Having state-of-the art cyber-security and protection for your car will get more and more crucial, with having more and more cars connected to the Internet. Obviously, your car’s connection to the Internet is there for for various reasons such as telemetry data or value added services, but will get even more integral for solutions of autonomous driving.
Previous attempts to control cars over the CAN bus were rather clumsy and required physical access to the CAN to be possible.
Back then, however, their hacks had a comforting limitation: The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems.
However, as usual in this topic, it is always just a matter of time until somebody finds a better exploit for easier access and more control. A report from wired.com seems to indicate that two researchers – Charlie Miller and Chris Valasek -have found a way into at least one of the common connected car solutions – Uconnect from Fiat Chrysler. The report states that Miller and Valasek were able to remotely get control of the head unit of affected cars, install patches to the firmware, and subsequently are able to communicate with the CAN bus. With far reaching options from turning on the wipers to disengaging the transmission or brakes.
And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.
We still have to see proof and validation of the exploit, though. Miller and Valasek are going to present during the next Black Hat Conference, and I guess (and hope!) that they will have some attentive automotive guys in the audience.