The minute you connect a car to the internet, you’re exposing it to the risk of hacking – and even if it’s only the entertainment system that’s supposed to be online, a skilled hacker can now remotely take control of just about any electronically controlled part of your car, including the steering, throttle and brakes. And this isn't some distant thing to worry about in the future. One Wired reporter just had the terrifying experience of having his Jeep Cherokee taken over by hackers while he was on the freeway. Like a scene in a horror movie, he found himself a helpless passenger in his car as he lost control of its functions one by one.
If you drive a late model car, driver assist technology now operates an awful lot of it on your behalf. But if that car is connected to the internet as well, as a lot of them are, you could be exposing a horrifying amount of control to hackers.
A pair of Missouri-based hackers have put on an extraordinary demonstration by logging into a Jeep Cherokee remotely, while it was being driven by Wired reporter Andy Greenberg, and systematically taking over the car’s functionality. First, they hit him with cold air through the air-con system, then they blasted Kanye West through the stereo at full volume, rendering the volume knob completely useless. They flashed up a picture of themselves on the car’s console and set the windscreen wipers going full blast, squirting cleaning fluid onto the windscreen and making it difficult to see.
But these were just warmups to the main event – next, they took over the engine and shut it off completely, leaving the driver powerless and coasting on the freeway as traffic flashed past around him. Then, once he was off the highway, they showed how they could completely disable the brakes, and take over the steering of the car – only at slow speeds and in reverse, but they’re working on unlocking new abilities every day.
If the safety implications of this kind of hack aren’t scary enough, consider the privacy angle. The pair say they can easily track the car through its on-board GPS, plotting out its course neatly on a map in real time.
Worse still, this was an unmodified car. The two hackers, Charlie Miller and Chris Valasek, had previously demonstrated similar capabilities when plugged into a car’s on-board diagnostics port, but this time they broke in from their lounge room, using an exploit they’ve found in the Jeep’s internet-enabled entertainment system – Uconnect. They believe it’s an exploit that should work on the majority of internet-connected late model Chryslers – all they need is the car’s IP address and they’re in. In fact, as reporter Andy Greenberg looked on, they located and hacked into a series of other moving cars all around the country.
Miller and Valasek are preparing to release some details of the hack at the Black Hat security conference in Vegas next month. They’ve been working with Chrysler to make sure this exploit is patched and the 471,000-odd vulnerable vehicles in the US are secured well before the Black Hat conference. Still, the whole thing is a big wake-up call for auto manufacturers: connected car cybersecurity is going to have to be absolutely paramount going forward. This goes double for anyone building an autonomous car, in which the terrified victim won’t even have access to a steering wheel when things start going skew-whiff. Scary stuff.