Researchers Charlie Miller and Chris Valasek recently took Wired writer Andy Greenberg on a ride he won't soon forget
Chrysler has quietly released a Jeep software update to fix a major security vulnerability that could allow hackers to remotely hijack your vehicle.
Nextcar Bug artThe flaw, discovered by security researchers Charlie Miller and Chris Valasek, affects an Internet-connected computer feature in the dashboard called Uconnect—an optional upgrade that does not come standard in Chrysler vehicles. The duo recently demonstrated how they can leverage the flaw to remotely hack into a Jeep, taking Wired writer Andy Greenberg on a ride he won't soon forget.
Greenberg agreed to be the researcher's "digital crash-test dummy" and willingly got behind the wheel of a Jeep Cherokee on public roads in St. Louis. That's when things started getting weird.
"Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting," he wrote in his account of the incident. "Next the radio switched to the local hip hop station ... I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass."
The hackers—sitting comfortably on the couch in Miller's basement 10 miles away—flashed an image of themselves on the car's digital display. Greenberg didn't panic; the hackers had assured him they wouldn't do anything life threatening. Then they cut the transmission.
"Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. The experiment had ceased to be fun," Greenberg wrote.
He then grabbed his iPhone and started to "beg" the hackers to stop. They had one more trick up their sleeves, though.
"The most disturbing maneuver came when they cut the Jeep's brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch," Greenberg wrote.
The hackers said they're still working on "perfecting steering control," and for now can only hijack the wheel when the car is in reverse. They can also track the vehicle's coordinates, measure its speed, and drop pins on a map to track its route.
The attack is especially notable because the hackers executed it wirelessly, while not physically connected to the car with a laptop, which is how other car hacks have been carried out in the past. Miller and Valasek said they plan to reveal more details about the flaw at the Black Hat Conference next month.
For now, owners of vehicles with the Uconnect feature should install the update as soon as possible. The patch must be manually installed via USB stick or by a dealership mechanic. The flaw is said to affect several 2013-2014 models of Dodge Ram; the 2013-2014 Dodge Viper; the 2014 Jeep Cherokee, Jeep Grand Cherokee, and Dodge Durango; the 2015 Jeep Cherokee and Jeep Grand Cherokee; and 2015 Chrysler 200s.
In a statement, Chrysler didn't seem thrilled about how the researchers disclosed the problem.
"Under no circumstances does [Fiat Chrysler Automobiles] condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems," the company said.
Chrysler did, however, tell Wired that it "appreciates" Miller and Valasek's work. "We appreciate the contributions of cybersecurity advocates to augment the industry's understanding of potential vulnerabilities," Chrysler said. "However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety."
The software update is free; customers with questions can call Vehicle Care at 1-877-855-8400.
No comments:
Post a Comment