The latest report of how hackers were able to remotely control a Jeep Cherokee is rather frightening. In their rush to Internet-enable their vehicles, some manufacturers appear to have neglected the security aspect of their systems.
In this report, it seems that Chrysler’s Uconnect system lets anyone who knows the IP address (numbers that identify it uniquely on the Internet) of a vehicle access it from anywhere! There’s a lot more to the hack than just accessing the vehicle’s system, of course, but it is astonishing that there seems to be no attempt to authenticate connection attempts! As a comparison, imagine anyone being able to log onto your PC, tablet or phone as long as they can find your IP address – something you provide to Gmail or Facebook every time you access them.
Once the hacker has logged onto the vehicle remotely, this particular hack involves a sophisticated rewrite of the entertainment system’s software. This enables commands to be sent throughout the vehicle’s computer network, including to critical components such as braking systems. Few people would be capable of writing code that can do this, but that is of little comfort – once code like this has been written and becomes widely available, almost anyone would be able to use it.
Fortunately for Chrysler, the researchers who uncovered this security flaw have been working closely with Chrysler to enable them to develop a patch before they make the details of the attack more public. This is of limited value though, as it will need to be manually applied to each affected vehicle. Inevitably, many vehicles will never receive the patch and will remain vulnerable. It seems also inevitable that at some point we will see exploits of this flaw that will eventually result in injury or death.
The lesson here for vehicle manufacturers is that when vehicle computers are connected to a network, security immediately becomes a high priority. Traditional vehicle locks, which have become increasingly effective in recent years, suddenly no longer protect the system. It is not enough to rely on “security by obscurity” – assuming that because the IP addresses of cars are not widely available that no further security measures are required to prevent unauthorized access. Vehicle manufacturers need to treat security seriously.