Hacked Jeep Exposes Weak Underbelly of High-Tech Vehicles
The Jeep Cherokee brought to a halt by hackers exposed wireless networks as the weakest link in high-tech vehicles, underscoring the need to find fast over-the-air fixes to block malicious intrusions.
Features that buyers now expect in most modern automobiles, such as driving directions and restaurant guides, count on a constant connection to a telecommunications network. But that link also makes cars vulnerable to security invasions like those that threaten computers in homes and businesses.
"The Jeep case was a great example of how it’s not about the vehicle itself, but the network," said Thilo Koslowski, an automotive-technology analyst at Gartner Inc. "Once these systems are connected to the outside and start talking to each other, that's when the problems start."
The hack forced Fiat Chrysler Automobiles NV to recall 1.4 million vehicles and ask Sprint Corp. to issue a temporary fix over its network. In that controlled demonstration, two security experts accessed the Jeep’s Uconnect infotainment system via Sprint's network, hijacking basic functions and stopping the vehicle from miles away. The duo are scheduled to show their feat again at the Black Hat USA 2015 hackers conference.
While previous hacking demonstrations took place with a direct cable link into cars’ diagnostics ports, the over-the-airwaves hack by Charlie Miller and Chris Valasek, conducted for Wired magazine, required no physical access to the Jeep to shut it down.
Miller and Valasek informed Chrysler of the flaws they exploited, giving engineers time to make fixes. When they discuss the car hack again at Black Hat on Aug. 5 in Las Vegas, security professionals will get a look at the duo's discoveries, while automakers and telecom companies will get a peek into a possibly unpleasant future.
After the initial hack, Sprint pushed out a network-level fix to block this specific attack, although the researchers said they could still access the Jeep in different ways, leaving open the possibility for other attacks. Fiat Chrysler said it's not aware of any real-world unauthorized remote hacks into any of its automobiles.
General Motors Co. has a team working on cybersecurity and has hired Harris Corp.'s Exelis and other firms to develop anti-hacking systems, according to Mark Reuss, the Detroit automaker’s executive vice president for global product development. GM has also worked with the U.S. military and with Boeing Co. on securing systems, he said.
Sprint's fix appears to work by blocking access to the specific port used to penetrate the Jeep's computer systems, which means the attack can now only work over Wi-Fi connections, significantly limiting its usefulness, said Valasek, who is director of vehicle security research for IOActive, a Seattle-based computer security consultancy.
"This matter was related to software in certain vehicles equipped with 8.4-inch touchscreens and not to Sprint, the carrier providing connectivity to the touchscreens," said Sprint spokeswoman Stephanie Vinge Walsh. "At the automaker’s direction, we provided assistance by developing and implementing a network-level measure to prevent unauthorized remote network access to the software in the touchscreens."
Unlike Internet service providers, which have more limited technical ability to manipulate users' machines to block security threats, wireless operators have a great deal of control over what happens on devices on their networks. The tools for adding or removing software, blocking ports or banning certain software are baked into the design of mobile networks and the devices that run on them.
As a result, smart cars end up sharing many attributes with mobile phones, which require that hardware and software makers work closely with wireless operators to make sure devices work flawlessly. Google Inc. and Apple Inc. have "kill switches" embedded in their mobile software that allow the companies to reach in and remove malicious or unauthorized programs from their devices, a little-known and little-used tool.
A kill switch in a car would be more problematic, because of the potential for causing accidents or leaving passengers stranded.
Still, auto and telecom companies have to make sure security updates can be pushed out immediately, Gartner's Koslowski said. "The automotive industry will be very much at risk if it doesn’t implement a mechanism to do that wirelessly going forward," he said.
At Verizon Communications Inc., the company has had to develop technologies for parsing different types of wireless traffic to help deflect car-hacking attempts, an executive said. Verizon's automaker clients include Toyota Motor Corp., Hyundai Motor Co. and Volkswagen AG.
"We've been working with our clients on this—everyone in the industry is very sensitized to security, said Mark Bartolomeo, the global leader for the so-called Internet of things at Verizon "It is probably the number-one issue to be cared for and it can be the most brand-damaging."
Ian King in San Francisco contributed to this story.