Charlie Miller and Chris Valasek conducted an experiment earlier this month that ended up with a Jeep in a ditch, although the driver didn't drive it there. The two remotely hijacked the car, controlling it through a laptop and a cell phone.
How did they hijack a car?
Mr. Miller, a former National Security Agency employee, and Mr. Valasek, the director of vehicle security research for security company IOActive, found several weak points in the car’s system due to Chrysler's Uconnect software, which controls the vehicle’s entertainment and navigation, enables phone calls, and offers a Wi-Fi hot spot. These innovative features unfortunately provide access points for the vehicle to be hijacked, according to a report in Wired. The Internet capability is particularly susceptible; if a hacker is able to identify the IP address of the car, then, “From an attacker’s perspective, it’s a super nice vulnerability,” said Miller to Wired.
To test the hijacking software, the two researchers worked with Andy Greenberg, a writer with Wired, who drove the car on a St. Louis highway until he could no longer control the vehicle.
“Immediately my accelerator stopped working," writes Mr. Greenberg. "As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
What can you do to protect your vehicle from hijackers?
Chrysler posted a notice on its website informing customers of a “Software Update to Improve Vehicle Electronic Security,” saying that a car, like a phone or computer, needs software updates to ensure security.
The software update provided by Fiat Chrysler Automobiles, is free of charge and can be downloaded by the user onto a USB drive, and then inserted into the USB port in the vehicle dashboard. A Chrysler dealer can also install the Uconnect update for the car at no charge, according to the press release.
The Uconnect software update is available here.
The hijacking duo has only tested the system-control software so far on Jeep Cherokees and has found that it works on models from late 2013 through early 2015. The team has yet to try other makes and models of automobiles. The car manufacturer has said that it appreciates Miller and Valasek’s work, but the company cautions “advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.” The research team plans to unveil its full findings at the Black Hat conference, an information security event in Las Vegas this August.