The hack was detailed in an article published Tuesday by Wired magazine. It was written by Andy Greenberg, who volunteered as a “digital crash-test dummy” to drive the hacked Cherokee on a Missouri highway.
“Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission, all from a laptop that may be across the country,” Greenberg wrote.
He reported that Miller, a former National Security Agency hacker, and Valasek, director of vehicle security research at the IOActive consultancy, have been sharing their research with Fiat Chrysler for nearly nine months, enabling the company to quietly release a fix ahead of the Black Hat security conference next month in Las Vegas. They plan to release redacted, yet detailed, information at that event.
Neither Miller nor Valasek could be reached by The Detroit News for comment.
Fiat Chrysler confirmed the company “has been in communications” with the hackers for the past several months, but declined to go into detail about the conversations. The company, which said it has fixed the security flaw, is adamantly against the hackers sharing their information with others.
“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” Fiat Chrysler said in a statement to The News on Tuesday.
Valasek, in an online video, said they want to release the information “because more people like us need to be focused on this problem.”
The men reportedly manipulated the vehicle through a vulnerability in a chip that provides wireless and cellular network connections. That opened the door to another component of the vehicle’s Uconnect infotainment system, which allowed them to rewrite the car’s firmware and send commands over the car’s internal computer network.
They tested their full set of physical hacks only on a Jeep Cherokee, but “they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit,” according to the article.
“Of course we didn’t actually attack any vehicles except our own, cause we’re good guys,” Miller tweeted Tuesday.
Miller estimated as many as 471,000 vehicles with vulnerable Uconnect systems are on the road, according to Wired. Fiat Chrysler would not confirm this number.
Lawmakers poised to act
Concerns about vehicle cybersecurity and the use of data collected by cars have caught the attention of lawmakers. Democratic Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., on Tuesday unveiled legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers’ privacy.
The legislation was first sparked when Markey took note of Miller and Valasek’s work in 2013, according to Wired.
Last week, many major automakers announced an Auto Information Sharing and Analysis Center that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threats and potential vulnerabilities in motor vehicle electronics or in-vehicle networks.
NHTSA Administrator Mark Rosekind said Tuesday in Ypsilanti that the agency doesn’t want to hinder new technologies, but emphasized the importance of security and privacy.
“We must reassure vehicle owners that their data is secure, that their vehicle is secure and that we are looking out for threats from hackers, thieves and anyone else that might seek to tamper with safety critical technology,” he said in a speech at Automated Vehicles Symposium 2015. “Cybersecurity and privacy must be high-priority items for the industry and for NHTSA.”
NHTSA on Tuesday also released a document outlining the agency’s privacy and cybersecurity efforts. “We’re not just aware of these threats, we’re working to defeat them,” Rosekind said. “We want Americans to know that we’re on it.”
Security breach fix
Fiat Chrysler earlier this month released a software update that it says fixes the security breach.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said.
Customers can either download and install this particular update themselves or have their dealer complete the one-time update at no cost. They can check whether their vehicle needs an update and download the patch at Uconnect® Software Update - Update your Uconnect® System. Those with questions can call (877) 855-8400.
While Uconnect was singled out in the article, experts argue practically any modern vehicle could be vulnerable — a major concern, as automakers produce millions of connected cars with Internet capabilities.
“It is something that automakers have to worry about as they open up their vehicle to being connected to the Internet and cellular networks,” said Edmunds.com Senior Consumer Advice Editor and tech expert Ron Montoya. “It does introduce a vulnerability to the vehicle. It’s something consumers should be aware of, but I don’t think it’s something most people should worry about.”
Montoya said Miller and Valasek, who aren’t the first to crack into a car’s systems over the Internet, are two experienced, renowned hackers and the “chances are very thin” that a mass takeover by hackers could occur.
CBS News’ “60 Minutes” earlier this year aired a segment showing how vehicles can be subjects of remote hacking. In January, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have their doors remotely opened by hackers.