Hackers demonstrate zero-day exploit that can remotely commandeer Chrysler vehicles

By Shawn Knight · 17 replies
Jul 21, 2015
  1. A pair of hackers have demonstrated a zero-day exploit involving the infotainment system of a Jeep Cherokee. As Wired’s Andy Greenberg found out the hard way, the attack can be carried out remotely with devastating consequences.

    Greenberg trekked to St. Louis for a live demonstration of the attack. Sitting behind the wheel of a Jeep Cherokee, he was instructed to take the vehicle onto the highway. The attackers didn’t tell him what they had planned – just that he shouldn’t panic, regardless of what happens.

    It started out innocently enough. The hackers remotely turned on the air conditioning system. Then the radio, followed by the windshield wipers. Nothing too serious, right?

    What came next was downright frightening as Greenberg said the transmission was rendered ineffective (likely put into neutral), causing the RPMs to climb as he mashed the accelerator. The vehicle slowed to a crawl before stopping just as Greenberg reached an uphill overpass with no shoulder to pull over onto.

    Keep in mind that all of this was taking place on a busy highway.

    That's just a fraction of what's possible as the hack can also kill the engine, apply the brakes and even disable them completely. The latter attack, demonstrated in an empty parking lot, sent Greenberg's Cherokee into a ditch.

    The team behind the attack, security researchers Charlie Miller and Chris Valasek, said they plan to publish portions of the exploit on the web to coincide with their presentation at the Black Hat security conference next month in Las Vegas.

    All images courtesy Wired


  2. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    Autonomous vehicles at their finest.
  3. davislane1

    davislane1 TS Grand Inquisitor Posts: 4,736   +3,757

    Reason #2,348 why you should buy used (pre-networking).
    trgz likes this.
  4. stewi0001

    stewi0001 TS Evangelist Posts: 1,681   +1,080

    This is basically the same issue with having a smart house connected to the internet, but with wheels.
  5. Fiat/Chrysler

    was a real bad idea.
  6. Nero7

    Nero7 TS Maniac Posts: 273   +104

    Software does not belong in cars and anything like it. Then they're all surprised when it all gets hacked. Who cares about a radio? They can put software into that thing and make it all online, but a car or nuclear plants???
    trgz likes this.
  7. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,719   +3,697

    Remote connections should only supply information, not be in a position where they can control the vehicle. Allowing a remote connection to control the vehicle is a recipe for disaster. The vehicle can process any information without giving information channels access to take over control.
    damnthereaper and trgz like this.
  8. agb81

    agb81 TS Booster Posts: 78   +38

    Isn't this the case with OnStar?

    I wouldn't know since I don't live in the US, but still, I find it very dangerous for someone to get full access to the whole catalog of functions in a car.

    I remember calling BS on a part of Fast and Furious 182 where the baddies shot an electric/hacking/magical harpoon to a car and getting access to the car functions and slamming just the brake of one tire... I guess they weren't too far from reality.

    Imagine doing that in a car going 60+ mph...

    Still, I guess the core functions of a car shouldn't be accessible from the outside.
  9. Steve

    Steve TechSpot Editor Posts: 2,868   +2,035

    Admiral Adama would never captain that car.
  10. Why on earth would you allow remote control of the braking system??? Almost as bad as the flight control software on airliners being on the same network as the in flight WiFi.
    trgz and cliffordcooley like this.
  11. Adhmuz

    Adhmuz TechSpot Paladin Posts: 1,828   +633

    "What came next was downright frightening as Greenberg said the transmission was rendered ineffective (likely put into neutral), causing the RPMs to climb as he mashed the accelerator." Oh No what are you to do??? Panic like most Americans? Why not just let off the gas, signal and slowly pull over and stop the vehicle in a controlled manner... Don't keep coasting until you reach a part of the road where you can not pull over safely.

    But seriously, I'd never buy a car with such technology, it doesn't benefit me in any way possible, I'm an attentive driver, don't use my distracting electronic devices while I drive. If ever, the first thing I did would be to find a way to block any signal coming in to my vehicle, probably just remove the wireless receiver, Problem Solved!
  12. agb81

    agb81 TS Booster Posts: 78   +38

    This, core functions should be accessible only through cable scanner
  13. wiyosaya

    wiyosaya TS Evangelist Posts: 1,923   +756

    I am willing to bet that the only reason the entertainment system is connected to critical systems in the vehicle is because some company exec was drooling over how much money the company would make because it has all these entertainment systems in the car and that whoever was given the task of integrating it into the car was instructed to do it as cheaply as possible, and doing it as cheaply as possible meant that only one intra-vehicle network was affordable in terms of production costs.

    Whenever any brain-dead company does something like this, there is only one reason - to con as much money out of the pockets of their customers as is humanly possible. No exec at a company like this gives a you know what about anything other than making as much money for their shareholders as possible.

    As I see it, control systems like the ones hacked should be on isolated networks that cannot be controlled from an external source unless that external source is wired to the vehicle and complies with some sort of encrypted key access - I.e., a service port.
  14. You are all missing the point. This isn't a hack, this is an installed police control.

    "Hold on while I add more foil to my hat.", said no one wise enough to never trust the government.
  15. Cycloid Torus

    Cycloid Torus Stone age computing. Posts: 3,013   +658

    One positive thing - the tires never lost contact with the ground.
  16. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,719   +3,697

    ^^^ Now that is looking at the bright side of charcoal.
  17. JamesSWD

    JamesSWD TS Addict Posts: 174   +126

    Best reply of the week.
  18. JamesSWD

    JamesSWD TS Addict Posts: 174   +126

    I concur. I don't think the car companies are doing this for any benefit of their own, but are being quietly pushed by govt. & other businesses, such as the insurance industry. Just think about it. The 'black boxes' and other monitoring & control aspects of current vehicles are for a reason that is not obviously profitable to a car manufacturer (with the exception of crash data to analyze to better engineer cars). Manufacturers don't do something that isn't profitable. So...are they doing it because the feds, law enforcement, and insurance companies would have an easy way to track & disable your vehicle for unpaid tickets, registrations, insurance bills, and many other reasons?

    The monitoring of your driving habits is already being happily introduced as a 'progressive' way to adjust your insurance premiums under the auspices of promising to lower your premiums for good driving (or more likely raise them for any number of stupid reasons). It's all BS...it's meant to slowly get people comfy with the idea of vehicle monitoring for profitable reasons. I'd bet money that all the monitoring being built into vehicles is a prelude to insurance companies eventually lobbying for mandates of real time monitoring of all vehicles to scam more money out of customers. And if mandated, insurance company monitoring would become a requirement built into obtaining insurance.

    From a LE standpoint, the fed & local govts. would also love real-time monitoring tied into your DMV file, because it would be an autonomous way to send you tickets for any driving violations, since they're always looking for any reason to collect fines from drivers. Say 'Hi' to even more Big Brothering.

    The physical command & control of the vehicle is a little more nebulous: Is it to allow for safely disabling & controlling a vehicle in motion to prevent accidents when LEOs suspect a vehicle used in a crime...and/or also a prelude to autonomous vehicle control in order to return a car to a creditor or impound yard for unpaid bills & fines?

    There are so many ways this tech is going to be used against us for monetary reasons. Just watch. The solution? We either reject any proposals for such laws or refuse to buy new cars with such tech. But that's a tough nut considering that govt. & business disregard the will of the people regularly. So we buy old cars that don't have & can't use any of that tech. But that supply will dwindle with each passing year.
