Security Flaw in Uconnect Lets Hackers Remotely Kill Jeep's Engine

by Aaron Cole

If you’re like me, you may have found yourself asking “Why would Fiat Chrysler Automobiles release a patch for Uconnect if nothing is wrong?” last week.

The answer, provided by Wired today, is “They wouldn’t”: hackers could remotely kill a Jeep through a zero-day exploit in the system’s software. Beyond that, the hackers could take control of many other functions, including steering, climate controls, brakes and throttle — the whole nine yards.

The Internet-based attack can remotely control just about any part of the car, according to the story. The two St. Louis men featured, Charlie Miller and Chris Valasek, can reportedly control any part of the car: stereo, windshield wipers, steering (only in reverse), braking, transmission and air conditioning.

The duo say they plan to release a portion of their exploit when they speak at a security conference in Las Vegas next month.

Chrysler isn’t happy.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.

FCA has a dedicated team from System Quality Engineering focused on identifying and implementing software best practices across FCA globally. The team’s responsibilities include development and implementation of cybersecurity standards for all vehicle content, including on-board and remote services.

As such, FCA released a software update that offers customers improved vehicle electronic security and communications system enhancements. The Company monitors and tests the information systems of all of its products to identify and eliminate vulnerabilities in the ordinary course of business.

Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. The software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.

Customers with questions may call Vehicle Care at 1-877-855-8400.”

Miller and Valasek say they’ll leave out important parts of their code that potentially malicious hackers would require to duplicate their feats.

Last week, FCA released an update for Uconnect addressing the vulnerability. That update must be installed at a dealership, or by owners with a USB stick, which could be an encumbrance for many owners and leaves many vulnerable Jeeps out on the road.

According to the Detroit News, two U.S. Senators are proposing a bill that would specify federal standards for automotive computer systems to combat hacking.

(I asked Chrysler last week when the patch was released and heard that “nothing in particular” prompted the update and I bought it. I have failed you, TTAC readers, and I’m sorry.)

Comments
  • Hreardon on Jul 22, 2015

    Glad to see this finally being made public. It's a big deal. It's one thing to require physical access to the OBD port or mechanical functions on the car if you intend to sabotage it. It's another thing entirely when it can be done with some malicious code and a few clicks from anywhere on the planet. While I have no doubt that this will prompt significantly better safeguards, this yet again highlights some of the dangers of living in a world where we place a higher value on convenience and entertainment than we do on security and simplicity. Not to sound alarmist, but we can extrapolate this example out to a scenario where someone with malicious intent takes control of thousands of cars simultaneously to create mass chaos and fear. No joke, one such event would have staggering repercussions on people's psyche and on the auto industry writ large. To quote Tommy Lee Jones: "A person is smart. *People* are dumb, panicky, dangerous animals, and you know it!"

    • Clivesl on Jul 22, 2015

      @hreardon You want to see how fast a company can go for real bankrupt? Imagine 5000 separate accidents all over the country at the exact same time featuring 'Company Y' vehicles that have been remotely hacked. People would be leaving their cars parked in the street. Talk about your orphan brand bargains. Might be time to look at Grand Cherokees again if this story gains enough traction...

  • So, a few years ago a journalist type investigating shady stuff just happened to off himself by driving his late-model C-Class, IIRC, blazing fast late night on the streets of the LA suburbs. At that time, there was chatter among my friends in the local chapter of the ATHC (American Tinfoil-Hat Club) that this wasn't necessarily an accident and there was more than meets the eye in the event. I believe the story even was discussed by Jack Baruth here on TTAC. So, a.) just idly wondering if there's any chance these two stories are linked? Government black-hat hackers are probably at least as advanced as these two....gentlemen....were, undoubtedly. Also, the vehicle hacked here was a Jeep, which until a few years ago was a closely related party to Mercedes. Possibly sharing electrical/software systems still, and thus sharing vulnerabilities? And, b.) Does a hack like this leave any electronic fingerprints? Will it be possible to forensically determine after an....er...accident that the vehicle was hacked, which caused the accident? Or can potential hackers hack, cause an accident and unplug and be off without detection? Serious questions. Potential auto industry and insurance and law enforcement nightmare. If anyone knows the answers, I'd love to hear discussion.

    • Found it. From his Wikipedia page: Allegations of foul play, and assertions to the contrary. Soon after his death, some described the circumstances surrounding the crash as suspicious.[66] Former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard A. Clarke said that what is known about the crash is "consistent with a car cyber attack". He was quoted as saying "There is reason to believe that intelligence agencies for major powers—including the United States—know how to remotely seize control of a car. So if there were a cyber attack on [Hastings'] car—and I'm not saying there was, I think whoever did it would probably get away with it."[67] Earlier the previous day, Hastings indicated that he believed he was being investigated by the FBI. In an email to colleagues, which was copied to and released by Hastings' friend, Army Staff Sergeant Joe Biggs,[68] Hastings said that he was "onto a big story", that he needed to "go off the radar", and that the FBI might interview them.[69][70] WikiLeaks announced that Hastings had also contacted Jennifer Robinson, one of its lawyers, a few hours prior to the crash,[71] and the LA Weekly reported that he was preparing new reports on the CIA at the time of his death.[72] His widow Elise Jordan said his final story was a profile of CIA Director John O. Brennan.[73] The FBI released a statement denying that Hastings was being investigated.[60]
