Hacked Jeep: cybersecurity flaws in connected cars

Screen capture from Wired video at https://video.wired.com/watch/hackers-wireless-jeep-attack-stranded-me-on-a-highway

TOO MUCH of a good thing can be bad.  The web-connected infotainment systems of new automobiles are becoming more advanced, and consequently, more vulnerable to hacking.

Last month, it finally happened in the United States, according to The New York Times.

Two respected security researchers, Charlie Miller and  Chris Valasek, hacked wirelessly into a Jeep Cherokee through its dashboard connectivity system and gained control of the engine, the brakes and the steering aside from the radio and air-conditioning.

This forced Fiat Chrysler Automobiles and the National Highway Traffic Safety Administration (NHTSA) to recall 1.4 million vehicles last July 15.

Staff specialists of the NHTSA and the automaker held a series of discussions as they tried to grasp the full scope of the breach.  The NHTSA was alarmed that the hacking could allow someone to deliberately crash a vehicle.
Congressmen demanded action to root out and guard against cybersecurity flaws in other cars that could pose a similar danger.

Forewarned
Miller and Valasek had earlier forewarned Fiat Chrysler that they planned to make their findings public.
Other Chrysler cars and trucks using the same system, Uconnect, are consequently also vulnerable to hacking.
The recall affects certain vehicles with 8.4-inch touchscreens from the 2013 model year onward, including some Jeep Cherokees, Grand Cherokees, Chrysler 200 and 300 sedans, and Dodge Durangos.
Fiat Chrysler software specialists immediately made a patch available to plug the hole; affected owners will be sent a USB drive they can plug into their vehicles to install an update to block the hacking vulnerability. The update can also be downloaded directly onto a portable drive.

Miller and Valasek have been hacking away at various cars over the last two years, trying to find a way to control them remotely.

They plan to demonstrate this month at the annual Black Hat and Def Con how, after two years of research, they discovered a way to control hundreds of thousands of cars remotely.

In the 2013 Black Hat conference, they described how they could control a Ford and a Toyota by plugging into a diagnostic port that could control steering and speed.

But carmakers told them anyone with physical access to the car could just as easily cut the brakes.
So last year, the researchers bought a Jeep with a stereo head unit connected to the Internet through a hardware chip that provides a wireless and a cellular network connection.

Chip vulnerability
The two men discovered a vulnerability in that chip that allowed them to scan the Internet for affected vehicles, hack into the car stereo head unit, and run their own code.  Then they were able to change the radio station and adjust the air-conditioning.
After two months, Miller and Valasek found a way to access another chip in the same head unit that controlled the car’s electronics.  From the Internet, they then could control the locks, windshield wipers, speedometer, lights and blinkers, and even engage and disengage the brakes and steering, as long as the car was driving slowly, around six miles an hour or less.

Their research is likely to be one of the first discoveries in a new chapter of vulnerabilities and attacks directed at the Internet of Things, the billions of products, machinery and infrastructure expected to come online in the next five years.

A Verizon report found that 14 carmakers accounted for 80 percent of the global auto market, and each had a connected-car strategy.

Meanwhile, a spokesperson for Fiat Chrysler said it did not believe that it was responsible for the researchers to disclose the vulnerability to the public.