Wired Jeep hack: Don’t let stunt storytelling eclipse the message

23 Jul 2015

Great, now hackers say they can probably take over your car.

Last year, Mr Charlie Miller and Mr Chris Valasek bought a Jeep that came with a car stereo head unit, which offers a radio display and a traffic and navigation system and, in this case, is connected to the Internet through a hardware chip that provides a wireless and a cellular network connection. Due to automakers’ rush to keep up with the demand for digitally connected cars, according to a recent Wired article, most cars have been converted into smartphones, making them an easy target for cybercriminals — specifically Chrysler vehicles, which utilize Uconnect. What they did not realise at the time was that their discovery would extend far beyond the Jeep and affect other vehicles with the same head unit made by Fiat Chrysler. In a live demo, attackers used the vulnerability to cut out a Jeep Cherokee’s transmission and brakes and, when the car is in reverse, commandeer the steering wheel — all without physical access to the vehicle. “This might be the kind of software bug most likely to kill someone,” said Charlie Miller, one of the researchers behind the exploit.

Although not tested on all of the Chrysler makes and models, the two hackers have been able to remotely kill an engine, slam on the brakes or disable them, and play around with dashboard controls, just to name a few of the functionality flaws detailed in the report. In an article posted Tuesday, Miller and Valasek demonstrate that they could take over the computer in the car of Wired reporter Andy Greenberg, as Greenberg drove on Highway 40 (Interstate 64) in St.

The full vulnerability will be presented next month at Defcon, although the researchers plan to withhold crucial details so that the bug cannot be exploited at scale. The author explains: “Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. “Next the radio switched to the local hip hop station … Louis, Miss. as the pair of code-crackers wirelessly infiltrate his Jeep, blasting the radio and air conditioning, killing the hazard lights, cutting the car’s transmission, and generally delighting in the futility of his situation.

There’s no apparent firewall, so once attackers have located the device’s IP, they can deploy previously developed exploits to rewrite Uconnect’s firmware and control the car as if they had physical access.

Fusion called the act “a really, really dumb stunt that potentially threatened the lives of those involved and any unwitting bystanders.” A security researcher told Forbes, “We as a community need to [not] condone this sort of behavior.” And one agitated viewer, posting to Hacker News, apparently called the cops.

My Fortune colleague Daniel Roberts called it “awesome, ballsy, important journalism.” Cybersecurity researcher and blogger Robert Graham wrote that “Any rational measure of the risk of that stunt is that it’s pretty small — while the benefits are very large.” And nearly everyone praised the story’s narrative. Though veteran vulnerability-wrangler Charlie Miller, an ex-NSA hacker who is a security engineer at Twitter, claims in the accompanying video that the demo was done “in as safe a way as we could,” there’s no question it could have been done more safely. One should not let the brazen manner of Wired’s storytelling eclipse the piece’s central point: Automakers are, right now as you read, shipping increasingly connected cars to market that perform pitifully in terms of security. Miller and his associate, Chris Valasek, director of vehicle security research at the consultancy IOActive, estimate that hundreds of thousands of Fiat Chrysler vehicles on the road today could be vulnerable.

Instead, customers must independently download the patch to a memory stick, or take their cars to a mechanic to fix. “Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said in a statement. “Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.” Think what you will about Wired’s escapade—there is a greater danger at play here.
