Fiat Chrysler Recalling 1.4M Vehicles to Address Hacking Threat

24 Jul 2015

Chrysler issues patch to keep car hackers at bay.

St Louis, Missouri – The triumphant shout of “You’re doomed!” came in an iPhone call from the hacker who had remotely hijacked a Jeep Cherokee on a motorway, cutting the transmission and leaving its driver powerless. Fiat Chrysler is offering a software patch for some of its internet-connected vehicles after a report showing hackers seizing control of a moving 2014 Jeep Cherokee. Cybersecurity experts Chris Valasek and Charlie Miller have publicly exposed a serious vulnerability that would allow hackers to take remote control of Fiat Chrysler Automobile (FCA) cars that run its Uconnect internet-accessing software for connected car features.

There was just one documented real-world case of remote car hacking in 2010, but that was an inside job by a disgruntled car dealer employee, who bricked over 100 vehicles by taking advantage of technology designed to allow remote repossession. The accelerator stopped working and the Jeep slowed to a crawl on a flyover where there was no hard shoulder to pull over and the traffic was moving at a steady 115km/h.

Fiat Chrysler claimed no first-hand knowledge of any of its vehicles being hacked and released a statement yesterday saying that software updates were sometimes required “for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems”. Uconnect allows owners of cars such as the Jeep Cherokee to remotely start and stop the engine and flash the lights (to find the car on a parking lot) and lock and unlock doors via a smartkey or smartphone. But earlier this week, two security researchers who have made exposing connected car vulnerabilities somewhat of a crusade showed in dramatic and somewhat dangerous fashion how they were able to remotely disable critical systems of a 2014 Jeep Cherokee while the vehicle was on a St.

A Wired story by Andy Greenberg this week told of hackers Charlie Miller and Chris Valasek remotely commandeering a Cherokee as part of an arranged demonstration of a vulnerability. The Jeep incident was the latest warning to the auto industry, which is rapidly adding Internet-connected features like WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks. However, as the researchers demonstrated to Wired’s Andy Greenberg, the system also allows those in the know to remotely hijack the signal and run the car off the road even when someone else is meant to be at the wheel.

Greenberg described how hackers working from laptop computers at home tinkered with the Cherokee’s steering and brakes as well as the radio, windshield wipers and more. Such an act might be deemed irresponsible but the researchers, who uncover these flaws for a living, first notified FCA about the problem nine months ago and until now have remained silent about the discovery. Fiat Chrysler released free software updates for computerised UConnect systems in Chrysler, Dodge, Jeep and Ram models made in 2013 and last year, and some versions of the 2015 Chrysler 200. However, the wording of the update: “Today, [the cybersecurity program] at FCA released a Technical Service Bulletin (TSB) for a software update that offers customers improved vehicle electronic security and communications system enhancements,” plus the fact that the update needs to be downloaded onto a USB key and physically installed by the owner, fails to highlight the potential seriousness of the problem.

The hackers could have killed the engine altogether, slammed on the brakes or, worse, disabled them – as they did later. “The most disturbing manoeuvre came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the two-ton vehicle slid uncontrollably into a ditch,” he says. Vehicle recalls have been receiving a lot of media attention in recent months, yet according to Autotrader data, only 56% of drivers can be counted upon to take their vehicle in for servicing or correction every time.

While sitting in Miller’s basement miles away, the pair used a security vulnerability in the vehicle’s Uconnect infotainment system to blast the AC, tune to a hip-hop radio station and crank the stereo system, turn on the windshield wiper and washer, and post a snarky picture on the in-dash display of themselves in matching track suits. To drive home their point about the vulnerabilities of modern connected cars, they disabled the transmission, causing the Jeep to lose acceleration on the highway, with a semi bearing down on it. From his terrifying account, it would appear that Miller and Valasek have worked out how to control a car remotely, over the internet, without having physical access to the vehicle in any shape or form. In it, they concluded at the time that hacking a car would be too time consuming, expensive and complicated to be worth the reward, except in very specific situations.

Modern cars typically contain 50 low-powered computers – enabling services such as wifi, Bluetooth, satnav and even the information screen – which can offer tempting entry points to criminals. All of which is what makes the Uconnect exploit so serious and is why Miller has taken to Twitter to urge the public to download the software update. – AFP Relaxnews

Their latest publicity stunt is a prelude to presenting their remote hacking research at the Black Hat security conference in Las Vegas next month, without revealing the details to malicious hackers. In Britain, tens of thousands of cars are stolen or broken into every year by thieves using electronic hacking equipment bought from websites based mainly in Bulgaria. Instead of smashing windows or forcing door locks, the criminals arm themselves with equipment that can intercept signals from key fobs to get into cars or that plugs into onboard computers remotely. Technology researchers, seeking to push the frontiers of their knowhow – and force the motor industry to take its head out of the sand over the issue – have for several years been seeking ways to hack cars’ computers and bypass their security systems. The duo proved this week that they can wirelessly carjack Jeep Cherokees via the internet, armed with just a basic mobile phone and a laptop loaded with their own software, from just about anywhere.

This week, researchers in England found a way into a car’s electronics through the Digital Audio Broadcasting (DAB) radio feature commonly used in Europe and Asia that could allow a hacker to send malicious code to take over an infotainment system. Countermeasures such as OTA updates are becoming more common, as Tesla has shown, and automakers have been trying to stay ahead of the car-hacking threat by hiring dedicated security experts.

There’s also currently not much incentive for hackers to target cars, beyond pulling off malicious pranks. “Given the [monetary] motivation of most hackers, the chance of [car hacking] is very low,” observed Damon McCoy, an assistant professor of computer science at George Mason University and a car security researcher. According to Greenberg, the hackers are “perfecting their steering control – for now, they can only hijack the wheel when the Jeep is in reverse”.

The threat of car hacking has been compared to the nascent Internet 20 years ago, when computers first started to become connected and the Black Hats started exposing and exploiting vulnerabilities. The first and easier method involves procuring a small box of electronic tricks the size of a credit card called a CANtact, which can be bought online from the US for just $60 (R755). Companies like Microsoft, in turn, were forced to go on the defensive and issue security patches and even reward nerds who uncovered a vulnerability with “bug bounties.” But it’s not 1995 and hackers are more plentiful and more sophisticated, and there could be more connected cars on the road now than there were connected computers two decades ago. This device must be physically connected to a car, via one of the connection points on the vehicle’s Controller Area Network (CANbus): this is the maze of wires and computers that forms your car’s electronic brain and is normally accessed by a garage mechanic, who plugs in a laptop to diagnose any faults.

Similarly, a would-be hacker must connect the CANtact and then attach it, either with a cable or wirelessly, to a computer, which is then used to control your vehicle. Last summer, a 14-year-old schoolboy stunned delegates at a conference of car engineers and computer security experts in the US when he controlled a car with his iPhone and a mere R200 worth of electronics similar to a CANtact. Straight off the showroom floor.” In 2013, they demonstrated an attack on a Toyota Prius and a Ford Maverick, using electronic components to take control of the cars’ smart steering, braking, acceleration, engines and lights.

They urged the makers to take notice of what they had done, pointing out that “drivers and passengers are strictly at the mercy of the code running in their automobiles and, unlike when their web browser crashes or is compromised, the threat to their physical well-being is real”. And while they have so far experimented only on Jeeps, they believe most of their attacks could be tweaked to work on any Chrysler vehicle equipped with Uconnect, an internet-connected computer feature found in more than 400 000 Fiat Chrysler cars, SUVs and trucks. According to Wired magazine, they have identified a vulnerable element of the Uconnect mobile phone connection that lets anyone who knows the car’s IP address (a unique string of numbers that identifies each computer) gain access from anywhere in the country. “From an attacker’s perspective, it’s a super-nice vulnerability,” says Miller. FCA said that it was “committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability” and lamented Miller and Valasek’s decision to go public with their findings. However, we caution advocates that in the pursuit of improved public safety they [do] not, in fact, compromise public safety.” In the Some progress is being made, with the House Committee on Energy and Commerce questioning all major car makers to see what they are doing to thwart hackers.

In the UK, the issue was addressed in a speech last year by the Home Secretary Theresa May. “We can now work with industry to improve electronic resilience to include this kind of resilience in the vehicle’s overall security ratings and work out the extent to which the same threat applies to other physical assets such as building security systems,” she said. Many British car manufacturers, such as Ford, say they are taking the issue ‘very seriously’ and doing all they can to ensure that new cars are as hack-proof as possible. In the future, it is likely that car makers will introduce vehicle-to-vehicle (V2V) communication, in which our cars would be able to talk to each other electronically, sending warnings of an accident or a build-up of traffic.
