If you drive a car made by Fiat Chrysler, you may want to go to your dealership ASAP and get a software patch.
It seems the company’s internet-connected platform Uconnect, which is used to bring entertainment and navigation features to cars, has a big security hole. In fact, researchers were able to remotely take over a reporter’s car, all while sitting on a couch more than ten miles away, tapping away at their computers.
The problem, according to Wired, lies in one huge vulnerability, which makes it possible to not only connect to a car remotely using cellular connections but then rewrite the firmware in the car’s chip so that it can communicate with “physical components like the engine and wheel.”
While Wired’s Andy Greenberg was driving a Jeep Cherokee, the radio suddenly switched to a rap station and began blasting the music, the car’s vents went on full, and the windshield wipers turned on.
And then the hackers cut the transmission.
So Greenberg was riding in a car that was taken over and nearly completely controlled by hackers.
The two researchers/hackers behind this stunt are Charlie Miller and Chris Valasek. They have been researching car hacks for years. But this finding is by far the most alarming. It even surprised them.
First, they were surprised at the scope of the attack. “When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek told Wired.
But worse is the fact that these cars’ entertainment systems can be reprogrammed to communicate with critical driving functions.
The researchers estimate that as many as 471,000 vehicles are vulnerable to this type of attack, mostly 2013 or newer models. Although Chrysler has issued a fix (which Miller endorses), it must be applied either by using a USB stick or by going to a physical dealership. This makes it highly likely that many cars will remain vulnerable and on the road.
We have reached out to Fiat Chrysler for comment and will update if they respond. The company said in the Wired article that it “appreciates” Miller and Valasek’s work, but admonished the duo for publishing the results. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage or help hackers gain unauthorised and unlawful access to vehicle systems,” it told Wired.
It’s likely that other entertainment systems have similar vulnerabilities. Researchers and lawmakers are calling for more active regulation when it comes to connected car security.
Miller and Valasek will be presenting their findings at the Black Hat conference next month.