Vulnerabilities found in an internet-enabled in-car entertainment system could enable hackers to take control of a car over the internet.
Two security researchers demonstrated the hack to a reporter from Wired magazine. The researchers showed how a flaw in the Uconnect communications and entertainment system in a Jeep Cherokee could be used to disable the vehicle's brakes. The researchers said the same hack can also take control of the vehicle's transmission, entertainment system, air conditioning and windscreen wipers.
The researchers, Charlie Miller and Chris Valasek, carried out the exploit demonstration and have discovered other flaws plaguing car technology systems. As well as showing how the brakes could be disabled, sending a reporter into a ditch, they deactivated the car's transmission system while the reporter was travelling along a road at 70mph, causing the car to grind to a halt.
The demo showed how the researchers could take control of the steering wheel when in reverse gear. The pair said that they were confident that they could find a way to take control of the steering wheel when the car is moving forward.
The researchers managed to seize control of the car from a location ten miles away from the car itself via a system called Uconnect. This technology allows drivers to connect their smartphone to the in-car entertainment and navigation system. The pair targeted a flaw in the system, allowing them to rewrite firmware and send commands to the car's internal network that controlled the car itself.
The pair will disclose how they used the flaw to gain control of the car at next month's Black Hat security conference in Las Vegas.
Car manufacturer Jeep has been told of the flaw by the pair and has released a patch to overcome the problem. However, the patch will need to be installed via a USB memory stick or at a car dealership, meaning that potentially thousands of cars could be unpatched and on the road when full details emerge of the vulnerability.
In a statement sent to Wired, Fiat Chrysler Automobiles, the firm behind Jeep, said that it would not “condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems”.
"We appreciate the contributions of cyber-security advocates to augment the industry's understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety."
That said, the pair still plan to disclose details, arguing that the move will force car manufacturers to enhance security on vehicles.
"If consumers don't realise this is an issue, they should, and they should start complaining to car-makers," Miller told the publication. "This might be the kind of software bug most likely to kill someone."
Many of the issues around connected cars remain unresolved, as SC has reported.
Richard Kirk, vice president of Telecoms and Service Provider at AlienVault, told SCMagazineUK.com that the Uconnect hack shows that we need to start thinking seriously about the security implications of connected cars.
“What the security researchers showed is what we have been predicting for some time,” he said. “Connected car systems are vulnerable just like all other software systems, and although we do not know for sure, it is possible that other connected car platforms will have similar flaws.”
He added that unless governments start to consider the implications of cars being remotely controlled by unknown people, as if they were drones, “we will start to see cyber-criminals taking an interest in exploiting the situation. This is even more important given the development in driverless cars.”
Andrew Conway, research analyst at Cloudmark, said he was “shocked” to discover that major car manufacturers think it's perfectly acceptable to have the brakes, steering, and transmission of an automobile controlled by a network that is also connected to the Internet.
Conway told SCMagazineUK.com that while there are lots of good reasons to connect a car to the Internet - navigation, entertainment, phone calls, weather forecasts, etc., “there are no good reasons to have that network connected to the drive systems except to save a buck or two in the manufacturing process”.
“The controls needed to drive the car should be completely isolated from any external facing system - no Bluetooth, no WiFi, no 3G, no attack surface at all,” he said.
He added that the researchers took a couple of years to completely compromise the systems of a popular car model.
“What if the resources of a nation state security service had been directed at the same task?” Conway asked.
“The Chinese have apparently gone to great lengths to hack into US Government servers already. Scarily, this shows that they could also hack into US car networks, with the possibility of assassinating selected targets in an apparently accidental car crash? Personally I'm going to be driving my twelve-year-old and completely non-connected Toyota until it falls apart.”
Paul McEvatt, senior cyber-threat intelligence manager at Fujitsu UK and Ireland, told SCMagazineUK.com that the exploit was “possibly due to an open service or compromise that allowed administrative control of the onboard Uconnect computer”.
“The most alarming aspect is this could be done wirelessly, ten miles from the car's location and even more alarming nearly 500,000 cars appear to be vulnerable to the exploit,” he said.
McEvatt said that rigorous security testing should be completed before cars are allowed to be put on the market. “Hardening of these systems should be mandatory and they should adhere to an industry benchmark as they have with safety testing. It would appear such a bill is coming for the automotive industry and that isn't soon enough.”
In an email to SC, Marta Janus, security researcher at Kaspersky Lab, adds: "This story only proves the point, that everything connected to the Internet is prone to attacks and is potentially hackable. When it comes to transportation, such as cars, trains and airplanes, the consequences of a successful breach can be infinitely more serious than a computer or mobile device hack, as people's lives are directly at stake.
"In light of this recent research, we should definitely reconsider the concept of the Internet-of-Things, and think carefully about which devices should be connected to one another... what is the real advantage of having a car with access to the Internet? For navigation and remote door opening, a centralised online system isn't necessary. Even for the few convenience features that would be impossible without Internet connection, are they really worth the dire risk of being hacked?
"In my opinion, transportation, together with industrial systems and other critical infrastructure, shouldn't make use of public Internet at all. Instead, they should build separate networks, featuring unique and custom-made secure protocols to reduce the risk of potentially fatal hacking."
Earlier story:
Zero-day in Fiat Chrysler feature allows remote control of vehicles
A pair of hackers discover an exploit in Uconnect-enabled Fiat Chrysler vehicles that can allow an attacker to take control of the vehicle.
Fiat Chrysler owners should update their vehicles' software after a pair of security researchers were able to exploit a zero-day vulnerability to remotely control the vehicle's engine, transmission, wheels and brakes among other systems.
Chris Valasek, director of vehicle security at IOActive, and security researcher Charlie Miller, a member of the company's advisory board, said the vulnerability was found in late 2013 to 2015 models that have the Uconnect feature, according to Wired.
Anyone who knows the car's IP address may gain access to a vulnerable vehicle through its cellular connection. Attackers can then target a chip in the vehicle's entertainment hardware unit to rewrite its firmware to send commands to internal computer networks controlling physical components.
Miller and Valasek only tested their complete set of hacks on a Jeep Cherokee but are confident they can replicate most of them on other vulnerable vehicles, the Wired report said. The update must be implemented via a USB or by a dealership mechanic. The duo notified Fiat Chrysler, which released a notice last week but didn't specify the vulnerability.
Reports of the zero-day exploit come as legislators introduced The Security and Privacy In Your Car or SPY Car Act to establish cyber-security standards as vehicles become more integrated with technology.
"Today's cars are increasingly being delivered to market with driver-assist technology such as auto-braking and parking assist," Carl Herberger, a former cyber-security officer in the US Air Force and currently vice president of security solutions at Radware, said in comments emailed to SCMagazine.com. "Couple this ability to coach and assist with vehicle control with the advanced wi-fi connections and today's drivers are open to remote malicious hacking attempts, allowing hackers to remotely take control of a vehicle."
Referring to what he called "a new frontier for cyber-threats," Herberger said consumers must understand the risks. "As the (US) senate prepares to debate these regulations and standards against the auto industry, one thing becomes clear: Your networked vehicle is potentially at risk and it's time something is done about it," he added.