More disturbing details about the Jeep hack

24 Jul 2015

A hacked Jeep should be a wake-up call to automakers.

Fiat Chrysler is offering a software patch for some of its internet-connected vehicles after a report showing hackers seizing control of a moving 2014 Jeep Cherokee. PITTSBURGH (AP) – Chris Valasek celebrated his new-found fame as part of a two-man team that successfully hacked into a high-end Jeep Cherokee by downing a Primanti’s sandwich and a 22-ounce Iron City Light.

Security fears could put a dampener on future self-driving cars after hackers showed they could wirelessly take control of hundreds of thousands of US-built cars built by FCA, owners of the Fiat, Jeep and Chrysler car brands. Two men used a laptop and a mobile phone to seize control of the Cherokee model as it drove at 70mph along the motorway – and turned off its engine, slammed on the brakes and ramped its wind-screen wipers to maximum speed. Fiat Chrysler claimed no first-hand knowledge of any of its vehicles being hacked and released a statement yesterday saying that software updates were sometimes required “for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems”. As writer Andy Greenberg sped down the highway in a Jeep Cherokee, the radio started blasting hip hop, the air conditioning unexpectedly turned on, the wipers activated — and then the SUV switched itself into neutral. The Jeep incident was the latest warning to the auto industry, which is rapidly adding Internet-connected features like WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks.

This was swiftly followed by his music system springing into noisy life and his windscreen wipers suddenly whipping back and forth at their fastest speed. Greenberg wrote: “Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. “Next the radio switched to the local hip-hop station and began blaring Skee-lo at full volume. Greenberg described how hackers working from laptop computers at home tinkered with the Cherokee’s steering and brakes as well as the radio, windshield wipers and more. Then came the worst bit by far – without him doing a thing, the Jeep’s engine died, leaving the car crawling along at a snail’s pace on a busy freeway. They notified FCA of the vulnerability in the Uconnect infotainment system in the US-built cars, and drew the car firm’s ire by planning to release part of the code at a security conference next month in Las Vegas.

Fiat Chrysler released free software updates for computerised UConnect systems in Chrysler, Dodge, Jeep and Ram models made in 2013 and last year, and some versions of the 2015 Chrysler 200. Then the windshield wipers turned on, and wiper fluid blurred the glass. “As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display … wearing their trademark track suits. Yet both Audi and Mercedes-Benz say they remain unconcerned, insisting their security development is at a different level to the potentially impacted Chryslers, Dodges, Rams and Jeeps. “Safety-critical systems get a lot of work from us,” Audi’s head of electronics said, while Mercedes-Benz insisted there was no way their cars could be hacked from the outside. A nice touch, I thought.” Security experts Miller and Valasek say they accessed the Jeep’s on-board controls via its wireless internet connection, called Uconnect, used by 470,000 cars made by Fiat Chrysler, SUVs and trucks, including some in Britain.

He worked at a job in Atlanta for a few years before his employer allowed him to start working from home. “They said I could move anywhere in the world, and I came back here,” Valasek, 33, told the Tribune-Review Wednesday. “I love it. The two German premium carmakers have insisted it’s not possible today to use the internet connectivity of their cars to hack into their control systems. They say that Uconnect – which controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot – needs an urgent security upgrade. Greenberg, with his permission, by two “white hat” hackers – computer security specialists who break into protected systems and networks to test and assess their security.

He had agreed to be hacked by two of his tech buddies who, though miles away, had taken control of his vehicle’s on-board computer in order to highlight the security vulnerabilities of modern cars that are hooked up to the internet. Audi, pointedly, regularly uses professional hackers to test their electronics security work, Hudi admitted. “We pay companies to take our cars away to hack them, before they get to production. Chrysler has issued a patch to deal with the security breach – but it must be implemented via a USB stick or by a dealership mechanic, meaning many vehicles are likely to remain vulnerable. And with a growing number of internal car functions being controlled by chips and software, the list of things that could conceivably be commandeered by hackers is steadily expanding.

We give them our cars and say ‘Take as long as you want but please try to attack it, in whatever way you can’. “Basically we tell them they can use all ways available including straight vandalism to get access to control the car’s electronic systems. Granted, it took Greenberg’s hackers — a pair of security researchers who warned him in advance about what they were doing — months to find a way to take over a Jeep through its entertainment system, and Chrysler has already issued a software update to plug that hole. Unsurprisingly, Fiat Chrysler, this particular vehicle’s manufacturer, has now issued a “patch” that befuddled car owners must download or beg their local dealer to do for them. From what I can see, that’s the best way to improve security. “Connectivity is a way of life, but the systems are not the same as the car’s systems.

Nevertheless, the incident should set off alarms throughout the industry, which still relies on protocols developed long before cars could connect electronically to other, potentially hostile devices. There is networking as one point and the other is how you do your modularity and scalability and safety functions across the system.” While the Jeep hacking scandal has caused widespread public concern, it hasn’t slowed Mercedes-Benz’s push for autonomous and semi-autonomous driving, according to the company’s head of transmissions. “Even when you have a remote start, there is a link there from the phone. Security experts say there has been no concerted effort by automakers or parts suppliers to redesign internal communications channels to guard against attackers. Mercedes Me can open the doors of the car, but this is only for unlocking the doors, not starting the engine or driving away or disabling safety features. Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation tasking the National Highway Safety Administration and Federal Trade Commission with developing standards that prevent hacking of vehicle control systems.

For the Wired article, Valasek and Miller took the journalist through a bit of a freak-out moment by first controlling the radio, wipers and washer fluid on the Cherokee as he was driving on a St. That hasn’t stopped two US Senators from introducing a bill to mandate minimum levels of security for cars that have any kind of internet connection.

Personally, I think it’s too easy when something like this happens to moan and mourn the days when you, and you alone, had control of your car, or who saw your saucy honeymoon snaps. The bill, which would ultimately affect all US-built cars exported to other markets, including those from Mercedes-Benz and BMW’s US plants, wants real-time monitoring of hacking threats and attempts on cars. One of the drafting senators polled 16 carmakers on security policies earlier this year and found inconsistencies and vagueness on data collection from telematics, internet connectivity and security threats. Senator Edward Markey also wants to give drivers the ability to disable data collection for vehicle tracking and marketing reasons, and to ban carmakers from cancelling navigation systems for drivers who opt out.

Valasek wore a Pitt T-shirt.) By merely typing the right series of computer commands, the researchers said they could hack into these vehicles, almost anywhere they might be driving. Although mandating a specific security approach would be a bad idea — lawmakers and regulators can’t keep pace with ever-changing technology — having the agency shepherd the industry’s efforts to identify and respond to vulnerabilities would be welcome. And putting a security grade next to the mileage estimate on a new car’s sticker would bring needed pressure on the industry to make vehicles more resistant to hackers before they hit the showroom floor. Automation, to varying degrees, has offered salvation to billions – from those of us profoundly grateful for the domestic dishwasher all the way through to the patients of doctors performing “telesurgery” – remotely operating on patients miles away.

The deal of this modern age must be that if we consumers put our faith into the hands of companies using cutting edge technology, these businesses need to meet us half way with assurances of total security. Government and industry officials are racing to add protections before techniques demonstrated by Miller, Valasek and other researchers join the standard tool kits of cybercriminals. In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next, hindering hackers. “They haven’t been able to weaponize it. For instance, while I love how Google continues to push the boundaries with driverless cars and its forays into artificial intelligence, I don’t much like it when it randomly collects people’s information without their prior consent.

Nor do I feel assured about putting my family photos into Apple’s iCloud soon after intimate images of Hollywood A-listers have been hacked (and no, before you ask, they aren’t those kind of snaps) – even though I’m an iPhone and Mac fan. You can’t yet do it on a 100,000-car basis.” Valasek acknowledged that it has taken years of research for him and Miller to reach this point, and executing the hack still requires detailed knowledge of not only computers, but also how the vehicle software works. “If you’re concerned about someone assassinating you, then, yes, you should be concerned,” Valasek said. “Otherwise, it’s not to the point where it’s opportunistic.” They will hack our cars, our emails and in years to come, no doubt, our thermostats, fridges, pacemakers, even airliners – anything and everything that will be connected to the so-called “internet of things”.
