Chrysler's UConnect can be hacked, disabling vehicles
The internet-connected entertainment systems included in hundreds of thousands of recent models of Chrysler, Fiat, and Jeep vehicles could potentially be hacked.
Chrysler vehicles with Uconnect systems built in late 2013, all of 2014, and early 2015 are at risk of this attack.
In a test for Wired Magazine, two computer programmers who explore "Zero Day" bugs in computer systems for major corporations, the hackers were able to access the connected entertainment system and push their own software onto a chip, and through that, gaining access to the vehicle's main control systems including transmission, brakes, and even accelerator.
The driver of the vehicle lost control of everything except the steering while moving forward. When the vehicle was placed in reverse, the hackers were even able to wrest steering control from the driver.
[be sure and read the Wired article!!
...
Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.
Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.
A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.
When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect’s cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn’t the limit. “When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek says. “I was frightened. It was like, holy fsck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”]
The internet-connected entertainment systems included in hundreds of thousands of recent models of Chrysler, Fiat, and Jeep vehicles could potentially be hacked.
Chrysler vehicles with Uconnect systems built in late 2013, all of 2014, and early 2015 are at risk of this attack.
In a test for Wired Magazine, two computer programmers who explore "Zero Day" bugs in computer systems for major corporations, the hackers were able to access the connected entertainment system and push their own software onto a chip, and through that, gaining access to the vehicle's main control systems including transmission, brakes, and even accelerator.
The driver of the vehicle lost control of everything except the steering while moving forward. When the vehicle was placed in reverse, the hackers were even able to wrest steering control from the driver.
[be sure and read the Wired article!!
...
Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.
Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.
A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.
When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect’s cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn’t the limit. “When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek says. “I was frightened. It was like, holy fsck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”]