Remember those guys who hacked a 2014 Jeep Cherokee and were featured on Wired as a way to raise awareness about the security of software-based car control systems? Well, they’re back, and they recently hacked a Jeep again to see how far they could go in a second attempt.
Charlie Miller and Chris Valasek programmed their way into the centralized computer systems in the same 2014 Jeep Cherokee as last time and were able to compromise the operation of some very vital parts again, but to a greater degree.
In the original experiment with Wired, the security researchers gained control of the Cherokee wirelessly, causing a bunch of systems to go haywire after they uploaded malicious code from 10 miles away. With enough digging, they were even able to disable both the brakes and the transmission since both are electronically controlled.
This forced Fiat-Chrysler Automobiles to recall nearly 1.4 million vehicles to issue a software update to patch the weak spots in the software of their UConnect infotainment system.
Fast forward to today: Miller and Valasek were once again able to take over various crucial systems on the same 2014 Jeep Cherokee, gaining full control over the parking brake, cruise control, and even the auto-parking system, which can cause the steering to go haywire. You can see what that was like in their quick video sample below.
This whole thing might seem a bit scary, especially when you consider how computer-controlled cars are these days. But they were only able to severely alter the vehicle’s behavior with a physical connection to the Jeep’s computer through the OBDII diagnostic port, unlike the first attempt, which was done from a considerable distance away, through the car’s wireless connectivity capabilities.
There were also a few other caveats. The 2014 Jeep Cherokee they hacked was still running the original software, from before the firmware update FCA released as part of the recall. The requirement of a physical connection and the need to bypass the latest patch also decrease the chance that a malicious hacker can wreak havoc on a bunch of unsuspecting 2014+ Jeep Cherokee owners.
But in a response to Wired’s coverage on Miller and Valasek’s latest attempt, The Verge pointed out the exploit still is possible if certain cars come equipped with OBD-connected wireless dongles, used by insurance companies.
Either way, FCA issued a statement, saying that this exploit in the second experiment is “highly unlikely” to be possible and “that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”
Additionally, Engadget’s own software security expert says the hack itself is flawed because it “requires ACTIVE (sic), PERSISTENT, INFORMED CONSENT of the target,” meaning the hacker has to be directly connected to the targeted victim and the chances of this happening leave little to no opportunity for danger to owners of these cars.
Still, this doesn’t hide the fact that software security issues are of great concern when cars are so computer controlled in nearly every aspect.
– By: Chris Chin