CyberjackingHackers take remote control of a Jeep, forcing it into a ditch

Published 22 July 2015

Security experts have called on owners of Fiat Chrysler Automobiles vehicles to update their onboard software to make their vehicles better protected against hackers. The call comes after researchers demonstrated they could hack and take control of a Jeep over the Internet. The researchers disabled the engine and brakes and crashed the Jeep into a ditch – while the driver was sill behind the wheel.

Security experts have called on owners of Fiat Chrysler Automobiles vehicles to update their onboard software to make their vehicles better protected against hackers. The call comes after researchers demonstrated they could hack and take control of a Jeep over the Internet. The researchers disabled the engine and brakes and crashed it into a ditch.

Cyber experts say that FCA’s Uconnect Internet-enabled software has a vulnerability which allows hackers remotely to take control of the car. Cars’ computerized systems have been hacked before, but earlier demonstrations of such attacks on involved gaining control of the vehicle’s entertainment system. The Uconnect hack took control over the car’s driving systems — from the GPS and windscreen wipers to the steering, brakes, and engine control.

The Guardian reports that the Uconnect system is installed in hundreds of thousands of cars made by FCA group since late 2013. The system allows car owners remotely to start the car, unlock doors, and flash the headlights.

Andy Greenberg reported in Wired that security researchers Charlie Miller and Chris Valasek — who had earlier demonstrated attacks on a Toyota Prius and a Ford Escape — used a laptop and a mobile phone on the Sprint network to take control of a Greenberg’s Jeep Cherokee while he was driving it. The two researchers demonstrated how they could take control of the Jeep away from the driver behind the wheel and force it into a ditch.

Miller and Valasek informed FCA about the vulnerability, and on 16 July the manufacturer issues a security patch.

Owners must update their cars manually by visiting FCA Web site to download a program onto a USB flash drive. The drive must then be inserted into the car’s USB socket.

Graham Cluley, an independent security expert, added that although the researchers demonstrated the Uconnect vulnerability on a Jeep, “the attacks could be tweaked to work on any Chrysler car with a vulnerable Uconnect head unit.”

“You should consider installing a security update that Jeep has issued for cars fitted with a model RA3 or model RA4 radio/navigation system,” Cluley writes.