An ongoing investigation into the security of Chrysler vehicles bears some pretty startling conclusions. In a couple of weeks, security researchers will reveal the details of a zero-day exploit that affects some 471,000 cars. Put bluntly: Hackers can take complete control of the cars from thousands of kilometres away.
Long-time car hackers Charlie Miller and Chris Valasek recently demonstrated the dangerous possibilities of the Chrysler exploit to Wired’s Andy Greenberg. The journalist actually took a Jeep Cherokee onto the highway outside St Louis, while the hackers took over control of the car. Using the Jeep’s Uconnect system, which plugs into a cellular network, the security researchers were able to gain control of the car’s entertainment system and then rewrite the firmware to send commands to critical systems like the brakes, steering and transmission. Greenberg describes the experience:
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
What’s especially worrisome about this situation is that Chrysler knows about the vulnerability and doesn’t seem to be taking it too seriously. The company recently released a patch to the Uconnect software that addresses the issue, but it needs to be installed via USB drive or by a dealer. (Visit this link to download the software update that will fix the exploit.)
Meanwhile, Chrysler sort of scolded the researchers for sharing information about the exploit publicly. “Under no circumstances does [Fiat Chrysler Automotive] condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems,” the company said in a statement.
Although this is not the first time that security researchers have discovered and shared details of a car hack, it’s starting to get pretty real. When there are almost half a million cars that could be commandeered or bricked with just a few keystrokes, it’s time for auto companies to take notice, and embrace the community of researchers and politicians trying to make sure our cars are safe.