Hackers demonstrate zero-day exploit that can remotely commandeer Chrysler vehicles

Shawn Knight


A pair of hackers have demonstrated a zero-day exploit involving the infotainment system of a Jeep Cherokee. As Wired’s Andy Greenberg found out the hard way, the attack can be carried out remotely with devastating consequences.

Greenberg trekked to St. Louis for a live demonstration of the attack. Sitting behind the wheel of a Jeep Cherokee, he was instructed to take the vehicle onto the highway. The attackers didn’t tell him what they had planned – just that he shouldn’t panic, regardless of what happens.

It started out innocently enough. The hackers remotely turned on the air conditioning system. Then the radio, followed by the windshield wipers. Nothing too serious, right?

What came next was downright frightening as Greenberg said the transmission was rendered ineffective (likely put into neutral), causing the RPMs to climb as he mashed the accelerator. The vehicle slowed to a crawl before stopping just as Greenberg reached an uphill overpass with no shoulder to pull over onto.

Keep in mind that all of this was taking place on a busy highway.

That's just a fraction of what's possible as the hack can also kill the engine, apply the brakes and even disable them completely. The latter attack, demonstrated in an empty parking lot, sent Greenberg's Cherokee into a ditch.

The team behind the attack, security researchers Charlie Miller and Chris Valasek, said they plan to publish portions of the exploit on the web to coincide with their presentation at the Black Hat security conference next month in Las Vegas.

Update: Chrysler quietly issued a Technical Service Bulletin for a software update last week designed to "improve vehicle electronic security." Owners of late-model Chrysler vehicles with the Uconnect entertainment system are encouraged to download and manually install the update ASAP.

All images courtesy Wired


 
Software does not belong in cars and anything like it. Then they're all surprised when it all gets hacked. Who cares about a radio, they can put software into that thing and make it all online, but a car or nuclear plants???
 
Remote connections should only supply information, not be in a position where they can control the vehicle. Allowing a remote connection to control the vehicle is a recipe for disaster. The vehicle can process any information, without giving information channels access to taking over control.
 
Isn't this the case of OnStar?

I wouldn't know since I don't live in the US, but still, I find it very dangerous for someone to get full access to the whole catalog of functions in a car.

I remember calling BS on a part of Fast and Furious 182 where the baddies shot an electric/hacking/magical harpoon to a car and getting access to the car functions and slamming just the brake of one tire... I guess they weren't too far from reality.

Imagine doing that in a car going 60+ mph...

Still, I guess the core functions of a car shouldn't be accessible from the outside.
 
Why on earth would you allow remote control of the braking system??? Almost as bad as the flight control software on airliners being on the same network as the in flight WiFi.
 
"What came next was downright frightening as Greenberg said the transmission was rendered ineffective (likely put into neutral), causing the RPMs to climb as he mashed the accelerator." Oh No what are you to do??? Panic like most Americans? Why not just let off the gas, signal and slowly pull over and stop the vehicle in a controlled manner... Don't keep coasting until you reach a part of the road where you can not pull over safely.

But seriously, I'd never buy a car with such technology, it doesn't benefit me in any way possible, I'm an attentive driver, don't use my distracting electronic devices while I drive. If ever, the first thing I did would be to find a way to block any signal coming in to my vehicle, probably just remove the wireless receiver, Problem Solved!
 
Why on earth would you allow remote control of the braking system??? Almost as bad as the flight control software on airliners being on the same network as the in flight WiFi.

This, core functions should be accessible only through cable scanner
 
Why on earth would you allow remote control of the braking system??? Almost as bad as the flight control software on airliners being on the same network as the in flight WiFi.
I am willing to bet that the only reason the entertainment system is connected to critical systems in the vehicle is because some company exec was drooling over how much money the company would make because it has all these entertainment systems in the car and that whoever was given the task of integrating it into the car was instructed to do it as cheaply as possible, and doing it as cheaply as possible meant that only one intra-vehicle network was affordable in terms of production costs.

Whenever any brain-dead company does something like this, there is only one reason - to con as much money out of the pockets of their customers as is humanly possible. No exec at a company like this gives a you know what about anything other than making as much money for their shareholders as possible.

As I see it, control systems like the ones hacked should be on isolated networks that cannot be controlled from an external source unless that external source is wired to the vehicle and complies with some sort of encrypted key access - i.e., a service port.
 
You are all missing the point. This isn't a hack, this is an installed police control.

"Hold on while I add more foil to my hat.", said no one wise enough to never trust the government.
 
You are all missing the point. This isn't a hack, this is an installed police control.

"Hold on while I add more foil to my hat.", said no one wise enough to never trust the government.

I concur. I don't think the car companies are doing this for any benefit of their own, but are being quietly pushed by govt. & other businesses, such as the insurance industry. Just think about it. The 'black boxes' and other monitoring & control aspects of current vehicles are for reasons that are not obviously profitable to a car manufacturer (with the exception of crash data to analyze to better engineer cars). Manufacturers don't do something that isn't profitable. So...are they doing it because the feds, law enforcement, and insurance companies would have an easy way to track & disable your vehicle for unpaid tickets, registrations, insurance bills, and many other reasons?

The monitoring of your driving habits is already being happily introduced as a 'progressive' way to adjust your insurance premiums under the auspices of promising to lower your premiums for good driving (or more likely raise them for any number of stupid reasons). It's all BS...it's meant to slowly get people comfy with the idea of vehicle monitoring for profitable reasons. I'd bet money that all the monitoring being built into vehicles is a prelude to insurance companies eventually lobbying for mandates of real time monitoring of all vehicles to scam more money out of customers. And if mandated, insurance company monitoring would become a requirement built into obtaining insurance.

From a LE standpoint, the fed & local govts. would also love real-time monitoring tied into your DMV file, because it would be an autonomous way to send you tickets for any driving violations, since they're always looking for any reason to collect fines from drivers. Say 'Hi' to even more Big Brothering.

The physical command & control of the vehicle is a little more nebulous: Is it to allow for safely disabling & controlling a vehicle in motion to prevent accidents when LEOs suspect a vehicle used in a crime...and/or also a prelude to autonomous vehicle control in order to return a car to a creditor or impound yard for unpaid bills & fines?

There are so many ways this tech is going to be used against us for monetary reasons. Just watch. The solution? We either reject any proposals for such laws or refuse to buy new cars with such tech. But that's a tough nut considering that govt. & business disregard the will of the people regularly. So we buy old cars that don't have & can't use any of that tech. But that supply will dwindle with each passing year.
 