Top Stories

Researchers take over moving car in hacking test

'INEVITABLE' THREAT: The two researchers managed to break into a Jeep Cherokee being driven along the highway by a reporter. Fiat Chrysler says it has issued a fix for the most serious vulnerability involved.


    Jul 23, 2015

    Researchers take over moving car in hacking test


    A PAIR of veteran cyber-security researchers have shown they can use the Internet to switch off a car's engine as it is being driven, sharply escalating the stakes in the debate about the safety of increasingly connected cars and trucks.

    Former National Security Agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used a feature in the Fiat Chrysler telematics system Uconnect to break into a car being driven on the highway by a reporter for technology news site

    In a controlled test, they switched on the Jeep Cherokee's radio and activated other non-essential features, before rewriting code embedded in the entertainment system hardware to issue commands through the internal network to steering, brakes and engine.

    "There are hundreds of thousands of cars that are vulnerable on the road right now," Dr Miller told Reuters.

    Fiat Chrysler said it has issued a fix for the most serious vulnerability involved. The software patch is available for free on the company's website and at dealerships.

    "Similar to a smartphone or tablet, vehicle software can require updates for improved security protection, to reduce the potential risk of unauthorised and unlawful access to vehicle systems," the company said. It did not immediately answer other questions.

    Dr Miller and Mr Valasek have been probing car safety for years, and were among those warning that remote hacking was inevitable. An academic team had previously said it hacked a moving vehicle but did not say how or name the manufacturer, putting less pressure on the industry.

    National Highway Traffic Safety Administration (NHTSA) chief Mark Rosekind on Tuesday said his agency is increasingly concerned about the security of vehicle control systems.

    "We know these systems will become targets of bad actors," he told a conference on autonomous and connected vehicle technology in Ypsilanti, Michigan. If consumers do not believe that connected vehicle systems are safe and secure, he said, "they will not engage it".

    Members of the United States Congress have also expressed concern and, on Tuesday, senators Ed Markey and Richard Blumenthal - both Democrats - introduced a Bill that would direct NHTSA to develop standards for isolating critical software and detect hacking as it occurs.

    Dr Miller and Mr Valasek said they had been working with Fiat Chrysler since October, giving the company enough time to construct a patch to disable a feature that the men suspected had been switched on by accident.

    They plan to release a paper at the Def Con security conference next month that includes code for remote access, which will no longer work on cars that have been updated.

    They said the harder problem for an attacker, moving from the entertainment system to the core onboard network, would take months for other top-tier hackers to emulate.

    Many Jeeps could remain unpatched, leaving them open to attack. But the researchers said hackers would need to know the Internet Protocol address of a specific car in order to attack it, and that address changes every time the car starts.

    Otherwise, "you have to attack random cars", Mr Valasek said. The men stressed that it would be easy to make modest adjustments to their code and attack other types of vehicles.[ ]


    For more reports on the go, check out the "MyPaper" iOS and Android apps.