Jeep Software Flaw Gives Hackers Total Control
Posted July 21, 2015
By Jennifer LeClaire. Updated July 21, 2015 1:33PM

If you drive a Jeep, beware of hackers. There is a security flaw in the Jeep Cherokee’s Uconnect vehicle-connectivity system. Two white hat hackers -- Charlie Miller and Chris Valasek -- tapped into the flaw while a reporter drove the vehicle down the highway.

The hackers successfully -- and remotely -- turned up the radio as loud as it would go and turned on the windshield wipers. If that seems fairly benign, wait until you hear this: They also cut off the transmission and disconnected the brakes. The Jeep ended up in a ditch.

It took a year for Miller and Valasek to figure out a way to exploit the vulnerability. The duo will share how they did it at the Black Hat security conference in Las Vegas in August, but the short story is the flaw allowed them to inject malware into the system for remote control. Fiat Chrysler issued a software patch for the flaw last week.

Shocked and Dismayed

We caught up with Andrew Conway, research analyst at intelligent network security firm Cloudmark, to get his reaction to the Jeep hack. He told us he was shocked to discover two months ago that the entertainment systems on some airliners were on the same networks as their flight control systems.

There is no justification for passengers to have access to ports that could potentially give them the ability to control the engine or steering, Conway said. Now, he’s even more shocked to discover that major car manufacturers apparently think it’s acceptable to have the brakes, steering, and transmission of an automobile controlled by a network that is also connected to the Internet.

“There are lots of good reasons to connect a car to the Internet -- navigation, entertainment, phone calls, weather forecasts -- but there are no good reasons to have that network connected to the drive systems except to save a buck or two in the manufacturing process,” Conway said.

The Frightening Truth

Conway argued that the controls needed to drive the car should be completely isolated from any external facing system -- no Bluetooth, no Wi-Fi, no 3G, no attack surface at all. That seems like common sense, even for consumers who are not in the security industry.

Next, Conway pointed out a chilling truth: Charlie Miller and Chris Valasek took a couple of years to completely compromise the systems of a popular car model. What if the resources of a nation state security service had been directed at the same task?

“The Chinese have apparently gone to great lengths to hack into U.S. government servers already,” he said. “Scarily, this shows that they could also hack into U.S. car networks, with the possibility of assassinating selected targets in an apparently accidental car crash? Personally I'm going to be driving my 12-year-old and completely non-connected Toyota until it falls apart.”

Andrew:
Posted: 2015-07-23 @ 1:13am PT
Obama is gonna drive 'em all to Mexico by mote-control while you're sleeping to pick more illegals.

Phil Cooper:
Posted: 2015-07-23 @ 12:41am PT
If Chrysler screwed this up, there's a good chance that all other auto manufacturers did as well. Maybe it was even done at the request of certain government agencies, a sort of remote "kill switch".

SelfDrivingCloudCar:
Posted: 2015-07-21 @ 4:16pm PT
Maybe the reason to connect the controls of the car to the internet is that the manufacturer is planning to drive the cars remotely? Instead of carrying the computers for self-driving cars on-board, let the cloud send commands to it via the net. Scary thought, but commercially interesting.
