Wired shows Fiat’s Uconnect hacked on the road

In an exposé that has been years in the making, Fiat Chrysler’s Jeep Cherokee was experimentally hacked by two computer programmers and featured Tuesday on Wired’s website. Using laptops, cyber-security experts Charlie Miller and Chris Valasek remotely accessed the Cherokee’s entertainment system through the Fiat’s Uconnect feature (an internet connection with WiFi) to manipulate command codes.

The new codes re-written by the pair were then sent through the Cherokee’s computer network to control everything from electronics (A/C, radio, windshield wipers, headlights), to the vehicle’s mechanics.

In the on-road test conducted along I-64 in Missouri, the transmission, brakes, and steering were all controlled from Miller’s residence 10 miles away. The duo can also track a Uconnect vehicle’s GPS coordinates, speed, and route, using a similar programming technique.

According to Miller and Valasek, all Chrysler’s made from late 2013 through early 2015 with Uconnect are vulnerable to unauthorized entry of its board software. The good news is that they have been sharing their cyber exploits directly with Fiat-Chrysler, which has since released a software patch fix that is available on the company’s website.

Also on Tuesday, Sens. Markey (D-MA) and Blumenthal (D-CT) introduced a bill which calls for the National Highway Traffic Safety Administration to set security standards on connected vehicles’ software systems. The proposed legislation would also require car manufacturers to disclose their vehicle’s data-collecting technology, and allow buyers to opt-out of sharing information used for advertising.

In 2014, Miller and Valasek conducted a study of the vulnerability of cars, trucks, and SUVs to a cyber attack by downloading technical manuals and wiring diagrams directly from manufacturer websites. Analysis of 24 internet-connected vehicles’ radio connection, software isolation from driving system, and protection from remote control of mechanics, found that the Jeep Cherokee, Cadillac Escalade, Infiniti Q50, to be the most prone to a potential cyber attack.

Miller and Valsek plan to reveal the details of their Jeep Cherokee hacking experiment (including programming codes) next month at the Blackhat conference in Las Vegas.