If you drive a late-model (2013 or newer) FCA US LLC (Fiat Chrysler) vehicle, take warning: unless you've updated your vehicle's Uconnect software or had a Fiat/Chrysler dealer do so in the past five days, hackers anywhere in the country can take advantage of a security vulnerability to remotely hijack control of your vehicle.
They could affect systems ranging from the in-car entertainment to the dashboard functions, brakes, steering and transmission. Up to 471,000 vehicles in the United States might be affected.
Security researchers Charlie Miller of IOActive and former NSA worker Chris Valasek, who discovered this vulnerability, demonstrated it by remotely seizing control of a Jeep Cherokee driven by Wired reporter Andy Greenberg (with Greenberg's knowledge and consent).
The two researchers, who have been sharing their findings with Fiat Chrysler for the past nine months, intend to publicly identify the vulnerability at an upcoming Black Hat convention.
Car hacking is easier than ever
The threat of car hackings isn't new, but from a hacker's perspective it's easier now than it ever was. Last summer, security researchers attending the Black Hat USA convention in Las Vegas presented a study showcasing security vulnerabilities in modern computer-controlled (and therefore hackable) cars. Specifically, the researchers focused on those cars whose operating systems had the potential for remote rather than “hands-on” hacking (usually via wireless connections).
In February, the Senate Commerce, Science and Transportation Committee released a report showing that “Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”
The vulnerability that Miller and Valasek exploited to remotely seize control of Greenberg's Jeep is part of the vehicle's Uconnect system, which uses the Sprint cellular network to connect the car to the Internet and allows owners (and hackers, it turns out) to control certain vehicle functions with their smartphones.
Or, as Greenberg put it for Wired: “Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect … controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.”
When asked for comment, Fiat Chrysler Automobiles said it “appreciates” Miller and Valasek's efforts, but does not “believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.”
FCA did alert customers to the vulnerability – sort of – on July 16, when it posted a densely written announcement headlined “FCA US LLC Releases Software Update to Improve Vehicle Electronic Security and Communications System Enhancements.” (Note the wording: they're not “fixing a problem” or “patching a major security hole,” merely “Improv[ing] Vehicle Electronic Security etc. etc.”)
Nor does the announcement itself admit to any security vulnerabilities, software flaws or hackable exploits; the closest it gets to that is when it says:
...FCA released a Technical Service Bulletin (TSB) for a software update that offers customers improved vehicle electronic security and communications system enhancements.
Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.
To install the update yourself, visit this website to download the update onto a flash drive, which you can then insert into your car's USB socket.
Hacking test reveals real danger
Greenberg agreed to serve as a guinea pig on whom Miller and Valasek could demonstrate the security flaw. Here's what he said happened when the hackers took control of the vehicle while he drove it on the Interstate:
I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.... I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape....
As Greenberg went on to explain, that wasn't the first time Miller and Valasek took control of a car he'd volunteered to drive. The first was in summer 2013, when the duo demonstrated their ability to take control of a Ford Escape and a Toyota Prius. But, as Greenberg pointed out, “Back then, however, their hacks had a comforting limitation: The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems. A mere two years later, that carjacking has gone wireless.”
Fiat Chrysler – and almost half a million of their American customers – got lucky this time: the people who discovered the security flaw were good-guy hacker researchers, who did not take advantage of the exploit for evil purposes. Instead, they promptly and privately informed Chrysler of the problem, then waited nine months for Chrysler to develop and release the security patch, before going public with the knowledge that the exploit even exists. They were also sure not to provide specific details for hackers to exploit. The next people who discover how to remotely hijack or brick various models of fast-moving smartphones on wheels might not be so trustworthy.