Last night I watched one of the most disappointing videos I’ve seen, where a Jeep Cherokee was remotely hacked. Initially I thought the headline ‘Hackers Remotely Kill a Jeep on the Highway—With Me in It’ was the typical link bait we’re used to these days, but sadly it wasn’t. After watching
Andy Greenberg from Wired spent some time with Charlie Miller, a security engineer at Twitter, and Chris Valasek, Director of Vehicle Safety Research at IOActive. These guys discovered an exploit in the UConnect system built into a Jeep Cherokee. At this point I knew this was going to reach mainstream news headlines, and it has, all day today.
While the specific vulnerability was exploited on the Jeep, UConnect is actually the in-dash system across the Chrysler range, including Jeep, Dodge, Ram, SRT and FIAT.
Now for the problem. Driverless vehicles and full automation are in their infancy. At this point, it’s a race and basically every auto manufacturer is working on the problem. As the technology improves, the problem will increasingly be consumer trust in the systems. Incidents and international coverage of issues like this don’t just affect Jeep or Chrysler; they affect the whole industry.
An unpublished vulnerability allowed the researchers/hackers to access the UConnect system remotely via the cellular connection. Once on board the car, they were able to walk their way to the CAN bus (Controller Area Network) and access the vehicle interfaces. First the air conditioner, then the stereo and windscreen wipers, then on to the dangerous stuff: control of the steering wheel, transmission and brakes. Scary stuff.
What we don’t know is what they knew about the car: how did they pinpoint this vehicle over the thousands that drove down the highway at that time? The likely answer is the cell phone SIM details, so how likely this hack is in the real world is hard to say at this point. The problem is, none of your 6pm nightly news stories care enough to consider how; they just report that vehicles were hacked.
The issue is reportedly fixed in an optional software update, but that in itself is another problem. Much like the update issue Microsoft is fixing in Windows 10 with forced updates to ensure users do update when problems are found, software updates in cars should also be forced. By leaving it up to humans, there will be thousands of 2014 Jeeps on the road that never get updated.
So if UConnect was the flaw in the system that allowed this exploit to be possible, I started thinking about why. Why would the engineers at Chrysler ever want to take the risk of connecting the on-board systems to the CAN bus? This seems like a recipe for disaster, and clearly the last 24 hours have shown that to be the case.
After researching UConnect on their website, I found it delivers all the typical in-car entertainment options you’d expect of modern vehicles: entertainment services like satellite radio from SiriusXM, voice commands for hands-free calling and texting, navigation and music, climate control, steering wheel and touchscreen controls, as well as a reversing camera.
As you can tell, there’s nothing here that requires a remote connection to vehicle systems. Then here’s the kicker: UConnect allows drivers to start the engine from outside the door, unlock the doors, or flash the headlights. Plenty of cars have these features, but instead of requiring you to be 30 feet away, these guys offer the feature ‘from almost anywhere’.
Just send a remote command from your computer or the Uconnect Access smartphone app.
Part of the service you get is a vehicle health report. Guess how that works? You guessed it: remotely through UConnect. The only way to measure something like tyre pressure, oil warnings, lights and more is for the dealership to remotely connect to your vehicle. While the concept of the service is a good one, and something Jeep can no doubt charge more money for, what they’ve done is introduce a huge opportunity for this kind of hack to be possible.
I know from talking to other auto manufacturers that they take the separation of entertainment and vehicle systems so seriously that an air gap is usually enforced to absolutely ensure that hacks that affect vehicle operation and safety are not possible. It seems Jeep and Chrysler engineers didn’t take that level of care, and now the industry will pay with consumer confidence.
These cars’ head units expose a particular service that they probably didn’t want to. It lets you query things like the GPS, but it also lets you just run commands.
While moving around their website, I found it strange that they have a help page on the software update that advises users to disregard a warning and just click ‘Load unsafe script’. It seems their web developers pay the same amount of attention to security. If your website produces a scary warning to users, don’t fix it by teaching them how to ignore it.
Some very serious questions should be asked at Chrysler, and if you own one of these vehicles, please don’t delay: install the update before you drive the vehicle again. However unlikely it may be that you would be targeted, it’s simply not worth taking the risk.
We’ll know more about the exploit next month, when the hackers are planning on releasing a portion of their code at the annual Black Hat conference. This tells us that they’re not happy with how Chrysler is responding to this.
Watch and read the full story at Wired.