Just when you thought it was safe to go out on the road, automotive cybersecurity researchers Charlie Miller and Chris Valasek have a whole new arsenal of attacks against the same 2014 Jeep Cherokee they hacked last year.
One year ago Chrysler announced a recall for 1.4 million Jeeps and other vehicles after the two demonstrated that they could remotely hijack connected car systems. They were able to remotely take control of the Jeep’s air-conditioning system, radio and windshield wipers, using the mobile phone network and the car’s internal 4G connection. They demonstrated this to an unaware journalist at 70 MPH as well. And even uploaded a picture of themselves to the affected car’s dash display, just to ratchet up the poor guy’s terror.
Using the mobile network improves reach, but requires specialized know-how and equipment. "We took over the infotainment system and from there reprogrammed certain pieces of the vehicle so we could send control commands," Valasek said at the time. "It takes a lot of time, skill and money. That isn't to say that there aren't large organizations interested in it."
But that was 2015. Jeep fixed the problem, recalling vehicles in two waves and launching a bug bounty program. Everything’s good, right? Well….no.
This year, they have been able to cause unintended acceleration, to slam the breaks on remotely and to turn the vehicle’s steering wheel at any speed. In other words, they’ve raised up an even more terrifying hacking-for-murder specter.
“Imagine last year if instead of cutting the transmission on the highway, we’d turned the wheel 180 degrees,” Valasek told Wired. “You wouldn’t be on the phone with us. You’d be dead.”
That said, they can’t do it remotely—the attacks must be done with a laptop plugged directly into the Jeep. That’s thanks to the patch that Chrysler pushed out last year disabling remote access to the control system. But the idea is to show what’s possible—a grim reminder that cyber-criminals could be out there right now, probing and testing, trying to find new weaknesses to exploit. It’s logical to assume that remote execution of these kinds of physically threatening gambits aren’t completely out of the picture—and car-makers, along with every IoT manufacturer out there, should be actively looking at defenses that they need to build, for now and the future.
“You need to know what hackers are going to do next, how to mitigate it, and how some mitigations don’t work, which is what we’ve shown,” Miller said.
Photo © Ed Aldridge/Shutterstock.com