Researchers demonstrate wireless attack that can disable brakes, hijack climate control and even control steering.
Security researchers have demonstrated a vulnerability in Fiat Chrysler Automobiles' Uconnect system, which reportedly allows hackers to take control of a vehicle wirelessly.
FCA last week released a software update to "improve vehicle electronic security," but the company did not elaborate at the time. The software revision is now known to have been prompted by the demonstration of a particular vulnerability, as detailed in a Wired report.
After warning of the Jeep Cherokee's security vulnerabilities for nearly a full year, researchers Charlie Miller and Chris Valasek developed a hack that can remotely hijack a wide range of systems. The exploit can not only change the radio station or turn up the air conditioning, but also disable the brakes or take control of the steering and transmission.
To demonstrate the hack, Miller and Valasek sent journalist Andy Greenberg out in a Cherokee with instructions to head onto a highway. The duo had previously shown how systems could be hijacked via the onboard diagnostic port, but this time the attack was orchestrated from miles away via the Internet. While underway at low speed, Greenberg lost control after the brakes were disabled and ended up in a ditch, though remote steering intervention is said to only work when the vehicle is in reverse.
FCA's software fix can only be installed via a USB stick or by service technicians, and it is not being rolled out as a safety recall. It is unclear if owners will receive any notification of the patch. If not, and potentially even if so, a significant portion of vehicles will likely remain unfixed.
"Under no circumstances does FCA condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems," FCA said in a statement to Wired. Despite the company's critical tone, the researchers have not publicly identified the exploit and reportedly worked with FCA for months as the automaker developed a patch.
Miller and Valasek estimate that nearly a half million vehicles could be traveling around with the Uconnect vulnerability, all potentially hackable using the same exploit. The team suggests that many other modern vehicles are also likely vulnerable to hacks via cellular networks, Bluetooth or Wi-Fi.
"When I saw we could do it anywhere, over the Internet, I freaked out," said Valasek. "I was frightened ... Car hacking got real, right then."