Jeep hacking and the risks posed by the internet of things
Last week, security researchers Charlie Miller and Chris Valasek did something extraordinary.
They hacked a Jeep, interfering with its entertainment system, engine and brakes, while it was being driven down a busy highway at 70mph.
And they didn’t do it while they were sat in the back seat; they did it from the comfort of a sofa in Miller’s basement 10 miles away.
The Jeep hadn’t been physically meddled with in any way; the researchers had exploited zero-day vulnerabilities in the car’s Uconnect head unit.
Wired journalist Andy Greenberg’s story of the hack – he was driving the Jeep at the time – made headlines around the world.
The researchers were criticised by some for conducting their test on a public highway, but there is no disputing that they raised public awareness of the danger of car hacking dramatically.
Fortunately, the hack is thought to be highly complex, and full details of how the researchers managed to exploit the system have not been made public. Right now, it’s highly unlikely that you will find yourself attacked by malicious hackers as you make your weekly trip down to the supermarket.
Shortly before the Wired story was published, a software update was quietly released by Fiat Chrysler, manufacturers of the Jeep. But, unfortunately, that patch requires car owners both to *know* about it and to go to the effort of downloading it onto a USB stick and plugging it into their car.
What are the chances of many affected car owners doing that? Pretty low, I would wager.
And yes, you’ve no doubt spotted the irony that security researchers are able to overwrite cars’ software with their own home-grown code via the internet – but Fiat Chrysler requires that the update is applied by someone with physical access to your vehicle.
With the publication of the Wired story, Fiat Chrysler couldn’t ignore the seriousness of the issue for long, and at the end of last week it announced a voluntary safety recall of 1.4 million vehicles to fix the security issue.
The following vehicles, if equipped with an 8.4-inch touch screen, might require the update:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
You can go to the Uconnect software download webpage to determine if your vehicle needs a software update.
Obviously it makes sense to update the software on your car if it is vulnerable, however small the chances that it might be hacked.
But there’s an important message for the rest of us here too.
As more and more technology becomes internet-enabled, whether it be your car, your fridge, your thermostat, your television or your baby monitor, the opportunities grow for manufacturers to mess up and do a poor job of security.
Of course, connecting devices to the internet can bring lots of cool features and benefits – but it also opens them up much more to potential attack. And, sadly, the manufacturers building the devices are quite likely to be less focused on security issues than, say, operating system manufacturers who have been hardening their software against hackers for decades.
Unfortunately, for those of us worried about the security implications, the rising tide of the internet of things seems impossible to stop. It’s here to stay. In just a few years it will be impossible for us to buy a new car which isn’t internet-connected in some fashion – so we have to cross our fingers that manufacturers will learn how to better secure them quickly.
Meanwhile, according to a tweet by Jeep hacker Charlie Miller, Mercedes is perhaps being a little too cocky about the chances of its cars ever being remotely hacked:
Guess I’ll buy a Mercedes. “There is no way you could hack a Mercedes-Benz from outside the car,” a senior Daimler engineering executive said
Watch this space: it’s likely to have many more tales of internet-enabled devices being exploited by hackers – and next time it might not be security researchers deciding which way events will turn.