The Chevy Corvette, hacked via a simple text message. (Photo: Yahoo UK)
Lately it feels like everybody has figured out how to hack a car.
Over the last month, two teams of security researchers have shown the world how they managed to “drive” a 2014 Jeep Cherokee via the Internet and hack into a Tesla Model S, respectively. Another team showed how they controlled the wipers and cut the brakes on a Corvette using a dongle plugged into the car’s on-board diagnostics II (OBD2) port.
Could a hacker half a world away take control of your car? Will your old clunker suddenly start driving down the road by itself or — worse — develop a mind of its own as you’re hurtling down the highway at 65 mph?
While the headlines may make you want to drive your car into a lake and bury the keys in the backyard, the reality is not as dire as it seems. Here are the facts of the matter.
How hard is it to hack a car?
Very. The teams of researchers working on each hack — yes, it took teams — spent months solving difficult problems. They had to heavily modify the software running on the in-car computer so that it would give them access to the commands necessary to interact with the car.
In other words, these were not your average script-kiddie grease monkeys.
Is my car vulnerable?
Probably not. For one thing, the car has to connect to the Internet and possess a particular flaw that allows attackers to access its internal network, or the attackers would need physical access to the car.
Security researchers Chris Valasek and Charlie Miller uncovered a flaw in Uconnect, the persistent Internet connection provided by Sprint and used by Fiat Chrysler Automobiles (FCA). The researchers then scanned the Internet for other potentially vulnerable Fiat Chrysler cars that use Uconnect, and they found a range of vehicles from the 2013 through 2015 model years, including the Dodge Durango and Viper, various models of Ram trucks, and, of course, Cherokees and Grand Cherokees. They then used that flaw as a starting point to hack the Harman International infotainment system in Miller’s 2014 Jeep Cherokee.
Last year, researchers Charlie Miller and Chris Valasek identified 16 cars that could potentially be hacked via the Internet, before settling on the Jeep Cherokee. (Photo: Andrew Brandt)
With the Tesla Model S, researchers Kevin Mahaffey and Marc Rogers had to disassemble the dashboard to reach parts of the computer’s hardware, including SD card slots and USB ports that were never meant to be accessed by anyone other than a technician. That physical access gave the researchers the ability to modify the car’s software, which in turn allowed them to remotely lock or unlock the car doors, open the trunk, start the engine, adjust the air conditioning, and even move the car by sending it commands over the Internet.
University of California San Diego researchers uncovered a vulnerability in the OBD2 dongle made by Mobile Devices and distributed by the pay-by-the-mile insurance company Metromile, among others. The dongle hackers sent specially crafted SMS messages to the device to control basic car functions such as wipers and brakes.
What if I’m driving one of the cars that got hacked?
You’re probably OK. For a hack to be successful, each car had to be elaborately prepped first. The Jeep’s operating system had to be extensively updated to include key programs to allow an attacker to remotely control the car; researchers then flashed that software into the car’s computer. The process wasn’t perfect: Miller had to take his car into the dealer twice to replace the main computer (called the ECU) after he botched the modification.
Marc Rogers (left) and Kevin Mahaffey (right) worked closely with Tesla CTO JB Straubel (middle) to resolve the bugs they discovered. (Photo: Andrew Brandt)
As noted above, the Tesla hack required direct physical access to parts of the internal network that drivers never see. If you come back to your Tesla and find its dashboard disassembled, don’t try to drive the car. (After you get it fixed, don’t park it on the street on that same block again.)
And if you look at your car’s OBD2 port (usually found under the dash near the steering wheel) and you find something plugged in that you didn’t put there, remove it immediately.
Are these cars still at risk?
No. Shortly after news of the hack appeared, Fiat Chrysler issued a recall for 1.4 million vehicles that might have been affected, and is planning to mail updated software to their owners via USB drives. Sprint, the network over which the Uconnect service communicates, has blocked the channel of communication used by the researchers so that you can’t connect to Uconnect vehicles over the Internet. Tesla’s fix was even easier: an over-the-air software update to the car. Harman International, makers of the infotainment gear that Miller and Valasek owned, says that system was 5 years old and lacked security safeguards built into newer models. Metromile says it has transmitted a security update to all dongles that were affected by the vulnerability.
So everything’s OK then?
For now. It’s likely that other cars (and dongles) are vulnerable to similar attacks we don’t know about yet. This kind of thing happens to every new technology that’s introduced; the question becomes, how quickly do companies respond with a fix?
Charlie Miller (left) and Chris Valasek reported their findings at this year’s Black Hat security conference. (Photo: Andrew Brandt)
In the case of FCA, it took months and a lot of bad publicity before the automaker issued the recall. Tesla, on the other hand, is actively engaging with the car hacker community. It has begun offering a bounty of up to $10,000 to researchers who uncover new vulnerabilities; the company even co-sponsored a “car hacking village” at the most recent DEF CON security conference, where people could sit in the vehicles and learn about how they work, in an effort to foster good relations with any other car hackers.
Now you’ll have something else to think about when you’re ready to buy a new set of wheels: How well the company responds when its cars get hacked.
Andrew Brandt spends his day learning how computers infected with nasty malware behave and communicate as the director of Threat Research for Blue Coat.
More stories about security: