Car hacking is a relatively new phenomenon, but it is evolving at a frighteningly quick pace. While just a year or two ago security researchers were still trying to work out exactly how the internal electronics and communications gear in vehicles works, now a pair of researchers has discovered a method to compromise some Chrysler vehicles remotely and do things such as disable the transmission, and control the steering and brakes.
The research is the work of Charlie Miller and Chris Valasek, who have been working on car security projects for several years. Their previous research, some of which was sponsored by DARPA as part of the Cyber Fast Track program, has resulted in discoveries of vulnerabilities and attack methods in other vehicles. Those methods generally required the attackers to have physical access to the target vehicle, although Miller and Valasek last year at Black Hat discussed some scenarios for remote exploitation, as well.
At Black Hat next month, the pair will reveal details of a vulnerability they discovered in some Chrysler models that enables them to connect to the vehicle’s on-board computer and then jump to a separate chip. They can then overwrite the firmware on that chip, which enables them to send commands that can affect the operation of the vehicle, according to a report in Wired. Miller and Valasek also found a method to track affected vehicles via their IP addresses.
The researchers have discussed their findings with Fiat Chrysler, which makes the vulnerable vehicles, and the automaker last week released a patch that fixes the vulnerability. The bug that the researchers exploited relates to the Uconnect computer in some Chrysler vehicles, which controls much of the internal and external communication.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle,” the company’s statement says.
While this vulnerability affects cars from just one automaker, Miller and Valasek have said that a serious flaw spanning many vehicle lines could cause serious problems.
“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” Valasek, director of vehicle security research at IOActive, said during the Black Hat 2014 talk.
Automakers have been somewhat slow to respond to security concerns raised by researchers. Chrysler’s update is unusual, and lawmakers have begun to take notice of the security problems facing cars and other vehicles. Two senators on Tuesday introduced a new bill that would establish some minimum security and privacy standards for vehicles.
“Drivers shouldn’t have to choose between being connected and being protected,” said Sen. Ed Markey (D-Mass.), one of the sponsors of the new bill. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century.”