Chrysler Jeeps have a major security vulnerability that allows hackers to hijack them remotely. The American carmaker has quietly released a software update to fix the issue.
The security flaw was called Nextcar art The Bug by security experts Chris Valasek and Charlie Miller. It can affect Uconnect, an Internet-connected computer feature in the dashboard. Uconnect comes as an optional upgrade and is not standard in Chrysler vehicles.
The team of security experts recently demonstrated how easy it could be to leverage the flaw to remotely hack into a Jeep. Andy Greenberg, a writer for Wired, took part in an experiment that ended for him in a ride he won't soon forget.
Greenberg willingly got behind the wheel of a Jeep Cherokee to be the security team's "digital crash-test dummy". The test took place on St. Louis' public roads. For the Wired writer, things started getting weird. He reported after the test that the vents in the Jeep Cherokee started blasting cold air without him touching the dashboard.
In his account of the incident he also wrote that the next thing to happen was the radio switching to the local hip hop station. Even when he hit the power button, he was unable to turn off the radio. Then the wiper fluid blurred the glass and the windshield wipers turned on.
All these actions were remotely controlled by the hackers from the couch in Miller's basement. They were 10 miles away from the car. The two security researchers flashed an image of themselves on the Jeep's display. Greenberg did not panic much, since the hackers had assured him that nothing life-threatening would happen. But then the two cut the transmission on the Jeep.
Greenberg reported that his accelerator stopped working and the RPMs climbed as he frantically pressed the pedal. Soon after, the Chrysler Jeep lost half of its speed, and then slowed down even more to a barely moving speed. Greenberg wrote that the experiment was far from being fun.
Greenberg called the hackers from his iPhone, asking them to stop the experiment. But before the test was over, the security experts tried one last trick. They cut the car's brakes in the most disturbing maneuver of the entire experiment. The 2-ton Chrysler SUV slid uncontrollably into a ditch.
The hackers declared after the experiment that they are still working on "perfecting steering control". For now they can only hijack the car's wheel when the vehicle is in reverse. They can also track the Jeep's speed and its coordinates.
The hackers' attack is especially worrisome since it was performed wirelessly. They did not need to be physically connected to the car with a laptop in any way, unlike other car hacks carried out in the past. Valasek and Miller declared that they will reveal more details about the Chrysler Jeep security flaw next month, at the Black Hat Conference.
Chrysler released a software update soon after the hack. Owners of all Chrysler Jeeps featuring Uconnect are advised to install the update as soon as possible. The patch can be installed by a Chrysler dealership mechanic, or the car owner can install it manually via USB stick. It is reported that the security flaw affects 2013-2014 models of Dodge Ram; 2013-2014 models of Dodge Viper; the 2014 Dodge Durango, Jeep Grand Cherokee, and Jeep Cherokee; the 2015 Jeep Cherokee and Jeep Grand Cherokee; as well as the 2015 Chrysler 200s.
The American automaker Chrysler didn't seem thrilled at all about the way the security researchers disclosed the flaw in its software. The company declared in an official press statement that under no circumstances would it be appropriate to disclose "how-to information" that could potentially enable hackers to gain unlawful and unauthorized access to car systems. However, the company spokesperson told Wired that they "appreciate" the work of cyber-security advocates Valasek and Miller, which is helping to improve the car industry's approach to potential vulnerabilities.