What happens when some friendly hackers try to wirelessly tap into a Fiat Chrysler Jeep Cherokee and take control of it remotely? Well, as we’re just now finding out, they succeed.
FCA released a software update last week saying it “offers customers improved vehicle electronic security and communications system enhancements.” It turns out that software fix was a direct response to two hackers who managed to get through security measures and remotely take control of a Jeep.
The two professional hackers were, as they say, friendly, which means they weren’t out to steal info or cause harm, but to expose problems with security. One of them used to work for the National Security Agency, and both teamed up with Wired magazine on the story.
As reported in Wired magazine, hackers Charlie Miller and Chris Valasek took command of an unmodified 2014 Jeep Cherokee while it was being driven on a St. Louis highway by Wired journalist Andy Greenberg.
Using their laptops at home, the hackers managed to exploit a vulnerability in some versions of FCA’s Uconnect infotainment system, which connects to the Internet via a cellular data connection through Sprint. The Uconnect system is installed in 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, and the 2015 Chrysler 200. Here’s what the hackers were able to do: blast the Cherokee’s radio, turn on the wipers and eventually shut off the Cherokee’s engine while it was traveling on the highway. Yikes.
Later, in a parking lot, the hackers demonstrated how they could take control of the Cherokee’s steering wheel while the transmission was in reverse. They also managed to disable the brakes, sending Greenberg into a ditch.
The hackers told FCA about the vulnerability and worked with the automaker on a solution: the software fix released five days before news of the hacking attack. Owners can take their vehicle to a dealer for a free software upgrade, and FCA discourages anyone from downloading a patch via the internet.
“Under no circumstances does FCA condone or believe it’s appropriate to disclose “how-to information” that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” FCA said in a statement sent to Wired.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. The software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle.”
The hackers plan to release a portion of their code at a Black Hat security conference next month in Las Vegas.