knew ahead of time that the two hackers were going to play with the car a little bit, wirelessly, but he had no idea to what extent. As he was driving along at highway speed, the A/C came on full blast, out of nowhere. No biggie; it might make the cabin a bit too cold, but otherwise it’s not a real issue. Then the radio switched on full blast. Again, not too big of a deal, just annoying. But then the windshield wipers and washers kicked on and stayed on, clouding the glass. This can be dangerous as it can impede vision. But then it got even scarier.
This stuff was all child’s play compared to what a hacker could really do if they so chose. Well, the hackers did so choose, and cut the transmission on Greenberg. No matter how hard he pressed the accelerator, no power was getting to the wheels. The rpms dropped, slowing the car down to a crawl on an overpass with no shoulder, where it started blocking traffic. Cars behind him were honking and passing, but nothing worried Greenberg more than the approaching 18-wheeler, which he hoped had noticed his stillness. After this ordeal, though, he was able to nurse the Jeep off an exit ramp and turn the car off and back on again, which reset the transmission.
Afterwards, he got back onto the highway and the hackers got back to hacking, testing other features. The last one they tested was probably the scariest, as they cut the brakes altogether, causing Greenberg to slide into a ditch. Ultimately Greenberg was unharmed, but only because this was a closed experiment with safety precautions in place.
This experiment shows how vulnerable certain automotive systems can be. It can be terrifying to know that this sort of thing can happen and the automakers wouldn’t be aware until it’s too late. Miller and Valasek made Chrysler aware of the issue and have been working with Chrysler for the past nine months to help create a solution. But had it not been for these two hackers, who knows how long this would have gone on and how many people would have figured this out and injured or even killed people.
As a result of this experiment, on Friday, Chrysler announced that it’s issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler’s Uconnect dashboard computers. The recall doesn’t actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they’ll be sent a USB drive with a software update they can install through the port on their vehicle’s dashboard. Alternatively, Chrysler owners can download the patch to a computer right now, put it on a USB drive, and install it on the dashboard. Wired says the software fix can be found here.
Furthermore, Chrysler says it has also taken steps to block the digital attack Miller and Valasek demonstrated with “network-level security measures,” including blocking attacks on Sprint’s network. And according to a tweet by Valasek, that’s been successful.
Looks like I can’t get to @0xcharlie’s Jeep from my house via my phone. Good job FCA/Sprint!
— Chris Valasek (@nudehaberdasher) July 24, 2015
Both Miller and Valasek will be speaking at a Black Hat Security conference in Las Vegas next month about this and also publishing their findings. This sort of thing can be prevented in the future and automakers will likely pay more attention to cyber security and software updates.