Date: 2015-07-21
By Joseph Menn
SAN FRANCISCO, July 21 - A pair of veteran
cybersecurity researchers have shown they can use the Internet
to turn off a car's engine as it drives, sharply escalating the
stakes in the debate about the safety of increasingly connected
cars and trucks.
Former National Security Agency hacker Charlie Miller, now
at Twitter, and IOActive researcher Chris Valasek used a feature
in the Fiat Chrysler telematics system
Uconnect to break into a car being driven on the highway by a
reporter for technology news site Wired.com.
In a controlled test, they turned on the Jeep Cherokee's
radio and activated other inessential features before rewriting
code embedded in the entertainment system hardware to issue
commands through the internal network to steering, brakes and
the engine.
"There are hundreds of thousands of cars that are vulnerable
on the road right now," Miller told Reuters.
Fiat Chrysler said it had issued a fix for the most serious
vulnerability involved. The software patch is available for free
on the company's website and at dealerships.
"Similar to a smartphone or tablet, vehicle software can
require updates for improved security protection to reduce the
potential risk of unauthorized and unlawful access to vehicle
systems," the company said. It didn't immediately answer other
questions.
Miller and Valasek have been probing car safety for years
and have been among those warning that remote hacking was
inevitable. An academic team had previously said it hacked a
moving vehicle from afar but did not say how or name the
manufacturer, putting less pressure on the industry.
National Highway Traffic Safety Administration chief Mark
Rosekind on Tuesday said his agency is increasingly concerned
about the security of vehicle control systems.
"We know these systems will become targets of bad actors,"
he told a conference on autonomous and connected vehicle
technology in Ypsilanti, Mich. If consumers don't believe that
connected vehicle systems are safe and secure, he said, "they
will not engage it."
Members of Congress have also expressed concern, and on
Tuesday senators Ed Markey and Richard Blumenthal, both
Democrats, introduced a bill that would direct the NHTSA to
develop standards for isolating critical software and detecting
hacking as it occurs.
Miller and Valasek said they had been working with Fiat
Chrysler since October, giving the company enough time to
construct a patch to disable a feature that the men suspected
had been turned on by accident. They plan to release a paper at
the Def Con security conference next month that includes code
for remote access, which will no longer work on cars that have
been updated.
They said the harder problem for an attacker, moving from
the entertainment system to the core onboard network, would take
months for other top-tier hackers to emulate.
Many Jeeps could remain unpatched, leaving them open to
attack. But the researchers said hackers would need to know the
Internet Protocol address of a car in order to attack it
specifically, and that address changes every time the car
starts.
Otherwise, "You have to attack random cars," Valasek said.
The men stressed that it would be easy to make modest
adjustments to their code and attack other types of vehicles.
They said that manufacturers, who are racing to add new
Internet-connected features, should work much harder on creating
safe capability for automatic over-the-air software updates,
segregation of onboard entertainment and engineering networks,
and intrusion-detection software for stopping improper commands.
"Anything that connects to the outside world is an attack
vector, from my point of view," Valasek said.
