470,000 Vehicles At Risk After Hackers "Take Control & Crash" Jeep Cherokee From A Sofa 10 Miles Away

Tyler Durden's picture

In what is being called "the first of its kind," Wired.com reports that hackers, using just a laptop and mobile phone, accessed a Jeep Cherokee's on-board systems (via its wireless internet connection), took control and crashed the car into a ditch from 10 miles away sitting on their sofa. As The Telegraph details, the breach was revealed by security researchers Charlie Miller, a former staffer at the NSA, and Chris Valasek, who warned that more than 470,000 cars made by Fiat Chrysler could be at risk of being attacked by similar means. Coming just weeks after the FBI claimed a US hacker took control of a passenger jet he was on in the first known such incident of its kind, the incident shows just how vulnerable we are to modern technology.

As The Telegraph reports, the hackers (security experts) worked with Andy Greenberg, a writer with tech website Wired.com, who drove the Jeep Cherokee on public roads in St Louis, Missouri...

In his disturbing account Greenberg described how the air vents started blasting out cold air and the radio came on full blast when the hack began.

The windscreen wipers turned on with wiper fluid, blurring the glass, and a picture of the two hackers appeared on the car’s digital display to signify they had gained access.

Greenberg said that the hackers then slowed the car to a halt just as he was getting on the highway, causing a tailback behind him - though it got worse after that.

He wrote: ‘The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.

‘The researchers say they’re working on perfecting their steering control - for now they can only hijack the wheel when the Jeep is in reverse.

‘Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.’

The hack was possible thanks to Uconnect, the Internet connected computer feature that has been installed in fleets of Fiat Chrysler cars since late 2013.

It controls the entertainment system, deals with navigation and allows phone calls.

The feature also allows owners to start the car remotely, flash the headlights using an app and unlock doors.

But according to Miller and Valasek, the on-board Internet connection is a ‘super nice vulnerability’ for hackers.

All they have to do is work out the car’s IP address and know how to break into its systems and they can take control.

In a statement to Wired.com Fiat Chrysler said:

"Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.

"We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety."

*  *  *

AlaricBalth's picture

Ashley Madison clients who own Jeeps are having a really bad week!!!

Waylon Bits's picture
Waylon Bits (not verified) Xibalba Jul 21, 2015 7:41 PM

FUCK YEAH HACK TEH PLANET!!!

bunzbunzbunz's picture

Well...Chrysler makes bad cars and all, but what info from the car do they need before being able to hack it? IP address? MAC address? Both?

Edit: I used my brain to read more and saw IP address....so...basically don't give away your car's IP address and you are good. I don't know how Sprint IP addresses are distributed on their networks...perhaps there is a known regional pattern. I guess you could have fun with that.

neilhorn's picture

"Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems."

Under no circumstances do we who drive cars at 70 mph on public roads believe it is appropriate for our cars to be susceptible to hackers to take control of the car and crash it. That would potentially hurt or kill us consumers and discourage us from buying your ethanol burning piece of junk.

Mentaliusanything's picture

Well that makes it McCrystal clear - RIP Michael Hastings - never screw the Military pooch

https://en.wikipedia.org/wiki/Michael_Hastings_%28journalist%29#/media/F...

usednabused's picture

So how much is gov, er I mean the taxslaves paying for each of their cars to make them hackproof? Millions per? No Big Fucking Deal, right? It's just somebody else's money. Somebody that's not even born yet.

And you can bet that's what's happening or they would have to ride John Kerry, er I meant a horse, to work. Because there's plenty of people, oops meant terrorists, that would love to derail their mercedes.

Manthong's picture

Well,  you cannot crash my model 2000 year rust-less garage queen Grand Cherokee with 45 k-miles on it.

..and I figure on having it for at least another 15 years.

shove that up your butt, hackers, Detroit and Fed.

the only problem with the idiot design is that the air dampers cycle with every ignition turn on and that it costs $1500.00 to tear out the console and replace a freaking solenoid.

so NBFD.. I don't use the air anymore.

maybe we can crowd source a people's car..  f the regulators... just sell parts.. put it together in the garage.

mkkby's picture

If your car has internet access I suggest you figure out how to disconnect the muther fucking antenna NOW.  I'll keep driving my 95 honda until the wheels fall off.  It only has 165k miles, so that could be another 20 years.

Manthong's picture

I will never own a horribly connected car.

Buy used old stuff.. there are a lot of good deals out there.

Alvin Fernald's picture

"maybe we can crowd source a people's car.. f the regulators... just sell parts.. put it together in the garage."
+1 this is an excellent idea. maybe as 3d printing tech matures, these two ideas will come together.

Manthong's picture

gimme  a printer big enough to do a steel .409... please

but.. enjoy... buy old..

https://www.youtube.com/watch?v=N5V3wcREqcI

 

Gaius Frakkin' Baltar's picture

I'm surprised this hasn't happened before now... oh wait it has.

Sounds like time for more regulations. No doubt the legislation will be written behind closed doors and force all cars to be networked for "safety" reasons.

bmr22's picture

1986 Toyota Camry here 215 thou and still going strong

bunzbunzbunz's picture

roffle....you can't get into that car with a cell network, no. But, there are other ways to hack your car from a close distance. Your anti-lock brakes for instance send a signal back to a computer that decides to prevent your brakes from clamping. Replicate that signal and focus it near your brakes...a number of other signals are there for the offering. Though a hack like this would take a lot more investment in money/time, so it is less likely.

sand_puppy's picture

http://www.huffingtonpost.com/2013/06/24/michael-hastings-car-hacked_n_3...

"The peculiar circumstances of journalist Michael Hastings' death in Los Angeles last week have unleashed a wave of conspiracy theories.

Now there's another theory to contribute to the paranoia: According to a prominent security analyst, technology exists that could've allowed someone to hack his car. Former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke told The Huffington Post that what is known about the single-vehicle crash is "consistent with a car cyber attack."

Clarke said, "There is reason to believe that intelligence agencies for major powers" -- including the United States -- know how to remotely seize control of a car."

And this is what they are ADMITTING in public....

Wary Hanger's picture
Wary Hanger (not verified) neilhorn Jul 21, 2015 8:04 PM

fonestar got .000000000000001 bitcoin for the hack

Stackers's picture

What was the name of that reporter that died in a strange car crash a couple of years ago ?

Michael Hastings .........

http://www.huffingtonpost.com/2013/06/24/michael-hastings-car-hacked_n_3...

From 2013 ........

"What has been revealed as a result of some research at universities is that it's relatively easy to hack your way into the control system of a car, and to do such things as cause acceleration when the driver doesn't want acceleration, to throw on the brakes when the driver doesn't want the brakes on, to launch an air bag," Clarke told The Huffington Post. "You can do some really highly destructive things now, through hacking a car, and it's not that hard."

lakecity55's picture

Must not be too hard to do on Malaysian airplanes, either.

willwork4food's picture

Or on airlines headed for NYC without permission.

MontgomeryScott's picture

Research 'Boeing Uninterruptible AutoPilot' ('B.U.A.P.').

19 Arab hijackers who lacked basic piloting skills, led by a religious zealot with major health issues in a cave in Tora Bora using a laptop and a cellphone, overcame the most sophisticated air defenses in the entire world, managing to fly totally unmolested in the world's most-heavily defended airspace; crashing into the financial centers of the New West; and the most heavily-defended building on the entire GLOBE (for a period of almost TWO HOURS); hitting 75% of their targets with PINPOINT ACCURACY.

'Let us never tolerate wild conspiracy theories regarding the attacks of 9/11...' (GWBush, U.N. speech)

 

MontgomeryScott's picture

Michael Hastings .........

YES, YES, YES, YES, YES!

 

I can do it wired with my Snap-On SOLUS (equipped with European software upgrades, and updated for 2014). HELL, I only have the tool to do DIAGNOSTICS. Roll the windows up and down, up the engine RPM, run the A/C, lock the doors, kill individual cylinders, kill the fuel pump, honk the horn, stuff like that...

WIRELESS is REALLY, REALLY FUCKING VULNERABLE in a car. REALLY DANGEROUS SHIT. SERIOUS 'KILL THE OCCUPANTS' stuff.

The ONLY vehicle you want to buy/own/operate HAS to be PRE-OBD-II (at LEAST). Hard to find one that isn't 'cash-for-clunkered', or worn the fuck out...

This shit STARTED with G.M.'s 'ONSTAR'.

The stuff that these amateur hackers did to the 'jeep' (I hesitate to call it a JEEP, because it really ISN'T; it's a Cerberus/Daimler/FIAT for God's sake) ain't SHIT compared to the capabilities of the PROFESSIONALS (in various, ahem, 'sectors' of totalitarian governments around the globe).

HuffPo ain't shit. Ariana used to be pretty attractive (a long time ago).

FIAT. Fucking FIAT!

GET THIS CLEARLY, PLAINLY, AND TRUTHFULLY: In my locale, the local Dodge dealer doesn't sell FUCKING FIATS; BUT, the G.M. conglomerate DOES. WTF is THIS shit?

ONE car, ONE government...

 

boattrash's picture

M.S. I got my 90 Mercury Grand Marquis wiped out on the freeway in June, (assclown driving by a UK kid) and I'm still sick about the loss...

Proofreder's picture

I guess if you don't give (ping) out the IP address (ping)

there is NO WAY (ping) some low-life hacker (traceroute) can obtain enough information through the web to break into someone's car and control (http:/ /47.128.16.32:53341/redirect/omg) the vehicle.  Gotta be putting me on, man. (golf clap)

bunzbunzbunz's picture

Yes...if you know the IP address, you can ping and traceroute it...what is your point? You could indeed ping/tr all known Sprint mobile IP addresses until you find one that looks like a car. But you wouldn't know whose car it was.

Now if you want to talk seriously about it, if you were able to break the encryption on Sprint signals, then you could indeed go up to the car, record the encrypted data between car and tower, then decrypt it to find the IP address. I guess I haven't tried sniffing on a mobile network though. I suppose if you have a Sprint phone close to the car...I don't know mobile networks well enough to know what you would see. Please enlighten me.

Libertarian777's picture

I'm not a security professional by any means but if any of the following were to occur from a big corporate it would be trivial to bypass encryption.

Encryption algorithm might be unbreakable but it means fk all if:

1. they hardcode a password in it, e.g. most webcams

2. they use a root certificate (the same one) in all the cars

3. they use older technologies (WPA, WEP, 2G, 3G) which are already trivial to brute force

4. they use generic encryption keys/passwords (do you honestly believe a CAR company knows how to manage tens of millions of individual encryption keys that they'll need to use when servicing a car?)

Luckhasit's picture

With that on board wifi, all it needs to do is drive through a neighborhood and they've got your wifi access point details (learned a lot from war driving). However, unless those hackers used a rainbow table, I doubt they would have gotten access unless the victims had a terribly easy password or were just stupid and left it open.

gimme-gimme-gimme's picture

Unfortunately the IP address isn't like your phone number (that you give out)

It's assigned by an ISP, and assuming Chrysler uses the same ISP (kinda like onstar or something)

Hackers can easily find out the IP ranges, scan them and get the IPs that way.  I have no clue how this was done, but knowing Chrysler they are probably such fucking stupid morons that the car has no software firewall or non existent access controls to that uconnect bullshit software which is wide open and accessible to the internet.

If this is the case and I owned one of these cars I would do the following until a fix is ready:

Call Chrysler and have them hard cutoff whatever is connecting the car to the internet (probably some kind of LTE modem, so they should remove the sim) and make sure that Uconnect is disabled too.

It's actually quite insane that these shitty softwares are not sandboxed from the car's main control system.

bunzbunzbunz's picture

Everything you said is true. My point is that the hacker would have no clue whose car they are hacking with any given IP address even if they were to determine it was a car.

I can assure you, the hackers in this situation made DAMN well sure they knew the correct IP address, MAC address, and any other hardware ID they could get so as to ensure they didn't murder some random person that day.

It is a lot easier to hack a willing participant's device than some target with unknown details.

Though it would be pointless to ask chrysler to fix the problem. You would likely just want to pull the fuse to the mobile system in the car. Just hope it isn't also in line with something useful, like headlights....or the ECU.

live free's picture

You know I have thought for a few years that this was the reason for cash for clunkers... to get everyone into trackable cars.  How paranoid is that?

bunzbunzbunz's picture

Nope, just stimulus for dying car manufacturers.

TheEndIsNear's picture

Both the IP address and MAC address are very easy to acquire.

omniversling's picture

RIP Michael Hastings.

Vehicle = node on inet of everything. GeoSpatial Intelligence. See how it works here. Then check out Patrick Wood on Technocracy:

JADE HELM WARNING/THE PROBE/PART 1
https://www.youtube.com/watch?v=qRJbkau93SA
Jade Helm/The Probe/Part 2
 https://www.youtube.com/watch?v=nJTNCKvvljc

Jade Helm/The Probe/Part 2 is a short clip that fills in a lot of gaps about the US military Artificial Intelligent Battlefield Command 'entity' (quantum computer). This is about knowing EVERYTHING possible about EVERYTHING that's going on in the Planetosphere ALL THE TIME.
Using obvious data mined sites like YouTube, FaceBook and Google, but also from 'smart sensors/dust (chemtrails?) to the entire internet traffic which is being recorded and stored by the NSA and other 'deep state' agencies. I believe CERN is also in on this, attempting to discover 'parallel dimensions'. Think: 3D real time interrogateable and viewable avatar/holograms, mirroring what you are doing and thinking at all times, at the touch of a screen, or 'INSIDE' your brain/senses/memory/thoughts, somewhere in cyberspace, and summonable at any designated node/terminal.

Conference and contact: http://geoint2015.com/

Open Geospatial Consortium
https://en.wikipedia.org/wiki/Open_Geospatial_Consortium

Don't overlook the announcement of the US Command considers that the whole planet is now 'US Battlespace'. Read this for insight:

Wars Are Not Fought on Battlefields - David Swanson (http://davidswanson.org/)
http://www.globalresearch.ca/wars-are-not-fought-on-battlefields/22860

USAF seeks to ‘disrupt, deny, degrade, destroy, or deceive’ adversaries via cyberwarfare

http://www.activistpost.com/2012/08/usaf-seeks-to-disrupt-deny-degrade.html

Patrick Wood - Technocracy Rising

http://www.technocracyrising.com/

http://www.redicecreations.com/radio/2015/04/RIR-150422.php

TECHNOCRACY RISING: Patrick Wood On Caravan To Midnight

http://oathkeepers.org/oktester/technocracy-rising-patrick-wood-on-carav...

 

SmokinMonkey's picture

Chrysler just issued a memo banning the following words to describe this problem...err condition

always, annihilate, apocalyptic, asphyxiating, bad, Band-Aid, big time, brakes like an “X” car, cataclysmic, catastrophic, Challenger, chaotic, Cobain, condemns, Corvair-like, crippling, critical, dangerous, deathtrap, debilitating, decapitating, defect, defective, detonate, disemboweling, enfeebling, evil, eviscerated, explode, failed, flawed, genocide, ghastly, grenadelike, grisly, gruesome, Hindenburg, Hobbling, Horrific, impaling, inferno, Kevorkianesque, lacerating, life-threatening, maiming, malicious, mangling, maniacal, mutilating, never, potentially-disfiguring, powder keg, problem, rolling sarcophagus (tomb or coffin), safety, safety related, serious, spontaneous combustion, startling, suffocating, suicidal, terrifying, Titanic, unstable, widow-maker, words or phrases with a biblical connotation, you’re toast

Miffed Microbiologist's picture

And people laugh at me for not having OnStar. Who's laughing now!

Miffed;-)

WillyGroper's picture

this luddite needs to find the fuse panel and appropriate circuitry.

doesn't matter if you use/pay for it.

it's there.

the advent of all these cameras at intersections makes me want to get an infrared penlite to mount on the RV mirror.

lakecity55's picture

"Hello, Mr Smith."
"B-B-Bathouse?? Is that you on my radio speakers?"
"Yes Mr Smith. I've overheard you say you might oppose a third term for me." (Car begins to speed up.)
"Well err, (getting nervous as the speedo hits 80), all presidents are only supposed to have two terms."
(Car begins careening in and out of traffic)
"But I am not like just any president, am I, Mr Smith?"
"That's for sure."
"So you will support me in the 'speshul' election?"
"S-S-Sure, please! Slow down!"
The car resumes its normal operation.
"Thanks, and good day, Mr Smith. I have other calls to make."
*Click*

disabledvet's picture

But Warsaw say ZEE GERMAN ARE SUPERIOR IN EVERY WAY!

NO SOUP FOR YOU OSTLANDER!

Waylon Bits's picture

Miffed you muff, teh we laughs at you ALWAYS!!

El Vaquero's picture

OnStar?  Shit, my vehicle has OBD1.  That's late 80s/early 90s technology.  And you know what?  It works!

Waylon Bits's picture
Waylon Bits (not verified) El Vaquero Jul 21, 2015 7:54 PM

We upgraded from OnStar to fonestar!  Make teh change today!

 

https://localbitcoins.com

large_wooden_badger's picture

I have such fond memories of reading EEC-IV codes by listening to beep counts and flashing lights, good times!

El Vaquero's picture

Yup.  Turn the key on and off rapidly several times and leave it in the on position and wait for the check engine light to start blinking at me.  55 is the "Done throwing codes" code.

logicalman's picture

People laugh at me for not having a car!

People laugh at me for not having a tracking device, I mean cell phone.

People laugh at me for not having a credit card.

People laugh at me for not having a TV.

Who gives a fuck.

bunzbunzbunz's picture

But nobody is laughing at you for using the internet. Think about it.

TheEndIsNear's picture

Yea, but he's behind 7 proxies!