In light of the recent revelation that certain vehicles running FCA’s Uconnect software are susceptible to remote hacking, we should take a moment to break down what this actually means, and how much are you at risk if you own one of these vehicles?
The remote hack made public by Charlie Miller and Chris Valasek through an article in Wired does appear to portray a doomsday scenario. By using a laptop connected to the Internet, Miller and Valasek can take control many of the computer-controlled functions of the vehicle, including the steering, brakes, transmission, and infotainment system.
In the wrong hands, the hackers claim, a person could remotely kill your vehicle causing a serious accident that would put you and your family’s lives at risk. But how exactly are they doing it?
Miller and Valasek won’t publicly say exactly what they’re doing. They are going to expose the hole at the upcoming security conference, which allows their work to be peer-reviewed. But they vow to not release an extremely important part of the hack that would allow people to copy their work.
By utilizing the Sprint wireless network in Uconnect vehicles, the hackers are able to gain access to the firmware of the infotainment system. They can re-write the code to take over other systems in the vehicle. Modern day vehicle electronics are linked together using something called a CAN bus, and once that is broken it’s fairly easy to gain access to other systems.
To illustrate easily how much information is readily available without hacking, just plug an OBD-II scanner into your car’s port and see what information comes out. They are popular selling items on Amazon, and connect to your phone to show you a litany of information. They can be used to get better fuel economy or monitor vehicle performance.
Of course, this hack is much deeper and the hacker doesn’t need physical access to the vehicle to take control.
The Wired article details how Miller and Valasek just need to plug a Sprint phone into their laptop and they can begin scanning for cars that have the vulnerability. Since every connected device to the Internet has an IP address, they are searching for IP addresses associated with Uconnect vehicles.
Being able to remotely hack a vehicle is a bad thing, and I think we can all agree on that. Miller and Valasek are security researchers, and have been sharing their research with FCA throughout the process. FCA has already developed a fix for the problem, and it is available for download and install by the end user, or the end user can schedule an appointment with a dealer where the patch will be performed free of charge.
Because FCA’s Uconnect system isn’t capable of over-the-air updates like BMW or Tesla, owners will have to take an active role in getting their car patched. Presumably, dealerships will be checking cars that come in and proactively applying the patches, but there has been no formal announcement at this time of that occurring.
But how big of a threat is this actually? Back in the glory days of hacking, when movies were made about the evil hackers and murdering multinational computer companies, hackers hacked for the fun of hacking. There’s a certain appeal in breaking something that should be unbreakable.
Today, however, hackers hack for money. If you’ve ever had a computer virus, you’ve been hacked. Many viruses today don’t cause death and destruction to your computer, they hold your files for ransom until you turn over a few hundred dollars using a Green Dot card.
On an individual basis, there’s really no financial benefit to taking over your car. It’s hard to pay a ransom to let your car go if you’re careening down the highway.
If, at a large scale, a hacking group could be in a position to take over hundreds or thousands of cars, it’s possible that that hacking ground would use that power to extort money out of an automobile manufacturer, but this particular hack doesn’t seem to scale up that easily.
So the final question is, if you have a vehicle that’s vulnerable to attack, what are the odds of you actually being attacked?
Scanning for a list of IP addresses is a fairly easy process. Hackers do it all the time to find vulnerable computers on the Internet. But once the hacker has an IP address, they really don’t know who that IP address belongs to.
At this point, it would take a hacker a serious amount of work to look through IP addresses, find the GPS location of them, verify that GPS coordinates match where you should be, and then take over your vehicle. The truth of the matter is, you’re probably not that important for a hacker spending his or her time trying to find you.
I’m not trying to make light of these vulnerabilities. They are a big deal, and it’s important for them to be discovered and fixed. Not every hacker is an ethical hacker, so it’s a good thing that this vulnerability was discovered by a group of guys who shared their work with FCA. FCA worked with the hackers to develop a patch and the hole is now plugged.
Car companies are starting to take vehicle hacking more seriously, and hackers will continue to try to break these systems. We aren’t done with seeing stories like this, but before we all panic, let’s put it all into context so we can rationally solve the problem.
Join The Discussion