You are driving your Cherokee Jeep like you normally do, you tune the radio on your favorite station, and you suddenly realize there is something completely wrong. The car does not follow your orders anymore: the radio tuner ignores your settings and chooses the radio station on its own, the windshield wipers turn on and, even worse, the car decides autonomously when steering, accelerating or braking.
What it could seem a science fiction movie (ideally an episode of The Twilight Zone) is getting real and, more in detail, is the result of a car-hacking research two well known security researchers had been doing over the past year.
Charlie Miller and Chris Valasek have exploited (and demonstrated on a busy highway) a severe vulnerability on Uconnect, an infotainment system “that brings interactive ability to the in-car radio and telemetric-like controls to car settings”. This vulnerability allows a potential attacker to take the control of the car from miles away, using its Sprint cellular connection.
The impact of this vulnerability is potentially devastating, considering that Uconnect is installed on millions of FCA (Fiat Chrysler Automotive) cars worldwide. In particular the researchers have discovered that a
weak vulnerable element (which the researchers won’t identify until their Black Hat talk), lets anyone who knows the car’s IP address gain access from anywhere via the Sprint cellular connection used by Uconnect. It’s quite uncanny, isn’t it?
From that entry point is it possible to rewrite the car’s head unit firmware to inplant the malicious code, which is capable of sending custom commands through the CAN bus, the car’s internal computer network, to the physical components like the engine and wheels.
Fortunately, during their presentation at Black Hat, the researchers won’t disclose the code that rewrites the chip’s firmware (this implies that an attacker could take months to reverse the firmware). Besides they have been sharing their research with FCA over the past months, enabling the company to release a patch (to be manually installed) before the Black Hat conference.
In any case, despite the automaker has already patched the vulnerability (but the manual installation procedure will likely leave many cars unprotected), it “did not appreciate” the decision of the two researchers to publish the exploit. Additionally, even the way in which the vulnerability was shown seems quite perplexing: the two researchers maybe went too far, deciding to demo the car hijacking in a busy highway (and several actions performed, such as cutting the transmission, could endanger the lives of the other drivers).
Two things are certain, it’s time for the automotive industry to make security play a central role when designing new models, and it’s also time for a new legislation to tighten car’s protection from cyber attacks. For this second aspect, something is moving though. In the meantime, if you own an FCA car, please update Uconnect as soon as you can.