Hackers kill Jeep’s brakes whilst it’s driving
Alarming new flaw in Jeep Cherokee hands hackers control of brakes, transmission, steering and more
Hackers have managed to remotely disable the brakes on a Jeep Cherokee whilst the vehicle was moving, in the most alarming breach of car security to date. The hack was performed as part of an experiment on a public highway in the US, in which the hackers also managed to take control of the car’s transmission, entertainment system, air conditioning and windscreen wipers.
The hack was conducted by Charlie Miller and Chris Valasek, who have a long history of breaking into car computer systems. With a Wired reporter behind the wheel, the pair managed to remotely disable the brakes on the Jeep Cherokee, rendering the brake pedal useless and sending the car careering into a ditch.
During the experiment, the hackers also managed to cut the car’s transmission as it was travelling at 70mph along a motorway, causing the Jeep to quickly lose speed before slowing to a crawl. The hackers also took control of the air conditioning, blasting the driver with cool air; switched the car stereo up to maximum volume; and remotely engaged the car’s windscreen wiper and washers – all of which could easily force a driver to lose concentration whilst they’re travelling at high speed.
The pair can even take control of the steering, although currently only when the car is travelling in reverse. Wired reports the hacking duo are confident they can find a way to move the wheel whilst the Jeep is travelling forwards at speed.
Patching the car
The pair managed to take control of these various functions from ten miles away via the car’s Uconnect feature, which allows drivers to hook their smartphone to the in-car entertainment and navigation system. The pair plan to disclose full details of the vulnerability at next month’s Black Hat security conference in Las Vegas.
In the meantime, the researchers have shared their findings with Jeep manufacturer Chrysler, which has released a patch to fix the vulnerability. Alas, this patch has to be installed manually via a USB stick or at a dealership, meaning thousands of vehicles are likely to remain unpatched when full details of the flaw are published next month.
In a statement sent to Wired, Chrysler is urging the security researchers not to go public with their information. “Under no circumstances does FCA [Fiat Chrysler Automobiles] condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems,” the company said in a statement. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”
Miller and Valasek still plan to publish, however, arguing it will force car manufacturers to improve their security. “If consumers don’t realise this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.”