As cars became wireless and smartphone accessible, the possibility of hackers taking over vehicle controls grew. Car manufacturers have known since 2011 that system hacks are possible. University researchers demonstrated how they could disable a sedan’s locks and brakes wirelessly. Those results were only shared with carmakers and not the general public.
But this July, the threat became real—and public—when researchers Charlie Miller of Twitter and Chris Valasek of IOActive hacked a Jeep Cherokee remotely. WIRED writer Andy Greenberg asked the two hackers to see what they could do with the car from ten miles away. The scary results have spurred the auto industry as a whole into action, and three days after WIRED published its car hacking story, Chrysler recalled 1.4 million vehicles and set up a wireless block to protect other vehicles with vulnerable software.
The Jeep Hack
While Greenberg traveled 70 mph down the highway, the hackers first cranked the AC and switched the radio station—frighteningly, Greenberg hit the power button and the radio didn’t turn off. The hackers turned on the wipers and then drenched the windshield with wiper fluid. But when the hackers cut the transmission and caused the Jeep to lose half its speed on an incline, with a tractor trailer barreling down, Greenberg—and soon the world—realized the very real danger security breaches pose. Then the hackers cut the brakes. Greenberg was able to safely roll the Jeep into a ditch, but he had to actually restart the car to gain back control.
The hackers wrote code to break into Jeep vehicles. According to WIRED, the hackers’ code is “an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.” The hackers broke in through Chrysler’s Uconnect cellular connection, which, as WIRED reports, “lets anyone who knows the car’s IP address gain access from anywhere in the country.”
Insurance Plug-In Tracking Devices Hacked
Newer cars with any sort of computerized system have a computer port (called an OBD-II port) that’s usually located under the steering wheel. CNN Money says that these ports access “the computer networks in your car, so mechanics can identify problems.” These ports are also where tracking devices for insurance discount programs (like Progressive’s Snapshot) go. Student engineers at the University of California, San Diego, tried hacking into Metromile’s plug-in device and discovered they could remotely disable or engage the brakes, but only if the car was going 5 mph or less. Even more frightening, CNN Money reports, “It’s possible to find a specific car by its device’s IP address or phone number.” This particular device maker (Mobile Devices) has since issued a software update, cutting off access, but the larger problem remains: as CNN Money writes, “Modern day cars are smartphones on wheels—and just like any computer, vulnerable to hackers.”
How Bad Could it Get?
WIRED says that targeting a specific vehicle would still be difficult because Miller and Valasek’s system uses phones to scan for all potentially vulnerable vehicles (so far just vehicles in the Uconnect network, affiliated with Sprint). But if enough phones scanned together, WIRED reports that an individual could be found and targeted, and even more serious, hackers could gain control of a large group of cars, which could then gain control over even more cars, and “hundreds of thousands of vehicles” could then be controlled by remote hackers. Scary, to say the very least.
Keeping You Safe
On July 21, 2015—the same day WIRED published its car hacking piece—Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, introduced legislation meant to set federal security standards in vehicles across the nation. Importantly, the bill details that for every car sold in the US, “all entry points [must] be equipped with reasonable measures to protect against hacking attacks.” Called the Security and Privacy in Your Car (SPY Car) Act, it also establishes a rating system that would help drivers understand how well their car is protecting their privacy. In a statement shared with WIRED and detailed by Slate, Senator Markey wrote, “Drivers shouldn’t have to choose between being connected and being protected.”
From the Hackers Themselves
For the past 23 years, hackers have been convening in the desert to talk shop at the now-20,000-strong annual DefCon conference. This year, DefCon and its spin-off conference, Black Hat, ran at the beginning of August in Las Vegas. All eyes were on Miller and Valasek, who spoke at both conferences about their July Jeep Cherokee hack. ABCNews reports that they showed just four lines of the code they used to control Greenberg’s Jeep—a move which car manufacturers largely criticized as endangering public safety. Through WIRED, Miller and Valasek said the release was “warranted because it allows their work to be proven through peer review,” and not only that but they say it sends a message: “Automakers need to be held accountable for their vehicles’ digital security. ‘If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,’ Miller says. ‘This might be the kind of software bug most likely to kill someone.’”
Other car manufacturers got in on the game, hoping to head off potential security breaches at the pass. Tesla not only invited hackers to try to break into its software system, they actually began offering payments up to ten grand for anyone who finds a software bug in their cars.
Make sure your car’s security is up to date. If you own or drive one of the recalled vehicles, take it into your Chrysler dealership right away for the security patch. (The Chrysler mechanics will do it for free.) Or do it yourself by downloading the update here, moving the update onto a USB drive, and plugging it into your vehicle’s dashboard USB port. As of now, Chrysler cannot remotely update security. The issue isn’t going to go away, so owners of connected cars need to stay on their toes.
UCSD professor Stefan Savage, who worked on a comprehensive 2011 study on auto security, told WIRED: “The lesson of Miller and Valasek’s research isn’t that Jeeps or any other vehicle are particularly vulnerable, but that practically any modern vehicle could be vulnerable. ‘I don’t think there are qualitative differences in security between vehicles today,’ Savage says.”
Josh Corman, the cofounder of security organization I Am the Cavalry, told WIRED, “They’re getting worse faster than they’re getting better. If it takes a year to introduce a new hackable feature, then it takes them four or five years to protect it.”