NEW YORK (July 22, 2015) — A flaw in several Chrysler models lets hackers remotely control them over the Internet, posing an unprecedented danger for American drivers.
Hackers can cut the brakes, shut down the engine, drive the car off the road, or make all the electronics go haywire.
Jeep Cherokees, Chrysler 200s, Dodge Rams, and several other vehicles are vulnerable to such attacks, according to research revealed Tuesday.
The core problem? A flaw in the wireless service Uconnect that connects these cars to the Sprint cellphone network.
The researchers, Charlie Miller and Chris Valasek, first demonstrated the hack to Wired Magazine by remotely hijacking a Jeep Cherokee driven by a news reporter.
“Right now I could do that to every [Chrysler] car in the United States on the Sprint network,” Miller told CNNMoney on Tuesday.
The researchers have concluded that the vulnerable Chrysler models are those from late 2013, all of 2014 and early 2015 that are loaded with Uconnect and the full navigation displays.
But Miller said there could be other vehicles with this weakness that he isn’t aware of. The researchers did not test any cars made by Ford, General Motors or others — but only because they’re a tiny team that lacks the funding to keep buying cars and the time to break into them.
Chrysler acknowledged the problem to CNNMoney on Tuesday. Chrysler said it left an unused computer communication channel open that unknowingly granted outside access to car controls. It is now offering a software upgrade that it says customers should install “at their earliest convenience.”
But Chrysler didn’t refer to this as a recall — or say drivers are at risk.
“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection,” the company said.
Miller and Valasek said they presented their research to Chrysler last October, allowing the company to develop a fix. Miller said the company had been “very kind and responsive.”
Explaining the hack
Modern-day cars are smartphones on wheels – and just like any computer, vulnerable to hackers. As CNNMoney has investigated in the past, the computers inside cars are still pretty “dumb.”
In 2013, Miller and Valasek demonstrated how they could hack a car while sitting inside it. At the time, they had to physically connect a laptop to a car’s dashboard.
Wireless connectivity — now standard in nearly every car — has upped the risk.
In this latest experiment, Miller and Valasek used a laptop to scan for any cars on the Sprint network that also use Uconnect.
In seconds, these researchers can tap into any car’s “infotainment system.” They can turn off the air conditioner, blast the radio volume, and change the navigation screen.
Once inside, they can then penetrate what’s supposed to be a guarded layer: the computer backbone of the car. They can control the brakes, steering wheel and accelerator.
In the past, auto suppliers and car makers have assured CNNMoney this crossover — from infotainment to core controls — was impossible.
The researchers noted that Sprint, as the network operator, is also in the position to block this kind of attack. Sprint did not tell CNNMoney whether it would do that on its own, but the company said it is “working with Chrysler to help them secure their vehicles.”
What’s next? On Tuesday, two U.S. senators introduced legislation to establish national safety and privacy standards for automobiles — and a rating system that tells you how safe a car is from cyberattacks.
Senators Edward Markey, of Massachusetts, and Richard Blumenthal, of Connecticut, call it the Security and Privacy in Your Car Act.
Next month, Miller and Valasek will reveal exactly how they hacked into the infotainment system, though not how they hijacked car controls.
Miller noted that it took him and his buddy nearly a year to figure this out. That should keep your average punk from figuring out how to do this — but only for a short while.
“It shouldn’t be possible,” Miller said. “I’m scared because you should not be able to attack cars remotely like this.”