Hackers hijack Jeeps once more, your brakes belong to them
[Update 14.40GMT: FCA statement]
Car hackers Charlie Miller and Chris Valasek have once again set their sights on a Jeep Cherokee -- and this time, they are taking full control of the brakes.
Black Hat USA
In this attack, the hackers need physical access to the car to tap into the Jeep's systems through the CAN bus, giving attackers the opportunity to compromise the vehicle and either control or completely kill the vehicle's braking system.
However, the team says that other, more remote methods could be used, such as a concealed device or remote attacks through a wireless link.
As noted by The Register, the local attack could be re-engineered remotely for targeted attacks, although it would take far more effort and tailing on the hacker's part to achieve.
On Twitter, Miller said such attacks were "most definitely" possible.
In a proof of concept (PoC) video, the duo made themselves comfortable in the Jeep, and Miller connected his laptop to the CAN bus above the dashboard.
While CAN buses are legitimately used to feed and display detailed data such as fuel consumption and the state of an engine, the team were also able to use this connection to aggressively control the car.
As shown in the PoC below, Miller's tampering resulted in the brakes being yanked out of the driver's control -- and the attack at 25mph was almost enough to fully tip over the Jeep.
The duo hit the spotlight in 2015 after demonstrating an attack against a 2014 Jeep Cherokee. The researchers exploited a vulnerability in the Uconnect infotainment dashboard system and were able to remotely control the vehicle -- including tampering with the brakes, switching the windshield wipers on, and turning off the engine.
While this attack is not potentially as serious as the 2015 attack against Uconnect -- as it must be performed with a physical connection to the Jeep and cannot be immediately launched remotely -- the techniques used do highlight a burgeoning problem.
Automakers may have expertise in creating stylish, powerful cars, but when it comes to IT security, outside help is needed. When you're offering consumers a product which, if compromised, could cause injury or even fatalities, security cannot be an afterthought.
A paper detailing the techniques used in the attack is due to be presented at Black Hat USA. Miller and Valasek have created an anti-intrusion system that detects their attacks but recommends automakers start clamping down and tightening up security if they have any CAN buses installed.
In a statement to ZDNet, the Fiat Chrysler Automobiles (FCA) said:
"Charlie Miller and Chris Valasek recently shared a draft copy of their 2016 automotive cybersecurity paper with FCA US LLC. Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."
In addition, the FCA stressed that conducting this attack takes "extensive technical knowledge", and as part of a voluntary recall, the security flaws present in the 2015 attack should have been patched.
"Under no circumstances does FCA US condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or enable individuals to gain unauthorized and unlawful access to vehicle systems," the firm said. "The company [FCA] continues to caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.