When you're driving down the highway, there's nothing scarier than losing control of your vehicle. Hackers may soon make that situation a lot more common. However, instead of this happening because of something in the road, you could lose control because of something in your car's onboard computer.
Cybersecurity researchers Charlie Miller and Chris Valasek proved just how possible this scenario could be when they literally took over a vehicle while it was driving down a highway outside of St. Louis, Missouri. The researchers were demonstrating the existence of a severe vulnerability in the onboard computer of their Jeep Cherokee.
The flaw in the vehicle's computer allowed Miller and Valasek to wirelessly send commands to the steering, transmission, and braking systems as well as more minor things like the air conditioning unit and the radio. It also let them track the vehicle's speed, route, and location, which added a surveillance aspect to the hack.
In a July 2015 article by Wired writer Andy Greenberg, the two experts explained that the hack would work on any Jeep, Chrysler, Fiat or Dodge vehicle with a built-in Uconnect computer system that was manufactured in late 2013, all of 2014, or early 2015. By their estimate, this equaled as many as 471,000 vulnerable vehicles.
The hack works by accessing these vehicles via their connection to the local mobile phone network. With only his laptop and a cheap disposable (burner) phone, Miller was able to home in on possible targets that were located in places across the US. The lack of any real range limitation highlights the massive scope of this hacking technique.
Miller and Valasek contacted Fiat Chrysler Automobiles months before they unveiled the flaw, and the company released a patch for the security hole in July 2015. However, the patch was not sent out wirelessly and can only be deployed at a dealership or through the use of a USB drive. To ensure that vehicles receive the patch, the multinational corporation issued a recall of approximately 1.4 million cars. Fiat Chrysler customers should visit Chrysler's DriveConnect update page to see if their vehicles were recalled.
This was not the first time that Miller and Valasek had broken into a vehicle's computer system. In 2013, they successfully hacked a Ford Escape and a Toyota Prius. At the time, critics were quick to claim that the cybersecurity experts were only able to accomplish this feat by creating a wired connection to the vehicles' onboard computers.
In response to that criticism, Miller and Valasek said that wireless attacks were already a reality, and pointed to research done in 2010 by a group of academics at the University of Washington and the University of California, San Diego. The researchers were able to wirelessly infiltrate the same systems that Miller and Valasek targeted in their 2013 efforts. In Valasek's words, the point of their endeavor wasn't to show that a hacker could get inside a car's system, but rather that they could "do a lot of crazy things once inside."
Nevertheless, the criticism sparked their desire to hack a car wirelessly. Before settling on the Jeep Cherokee as their target, the two experts investigated and rated the cybersecurity measures of 24 vehicles. While the Jeep was determined to be the weakest, other popular brands like the Cadillac Escalade and the Infiniti Q50 were also considered to be remarkably vulnerable to digital threats.
At the moment, there are very few things that people can do to protect their cars from cyberattacks, aside from updating their Fiat Chrysler vehicles with the necessary patches. The lack of options on an individual level doesn't mean that the issue is going unaddressed, since there has been a notable governmental effort in this area. Legislators and national authorities around the world have begun researching ways in which they can mandate better cybersecurity practices in the automotive industry. Standards on the subject aim to govern how car manufacturers defend vehicles from cyberattacks and protect customers' personal information, such as the location records gathered by their GPS-equipped vehicles.
The world's automobile market is rapidly filling up with vehicles that feature more and more digital functionalities. There are even some cars that are entirely computer-controlled, as is the case with driverless vehicles currently being developed by companies like Google, Mercedes-Benz, and General Motors. The increasing use of onboard computers emphasizes the need to improve cybersecurity parameters in vehicles. If this need isn't met, society could soon find itself facing a new generation of hackers capable of taking over cars from thousands of miles away.
Here's a tough truth: Everything is hackable. If technology has wireless features, it's especially hackable. If it's connected to the internet, it's the most hackable. So any car with a key fob, onboard wifi, and a built-in 4G antenna? Very, very hackable - and from thousands of miles away.