Jeep breach: Scared? You should be, it could be you next

Why the hell connect cars to the net anyway?


Other vehicles may be at risk from hacking following the Jeep Cherokee incident, according to one of the two researchers who pioneered the spectacular auto exploit.

Renowned car security researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee over a mobile network and found a way to control critical systems, after gaining entry through its connected infotainment system, Uconnect.

The duo previously hacked a Toyota Prius and a Ford Escape, although those hacks relied on taking over a vehicle's systems by plugging directly into a car's network via a port under the dashboard.

The latest hack allowed the duo to take over a Jeep from 10 miles away, meaning they could take over, turn on the AC, blast music, disable the transmission and even disable the brakes. The researchers demonstrated how skilled hackers might be able to hack into vulnerable cars simply by knowing the the vehicle's IP address.

The researchers previewed an upcoming Black Hat talk by demoing the hack to Wired journalist Andy Greenberg who describes what it was like to become a passenger in the Jeep car he was driving after the hackers hijacked it.

The Jeep ended up in a ditch after its brakes were remotely disabled at the climax of the hack.

Fiat: No 'real world' incidents, but patch anyway

Fiat Chrysler Automotive – manufacturers of the Jeep Cherokee – were aware of the hack before it was demonstrated and had already released firmware patches for vulnerable vehicles.

Only cars sold in the US were ever vulnerable due to the way the connectivity for the technology works, as a blog post by Fiat Chrysler (containing a full list of vulnerable models running previously hackable navigation/entertainment systems) explains.

The car maker is understandably keen to play down motorists’ potential fears when learning of the alarming demo hack. “To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorised remote hack into any FCA vehicle,” Fiat Chrysler said.

A total of ten models of Fiat Chrysler vehicles (Ram, Durango, and Jeeps) equipped with the vulnerable 8.4-inch touchscreen Uconnect system are exposed to potential hacking unless patched, Fiat Chrysler said, adding that it’s working with suppliers to implement additional protocols to block remote access.

Next page: Cyber carjacking

Similar topics


Other stories you might like

  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Ubuntu releases Core 22: Its IoT and edge distro
    A tougher nut to crack than the regular flavor, some will find it very tasty

    Canonical's Linux distro for edge devices and the Internet of Things, Ubuntu Core 22, is out.

    This is the fourth release of Ubuntu Core, and as you might guess from the version number, it's based on the current Long Term Support release of Ubuntu, version 22.04.

    Ubuntu Core is quite a different product from normal Ubuntu, even the text-only Ubuntu Server. Core has no conventional package manager, just Snap, and the OS itself is built from Snap packages. Snap installations and updates are transactional: this means that either they succeed completely, or the OS automatically rolls them back, leaving no trace except an entry in a log file.

    Continue reading

Biting the hand that feeds IT © 1998–2022