A recent experiment set up by Wired magazine has brought to light just how easy it is for hackers to hijack and gain control of a vehicle. Security researchers Charlie Miller and Chris Valasek used a design flaw within Fiat Chrysler’s UConnect infotainment system to wirelessly hack into a Jeep Cherokee that was being driven by Wired reporter Andy Greenberg. With just a laptop and a mobile phone, they showed how easy it was for them to gain complete control of the vehicle, drive it for 10 miles along a public road and then steer it into a ditch.
The pair were also able to gain control of the car’s windscreen wipers, change the climate control settings and play different music through the infotainment system. Most alarmingly, however, they demonstrated how they could deactivate the accelerator whilst the car was travelling at motorway speeds, and how at lower speeds they could also apply the brakes, deactivate them and even stop the engine completely.
Valasek commented, “From an attacker’s perspective, it’s a super-nice vulnerability. If consumers don’t realise this is an issue, they should, and they should start complaining to car makers. This might be the kind of software bug most likely to kill someone.” The vulnerability stems from the fact that the system, like many others, uses a mobile data network connection. The UConnect system, made by the FCA group, has been installed in hundreds of thousands of cars since its production in late 2013. The app allows car owners to start their car remotely, unlock doors and flash the headlights to make finding the car in a busy car park a lot easier. It all sounds great, but as Miller and Valasek have proved, there are significant, potentially life-threatening flaws with the system.
After the researchers shared their data and research with the FCA, an official recall was issued for the 1.4 million vehicles that were considered vulnerable. Security expert Graham Cluley expanded on this, explaining that “the researchers believe that, although they’ve only tested it out on Jeeps, the attacks could be tweaked to work on any Chrysler car with a vulnerable UConnect head unit. You should consider installing a security update that Jeep has issued for cars fitted with a model RA3 or model RA4 radio/navigation system.” It is important to note that this currently affects only vehicles in the US market and not the models sold in the UK, but it does raise the worrying question of how safe our technologically advanced, autonomous cars really are and what will be done to protect against hackers in the future.
According to a senior member of the Institute of Electrical and Electronics Engineers, Professor Kevin Curran, “I’d say there’s a rush to market and security is almost an afterthought. I would urge manufacturers to think, and I would hope there would be a think tank or body which can oversee the security of these devices. We’ve never been in the position before where someone can cause so much destruction to a car from such a great distance.” In the UK, the Department for Transport has set out a new code of practice for the new breed of autonomous vehicles, one provision of which states that “Manufacturers providing vehicles, and other organisations supplying parts for testing will need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.” But with modern cars having more than 50 separate electronic control units, which collect vehicle data and improve performance, and with most having wireless entry points, it seems hackers have got it easy, and unless digital security is taken a whole lot more seriously the consequences could be unthinkable.
Miller and Valasek have previously hacked into a Toyota Prius and a Ford Escape, and in a previously published paper in the US they identified both the systems and the vehicles most vulnerable to hacking. Cars considered some of the easiest to hack into were the Jeep Cherokee and Infiniti Q50. Alongside this is the concern of data protection and how personal information is stored: as many as 50 of the top car manufacturers, including BMW, Chrysler, General Motors and Ford, were shown to treat and protect potentially sensitive technology and information in an “alarmingly inconsistent and incomplete” manner.