This week, Wired published a fantastic and unsettling report on the current state of automotive hacking. Senior Writer Andy Greenberg put himself at the mercy of two digital security researchers as they wirelessly took over control of the Jeep Cherokee he was driving, messing with the car’s climate control, stereo, windshield wipers, and eventually stalling the engine. Greenberg was left helpless, coasting nearly to a stop in the right lane of a busy highway as traffic scrambled to avoid him.
The Wired report is the most credible evidence yet that our increasingly tech-laden vehicles are ripe for hacking, with scanty security measures and an astounding lack of automaker foresight providing avenues for hackers to gain control of a car’s functions from anywhere in the world. Whereas previous car hacking stories contained some pretty big caveats—like the fact that evildoers would need to disassemble a car’s dashboard and physically plug in a laptop to take over the vehicle’s controls—the Jeep that Greenberg was driving was unmodified from how it left the factory. And the researchers who took over its controls were 10 miles away.
That, frankly, is terrifying. Greenberg’s article in Wired is nuanced and even-handed, and he carefully and purposefully avoids fearful exaggeration, but the evidence he so thoroughly presents is deeply troubling. It set off a frenzy in the automotive press, and rightly so.
But you probably don’t need to panic. And here’s why.
Related link: Read more about connected cars
The Methodology Is Sound
Greenberg’s terrifying hacker roller coaster ride was carried out by Charlie Miller and Chris Valasek, a duo that’s been doggedly poking at holes in modern cars’ computer systems for years. Miller and Valasek are the team behind most of the “car hacking” news stories of the past few years. In 2013, they took Greenberg (then writing for Forbes) for a thrill ride in a Toyota Prius and a Ford Escape, both wired with laptops in the back seat to take over the driver’s controls. Last year, Miller, a security researcher at Twitter, and Valasek, a director at digital security firm IOActive, published a white paper naming what they thought were the most hackable new cars on the U.S. market. Not surprisingly, their number-one hackable car, the 2014 Jeep Cherokee, is the car of choice in this experiment.
Miller and Valasek’s latest and most frightening exploit is completely wireless. Thanks to a vulnerability in Fiat Chrysler’s Uconnect dashboard infotainment system, which offers in-car WiFi through Sprint’s cellular network, a smartphone connected to Miller’s laptop lets him look around the cellular network for Uconnect-equipped vehicles. Using software he and Valasek designed, Miller can see a vulnerable car’s vehicle identification number, make, model, and IP address, along with its GPS location, in real-time. Once they’ve found a target vehicle, Miller and Valasek can worm their way into the entertainment system’s firmware, implanting malicious code they designed that can transmit commands to any system connected to the car’s network of computers—including the devices that control the car’s steering, brakes, and engine and transmission.
Miller and Valasek say that Uconnect systems installed from late 2013 through early 2015 are vulnerable, and while they’ve only tried their remote-takeover techniques on their own Jeep Cherokee, they estimate that nearly 500,000 vehicles carry the compromised system. FCA issued a statement in response detailing which models of Chrysler, Dodge, Jeep and Ram vehicles are affected.
But while the Wired video that goes alongside Greenberg’s Wired piece makes the hacking process look astoundingly simple—just two dudes on a couch, tapping away at their laptops, wreaking havoc on a Jeep on a highway 10 miles away—it was a long and arduous road that led up to that scene. And that’s good news for drivers of potentially-vulnerable Uconnect-equipped vehicles.
The Good Guys
Miller and Valasek’s methodology is a marathon, not a sprint. After first finding the one small vulnerability point that allows them to tap into a Uconnect-equipped car’s electronics, it took the duo months of arduous coding to develop the code that lets them rewrite the firmware and take over the car’s driving controls. And every step of the way, Miller and Valasek have gone about this the ethical way.
The slightly unsettling aspect of all this is that Miller and Valasek plan to publish their findings online, in conjunction with a talk they’re giving at the Black Hat digital security conference next month. In fact, that’s the best tool to protect us from the dystopian horror of a future of hackable cars.
Greenberg points out that Miller and Valasek have been sharing their findings with Chrysler for nearly nine months, allowing the automaker to devise a software update that closes the loophole that allowed the hackers entry in the first place. FCA notified affected owners on July 16th, though they did not acknowledge the hacking duo that discovered it. You can see FCA’s list of affected vehicles, and download the patch to update your Uconnect-equipped car, right here. By the time the digital security community learns the details of Miller and Valasek’s exploit, the fix to prevent it will be widely available, thanks to the hackers’ cooperation with FCA.
Secondly, the car-hacking duo is only revealing a small portion of their findings. They won’t publish the code that gives them access to the car’s engine and braking controls; neither will they identify the (now-patched) vulnerability that let them in.
In other words, armed with Miller and Valasek’s published findings, a malicious hacker would still need to figure out how to hack into a Uconnect-equipped vehicle, and reverse-engineer the code that allows control of the vehicle, two tasks that took months for these expert-level security hackers. Additionally, Miller and Valasek’s method requires them to know the IP address of the car they’re trying to hack; as Jason Torchinsky at Jalopnik points out, that drops the likelihood of a hacker targeting one specific vehicle down to near-zero.
Why publish anything, though? Greenberg explains:
The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles’ digital security. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says. “This might be the kind of software bug most likely to kill someone.”
Help Is On the Way
Simply by virtue of making their findings public, Miller and Valasek helped kick off a fix that will eliminate the vulnerability that made their hack possible. FCA says it has rectified the loophole that allowed the hack in its 2015 models, and released a software update to close the vulnerability in 2013 and 2014 vehicles. When Miller and Valasek publish and discuss their findings at Black Hat, they’ll be giving out an incomplete recipe that hinges on a software flaw that has since been patched. And the work of hackers like Miller, Valasek, and others is finally bringing the right kind of attention to the subject: On the same day that Greenberg published his Wired article, Senators Ed Markey and Richard Blumenthal introduced new legislation creating the first-ever automotive cybersecurity standards, which would require greater security measures to prevent malicious code from jumping from infotainment systems to vehicle controls, and establish real-time monitoring to “immediately detect, report, and stop” hacking attempts.
And as more and more cars get the capability to receive over-the-air software updates, manufacturers will be able to more quickly and efficiently patch vulnerabilities like the one that let Miller and Valasek hack into their Cherokee. That day is coming—Ford and Tesla already have systems capable of automatic over-the-air software updates, and more will soon follow.
So, should you be scared? That’s up to you. Is there a hacker out there who knows your Chrysler vehicle’s IP address, possesses masters-level computing skills, and has months to devote to reverse-engineering a way to take over your car? If you’re not some kind of international spy, the answer is probably “no.”