Jeep drivers can be HACKED to DEATH: All you need is the car's IP address

Hackers can connect to brakes, engine over cellular network

By Iain Thomson in San Francisco

Posted in Security, 21st July 2015 19:11 GMT

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car's brakes and engine can be remotely controlled by anyone with an internet connection.

At next month's Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car's engine, brakes, and minor systems from miles away simply by knowing the car's public IP address.

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car's controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.

In short, make sure your car's software is up to date; check your manual for details on obtaining the latest firmware.

Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.

Better late than never

On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.

"Drivers shouldn't have to choose between being connected and being protected," said Senator Markey.

"We need clear rules of the road that protect cars from hackers, and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security, and privacy of drivers in the modern age of increasingly connected vehicles."

The legislation would require the National Highway Traffic Safety Administration and the Federal Trade Commission to establish a basic set of security standards that lock off critical systems, like steering and engine power, to ensure that they can't be remotely controlled.

These would come into effect two years after the legislation is passed and would be tested regularly by penetration experts to ensure that the security is current and practical. There would be a $5,000 fine for each violation of security standards.

In addition, the bill would require manufacturers to take reasonable steps to protect the data collected on a driver's habits from being slurped. They will also have to display a "cyber dashboard" sticker on new cars indicating what data is collected and how it is protected.

"As America's vehicles become more and more connected to the internet, and wireless vehicle to vehicle technology adds important safety to tomorrow's cars, vital security and privacy concerns need to be addressed as well," said Jack Gillis of the Consumer Federation of America.

"Senator Markey and Blumenthal's SPY Car Act will help prevent hacking attacks and ensure personal privacy as new vehicle safety and monitoring technology is introduced." ®
