Car Hacking: Funny or Dangerous?

How would you feel if someone took control of your car while you were driving it? Well that’s exactly what happened to Wired’s Andy Greenberg when he let two hackers remotely take control of his car while he was driving it. While the experiment was obviously done in good faith, the ordeal sheds some light on the remote capabilities of hackers to mess with vehicles as driving software continues to improve.

Hackers Chris Valasek of IOActive and Charlie Miller, a former NSA staffer, accessed Greenberg’s Jeep’s computer brain through its Uconnect infotainment system. There are issues in the Uconnect software system that powers the connected infotainment and other internet-powered systems in Fiat-Chrysler automobiles. Because of this, they were able to create an attack that could connect to the system and use a chip powering the in-vehicle entertainment to rewrite the firmware. From there, their exploit code sent commands across the car. They were able to do all this simply by using a MacBook connected to a cell phone.

To test their hacking skills, Greenberg drove the Jeep Cherokee down the expressway, gearing up to about 70 mph. Once the hackers were able to take control of the car, they began to test some of its features. This included playing with the car’s air conditioning, blasting loud music, and even killing the transmission and brakes. Despite being in on the “test,” Greenberg was freaked out when the vehicle began to drive itself even though he was still behind the wheel and on the expressway. He was able to gain control of the car again, only after he turned the car off and back on. Once he exited the expressway and tried to park the car in a parking lot, his brakes were hacked as he parked directly in front of a ditch, and was forced into it.

Even more notably, once the hackers were able to access Uconnect, they were also able to scan for other vulnerable vehicles. After repeated scans, they believe as many as 471,000 vehicles are carrying the same vulnerabilities that would allow them to get hacked. They have only actually tested their hacking skills on this Jeep Cherokee, but they believe any Chrysler vehicle with Uconnect manufactured in late 2013, all of 2014, or early 2015 is affected.

As crazy as this sounds, Miller and Valasek aren’t the first to hack a car over the internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego showed that they could wirelessly disable the locks and brakes on a sedan. 

Regardless of how funny the act may have been in this context, Miller and Valasek’s demonstration should alert drivers to the potential danger they could be facing if their car was hacked while they were driving a vehicle.  The entire automotive industry has been repeatedly criticized for various systems’ lack of security over the last year. Former National Security Agent, Charlie Miller says,

If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone.

Other researchers have demonstrated attacks on vehicles from afar, while highlighting vulnerabilities in widely-used insurance dongles. At a recent Senate Commerce Committee hearing on The Internet of Things, senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) announced legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy.

So what does this say about the types of vehicles we drive and their vulnerabilities that provide hackers access? Even though it was just a demonstration, Greenberg was clearly extremely uncomfortable not being in control of his car. In 2011, the team of researchers from the University of Washington and the University of California San Diego took a more discreet approach in their research, keeping the identity of the hacked cars a secret and only sharing the details with the carmakers. Now, carmakers who failed to take heed of polite warnings in 2011 have been exposed for their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. While it is fortunate all cars are not subject to these vulnerabilities, it is clear that car manufactures must finally address the potential dangers of car hacking.

Angel Idowu

Angel Idowu is a member of the Beloit College Class of 2016 and was a Law Street Media Fellow for the Summer of 2015. Contact Angel at staff@LawStreetMedia.com.