
Car hackers say they've hijacked Jeep brakes

Elizabeth Weise
USATODAY
This Tuesday, Dec. 2, 2014 photo shows the Jeep logo on a Cherokee vehicle at a local car dealership in Tempe, Ariz.

LAS VEGAS — The hackers who digitally hijacked a Jeep over the Internet a year ago have done it again — with a twist.

In 2015, automotive cybersecurity researchers Charlie Miller and Chris Valasek showed how they could remotely stop a car and disable its brakes when it was going below five miles per hour.

This year, they unveiled a new exploit: from inside the car, they plugged into its electronic system and hijacked the steering and brake systems while the vehicle was going at a much faster clip.

While they’re clear what they’ve done is difficult, time-consuming and not anything that’s going to be widely possible for years, they’re also insistent that by getting the word out now, car companies can get ahead of the problem and build systems that are safer.

“Let’s make this harder to do. Any technology system can be leveraged by attackers,” said Miller, who spoke with Valasek Thursday at Black Hat, the massive computer security conference in Las Vegas.

The pair walked a packed audience through how they broke into their 2014 Jeep Cherokee’s code, found its vulnerabilities and were then able to engage the brakes, take over the steering wheel and set the parking brake – all while the car was driving at speeds as high as 30 miles per hour.


During testing, they managed to drive their car into a ditch in the middle of a corn field near their homes. “A nice local guy towed us out for $10,” said Miller.

The new hacks work by tricking the car’s electronic systems into listening to the messages the researchers were sending, not the ones the various computers on the car were sending. Previously, they’d found that if a car was getting messages from both them and itself, it registered a conflict and shut the entire system down.
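The conflict check described above can be sketched as receiver-side detection logic. This is an added example, not code from the researchers or Fiat Chrysler; it assumes each message ID has a single legitimate sender transmitting at a fixed period, and the IDs, periods and frame log are constructed for illustration.

```python
from collections import namedtuple

# Constructed frame model: timestamp in ms, message ID, payload bytes.
Frame = namedtuple("Frame", "t_ms msg_id data")

# Hypothetical schedule: each ID has one legitimate sender with a fixed period.
EXPECTED_PERIOD_MS = {0x120: 20, 0x2A0: 50}

def detect_conflicts(frames, periods=EXPECTED_PERIOD_MS, tolerance=0.5):
    """Return (t_ms, msg_id, reason) for frames that suggest a second sender."""
    last = {}    # msg_id -> previous Frame seen for that ID
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.t_ms):
        period = periods.get(f.msg_id)
        if period is None:
            alerts.append((f.t_ms, f.msg_id, "unknown-id"))
            continue
        prev = last.get(f.msg_id)
        if prev is not None:
            gap = f.t_ms - prev.t_ms
            # A frame arriving far inside the period means two sources share one ID.
            if gap < period * tolerance:
                reason = "conflicting-data" if f.data != prev.data else "too-fast"
                alerts.append((f.t_ms, f.msg_id, reason))
        last[f.msg_id] = f
    return alerts

def feature_enabled(frames, msg_id):
    """Fail safe: the feature driven by msg_id is disabled once a conflict is seen."""
    return all(alert[1] != msg_id for alert in detect_conflicts(frames))

# Constructed log: 0x120 is clean until an extra, contradictory frame at t=45.
SAMPLE = [
    Frame(0, 0x120, b"\x00\x10"), Frame(20, 0x120, b"\x00\x10"),
    Frame(40, 0x120, b"\x00\x10"), Frame(45, 0x120, b"\x7f\x00"),
    Frame(60, 0x120, b"\x00\x10"),
    Frame(0, 0x2A0, b"\x01"), Frame(50, 0x2A0, b"\x01"),
]

if __name__ == "__main__":
    for alert in detect_conflicts(SAMPLE):
        print("t=%dms id=0x%X %s" % alert)
```

A timing-and-content check of this kind only notices a second sender when the genuine frames are still arriving alongside it, which is why the article's point about gateways and layered defenses matters.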

The pair both work for Uber’s Advanced Technology Center in Pittsburgh, Pa., but their car hacking research is not part of their day jobs.

“It’s all nights and weekends,” said Valasek. “We need to get another hobby.”

Chrysler: that's old software

Fiat Chrysler, which makes the Jeep that the pair hacked, said in a statement to USA TODAY: "while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."

It also said the demonstration vehicle had been updated with security-enhanced software as part of a voluntary safety recall, and appears to have been altered back to an older level of software for the demonstration.

"It is highly unlikely that this exploit could be possible through the USB port if the vehicle software were still at the latest level," the statement read.

Fiat Chrysler last year launched a "bug bounty" program, or a place for cybersecurity researchers to disclose vulnerabilities, rather than showcase them publicly, which FCA said can actually harm public safety.


Action by automakers on bolstering security is paramount. Soon, all cars will be “sensing and entertainment platforms on wheels with an engine,” said Mike Belton, vice president for applied research with Optiv.

“I think the auto manufacturers definitely understand that if they don't get this right, they’re going to have regulatory and insurance pressures and consumer adoption issues,” said Benton. Any actual hack “would be a business-ending event,” he said.

In fact, research released this month by KPMG found that 8 out of 10 consumers were worried enough about this issue that if they knew of a brand being at risk for being hacked, it would affect their buying decisions.


Change is coming gradually. The problem is that car companies don't start out with a clean slate. New cars are designed based on older models and have all the problems of any legacy system.

“Adding security throughout is a big effort and quite a big cost factor,” said Timo van Roermund, a senior automotive security architect with NXP, a Dutch company that supplies chips to the auto industry.

However, manufacturers are beginning to embrace security. Many premium models are adding gateways so that it’s no longer possible to talk to every network within a car independently. Based on what he sees NXP customers doing, he believes that by 2020 all new vehicles will have that in place.

The problem is that it takes about 5 years to design a new vehicle and then it’s got a lifetime of 15 plus years. So the challenge, says van Roermund, “is to make it secure against hackers who might be working 20 years from now.”

Swan song

As for the car-hacking pair, this is their last foray, Miller and Valasek said.

Realistically it will be impossible to know whether the potential threats they have uncovered have been fixed for several years, because the release cycle for new vehicles is about four years, said Miller.

“If we don’t see change in five years, I’ll be really disappointed. It’s something that really needs to be there,” he said.
