White-hat hackers Charlie Miller and Chris Valasek remotely took over a Jeep Cherokee, ran its controls, then cut the transmission as it sped at 70 mph along Interstate 64 in an experiment conducted with Wired.
They turned on the air conditioning, switched radio channels, turned on the windshield wipers, activated the windshield washer fluid pump, and transmitted a photo of themselves to the vehicle's digital display -- all from a laptop 10 miles away.
The hackers attacked through Chrysler's Uconnect infotainment system.
Uconnect is installed on about half a million Chrysler vehicles across several of the automaker's brands, all of which are at risk. Miller and Valasek selected the Jeep Cherokee after several months' research because it was the most vulnerable.
Chrysler last week posted online a notice about a patch for the Uconnect flaw but apparently didn't include any details or acknowledge the hackers' research.
Fiat Chrysler Automobiles, or FCA, "has a dedicated team," said spokesperson Alyse Tadajewski.
Among its responsibilities are "development and implementation of cybersecurity standards for all vehicle content, including on-board and remote services," she told TechNewsWorld.
"FCA released a software update that offers customers improved vehicle electronic security and communications system enhancements," Tadajewski said.
Chrysler owners can download and install the free update themselves, or bring their vehicle to a dealer who will do it at no charge.
Once Miller and Valasek hack into a vehicle through Uconnect, their software rewrites the firmware in a processor in the car's entertainment system.
They then can send commands through the car's internal computer network to its physical components.
All Chrysler vehicles with Uconnect from late 2013, all of 2014, and early 2015 are vulnerable.
Miller and Valasek will present their research at Black Hat U.S.A. 2015, to be held in Las Vegas August 1-4, although they will leave out details of how their attack rewrites the chip's firmware.
They reportedly shared their research with Chrysler for nearly nine months, which allowed the automaker to come out with the patch.
Alarums and Excursions
Automobile and cybersecurity experts have been warning of the dangers of a car hack for years.
An angry auto dealership employee in Texas disabled more than 100 vehicles remotely in 2010.
However, the Jeep hack "is a significant departure from what we have seen before and can be considered very worrisome," said Carl Leonard, principal security analyst at Raytheon|Websense.
"While the automotive industry has made consistent developments in protecting consumers with systems such as antilock brakes, traction [and] skid control systems, and airbags, time and effort must now be spent on ensuring that those systems cannot be bypassed or used as an access point into other systems," he told TechNewsWorld.
Fair enough -- but "there is a 100 percent chance that connected cars will be successfully hacked," remarked Rob Enderle, principal at the Enderle Group.
Delivering a highly connected car that OEMs know kids can hack "could land them in litigation hell, depending on who was killed and where in the nation the accident happened," Enderle told TechNewsWorld.
The worst-case scenario "would be multiple instances of a hacked car taking out a school bus or successfully ramming a school with substantial fatalities," he suggested.
Efforts at Safety Measures
Cybersecurity is among the top priorities in the auto industry, according to the Alliance of Automobile Manufacturers.
Legislation calling for implementation of intrusion-detection systems within two years has been proposed, but it's "almost guaranteed to fail, because it doesn't allow for appropriate and necessary testing, among other things," said Roger Lanctot, associate director of the global automotive practice at Strategy Analytics.
The legislation "calls for segregating critical systems at the very moment that multiple vehicle systems are converging to share processing and network resources," he told TechNewsWorld.
There are different standards for different applications and for different hardware and software architectures, Lanctot said. Most of the standard "is still in the early stages."
However, cars "are a low priority target" for hackers, Lanctot pointed out. "Most doomsday scenarios are hugely exaggerated."