Hackers gained remote control of a Jeep and crashed it into a ditch after breaking into its systems from a 10-mile distance while sitting comfortably on their sofa.
In the first ever breach of this kind, security experts shut down the Jeep Cherokee’s engine and applied the brakes, sending the vehicle into a spin.
The hackers explained that they only used a laptop and a mobile phone to gain control of the Jeep’s on-board systems, exploiting its wireless Internet connection.
They said that more than 470,000 vehicles made by Fiat Chrysler are vulnerable to similar attacks.
The breach was performed by two security experts: Charlie Miller, a former NSA staffer, and Chris Valasek.
The pair worked with Andy Greenberg, who writes for tech website Wired.com and who drove the vehicle as it was breached on roads in St. Louis, Missouri.
In his account of the incident, Greenberg said that the air vents began blasting cold air out and the radio came on full blast.
The windshield wipers then turned on with wiper fluid squirting, blurring his vision, and an image of the two hackers appeared on the Jeep’s digital display to inform him that they had gained access to his vehicle.
Greenberg explained that the hackers proceeded to slow the vehicle down to a halt, just as he was getting on the highway, causing a tailback behind him — and then it got worse. Greenberg wrote:
The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.
The researchers say they’re working on perfecting their steering control — for now they can only hijack the wheel when the Jeep is in reverse.
Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
The hack was made possible by the Uconnect — the Internet-connected computer installed in Fiat Chrysler cars since late 2013. The feature controls the entertainment system, deals with navigation and allows phone calls.
It also enables owners to start the car remotely, flash the headlights with an app and unlock doors.
Miller and Valasek said that the on-board Internet connection is a “super nice vulnerability” for hackers.
All the two experts needed to do was locate the vehicle’s IP address and learn how to break into its systems so that they could take control.
Independent security expert Graham Cluley commented:
Note that the researchers believe that, although they’ve only tested it out on Jeeps, the attacks could be tweaked to work on any Chrysler car with a vulnerable Uconnect head unit.
In a statement to Wired.com, Fiat Chrysler said:
Under no circumstances does FCA condone or believe it’s appropriate to disclose “how-to information” that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.
We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.