Could you hack a car?


A vulnerability in the infotainment system of a Jeep Cherokee was exploited by two hackers who were able to take control of the brakes and other critical systems.

You might well remember our previous blog posts on hacking a train and hacking a plane. Consider this part three of our trilogy.

Chris Valasek and Charlie Miller demonstrated to Wired magazine how they could control the brakes, air conditioning and even the engine, to the point of killing the engine whilst driving at 70mph on a freeway.

Uconnect… or perhaps don’t


The exploit was performed using the Uconnect system found in the ‘smart’ head-unit. Mark James, ESET IT security specialist, fills us in on the basics.

“Many different car manufacturers are now developing and using in-car electronics for not only entertainment but real-time information and management of the automotive systems.

“The ability to help the driver save fuel by showing them a better way to drive or the ability to have a real-time health report or alert when things may be going wrong could all make the driving experience better, but being connected to the internet has its downsides.

“We now have an operating system in the car that’s capable of being compromised and in some cases even taking complete control of the vehicle’s operation.”

The exploit itself relied on a zero-day vulnerability in the Jeep’s systems. Chrysler have since released a patch.

“A zero-day exploit is or has been downloaded or installed onto the internal operating system of the vehicles; it will then enable someone over the internet to gain complete control of their systems.

“These new systems have the ability to report their location back using GPS navigation, voice commands and direct control over certain areas of the vehicle’s operation including acceleration, braking and many auxiliary systems.”

Symptomatic

Uconnect is not the only internet-connected head unit, however, and in theory others could be exploited in a similar fashion at some point in the future.

“Car manufacturers are starting to take note and tighten up their systems, but often these upgrades can only be done physically from inside the car using USB or direct connection, and some people will just not be aware they are available or how to get them.

“Any car that has advanced electronics with internet connectivity ‘could be’ at risk; the more advanced it is, the higher the risk.

“The car manufacturers need to understand the importance of segregating controls that can be accessed from the different systems. Car security is no different than IT security; all car manufacturers have an obligation to protect the driver and passengers no matter how small the chance of attack could be.”

Owner’s Club

If you own a car with an internet-connected head-unit then you should be on the lookout for possible updates.

“Always ensure you are fully aware of any updates that need doing from your car manufacturer; if any do become available, get them patched right now, not at the weekend or when you next service your vehicle.

“Treat every patch with the utmost urgency even if they don’t state it fixes any security vulnerabilities; some may not want to broadcast there was a problem in the first place.”


Have you ever been affected by a security vulnerability in anything other than a computer?