Car companies have a history of large-scale recalls for their products. After all, the safety of their customers falls directly on the shoulders of automakers, so why take a chance? But what about computer glitches or even hacks? When is proactive too proactive and when is it not even enough?
Some of today’s cars come equipped with the option to connect to the Internet, but are they safe from hackers? Connected cars can access wireless broadband networks via built-in cellular modems. They allow passengers to stream audio and video, access traffic information and navigate using a touchscreen on the dash. Cyber security experts worry that these connected cars lack adequate digital security and are vulnerable to malicious hackers.
Last week two white hat hackers demonstrated to a Wired Magazine reporter that they could take control of critical functions on a 2014 Jeep Cherokee. Hackers Charlie Miller and Chris Valasek were able to disable the transmission, spray the windshield with wiper fluid and even engage and disable the brakes. The pair will be presenting details on how they accomplished the hack at next month’s Black Hat cyber security conference in Las Vegas.
The pair said the hack seems to work on any Chrysler vehicle equipped with the Uconnect entertainment system. The Uconnect uses Sprint’s network, and an attacker can scan the carrier’s network for vulnerable targets using a Sprint phone as a WiFi hotspot. Once an attacker has the vehicle’s network information, they can wirelessly overwrite the firmware in the device and take control of the vehicle’s functions from virtually anywhere. Even more alarming, a skilled hacker could program the compromised Uconnect to scan, locate and attack other vehicles through Sprint’s network like a computer worm.
Several years ago Miller and Valasek demonstrated hacking different vehicles through the diagnostic port used by mechanics. Some in the automotive industry scoffed at the potential threat because the hacker would need physical access to the vehicle and the port. Now the prospect of remote hacking has the industry spooked.
Miller and Valasek have been working with Chrysler since they discovered the vulnerability, and the automaker has issued a patch that closes the security loophole. However, the pair plan to release parts of their code at the Black Hat conference for peer review. The released code will allow potential digital carjackers to access some of the less dangerous attacks.
Chrysler has issued a recall notice for over 1.4 million vehicles urging owners to install the software update. The patch requires the vehicle’s owner to take it to the dealer or download it onto a USB thumb drive, so many vehicles will probably remain vulnerable at the time of the conference. If you own one of these vehicles and aren’t sure if it needs the patch, you can check by entering your vehicle’s VIN into this website here.
There is no doubt that connected cars are traveling on a highway where old tech thinking and new tech thinking must eventually merge. On the one hand, obscure security holes detected in your PC’s OS usually result in immediate and unconsented updates to your computer. This is for your own good. Malware and viruses are hardly life-threatening on any PC, but the same cannot be said about a connected car. The dangers have been clearly demonstrated by many car hackers past and present, even if they are not an immediate threat to your ’98 Corolla.
So why hasn’t the auto industry defined and implemented procedures to auto-update or, at the very least, allow consumers to update their connected vehicles easily and securely?
On the other hand, Chrysler recalls 1.4 million vehicles based on the possible threat of a hack to those cars. No one has been injured and the hacking threat is still largely unproven, but Chrysler is being very proactive here. Let’s just hope that the connected car industry doesn’t shut down the entire auto industry before we can experience all the safety and conveniences that connected vehicles offer.