A pair of hackers have compromised their Jeep Cherokee, fooling the car into doing dangerous things like turning the steering wheel or activating the parking brake at highway speeds. It’s the same pair that hacked their Jeep remotely last year. But, because this version of the hack requires physical access to the car — in this case, through a laptop connected to the OBD II engine diagnostic port — it may not be quite as scary, except for the fact that they’re controlling way more vehicle systems.
A year ago, the two cybersecurity researchers, Charlie Miller and Chris Valasek, remotely compromised a Jeep Cherokee. They were able to disable the car’s transmission and brakes, and, while the vehicle was in reverse, take over the steering wheel. All of this was possible by abusing existing functionality in the car, like the self-parallel parking feature, and commanding the vehicle to do things within its limitations.
For example, the steering wheel could only be controlled while the car was going in reverse below a certain speed. That’s because the car’s central computer had checks to ensure that the car would only steer itself when it was in the auto-park mode. Chrysler later issued a patch to fix the vulnerability.
After last year’s hack, Valasek and Miller went to work at Uber’s Advanced Technology Center in Pittsburgh.
The new hack, while being more difficult to execute — the hackers were physically in the car at the time — nonetheless illustrates the dangers of connected cars. They were able to update the electronic control unit’s (ECU) firmware to disable those checks and balances, allowing them to take control of the steering at any time, not just when the car was going in reverse. They could turn the steering wheel at any speed, activate the parking brake, or adjust the cruise control settings. Theoretically, that sort of manipulation could cause someone to veer off the road or rear-end someone.
"It’s not like I can take control of the car and drive you to my house and you can’t stop me," said Miller to Wired. "But if you’re not paying attention, it’s definitely dangerous."
What’s even more concerning is that, while the hack in this case required the researchers to be physically in the car, it could be possible for other OBD II-connected dongles like those from Automatic, the Verizon Hum, or the sensors issued by some insurance companies to be compromised in a similar manner.
Miller and his partner Chris Valasek will present their findings at the Black Hat security conference later this week. For its part, Fiat Chrysler (FCA) issued a statement to Wired saying, "While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles." FCA also pointed out that the hack was performed on a vehicle with an older version of its software, something that Valasek and Miller confirmed.
Regardless, the more connected — and autonomous — our cars get, the more on guard we will need to be.