Hackers Burrow Into a Jeep Again - Will FCA Give Them $1,500?

by Steph Willems

The same two guys who brought you last year’s remote hacking of a Jeep Cherokee on a Missouri highway (and resulting 1.4 million vehicle recall) are at it again.

This time, Charlie Miller and Chris Valasek entered the same Cherokee’s electronic brain, bypassing security software to gain control over key driving functions, according to Wired.

Both men are security researchers, and take pride in finding new ways to defeat electronic walls put up by automakers. FCA added a patch to its Uconnect software last year after their discovery, but hackers gonna hack, you know.

On the surface, their latest hack is alarming. The two were able to control the Jeep’s cruise control and steering, even at high speeds. In practice, the hack isn’t anything like the earlier one — to do it, they needed to be inside the vehicle, with a laptop plugged into the Jeep’s electronic network via a port under the dash.

Once plugged in, they were able to override commands from the vehicle’s electronic control module.

“You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”

Every piece of software has a back door, which is why FCA launched a “bug bounty” cyber-threat tip line last month. By offering fledgling hackers and seasoned experts up to $1,500 in exchange for tips on software vulnerabilities, the automaker hopes to safeguard its vehicles from evildoers.

Both researchers note that while the hack is potentially dangerous, drivers can physically cut short any hacking attempt — assuming they notice it in time. If a hacker takes control of a vehicle’s accelerator, a driver can still depress the brake, slowing the car. The same goes for steering.

In a statement, FCA said it admired the hackers’ creativity, but added that their Jeep “appears to have been altered back to an older level of software.” The automaker continued, stating, “It is highly unlikely that this exploit could be possible…if the vehicle software were still at the latest level.”

Does this mean Miller and Valasek won’t get a $1,500 check in the mail?

[Image: Fiat Chrysler Automobiles]

Comments
  • Lorenzo on Aug 07, 2016

    I'm all in favor of electric steering, since a computer chip is best for speed sensitive steering effort. But does it have to be the same programmable chip that controls the ignition, fuel system, transmission shifting, anti-lock braking, and other discrete auto functions? It seems that a separate hard-wired chip for each auto function would be more secure. Most of those functions don't need to be connected to a super-brain with wireless access. With chip prices today, keeping systems separate wouldn't cost much more, if any more. Automakers just have an engine CPU and are piggy-backing every new feature onto that system, rather than create independent subsystems that would be easier to diagnose, repair and/or replace. Tying in wireless communications from the entertainment module to basic controls is further laziness.

  • FOG on Aug 08, 2016

    The fact that the same two guys hacked into the same system is more than a little bit fishy. The first step after hacking a system is to create a way to get back in the next time. It sounds like the method used by these guys was simple code that allowed them to reflash the software back to the earlier hackable version. This time it was probably more like a parlor trick than a real accomplishment.
