Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car's brakes and engine can be remotely controlled by anyone with an internet connection.
"This update might not sound particularly important, but trust me, if you can, you really should install this one." — Charlie Miller (@0xcharlie) July 20, 2015
At next month's Black Hat hacking conference in Las Vegas, Charlie Miller and Chris Valasek – a duo who have hacked more cars than Mad Max – will show off an attack on a Jeep Cherokee that enables the remote control of the car's engine, brakes, and minor systems from miles away simply by knowing the car's public IP address.
The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car's controls, and potentially physically crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.
Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.
In short, make sure your car's software is up to date; check your manual for details on obtaining the latest firmware.
Miller and Valasek have spent years investigating car computer security, sometimes funded by the US Defense Advanced Research Projects Agency. Last year at Black Hat, the two showed off similar hacks, and they have now persuaded politicians of the need for action.
Better late than never
On Tuesday, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Security and Privacy in Your Car (SPY Car) Act, which will require motor manufacturers to get their acts together on car operating systems.
"Drivers shouldn't have to choose between being connected and being protected," said Senator Markey.
"We need clear rules of the road that protect cars from hackers, and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security, and privacy of drivers in the modern age of increasingly connected vehicles."
The legislation would require the National Highway Traffic Safety Administration and the Federal Trade Commission to establish a basic set of security standards that lock off critical systems, like steering and engine power, to ensure that they can't be remotely controlled.
These would come into effect two years after the legislation is passed and would be tested regularly by penetration experts to ensure that the security is current and practical. There would be a $5,000 fine for each violation of security standards.
In addition, the bill would require manufacturers to take reasonable steps to protect the data collected on a driver's habits from being slurped. They will also have to display a "cyber dashboard" sticker on new cars indicating what data is collected and how it is protected.
"As America's vehicles become more and more connected to the internet, and wireless vehicle to vehicle technology adds important safety to tomorrow's cars, vital security and privacy concerns need to be addressed as well," said Jack Gillis of the Consumer Federation of America.
"Senator Markey and Blumenthal's SPY Car Act will help prevent hacking attacks and ensure personal privacy as new vehicle safety and monitoring technology is introduced." ®