We knew it was possible – conceptually. But last week, working with Wired, professional hackers Charlie Miller and Chris Valasek brought vehicle cyberattack fears to life, as they took control of a Jeep Cherokee remotely. And it wasn’t just the entertainment system this time.
In this instance, Miller and Valasek took control of the Jeep’s accelerator, braking system, and transmission. They brought the SUV to a stop – in traffic – and later crashed it in a ditch. It was a controlled experiment – in that the driver was aware of what was going on – but it happened on a real road on the edge of downtown St. Louis.
Luckily, Miller and Valasek work for the good guys. They are consultants to Fiat Chrysler Automotive (FCA). When the news of the successful hack broke, the carmaker promptly issued a recall of 1.4 million vehicles.
In a statement, FCA said that vehicles affected by the exploit discovered by Miller and Valasek employ Chrysler's 8.4-inch touchscreen with Uconnect service. They include models of the Dodge Viper, Ram truck, Jeep Cherokee, Jeep Grand Cherokee, Dodge Durango, Chrysler 200, Chrysler 300, Dodge Charger, and Dodge Challenger.
Cyber security experts have been warning about this day for a long time. Two years ago a car was hacked through a connection to its entertainment system. But that was hard-wired. Miller and Valasek’s attack was wireless and remote. “The Wired article is not the first report of a vehicle being hacked. 60 Minutes aired an episode earlier this year in which they showed a vehicle being controlled by a hacker with remote access,” Alan Grau, president and founder of embedded and IoT security solutions provider Icon Labs, told Design News.
Grau said: “There is no question that there are security vulnerabilities in vehicles today. There is a lot of debate on how great the risk really is. Some people claim that there is a lot of FUD [fear, uncertainty, and doubt] around these threats and that the risk is very low. It's impossible to quantify the risk, but there are clearly vulnerabilities.”
Hard to Crack, But Easy to Replicate
In a written statement, FCA senior vice president Gualberto Ranieri noted that hacking into the vehicle was not a simple chore. “It took two security researchers... months to tap in and control certain systems of (the) SUV,” he wrote. “They are experts.”
The attack on the Jeep Cherokee required sophisticated skill, which might suggest attacks would be rare, but sophistication can be passed along easily enough. “One of the arguments that people make when claiming that the risk is low is that these attacks require significant skill to discover. While that is true, once someone has created the attack they can post it on the Internet, and others can then repeat the attack,” Grau said. “Embedded devices, whether vehicle ECUs, factory automation systems, or consumer devices, are mass produced and are all exactly the same. Once a vulnerability is discovered and the attack created, it can be replicated against thousands and thousands of devices.”
Protecting Against Car Hacking
FCA said it has already readied a software patch and will distribute it on USB drives being sent to owners of the 1.4 million vulnerable vehicles. It is working with the National Highway Traffic Safety Administration (NHTSA), which raised the idea of a recall to issue a “swift and strong response.”
The scary part of the Jeep story is that the hackers were able to reach the car’s control functions through the entertainment system. Part of the solution might be to build a wall between the functions. “Miller and Valasek took advantage of a vulnerability that allowed them to remotely connect to the vehicle and from there issue commands to the vehicle. The Internet-connected components of the entertainment systems should be completely segmented and cordoned off from components that control the vehicle,” Ken Westin, senior security analyst for Tripwire, told Design News.
“Chrysler has issued a patch for this vulnerability, but there may be more, as this is a new area of security research. To Miller and Valasek's credit, they have been working with Chrysler on patching this vulnerability for several months, which shows the importance of automakers collaborating with security researchers in this area,” Westin said.
Bringing Sound Security Practices to Vehicles
Creating a firewall between the entertainment system – which is built to interact with the outside world – and the car’s control functions will likely become standard with vehicles. “Having a properly configured firewall that only allows outgoing connections or only connections from a known good host could be one way to stop an attack against a connected system like the car,” Tobias Heer, manager of embedded software development at Belden, told Design News.
“Being restrictive and only allowing known good connections is a good start here. Also, application and protocol-specific Deep Packet Inspection (DPI) can thwart such an attack. Again, the principle of only allowing known good communication helps to exclude unexpected malicious communication,” Heer said.
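The known-good, default-deny filtering Heer describes can be sketched as a gateway check between the connected side and the control side. This is an added example, not code from the article, FCA, or any vendor; the message layout, IDs, and value limits are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed message format: the article gives no IDs, lengths or ranges. */
typedef struct { uint16_t id; uint8_t len; uint8_t data[8]; } msg_t;

/* Allowlist entry: exact ID, exact length, permitted range for byte 0. */
typedef struct { uint16_t id; uint8_t len; uint8_t min0, max0; } rule_t;

static const rule_t ALLOW[] = {
    { 0x3A0, 2, 0, 40 },  /* hypothetical: cabin audio level 0..40 */
    { 0x3A1, 1, 0, 1  },  /* hypothetical: display day/night flag  */
};

typedef enum { FORWARD, DROP_UNKNOWN_ID, DROP_BAD_LEN, DROP_BAD_VALUE } verdict_t;

/* Default deny: anything not matching an allowlist entry exactly is dropped. */
verdict_t gateway_check(const msg_t *m)
{
    if (m->len > sizeof m->data)
        return DROP_BAD_LEN;               /* never trust a length past the buffer */
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        if (ALLOW[i].id != m->id)
            continue;
        if (m->len != ALLOW[i].len)
            return DROP_BAD_LEN;           /* protocol-specific inspection: shape */
        if (m->data[0] < ALLOW[i].min0 || m->data[0] > ALLOW[i].max0)
            return DROP_BAD_VALUE;         /* protocol-specific inspection: content */
        return FORWARD;
    }
    return DROP_UNKNOWN_ID;
}

/* Helper to build a sample message and check it. */
verdict_t check_sample(uint16_t id, uint8_t len, uint8_t byte0)
{
    msg_t m = { id, len, { byte0 } };
    return gateway_check(&m);
}

int main(void)
{
    printf("%d %d %d %d\n", check_sample(0x3A0, 2, 10), check_sample(0x120, 2, 10),
           check_sample(0x3A0, 8, 10), check_sample(0x3A0, 2, 200));
    return 0;
}
```

The final `return DROP_UNKNOWN_ID` is the part that matters: a message type nobody anticipated is rejected without anyone having to write a rule for it.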
The Jeep attack brings to life the vulnerabilities that exist with IoT consumer gadgets. “HP Labs recently released a report saying that 70 percent of new IoT devices have at least one major security vulnerability,” Grau said. “Until OEMs begin investing in security, these types of stories will continue to make headlines.”
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine, Chile Pepper.
Senior technical editor Chuck Murray has been writing about technology for 31 years. He joined Design News in 1987, and has covered electronics, automation, fluid power, and autos.