Hackers can remotely control your car and orchestrate an accident: Video

Charlie Miller, an ex-NSA hacker and current security researcher for Twitter and his friend Chris Valasek, director of vehicle security research at consultancy firm IOActive, have been researching on the vulnerabilities of modern day vehicle infotainment systems to hacking.

Car hacking brake failure
A digital command via internet to a hacked vehicle can orchestrate an accident! (Image: Whitney Curtis for Wired.com)

Their findings will make you have second thoughts about buying that funky set of wheels with so called hi-tech entertainment system which lets you connect to the internet on the go. The hacker duo have been working to persuade the automakers to beef up their vehicle’s cyber security but so far, they have encountered indifference. However their latest demonstration is sure to shock the vehicle owners and OEMs alike.

Before delving into their latest stunt, let us have a brief look into their first demonstration which highlighted a modern car’s dangerous week point. In 2013, the duo applied for US Department of Defence’s DARPA grant of USD 80,000 using which they bought a Ford Focus and a Toyota Prius for research purposes. After studying the vehicles’ wiring, software and CAN (Controller Area Network), they successfully managed to hack the system by plugging into the diagnostic port. This gave them complete control of the car’s functions including steering, brakes, horn, music, AC and what not!

When they approached the respective automakers with their finding, they were steamrolled. The car makers argued that the hackers were able to commandeer the vehicles only after physically accessing them and this can’t qualify as lapse of vehicle security.

Not to be unsettled, Miller and Valasek continued their research into possible vulnerabilities in latest infotainment systems by downloading technical manuals and wiring diagrams of several new models. They rated 24 vehicles based on their cyber security, considering these three factors: How many radio’s connected the car’s system to internet (and types of radios); how isolated are these internet-connected onboard computers from critical driving systems; and if those critical systems have cyberphysical components (the ones that enable controlling steering, braking etc, by means of digital commands).

Based on the rankings, they found new Jeep Cherokee to be the most hackable model, closely followed by Cadillac Escalade and Infiniti Q50. Both GM and Infiniti issued a statement, saying that they are continuously working towards improving the security of their vehicles against cyber attack. Chrysler too have responded by introducing a security patch for Cherokee but it needs to be manually installed using a USB stick and it’s doubtful that it will reach each and every one of the vulnerable models.

Coming to Miller and Valasek’s latest stunt, they put Wired.com’s senior writer Andy Greenberg behind the wheel of a new Jeep Cherokee and sent him on a public road in the US. While Greenberg was very well aware that the car will be remotely hacked through its UConnect infotainment system, the hackers didn’t tell him what sort of intervention to expect.

Car hacking by Charlie Miller and Velasek
Hackers Charlie Miller (left) and Chris Valasek managed to expose the hackability of UConnect system in Jeep Cherokee. (image: Whitney Curtis for Wired.com)

When driving at about 70 mph (112 kmph), the hackers who were sitting on a cozy couch some 10 miles away from the car activated the climate control system at full blast before turning the audio system on with full volume. Driver’s attempt to reduce the volume using dashboard controls proved futile! That’s not all, the duo even displayed one of their pictures on the car’s infotainment display.

Just when Greenberg thought that Miller and Valasek have made their point, the pair had another nasty trick up their sleeves. The Cherokee suddenly suffered an engine failure right in the middle of the road and started coasting, dangerously losing momentum. With no road shoulder to escape, the SUV started limping on the left most lane with motorists honking and changing lanes to avoid a collision! The driver was then asked to restart the vehicle to move ahead again. In a controlled environment, they also demonstrated how the brakes can be remotely controlled too!

Such a grave vulnerability on mass produced connected cars is definitely a reality now and it needs to be plugged at once or it could emerge as a potential killer. All it takes is a group of wrong persons figuring out what Miller and Valasek did! The duo are in fact intending to publish a portion of their technique at the upcoming Black Hat security conference in an attempt to urge automakers to take the issue of cyber security very seriously.

So how did they manage to hack Chrysler’s UConnect? The system’s cellular and internet connectivity suite apparently allows anyone who know’s the car’s IP address to gain access from anywhere in the country! With this super nice vulnerability as a back door, a skilled hacker can remotely reach the chip in the head unit which is responsible for the entertainment system. By rewriting the chip’s firmware to accommodate his/her codes, one can carjack any targeted vehicle via internet from thousands of miles away and do whatever they want. Even steering control will no longer be under driver’s jurisdiction! Having a GPS trace on a vehicle is a child’s play.

While the hackers have tried it only on Cherokee so far, they are certain that, with suitable modification in codes, almost all Chrysler vehicles that employ UConnect are prone to remote carjacking! And the sad part is, it’s not just UConnect, with a exception of very few, most of the OEMs’ current connected infotainment systems have some bugs or back doors for the hackers to exploit and they need to be addressed promptly.

After following the work of these two hackers/security researchers, US Senators Edward J. Markey and Richard Blumenthal introduced a legislation yesterday, directing the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.

Car hacking via connected infotainment system
Most connected infotainment systems in vehicles have bugs or backdoors which allows hackers to penetrate the system and launch a full scale ‘zero-day’ attack. (Image: Whitney Curtis for Wired.com)

Dubbed as Security and Privacy in Your Car Act (SPY Car), a rating system has been established which informs the consumer on how well their cars protect their security and privacy beyond the minimum standards.

As connected infotainment system has become a globally accepted and appreciated feature on a premium cars, this important issue is not just limited to the US but is spread across the world including India! It’s only a matter of time before this technology and its negative side effects have a level of penetration it now has in the states.

So what needs to be done to curb it? Well, for starters, stringent government policies governing the security standards of such systems should be in place world over to encourage automaker to invest in cyber security. From the automaker’s side, we need safer design to reduce the number of possible attack points, a comprehensive internal monitoring system of CAN which alerts of any suspicious digital commands and third party testing of vehicle’s digital security. Instead of fighting hackers like Miller and Valasek, OEMs should focus on receiving vital inputs from them on possible weaknesses in their systems and work towards plugging it.

So, do you drive or planning to buy a car which has any sort of wireless connectivity such as wi-fi hotspot, cellular internet, LTE, etc.? Then ask questions about its ability to withstand a skilled cyber attack, for OEMs have this general tendency to sit on a potential life-threatening flaw unless the consumers start asking the right kind of questions! As to existing sytems, we are hoping to see a string of world wide software update (patch) recalls by several automakers!

Via – Wired.com