By on August 5, 2016


The same two guys who brought you last year’s remote hacking of a Jeep Cherokee on a Missouri highway (and resulting 1.4 million vehicle recall) are at it again.

This time, Charlie Miller and Chris Valasek entered the same Cherokee’s electronic brain, bypassing security software to gain control over key driving functions, according to Wired.

Both men are security researchers, and take pride in finding new ways to defeat electronic walls put up by automakers. FCA added a patch to its Uconnect software last year after their discovery, but hackers gonna hack, you know.

On the surface, their latest hack is alarming. The two were able to control the Jeep’s cruise control and steering, even at high speeds. In practice, the hack isn’t anything like the earlier one — to do it, they needed to be inside the vehicle, with a laptop plugged into the Jeep’s electronic network via a port under the dash.

Once plugged in, they were able to override commands from the vehicle’s electronic control module.

“You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”

Every piece of software has a back door, which is why FCA launched a “bug bounty” cyber-threat tip line last month. By offering fledgling hackers and seasoned experts up to $1,500 in exchange for tips on software vulnerabilities, the automaker hopes to safeguard its vehicles from evildoers.

Both researchers note that while the hack is potentially dangerous, drivers can physically cut short any hacking attempt — assuming they notice it in time. If a hacker takes control of a vehicle’s accelerator, a driver can still depress the brake, slowing the car. The same goes for steering.

In a statement, FCA said it admired the hackers’ creativity, but added that their Jeep “appears to have been altered back to an older level of software.” The automaker continued, stating, “It is highly unlikely that this exploit could be possible…if the vehicle software were still at the latest level.”

Does this mean Miller and Valasek won’t get a $1,500 check in the mail?

[Image: Fiat Chrysler Automobiles]


36 Comments on “Hackers Burrow Into a Jeep Again — Will FCA Give Them $1,500?...”


  • avatar
    indi500fan

    If I’m ever driving and notice a stranger riding shotgun with a laptop and interface cable plugged into my OBD port, I’ll get nervous.

    • 0 avatar
      MBella

      Exactly this. This is sensationalism. People watch too many movies and don’t actually understand how things work.

    • 0 avatar
      derekson

      What if they attach one connected to a cellular modem when you run into the convenience store to grab some eggs?

      • 0 avatar
        VoGo

        One more reason to go vegan.

        • 0 avatar
          derekson

          And yet so many reasons not to…

          http://www.second-opinions.co.uk/vegetarians-have-smaller-brains.html#.V6VewcKZNE4

          “Scientists at the Department of Physiology, Anatomy and Genetics, University of Oxford, recently discovered that changing to a vegetarian diet could be bad for our brains — with those on a meat-free diet six times more likely to suffer brain shrinkage.[18]

          Using tests and brain scans on community-dwelling volunteers aged 61 to 87 years without cognitive impairment at enrolment, they measured the size of the participants’ brains. When the volunteers were retested five years later the scientists found those with the lowest levels of vitamin B12 intake were the most likely to have brain shrinkage. Not surprisingly, vegans who eschew all foods of animal origin, suffered the most brain shrinkage. This confirms earlier research showing a link between brain atrophy and low levels of B12.

          Vegans are the most likely to be deficient because the best sources of the vitamin are meat, particularly liver, milk and fish.

          There were two other worrying aspects to this trial. The first was at the start of the trial, the biggest brain in a vegan, at 1455 ml, was already smaller than smallest brain of someone on a ‘normal diet’, at 1456 ml.

          The other aspect was even more worrying. It was that all participants had Vit B-12 which was within the ‘normal’ range. This suggests that the normal range is too low – and by quite large margin. I understand that, based on this study, the Japanese have raised their normal level.

          Confirmation of the above study was provided the following year by another study by the Oxford Project to Investigate Memory and Ageing, the Department of Physiology, Anatomy and Genetics, University of Oxford, UK.[19] Noting that vitamin B-12 deficiency is often associated with cognitive deficits, they reviewed evidence that cognition in the elderly may also be adversely affected at concentrations of vitamin B-12 above the traditional cutoffs for deficiency. Their suggestion is that the elderly in particular should be encouraged to maintain a good, rather than just an adequate, vitamin B-12 status by dietary means.”

          • 0 avatar
            ToddAtlasF1

            Predators that aren’t smarter and stronger than their prey are called prey. Vegetarians had might as well turn in their opposable thumbs before their eyes migrate to the sides of their heads.

          • 0 avatar
            Kenmore

            Hi! I’m Todd and I’m a Predator.

            Get in mah BELLY!

          • 0 avatar
            JimZ

            I don’t understand why people concern themselves with what other people eat (or don’t eat.)

          • 0 avatar
            ToddAtlasF1

            Some of us have social lives JimZ, at which point various people’s efforts at enforcing their hangups on others becomes an issue.

          • 0 avatar
            VoGo

            The study just says people should take B-12 vitamins. So?

          • 0 avatar
            VoGo

            “Predators that aren’t smarter and stronger than their prey are called prey”

            Does that Philly cheesesteak tremble in awe at your superior brainpower and strength before you eat it?

          • 0 avatar
            ToddAtlasF1

            Devolution is your choice. I know what my teeth are for.

          • 0 avatar
            heavy handle

            Q: Are We Not Men? A: We Are Devo!

          • 0 avatar
            VoGo

            I’m no vegetarian. I just take joy in noting how ridiculous the justifications have become for eating a hamburger. It appears that some people can’t even eat lunch without getting their precious sense of manhood in a hissy fit.

          • 0 avatar
            Kenmore

            “What do you want to eat, Kowalski?”

            “MEAT!”

            “What do you want to drink, Kowalski?”

            “MEAT!”

          • 0 avatar
            Jagboi

            Does it invoke Godwin’s Law to say that Hitler was vegetarian?

          • 0 avatar
            ToddAtlasF1

            Probably. He was also an animal rights activist, a progressive, a eugenicist, a socialist, a gun control advocate, an enemy of free speech, a divider, and everything else that would make him a perfect fit for the Democratic party today.

      • 0 avatar
        MBella

        If they gained access to your vehicle, you’ve already lost most of the battle. You don’t have to worry about them hacking the car.

        • 0 avatar
          Lorenzo

          Good point. And congratulations for getting the discussion back on-point. Given how many people don’t even know how to shut down the engine with keyless ignition/entry systems, a computer isn’t necessary to take control.

      • 0 avatar
        indi500fan

        Any intruders would have to deal with Lilly the Attack Golden!

      • 0 avatar

        “What if they attach one connected to a cellular modem when you run into the convenience store to grab some eggs?”

        I’ve seen at least one article where the hackers modified one of those cheap Bluetooth OBD readers to do just that. The reported hack occurred in Britain. Couple that with a Fob hack that can be done with a laptop and you’ve got access to the passenger compartment and instant chaos.

        Not a very effective hack here in the US where the FCC limits Bluetooth range to 30 feet but it’s not hard to acquire a European standard Bluetooth version that’s good for 100 meters. eBay makes all things possible.

    • 0 avatar
      pragmatist

      Indeed. If you let people muck with wiring and plumbing on a traditional car they can cause issues as well.

      Meanwhile mechanics and even owners do legitimately hook up computers to their cars for diagnosis… overreaction to these scare stories could close that important service window.

    • 0 avatar
      Superdessucke

      Where were these two around the time of Yelchin’s death?

    • 0 avatar
      Big Al From 'Murica

      The point is to show that the exploit is possible. Then you patch it before someone figures out how to make it a remote exploit. Just poo pooing it and taking no action is not the answer. The hackers have gained a fundamental understanding of how the system works. Now they will attempt to refine that knowledge into a remote exploit. The responsible thing would be to cut that off now, assuming they haven’t already done so.

      But just because they have patched the cars doesn’t make this not relevant unless all such cars have been patched. I would be curious to see the percentages of patched versus unpatched. If this could be coupled with the earlier u-connect hack on cars that were not fixed that could be problematic. Did Chrysler do enough by simply sending out USB drives to owners or should a full recall have been done? As a company you either take the most secure approach or you leave it up to trial lawyers and a jury to sort out.

  • avatar
    dukeisduke

    Maybe they can give them a Chrysler 200. I mean, they’re trying to get rid of those, right?

  • avatar
    JimZ

    screw $1,500. at this point FCA should just hire them.

  • avatar
    Jagboi

    My defeat device is a manual transmission. Hardly anyone knows how to drive one anymore.

    I had a 88 Chevy truck with a manual and it was broken into. They did everything right to steal it, but by the small footprints they left in the mud it was kids. I’m tall and had the bench seat all the way back. I don’t think they could get the clutch to the floor to trip the clutch-starter interlock, so they couldn’t steal it. Or didn’t know about that, but I kept my truck anyway.

  • avatar
    chris724

    I don’t think this counts. When I think “hacked”, it has to include unlocking the vehicle from outside. Hacking a car once you’re inside is kind of a foregone conclusion. I guess it might be technically difficult on a modern car, but it’s not a real threat to the public.

    • 0 avatar
      Big Al From 'Murica

      In the security industry, remote exploits are certainly the most dangerous but that doesn’t mean that other exploits aren’t addressed. They should pay them the 1500 bucks and fix it. Or they can let it ride and encourage others to build upon this exploit.

  • avatar
    Lorenzo

    I’m all in favor of electric steering, since a computer chip is best for speed sensitive steering effort. But does it have to be the same programmable chip that controls the ignition, fuel system, transmission shifting, anti-lock braking, and other discrete auto functions? It seems that a separate hard-wired chip for each auto function would be more secure. Most of those functions don’t need to be connected to a super-brain with wireless access.

    With chip prices today, keeping systems separate wouldn’t cost much more, if any more. Automakers just have an engine CPU and are piggy-backing every new feature onto that system, rather than create independent subsystems that would be easier to diagnose, repair and/or replace. Tying in wireless communications from the entertainment module to basic controls is further laziness.

  • avatar
    FOG

    The fact that the same two guys hacked into the same system is more than a little bit fishy.

    The first step after hacking a system is to create a way to get back in the next time. It sounds like the method used by these guys was simple code that allowed them to reflash the software back to the earlier hackable version.

    This time it was probably more like a parlor trick than a real accomplishment.
