If you drive a Jeep, beware of hackers. There is a security flaw in the Jeep Cherokee’s Uconnect vehicle-connectivity system. Two white hat hackers -- Charlie Miller and Chris Valasek -- tapped into the flaw while a reporter drove the vehicle down the highway.
The hackers successfully -- and remotely -- turned up the radio as loud as it would go and turned on the windshield wipers. If that seems fairly benign, wait until you hear this: They also cut off the transmission and disconnected the brakes. The Jeep ended up in a ditch.
It took a year for Miller and Valasek to figure out a way to exploit the vulnerability. The duo will share how they did it at the Black Hat security conference in Las Vegas in August, but the short story is the flaw allowed them to inject malware into the system for remote control. Fiat Chrysler issued a software patch for the flaw last week.
Shocked and Dismayed
We caught up with Andrew Conway, research analyst at intelligent network security firm Cloudmark, to get his reaction to the Jeep hack. He told us he was shocked to discover two months ago that the entertainment systems on some airliners were on the same networks as their flight control systems.
There is no justification for passengers to have access to ports that could potentially give them the ability to control the engine or steering, Conway said. Now, he’s even more shocked to discover that major car manufacturers apparently think it’s acceptable to have the brakes, steering, and transmission of an automobile controlled by a network that is also connected to the Internet.
“There are lots of good reasons to connect a car to the Internet -- navigation, entertainment, phone calls, weather forecasts -- but there are no good reasons to have that network connected to the drive systems except to save a buck or two in the manufacturing process,” Conway said.
The Frightening Truth
Conway argued that the controls needed to drive the car should be completely isolated from any external facing system -- no Bluetooth, no Wi-Fi, no 3G, no attack surface at all. That seems like common sense, even for consumers who are not in the security industry.
Next, Conway pointed out a chilling truth: Charlie Miller and Chris Valasek took a couple of years to completely compromise the systems of a popular car model. What if the resources of a nation state security service had been directed at the same task?
“The Chinese have apparently gone to great lengths to hack into U.S. government servers already,” he said. “Scarily, this shows that they could also hack into U.S. car networks, with the possibility of assassinating selected targets in an apparently accidental car crash? Personally I'm going to be driving my 12-year-old and completely non-connected Toyota until it falls apart.”