
Jeep hacking and the risks posed by the internet of things

Graham CLULEY

July 27, 2015


Last week, security researchers Charlie Miller and Chris Valasek did something extraordinary.

They hacked a Jeep, interfering with its entertainment system, engine and brakes, while it was being driven down a busy highway at 70mph.

And they didn’t do it while sitting in the back seat. They did it from the comfort of a sofa in Miller’s basement 10 miles away.

The Jeep hadn’t been physically meddled with in any way. The researchers had exploited zero-day vulnerabilities in the car’s Uconnect head unit.

Wired journalist Andy Greenberg’s story of the hack – he was driving the Jeep at the time – made headlines around the world.

The researchers were criticised by some for conducting their test on a public highway, but there is no disputing that they raised public awareness of the danger of car hacking dramatically.

Fortunately, the hack is thought to be highly complex, and full details of how the researchers managed to exploit the system have not been made public. Right now, it’s highly unlikely that you will find yourself attacked by malicious hackers as you make your weekly trip down to the supermarket.

Shortly before the Wired story was published, a software update was quietly released by Fiat Chrysler, manufacturers of the Jeep. But, unfortunately, that patch requires car owners both to *know* about it and to go to the effort of downloading it onto a USB stick and plugging it into their car.

What are the chances of many affected car owners doing that? Pretty low I would wager.

And yes, you’ve no doubt spotted the irony that security researchers are able to overwrite cars’ software with their own home-grown code via the internet – but Fiat Chrysler requires that the update is applied by someone with physical access to your vehicle.


With the publication of the Wired story, Fiat Chrysler couldn’t ignore the seriousness of the issue for long, and at the end of last week it announced a voluntary safety recall of 1.4 million vehicles to fix the security issue.

The following vehicles, if equipped with an 8.4-inch touch screen, might require the update:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

You can go to the Uconnect software download webpage to determine if your vehicle needs a software update.

Obviously it makes sense to update the software on your car if it is vulnerable, however small the chances that it might be hacked.

But there’s an important message for the rest of us here too.

As more and more technology becomes internet-enabled, whether it be your car, your fridge, your thermostat, your television or your baby monitor, the opportunities grow for manufacturers to mess up and do a poor job of security.

Of course, connecting devices to the internet can bring lots of cool features and benefits – but it also opens them up much more to potential attack. And, sadly, the manufacturers building the devices are quite likely to be less focused on security issues than, say, operating system manufacturers who have been hardening their software against hackers for decades.

Unfortunately, for those of us worried about the security implications, the rising tide of the internet of things seems impossible to stop. It’s here to stay. In just a few years it will be impossible for us to buy a new car which isn’t internet-connected in some fashion – so we have to cross our fingers that manufacturers will learn how to better secure them quickly.

Meanwhile, according to a tweet by Jeep hacker Charlie Miller, Mercedes is perhaps being a little too cocky about the chances of its cars ever being remotely hacked:


Guess I’ll buy a Mercedes. “There is no way you could hack a Mercedes-Benz from outside the car,” a senior Daimler engineering executive said

Watch this space: it’s likely to have many more tales of internet-enabled devices being exploited by hackers – and next time it might not be security researchers deciding which way events will turn.
