Charlie Miller and Chris Valasek do not need any introduction, they are two stars of the hacking community that have alerted several times automotive industry regarding the risks related to the hack of connected cars.
To demonstrate the feasibility of a cyber attack on a connected car and the related risks, the two experts have demonstrated hot to exploit weaknesses in an automobile system with cellular connectivity to hack the vehicle. The experts attacked Uconnect automobile system which is installed in many connected cars, including nearly 471,000 vehicles in the US. Charlie Miller and Chris Valasek demonstrated the attack by hacking a Jeep Cherokee equipped with the Uconnect system.
They have hacked the connected car remotely while the popular journalist Andy Greenberg was driving it.
“To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.” wrote Greenberg.
The Uconnect is the connected car system chosen by Fiat Chrysler for its vehicles in the US market. This system allows the owners of the connected cars to interact with the vehicle remotely, it uses the Sprint cellular network to remain connected to the Internet. Car owners can dialog with their car by simply using their Smartphone, typical operation allowed are remote engine start, querying the vehicle to obtain the location, and activating anti-theft features.
Charlie Miller and Chris Valasek have exploited vulnerabilities in the connected car system in the Fiat Chrysler model that could allow hackers to scan Sprint’s cellular network for Uconnect-equipped vehicles to obtain car identification information and its location.
The experts demonstrated that they use these data to attack the connected car systems, by knowing their IP address the two hackers were able to to turn the engine of the car off, activate and de-activate the brakes, take remote control of the vehicle’s information display and entertainment system, and activate the windshield wipers.
Miller and Valasek also discovered that they could remotely control the steering of the Jeep Cherokee.
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun. ” continues Greenberg.
The hack demonstrated by the two researcher id disconcerting, the flaws (now patched) affecting the Uconnect connected car system could allow a hacker to run a cyber attack against any vehicle from practically everywhere, and it isn’t a sci-fi movie.
On July 16, Fiat Chrysler informed its customers of the vulnerability affecting its Jeep model, the company published a notice on its website, the worrying aspect of the story is that the patch issued by the company must be manually installed by using a USB drive.
Not sure that this is an operation that any customer is able to do autonomously.
(Security Affairs – connected car, Uconnect system)