How they hacked and crashed a Jeep
St Louis, Missouri - The triumphant shout of “You’re doomed!” came in an iPhone call from the hacker who had remotely hijacked a Jeep Cherokee on a motorway, cutting the transmission and leaving its driver powerless.
The accelerator stopped working and the Jeep slowed to a crawl on a flyover where there was no hard shoulder to pull over and the traffic was moving at a steady 115km/h.
In the mirror, the driver could see a lorry bearing down on his paralysed Jeep. Holding his mobile with a clammy hand, he begged the hackers: “Make it stop.”
In one sense the driver, Andy Greenberg, was lucky. He managed to roll his Jeep down an exit ramp and got it going again by turning the ignition off and on. The hackers could have killed the engine altogether, slammed on the brakes or, worse, disabled them - as they did later.
“The most disturbing manoeuvre came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the two-ton vehicle slid uncontrollably into a ditch,” he says.
Greenberg, a writer on the technology magazine Wired, had agreed to be the guinea pig driver for two US tech wizards, Charlie Miller and Chris Valasek, whose exploits hacking cars’ entertainment, telephone and navigation systems have sent tremors through the motor industry.
HEADS IN THE SAND
From his terrifying account, it would appear that Miller and Valasek have worked out how to control a car remotely, over the internet, without having physical access to the vehicle in any shape or form. If that sounds scary, it is.
Cars are already under attack as never before as the gadgetry they contain grows more complex and thus more vulnerable to would-be thieves. Modern cars typically contain 50 low-powered computers - enabling services such as wifi, Bluetooth, satnav and even the information screen - which can offer tempting entry points to criminals.
In Britain, tens of thousands of cars are stolen or broken into every year by thieves using electronic hacking equipment bought from websites based mainly in Bulgaria. Instead of smashing windows or forcing door locks, the criminals arm themselves with equipment that can intercept signals from key fobs to get into cars or that plugs into onboard computers remotely.
This month, Range Rover issued a recall to fix a software security flaw that could be used to unlock its vehicles’ doors.
Technology researchers, seeking to push the frontiers of their knowhow - and force the motor industry to take its head out of the sand over the issue - have for several years been seeking ways to hack cars’ computers and bypass their security systems.
But Miller and Valasek have gone much further. The duo proved this week that they can wirelessly carjack Jeep Cherokees via the internet, armed with just a basic mobile phone and a laptop loaded with their own software, from just about anywhere. In theory, they could engineer any number of nightmare scenarios.
In Greenberg’s Jeep, the attack began when freezing air came coursing through vents at the maximum setting. The voice of pop star Kanye West erupted from the radio at top volume and Greenberg couldn’t switch him off.
The windscreen wipers started up and screenwash squirted across the screen. Then Miller and Valasek disabled the engine.
It could get worse. According to Greenberg, the hackers are “perfecting their steering control - for now, they can only hijack the wheel when the Jeep is in reverse”.
So, how exactly is it done? And what are car manufacturers doing to stop it?
TWO WAYS TO HACK A CAR
At present, there are two ways to hack a car. The first and easier method involves procuring a small box of electronic tricks the size of a credit card called a CANtact, which can be bought online from the US for just $60 (R755). The manufacturer also supplies instructions on how to build your own, which makes it even cheaper.
This device must be physically connected to a car, via one of the connection points on the vehicle’s Controller Area Network (CANbus): this is the maze of wires and computers that forms your car’s electronic brain and is normally accessed by a garage mechanic, who plugs in a laptop to diagnose any faults.
Similarly, a would-be hacker must connect the CANtact and then attach it, either with a cable or wirelessly, to a computer, which is then used to control your vehicle.
Last summer, a 14-year-old schoolboy stunned delegates at a conference of car engineers and computer security experts in the US when he controlled a car with his iPhone and a mere R200 worth of electronics similar to a CANtact.
He was able to lock the doors, turn on the windscreen wipers, flash the headlights and even start the engine.
And at a computer security conference in Asia in March, Eric Evenchick, a systems developer, demonstrated how he had hacked into a Chevrolet and, keeping the car in neutral, revved the engine to the maximum.
On a recent edition of the US TV news programme 60 Minutes, two boffins from the military’s Defense Advanced Research Projects Agency (Darpa) controlled a car being driven by the show’s presenter, who smashed through some traffic cones after they disabled her brakes.
All these methods, however, required the hacker physically to access the car. Until this week, the chances of that happening were considered to be slight.
Enter Miller and Valasek, who will showcase their research in a demonstration next month at a computer security conference in Las Vegas. On Twitter, Valasek put it succinctly. “[Miller] and I will show you how to hack a car by remote control,” he tweeted. “No wires. No mods [modifications]. Straight off the showroom floor.”
The pair spent three years working on their technology, helped by an $80 000 (R1m) research grant from Darpa.
They ripped cars apart to study their electronics and pored over manufacturers’ data.
In 2013, they demonstrated an attack on a Toyota Prius and a Ford Maverick, using electronic components to take control of the cars’ smart steering, braking, acceleration, engines and lights.
They urged the makers to take notice of what they had done, pointing out that “drivers and passengers are strictly at the mercy of the code running in their automobiles and, unlike when their web browser crashes or is compromised, the threat to their physical well-being is real”.
The makers rebuffed the research, pointing out that the pair had needed physical access to the vehicles.
NO ACCESS NEEDED
This time round, no access was needed. And while they have so far experimented only on Jeeps, they believe most of their attacks could be tweaked to work on any Chrysler vehicle equipped with Uconnect, an internet-connected computer feature found in more than 400 000 Fiat Chrysler cars, SUVs and trucks. They also believe that Cadillac’s Escalade model and Infiniti’s Q50 rate high on the scale of ‘hackability’.
As Valasek says: “For all the critics who said our work didn’t count because we were plugged into the dashboard, well, now what?”
According to Wired magazine, they have identified a vulnerable element of the Uconnect mobile phone connection that lets anyone who knows the car’s IP address (a unique string of numbers that identifies each computer) to gain access from anywhere in the country. “From an attacker’s perspective, it’s a super-nice vulnerability,” says Miller.
From that entry point, they concentrate on a chip in the entertainment system, rewriting its memory to insert their own code. This means they can send commands through the car’s computer network to its physical parts, such as the engine and wheels.
Greenberg watched the two researchers scan the internet for vehicles to ‘carjack’ from Miller’s living room in Missouri.
Uconnect computers are linked to the internet by a US mobile network called Sprint, and only other Sprint devices can talk to them. Miller used a Sprint mobile phone in his search for targets.
Cars’ GPS co-ordinates would appear on the screen, plus their vehicle identification number, make, model and IP address, be it a Dodge Ram being driven in Texas, a Jeep Cherokee in Ohio or a Dodge Durango in Michigan. Each vehicle would potentially be vulnerable to a remote attack.
CHRYSLER RELEASES PATCH
Miller and Valasek have been sharing their research with Fiat Chrysler for nine months, enabling the company to release a ‘patch’ last week to close the security loopholes.
FCA said that it was “committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability” and lamented Miller and Valasek’s decision to go public with their findings.
The company said: “Under no circumstances does FCA condone or believe it appropriate to disclose ‘how-to’ information that would potentially encourage or help enable hackers to gain unauthorised and unlawful access to vehicle systems.
“We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they [do] not, in fact, compromise public safety.” In the
US, two senators are set to introduce an automotive security Bill that would set digital security standards for cars and lorries.
There have also been calls for Congress to pass laws insisting car manufacturers adopt the tightest cyber-security measures possible.
PROGRESS BEING MADE
Some progress is being made, with the House Committee on Energy and Commerce questioning all major car makers to see what they are doing to thwart hackers.
In the UK, the issue was addressed in a speech last year by the Home Secretary Theresa May. “We can now work with industry to improve electronic resilience to include this kind of resilience in the vehicle’s overall security ratings and work out the extent to which the same threat applies to other physical assets such as building security systems,” she said.
Many British car manufacturers, such as Ford, say they are taking the issue ‘very seriously’ and doing all they can to ensure that new cars are as hack-proof as possible. Of course, we only have their word for it.
The problem is that no system can be completely secure. And with consumers demanding ever more complex gadgetry, such as touchscreen web browsers, the security risk is further increased. “Once you add a web browser to a car, it’s over,” Charlie Miller said recently, pointing out that many people know how to hack into a web browser.
In the future, it is likely that car makers will introduce vehicle-to-vehicle (V2V) communication, in which our cars would be able to talk to each other electronically, sending warnings of an accident or a build-up of traffic.
Some developers envisage that our cars will be slowed down automatically when danger is ahead or even re-routed to avoid traffic. This means they will need to be connected to the internet all the time, which in turn will make them even more accessible to hackers.
Unfortunately, there is little we drivers can do to protect ourselves from remote hacking. Some people might be able to spot an unexpected electronic gizmo, but most of us barely look under the bonnet, let alone investigate the wiring.
All we can do is ensure that the Government keeps pressing car manufacturers to make their vehicles as safe as possible. It’s either that or buy an old banger.