Fiat Chrysler Recalls 1.4 Million Autos to Defend Against Hacks

24 Jul 2015

Chrysler issues patch to keep car hackers at bay.

Until now, car hacking demos were done only while security researchers were hard-wired into a vehicle’s electrical system. St Louis, Missouri – The triumphant shout of “You’re doomed!” came in an iPhone call from the hacker who had remotely hijacked a Jeep Cherokee on a motorway, cutting the transmission and leaving its driver powerless.

Fiat Chrysler is offering a software patch for some of its internet-connected vehicles after a report showing hackers seizing control of a moving 2014 Jeep Cherokee. Cybersecurity experts Chris Valasek and Charlie Miller have publicly exposed a serious vulnerability that would allow hackers to take remote control of Fiat Chrysler Automobile (FCA) cars that run its Uconnect internet-accessing software for connected car features. As major automakers continue to roll out cars with Wi-Fi features connecting the vehicles with smartphones and other devices, their innovations are likely to catch the eye of hackers as well as tech-hungry customers, opening up a new asphalt playing field in the arena of cybersecurity. “My concern is where we are heading in the future.

There was just one documented real-world case of remote car hacking in 2010, but that was an inside job by a disgruntled car dealer employee, who bricked over 100 vehicles by taking advantage of technology designed to allow remote repossession. The accelerator stopped working and the Jeep slowed to a crawl on a flyover where there was no hard shoulder to pull over and the traffic was moving at a steady 115km/h. Fiat Chrysler claimed no first-hand knowledge of any of its vehicles being hacked and released a statement yesterday saying that software updates were sometimes required “for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems”. Uconnect allows owners of cars such as the Jeep Cherokee to remotely start and stop the engine and flash the lights (to find the car on a parking lot) and lock and unlock doors via a smartkey or smartphone.

As we head toward more automated drive systems, then the possibilities for hacking open up even more,” says Akshay Anand, an analyst with automotive research company Kelley Blue Book. But earlier this week, two security researchers who have made exposing connected car vulnerabilities somewhat of a crusade showed in dramatic and somewhat dangerous fashion how they were able to remotely disable critical systems of a 2014 Jeep Cherokee while the vehicle was on a St. A Wired story by Andy Greenberg this week told of hackers Charlie Miller and Chris Valasek remotely commandeering a Cherokee as part of an arranged demonstration of a vulnerability. The Jeep incident was the latest warning to the auto industry, which is rapidly adding Internet-connected features like WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks. However, as the researchers demonstrated to Wired’s Andy Greenberg, the system also allows those in the know to remotely hijack the signal and run the car off the road even when someone else is meant to be at the wheel.

Such an act might be deemed irresponsible but the researchers, who uncover these flaws for a living, first notified FCA about the problem nine months ago and until now have remained silent about the discovery. Through a flaw they discovered, Miller and Valasek gained access to the vehicle’s computer network through the wireless Uconnect system, which let them control the steering, brakes and transmission of the Jeep while the reporter was driving. Fiat Chrysler released free software updates for computerised UConnect systems in Chrysler, Dodge, Jeep and Ram models made in 2013 and last year, and some versions of the 2015 Chrysler 200.

However, the wording of the update: “Today, [the cybersecurity program] at FCA released a Technical Service Bulletin (TSB) for a software update that offers customers improved vehicle electronic security and communications system enhancements,” plus the fact that the update needs to be downloaded onto a USB key and physically installed by the owner, fails to highlight the potential seriousness of the problem. The hackers could have killed the engine altogether, slammed on the brakes or, worse, disabled them – as they did later. “The most disturbing manoeuvre came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the two-ton vehicle slid uncontrollably into a ditch,” he says. Vehicle recalls have been receiving a lot of media attention in recent months, yet according to Autotrader data, only 56% of drivers can be counted upon to take their vehicle in for servicing or correction every time.

While sitting in Miller’s basement miles away, the pair used a security vulnerability in the vehicle’s Uconnect infotainment system to blast the AC, tune to a hip-hop radio station and crank the stereo system, turn on the windshield wiper and washer, and post a snarky picture on the in-dash display of themselves in matching track suits. To drive home their point about the vulnerabilities of modern connected cars, they disabled the transmission, causing the Jeep to lose acceleration on the highway, with a semi bearing down on it.

Automakers are testing driverless car features as the next stage of innovation for their industry, and Anand says such technology could help hackers remotely steal a car. In it, they concluded at the time that hacking a car would be too time consuming, expensive and complicated to be worth the reward, except in very specific situations. The danger to consumers stems in large part from the rapid increase of companies, including automakers, who are making connected devices without putting the same effort into cybersecurity protections for those devices. Modern cars typically contain 50 low-powered computers – enabling services such as wifi, Bluetooth, satnav and even the information screen – which can offer tempting entry points to criminals. All of which is what makes the Uconnect exploit so serious and is why Miller has taken to Twitter to urge the public to download the software update. – AFP Relaxnews

Companies put in requirements to make sure that if you are a firm that wants its device to be interoperable with a software ecosystem like a smartphone network, they will have to assure they have security safeguards.” In response to such concerns, Federal Trade Commission Chairwoman Edith Ramirez has been pushing for more privacy and cybersecurity standards in the growing Internet of Things ecosystem – a sector of devices connected to wireless signals that includes not only cars but blenders, watches, thermostats and refrigerators. Their latest publicity stunt is a prelude to presenting their remote hacking research at the Black Hat security conference in Las Vegas next month, without revealing the details to malicious hackers. In Britain, tens of thousands of cars are stolen or broken into every year by thieves using electronic hacking equipment bought from websites based mainly in Bulgaria.

That ecosystem is growing, as an estimated 4.9 billion connected things will be used in 2015, up 30 percent from 2014, according to market research firm Gartner. Instead of smashing windows or forcing door locks, the criminals arm themselves with equipment that can intercept signals from key fobs to get into cars or that plugs into onboard computers remotely. Technology researchers, seeking to push the frontiers of their knowhow – and force the motor industry to take its head out of the sand over the issue – have for several years been seeking ways to hack cars’ computers and bypass their security systems. The duo proved this week that they can wirelessly carjack Jeep Cherokees via the internet, armed with just a basic mobile phone and a laptop loaded with their own software, from just about anywhere. According to research published by Markey’s office earlier this year, only two or three of 16 studied car companies appeared to be able to detect or respond to a hack, and customers often don’t know information from their car is being collected and sent to third parties. “Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes,” Blumenthal wrote in a press statement. “Security and safety need not be sacrificed for the convenience and promise of wireless progress.” Republicans like Sen.

This week, researchers in England found a way into a car’s electronics through the Digital Audio Broadcasting (DAB) radio feature commonly used in Europe and Asia that could allow a hacker to send malicious code to take over an infotainment system. Countermeasures such as OTA updates are becoming more common, as Tesla has shown, and automakers have been trying to stay ahead of the car-hacking threat by hiring dedicated security experts. There’s also currently not much incentive for hackers to target cars, beyond pulling off malicious pranks. “Given the [monetary] motivation of most hackers, the chance of [car hacking] is very low,” observed Damon McCoy, an assistant professor of computer science at George Mason University and a car security researcher. According to Greenberg, the hackers are “perfecting their steering control – for now, they can only hijack the wheel when the Jeep is in reverse”.

The threat of car hacking has been compared to the nascent Internet 20 years ago, when computers first started to become connected and the Black Hats started exposing and exploiting vulnerabilities. The first and easier method involves procuring a small box of electronic tricks the size of a credit card called a CANtact, which can be bought online from the US for just $60 (R755). Companies like Microsoft, in turn, were forced to go on the defensive and issue security patches and even reward nerds who uncovered a vulnerability with “bug bounties.” But it’s not 1995 and hackers are more plentiful and more sophisticated, and there could be more connected cars on the road now than there were connected computers two decades ago. This device must be physically connected to a car, via one of the connection points on the vehicle’s Controller Area Network (CANbus): this is the maze of wires and computers that forms your car’s electronic brain and is normally accessed by a garage mechanic, who plugs in a laptop to diagnose any faults. Similarly, a would-be hacker must connect the CANtact and then attach it, either with a cable or wirelessly, to a computer, which is then used to control your vehicle.

Last summer, a 14-year-old schoolboy stunned delegates at a conference of car engineers and computer security experts in the US when he controlled a car with his iPhone and a mere R200 worth of electronics similar to a CANtact. Straight off the showroom floor.” In 2013, they demonstrated an attack on a Toyota Prius and a Ford Maverick, using electronic components to take control of the cars’ smart steering, braking, acceleration, engines and lights.

They urged the makers to take notice of what they had done, pointing out that “drivers and passengers are strictly at the mercy of the code running in their automobiles and, unlike when their web browser crashes or is compromised, the threat to their physical well-being is real”. And while they have so far experimented only on Jeeps, they believe most of their attacks could be tweaked to work on any Chrysler vehicle equipped with Uconnect, an internet-connected computer feature found in more than 400 000 Fiat Chrysler cars, SUVs and trucks. According to Wired magazine, they have identified a vulnerable element of the Uconnect mobile phone connection that lets anyone who knows the car’s IP address (a unique string of numbers that identifies each computer) gain access from anywhere in the country. “From an attacker’s perspective, it’s a super-nice vulnerability,” says Miller. FCA said that it was “committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability” and lamented Miller and Valasek’s decision to go public with their findings. However, we caution advocates that in the pursuit of improved public safety they [do] not, in fact, compromise public safety.” Some progress is being made, with the House Committee on Energy and Commerce questioning all major car makers to see what they are doing to thwart hackers.

In the UK, the issue was addressed in a speech last year by the Home Secretary Theresa May. “We can now work with industry to improve electronic resilience to include this kind of resilience in the vehicle’s overall security ratings and work out the extent to which the same threat applies to other physical assets such as building security systems,” she said. Many British car manufacturers, such as Ford, say they are taking the issue ‘very seriously’ and doing all they can to ensure that new cars are as hack-proof as possible.
