Two security researchers demonstrated the ability to wrest control of a car from its driver by using remote computers, in an experiment reported by Wired on Tuesday that underscored potential cybersecurity pitfalls of vehicles that utilize Internet-connected dashboard systems.
Hacking experts Charlie Miller and Chris Valasek were able to take control of a Jeep Cherokee driven by Wired reporter Andy Greenberg, adjusting the car's air control and windshield wipers. They ultimately cut the car’s transmission and forced it off the road.
Miller and Valasek targeted a new Jeep with a Uconnect dashboard system — used by thousands of new vehicles manufactured by Fiat Chrysler, Jeep’s parent company.
The Internet-connected system allows drivers to easily control navigation, entertainment and wireless services while driving. But Miller and Valasek were able to hack into the car’s system — something they hope will highlight potential pitfalls in any automobile that uses Internet-connected operating systems.
“All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone,” said Greenberg in his article.
“From an attacker’s perspective, it’s a super nice vulnerability,” Miller told Greenberg.
The Wired article said Miller and Valasek had been working with Fiat Chrysler for months to help it try to improve its security systems.
“[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” a statement provided to Wired by a Chrysler spokesperson said. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”
Fiat Chrysler did not return Al Jazeera's requests for comment.
Hours after the Wired story was published, two Democratic senators separately announced the introduction of legislation that would create federal standards to try to secure wireless technologies in cars and protect consumer privacy data associated with online car systems.
The SPY Car Act, introduced by Sens. Richard Blumenthal, D-Conn., and Edward J. Markey, D-Mass., would create a ratings system, called a “cyber dashboard,” that would provide consumers with information on whether auto manufacturers were going beyond those established regulatory minimums.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Blumenthal in a statement.
“Drivers shouldn’t have to choose between being connected and being protected,” said Markey in a statement.
Markey released a report last year detailing how automakers allegedly failed to adequately protect wireless technology in new cars from potential hackers.
The report, based on responses by 16 automakers to questions posed by Markey, concluded that while nearly 100 percent of new vehicles on the market contain some kind of wireless communications technology, security measures to prevent hacking of vehicle electronics are "inconsistent and haphazard" across the industry.
Only two of the responding automakers said they could respond to an effort to hack on-board data systems "in real time," the Markey report found.
The report also raised concerns about privacy, noting that automakers are collecting and using large amounts of driving data, in many cases storing the data with third parties.
Customers "are often not explicitly made aware of data collection, and when they are, they often cannot opt out without disabling valuable features such as navigation," said the report.