Jeep hacker warns auto makers over "unhackable" claims

Last week, Wired reported on two security researchers, Chris Valasek and Charlie Miller, hacking a Jeep Cherokee driven by one of Wired’s reporters. The hackers blasted the car radio at full volume, turned the windshield wipers on, and blasted cold air. If that wasn’t bad enough, they cut the transmission, leaving the reporter helpless. Now, Fiat Chrysler has recalled 1.4 million of its vehicles in the US. As we enter the age of connected cars, should drivers and car manufacturers be concerned? We speak with Valasek to find out.

How did you hack into the Jeep Cherokee?

We really worked on the Jeep for about a year. Prior to that we had been doing automotive research for three years including the Jeep. Having all the expertise to figure this out really took us quite some time.

These cars have a 3G cellular connection, much like your phone. The car happened to have a flaw in some ways it did things while communicating with 3G. So we were able to compromise the infotainment system of the vehicle. From there, since the actual infotainment portion that communicates over cellular doesn’t talk to pieces in the car that do things like braking and transmission, we had to then move laterally and re-program another chip that was involved with in-car communications and from there we were able to send messages to do whatever we wanted. If you look at our research from 2013, we showed that if you can send these types of messages on networks and if the car has the technology, then you can do things like that.

Are there specific cars that are vulnerable?

Yes, as you saw Fiat Chrysler did a recall of 1.4 million vehicles that have this flaw so there is a variety of different vehicles you can see in the release. It goes through the list of the makes and models and year of all the vehicles they are recalling.

How vulnerable are connected cars as we enter this age of the Internet of Things?

I only like to speak on things that I have looked at, otherwise you are kind of speculating. But in my experience it’s been that the more connected the technology is, the more data it passes. Whether it be images or network communications there are greater possibilities for flaws and vulnerabilities. So more code equals more vulnerabilities, the way I see it.

Audi and Mercedes-Benz say they are not worried, claiming their security systems are on a different level. Do you think car manufacturers are taking this issue seriously?

I don’t think you should ever use the word “unhackable”. They might not be vulnerable to this specific flaw but I found that most complex systems tend to have errors because as humans we are not that great at writing secure code. I think they are taking it seriously, because recalls are kind of a big deal and cost a lot of money so it’s probably a bigger issue now than it was a year ago.

I’m sure they are working diligently to always improve their security as most companies are. But making claims such as “unhackable” probably isn’t necessarily the truth.

Should cars have some sort of firewall to protect themselves?

As a consumer there is not much you can do. You really are at the will of whoever you bought the car from. But manufacturers should always be working on their security. Additionally we have made the suggestion that there probably should be devices or code in place that can detect and potentially prevent some attacks. We actually made a prototype of a primitive device that does this so we know it’s possible and would like to see things like that in the future.

Should drivers be worried since the hacking?

Right now it’s really hard to do and takes a lot of time, skill, effort, and money to do the research. So it’s not an opportunistic thing like it is, for say, PC hacking or viruses. As of now we need to get these systems more secure in the event that it does become more popular to look at cars.

What is your advice to car manufacturers?

A lot of the message that Charlie and I try to get across is, we are not bad guys. We like technology and cars, we just want the software security to improve. We are really out there to help people and believe that even by addressing this flaw, you saw that they released a patch, recalled the vehicles and they are going to get fixed now. I think it’s a process that we can help in where companies have gaps in the personnel that are doing security at the companies.

Will you be doing any more experiments in the future?

(Laughs) I don’t know! We just finished up a couple of years of research so I’m trying to relax a little bit. It’s like asking a rock star what their next album is going to be. I’m not sure what I’m going to do. 


Ayesha Salim

Ayesha Salim is Staff Writer at IDG Connect
