A new security vulnerability has been discovered for Chrysler's UConnect infotainment system. Basically a hacker can REMOTELY connect to your vehicle and do some real damage like disabling your brakes. Fortunately FCA has released a patch to fix this. A link to the download is at the bottom of my posting here.
You can get the update for UConnect here: http://www.driveuconnect.com/software-update/
As more and more cars become mobile, internet-connected appliances, they become more likely targets for remote hacking. Chrysler is hopefully realizing the seriousness of this, as a new Jeep Cherokee has been remotely hacked and pretty severely compromised, according to a story in Wired. But don't panic just yet.
Wired arranged for car-hacking superteam Charlie Miller and Chris Valasek to gain access to a brand new Jeep Cherokee via a zero-day exploit (as in, a vulnerability the manufacturer has spent zero days fixing) in the software of the car's Uconnect cellular-based internet infotainment and connectivity system.
The hack uses the Uconnect system as a gateway into the car, and then gains access to the Jeep's infotainment system headunit. Once there, the firmware of the headunit is re-written, which allows access to the entire CAN bus of the car — essentially, the car's nervous system — and that access is what allows for the really scary stuff, like control of the wipers, brakes, throttle and even some limited control (in reverse only, for now) of the steering.
This, of course, is absolutely a big deal. Unlike the team's previous, widely-publicized hack that involved the removal of most of the dash of a Prius, this time the car has been compromised via commands sent over the cellular network to the car.
While it's possible to remotely hack the hundreds of thousands of Uconnect-equipped cars, it's pretty improbable. Miller and Valasek had access to the Uconnect system's IP address to gain access to the car. As they say in the article:
Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle's entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won't identify until their Black Hat talk, Uconnect's cellular connection also lets anyone who knows the car's IP address gain access from anywhere in the country. "From an attacker's perspective, it's a super nice vulnerability," Miller says.
Super nice vulnerability, sure, but it's not exactly an easy one to just find. Having that IP address is a pretty big initial helping hand, and it's not the sort of thing that's decal'd onto the side of every new Jeep Cherokee, right under the "Trail Rated" badge. Some chronic masturbator in a basement with a vendetta against you isn't likely to just be able to rapidly type onto his keyboard and cut off your brakes.
Still, even the protection of each car's unique IP address is, at best, security through obscurity, and a determined attacker could eventually find it out, given either direct access or some massive effort and computing resources. Actually, a simple phishing attack could do it, hypothetically, if you can get a driver to click on a spoofed link on their car's screen, somehow, perhaps via an installed web browser. It's still a pretty huge hole that Chrysler needs to fix, and, thankfully, they already have.
Miller and Valasek aren't supercriminals, so they've shared their findings with Chrysler before they published anything, giving Chrysler the chance to produce a patch to close this hole, which, if you have such a Uconnect-enabled system, you can download and install here via USB. It would be better if Chrysler would make this available via cellular download to all the cars, because I'm sure many people won't go to a dealer to do this or feel comfortable installing it themselves.
The big take-away from all this is that as more and more cars become connected to the internet, they inherently open themselves up to hacking and unwanted access. If you want to play in the giant connected playground of the internet, that's the risk, and car makers need to protect their vehicles accordingly, like computer and OS makers have been doing for years. It's a constant struggle that requires constant vigilance.
You don't need to panic yet. It's still a lot of effort to do this and it relies on key data that's not easy to get. Not every misguided teen is going to try and impress a girl by running a Jeep into a wall. But it's real, and these tests and stunts should at least cause one group to moisten their trousers: the car companies. It's time for real security on internet-connected cars.