Hackers Remotely Kill a Jeep on the Highway—With Me in It

[BananaDan]

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/?mbid=social_fb

This is a good read regarding the security vulnerabilities in modern cars. Unfortunately for Fiat Chrysler, the article centers around the UCONNECT system problems however the problem definitely affects most manufacturers.  I'm planning on buying a Durango, likely a 2013 or 2014 in the next 6-12 months. I never sign up for the remote maintenance/concierge services on my cars. Does anyone know if it is possible/easy to disable the cellular radio they use so your car isn't connected to the internet if you don't plan to use those services?

[66FBCharger]

Pretty scary stuff!

[myk]

I'll stick with my "dumb" cars; cassette players and all...

[wingcar]

I'll stick with my "dumb" cars; cassette players and all...

"Dumb" cars could just be the "smart" cars of the future.....

[DixieRestoParts]

Wow.

[Mike DC]

   
I'm calling it now:  The industry will spend years trying to fight this problem with more complexity & integration & remote accessing, not less.

The solution is stupid-ass-obvious.  They need to firewall the relevant vehicle control systems at the vehicle hardware itself.  No remote access to any of it, period.  But this is such an elegant & simple & obvious solution that there's no way the industry will do it.  Not voluntarily.  Not before they have exhausted every other possible alternative and spent more money on other methods than this one would cost in the first place.   

[draftingmonkey]

Just think what will happen on our roads when there are millions of self driving vehicles on the road and then somebody hacks their drive systems. Pretty scary thought.

[Troy]

There's a limit to what it can and can't control. The reason has to do with the way these systems are integrated. This hack centers on the entertainment system - but in most cars that's also somewhat connected to mechanical systems. In my new Charger I can control the steering assist and transmission shift points through the center display. The cruise control can manipulate the throttle position. Other cars have adaptive cruise control and collision avoidance which can apply the brakes and even bring the vehicle to a complete stop. I can start my car or lock the doors from my desktop computer in my office or even my cell phone. Is that necessary. No, not to me. Unhooking all this stuff isn't as easy as you'd think because manufacturers have spent years integrating it all. Consumers demand their cars work like their smart phones and they don't much care about security - until something goes wrong (usually through their own fault). As a software developer I'm always hearing about how we shouldn't allow a user make a mistake - but the second we limit the user's ability to do everything they deem necessary we're told the software isn't flexible enough.

If you read the whole article, Chrysler has already plugged the hole in their software. That doesn't meant there won't be another. Plus, the Sprint cell network apparently needs a little work.

Troy

[Baldwinvette77]

Cool, Looks like there was some truth to the hacked BMW's in fast and furious 6 

[Mike DC]

There's a limit to what it can and can't control. The reason has to do with the way these systems are integrated. This hack centers on the entertainment system - but in most cars that's also somewhat connected to mechanical systems. In my new Charger I can control the steering assist and transmission shift points through the center display. The cruise control can manipulate the throttle position. Other cars have adaptive cruise control and collision avoidance which can apply the brakes and even bring the vehicle to a complete stop. I can start my car or lock the doors from my desktop computer in my office or even my cell phone. Is that necessary. No, not to me. Unhooking all this stuff isn't as easy as you'd think because manufacturers have spent years integrating it all. Consumers demand their cars work like their smart phones and they don't much care about security - until something goes wrong (usually through their own fault). As a software developer I'm always hearing about how we shouldn't allow a user make a mistake - but the second we limit the user's ability to do everything they deem necessary we're told the software isn't flexible enough. eyes

If you read the whole article, Chrysler has already plugged the hole in their software. That doesn't meant there won't be another. Plus, the Sprint cell network apparently needs a little work.

It doesn't matter how difficult it would be to unhook the crucial stuff.  It NEEDS unhooking and that's all there is to it.  They can unhook all the safety-related systems, or they can find their cars on the news, settle a bunch of wrongful death suits out of court, hurt their company's image for the next 15+ years .  .  .  and then finally admit defeat & unhook it all anyway.  (That will probably be about 10 years after the Japanese & European brands have already done it.)   

If the demands of firewalling the safety issues cause the in-dash-everything screen to literally be two different screens, then so be it.  It will only hurt sales briefly until the rest of the industry gets its head out of its collective ass and does the same.  

[ws23rt]

There's a limit to what it can and can't control. The reason has to do with the way these systems are integrated. This hack centers on the entertainment system - but in most cars that's also somewhat connected to mechanical systems. In my new Charger I can control the steering assist and transmission shift points through the center display. The cruise control can manipulate the throttle position. Other cars have adaptive cruise control and collision avoidance which can apply the brakes and even bring the vehicle to a complete stop. I can start my car or lock the doors from my desktop computer in my office or even my cell phone. Is that necessary. No, not to me. Unhooking all this stuff isn't as easy as you'd think because manufacturers have spent years integrating it all. Consumers demand their cars work like their smart phones and they don't much care about security - until something goes wrong (usually through their own fault). As a software developer I'm always hearing about how we shouldn't allow a user make a mistake - but the second we limit the user's ability to do everything they deem necessary we're told the software isn't flexible enough. eyes

If you read the whole article, Chrysler has already plugged the hole in their software. That doesn't meant there won't be another. Plus, the Sprint cell network apparently needs a little work.

It doesn't matter how difficult it would be to unhook the crucial stuff.  It NEEDS unhooking and that's all there is to it.  They can unhook all the safety-related systems, or they can find their cars on the news, settle a bunch of wrongful death suits out of court, hurt their company's image for the next 15+ years .  .  .  and then finally admit defeat & unhook it all anyway.  (That will probably be about 10 years after the Japanese & European brands have already done it.)    

If the demands of firewalling the safety issues cause the in-dash-everything screen to literally be two different screens, then so be it.  It will only hurt sales briefly until the rest of the industry gets its head out of its collective ass and does the same.  

 Shame on the car manufacturers.

It's hard to believe that this sort of vulnerability has not been brought up at meetings within the car companies.

((Excuse me sir for speaking up, but our system is not secure enough for public safety).-- I hear your observation and will take it under consideration. Thank you for speaking up. )

What we are left to surmise is --it was brought up-- and  decisions were made that the potential for hacking was low enough to forgo a financial investment to deal with it considering the time pressures for production.

These sort of gambles (I'm sure) go on all the time in every industry. ---Cost vs risk---

In my mind the bottom line person/persons in charge at a corporation inherit the blame for this sort of stuff.  They get paid mega bucks and should accept mega responsibility.

[Dino]

Crazy stuff...I'd like to get a new car one day but I can get a lot more years out of this one.  My wife should have a new one in the near future though but neither of us wants to drive a computer.

All these gadgets make people even less attentive and now this.  Yeah those car companies really have our best interests at heart.   

[myk]

Crazy stuff...I'd like to get a new car one day but I can get a lot more years out of this one.  My wife should have a new one in the near future though but neither of us wants to drive a computer.

All these gadgets make people even less attentive and now this.  Yeah those car companies really have our best interests at heart.   

That WS6 you guys got is as modernized as a car ever needs to be.  Anything beyond that car is just technological vanity and ambition...

[Troy]

There's a limit to what it can and can't control. The reason has to do with the way these systems are integrated. This hack centers on the entertainment system - but in most cars that's also somewhat connected to mechanical systems. In my new Charger I can control the steering assist and transmission shift points through the center display. The cruise control can manipulate the throttle position. Other cars have adaptive cruise control and collision avoidance which can apply the brakes and even bring the vehicle to a complete stop. I can start my car or lock the doors from my desktop computer in my office or even my cell phone. Is that necessary. No, not to me. Unhooking all this stuff isn't as easy as you'd think because manufacturers have spent years integrating it all. Consumers demand their cars work like their smart phones and they don't much care about security - until something goes wrong (usually through their own fault). As a software developer I'm always hearing about how we shouldn't allow a user make a mistake - but the second we limit the user's ability to do everything they deem necessary we're told the software isn't flexible enough. eyes

If you read the whole article, Chrysler has already plugged the hole in their software. That doesn't meant there won't be another. Plus, the Sprint cell network apparently needs a little work.

It doesn't matter how difficult it would be to unhook the crucial stuff.  It NEEDS unhooking and that's all there is to it.  They can unhook all the safety-related systems, or they can find their cars on the news, settle a bunch of wrongful death suits out of court, hurt their company's image for the next 15+ years .  .  .  and then finally admit defeat & unhook it all anyway.  (That will probably be about 10 years after the Japanese & European brands have already done it.)   

If the demands of firewalling the safety issues cause the in-dash-everything screen to literally be two different screens, then so be it.  It will only hurt sales briefly until the rest of the industry gets its head out of its collective ass and does the same. 

As I mentioned, they already fixed this issue (ahead of the conference where they show the world how they did it). Just adding encryption to the signal would make it exponentially harder to intercept/hack. I don't really have a problem with one computer controlling everything. You just need to limit who/what has permission to send certain commands.

And don't forget, this technology exists on purpose. Sure, people *say* the police/government can't track or control your car but you'd have to be awfully trusting to actually believe it.

Troy

[440]

I struggle as to how the braking system could be disabled? Are new cars "brake by wire"?

I think I'll stick to my dumb cars......

[Troy]

I struggle as to how the braking system could be disabled? Are new cars "brake by wire"?

I think I'll stick to my dumb cars......

The ABS is all electronic. To a non-car guy, shutting off the assist could be interpreted as "disabled". You know, it's like when your booster springs a leak on your classic (like mine did on the way to St Louis) and you're standing on the pedal with both feet just to get it to start slowing down.

For the record, I updated the "firmware" on my car using a USB hard drive. If a hacker really wanted to target *you* specifically they wouldn't need a cell signal.

Troy

[RoscoePColtrain]

There's a limit to what it can and can't control. The reason has to do with the way these systems are integrated. This hack centers on the entertainment system - but in most cars that's also somewhat connected to mechanical systems. In my new Charger I can control the steering assist and transmission shift points through the center display. The cruise control can manipulate the throttle position. Other cars have adaptive cruise control and collision avoidance which can apply the brakes and even bring the vehicle to a complete stop. I can start my car or lock the doors from my desktop computer in my office or even my cell phone. Is that necessary. No, not to me. Unhooking all this stuff isn't as easy as you'd think because manufacturers have spent years integrating it all. Consumers demand their cars work like their smart phones and they don't much care about security - until something goes wrong (usually through their own fault). As a software developer I'm always hearing about how we shouldn't allow a user make a mistake - but the second we limit the user's ability to do everything they deem necessary we're told the software isn't flexible enough. eyes

If you read the whole article, Chrysler has already plugged the hole in their software. That doesn't meant there won't be another. Plus, the Sprint cell network apparently needs a little work.

It doesn't matter how difficult it would be to unhook the crucial stuff.  It NEEDS unhooking and that's all there is to it.  They can unhook all the safety-related systems, or they can find their cars on the news, settle a bunch of wrongful death suits out of court, hurt their company's image for the next 15+ years .  .  .  and then finally admit defeat & unhook it all anyway.  (That will probably be about 10 years after the Japanese & European brands have already done it.)    

If the demands of firewalling the safety issues cause the in-dash-everything screen to literally be two different screens, then so be it.  It will only hurt sales briefly until the rest of the industry gets its head out of its collective ass and does the same.  

 Shame on the car manufacturers.

It's hard to believe that this sort of vulnerability has not been brought up at meetings within the car companies.

((Excuse me sir for speaking up, but our system is not secure enough for public safety).-- I hear your observation and will take it under consideration. Thank you for speaking up. )

What we are left to surmise is --it was brought up-- and  decisions were made that the potential for hacking was low enough to forgo a financial investment to deal with it considering the time pressures for production.

These sort of gambles (I'm sure) go on all the time in every industry. ---Cost vs risk---

In my mind the bottom line person/persons in charge at a corporation inherit the blame for this sort of stuff.  They get paid mega bucks and should accept mega responsibility.

Can't forget the: "Johnson!  Who was the engineer who spoke regarding our system not secure enough for public safety?  Replace him (or fire/demote) and get someone else more pliable".

Unfortunately, action will only occur reactively, once an accident(or a bunch) happens.  Good thing they fixed the issue though.

[Mike DC]

As I mentioned, they already fixed this issue (ahead of the conference where they show the world how they did it). Just adding encryption to the signal would make it exponentially harder to intercept/hack. I don't really have a problem with one computer controlling everything. You just need to limit who/what has permission to send certain commands.

And don't forget, this technology exists on purpose. Sure, people *say* the police/government can't track or control your car but you'd have to be awfully trusting to actually believe it.

Troy

My feeling still comes down to this:  Possible wireless access to anything safety-related = FAIL

It's really simple.  I don't think any amount of security efforts makes that basic premise acceptable.  Easy manual access with plug-ins is bad enough.  Wireless access is ridiculous. 



I agree on the tracking issue.  No huge govt like ours is going to have the capability to track people and not do it.  

[Troy]

You can't protect anything by just taking away access from one source. In the old days people put moats around castles and the bad guys just used ladders or tunnels (or starved them out!). I think that's partially the issue here - no one really planned ahead for an attack because they thought they were safe already (who would hack a moving car any way!). You need locks on interior doors in case someone manages to breech the exterior. You need safes within the locked interior doors for anything that needs extra protection. It's a ring of security that shouldn't be compromised when one tiny hole shows up in the outermost layer. In this case, it's software. It's easy to change and doesn't even require a wrench.

Behind the dashboard of these cars is basically a 1 GHz laptop. The code running these systems is reasonably mature and fairly stable. It's the "new" stuff that got piled on that is vulnerable. Like everything else these days, products get rushed to market to satisfy customer demands and then a "fix" comes out when they finally get it right. We, as consumers, just expect it. You'd think that cars would be relatively secure as the biggest security hole (the human) is mostly taken out of the equation.

Troy

[440]

With self driving cars set to be trialed on our roads one can only hope the technology is secure enough. It's a pretty scarey thought. If someone hacks into the port where cars receive data such as speed limits and such, it could be catastrophic as it would likely affect all vehicles that are receiving that information. Not only is one car hacked, it could be hundreds. Imaging telling all cars to stop at the next waypoint or data update..

http://mobile.abc.net.au/news/2015-07-21/driverless-car-trials-held-in-adelaide/6636334

[tan top]

with all this computer controlled stuff , & everthing going or already gone computerised  in this world ,  nothing will come good of it  , heading for a disaster imo  one day 

[Mike DC]

 
Self-driving cars + wireless remote vehicle hacking.  A perfect storm is coming together .  .  . 

 

[Pete in NH]

Well, this story made the national news last night on the PBS News Hour where they interviewed the author. I'm betting someone at Chrysler/Fiat is going to have a really bad day today.

I really believe this is not the first case of an engine controller gone wrong. My opinion is we saw it with the Toyota unintended acceleration problem a few years back. As a retired electronics engineer I thought at the time it had all the fingerprints of an engine control computer running away. These controllers look at multiple inputs and execute millions of instructions. I don't think anyone can guaranty that there won't be some combination inputs and software execution that won't screw up some how. If you think about millions of cars on the road using this technology and the billions of computer operations going on, I think it's statistically impossible not to have something go seriously wrong on occasion. But, I think the real issue in the Toyota case was outside Radio Frequency Interference from a radio transmitter close to the vehicle. A year or two after the Toyota problems I had a chance meeting with a fellow engineer who was a engine controller designer for a major US car manufacturer. I asked him what he thought of the Toyota problem. What he told me was very surprising. He said they routinely took apart competitors controllers looking for ideas. They found the Toyota controller lacked the filter components one would expect to find to keep external Radio energy out of the controller. He felt based on what he saw, and I certainly agreed with him, that this was quite possibly the cause of Toyota's problems. I think if Toyota ever admitted to a faulty design they would be forced to replace who knows how many controllers not to mention the avalanche of law suits. I think they literally swept the problem under the carpet and came up with the trapped carpet under the gas pedal. I never bought that explanation and I'm not sure why our government did.

Any way, I think these systems have all the built in potential to screw up all by themselves. They certainly don't need the addition of external malware inserted into them. I think to allow external wireless connection into the heart of the system is dangerously STUPID. I don't think there is any way to make these systems hack proof. I believe any software code written by human beings can be hacked by other human beings with enough time and effort. I don't think anyone can say they are 100% secure and safe.

Like I said someone at Chrysler/Fiat is going to have a really bad day. The pubic is well aware of hacking due to all the recent data breeches of all kinds of government and commercial systems. Now Jeep in the public mind has been labeled as hackable. I don't think saying the loop hole has been closed will buy them much. There will always be another loop hole to be exploited down the road. I don't think anyone can write perfect software.

[myk]

My techno phobia keeps me a fan of late 90's to mid 2000 muscle cars and everything before them.  We don't need all of the fancy processing wizardry running our cars.  The best control device a car will ever need is the one that holds the steering wheel and with both eyes on the road.

Don't get me wrong though, I still think Troy's Scat Pak Charger is an awesome machine...

[Ghoste]

The pubic is well aware of hacking due to all the recent data breeches of all kinds of government and commercial systems. Now Jeep in the public mind has been labeled as hackable. I don't think saying the loop hole has been closed will buy them much. There will always be another loop hole to be exploited down the road. I don't think anyone can write perfect software.

And if I read you correctly, you are pointing out the impact to Jeep from a consumers point of view so to that I would add that not only consumers are well aware but now so are other hackers and as we all know they love to out-hack one another.
So it could be "game on" now.

[skip68]

Here's my    
Ignition, throttle, brakes and steering should ALWAYS be manually and mechanically controlled by the driver with NO computer.   You will never justify or convince me that having a secondary source that can take control of my vehicle outweighs my need for full control.   Now, if the auto makers want to have control on tuning, suspension, radio or whatever that's fine.   But that's it.   If you really want and need a car that drives itself then hire a limo or call a cab.   

[myk]

Here's my    
Ignition, throttle, brakes and steering should ALWAYS be manually and mechanically controlled by the driver with NO computer.   You will never justify or convince me that having a secondary source that can take control of my vehicle outweighs my need for full control.   Now, if the auto makers want to have control on tuning, suspension, radio or whatever that's fine.   But that's it.   If you really want and need a car that drives itself then hire a limo or call a cab.   

Yup.  If someone needs all of the nanny devices then they shouldn't be driving in the first place...

[Ghoste]

And yet just this week I read another lengthy article stating that not only should driverless cars be legal, they should be mandatory. 

[Mike DC]

                    
                 
                           

The auto industry has gotten the idea that it can do aviation-level computer controlling.  



But they aren't willing to do what that really demands:

Pricing everything much higher.  
Going years between releasing each new model.  
Doing HUGE amounts of rigorous testing.  
Minimizing bells & whistles.
Continuing to take responsibility for problems all the way to the end of the product's life cycle.  

[Pete in NH]

The pubic is well aware of hacking due to all the recent data breeches of all kinds of government and commercial systems. Now Jeep in the public mind has been labeled as hackable. I don't think saying the loop hole has been closed will buy them much. There will always be another loop hole to be exploited down the road. I don't think anyone can write perfect software.

And if I read you correctly, you are pointing out the impact to Jeep from a consumers point of view so to that I would add that not only consumers are well aware but now so are other hackers and as we all know they love to out-hack one another.
So it could be "game on" now.

Yes, unfortunately I'm afraid the hackers are now alerted to a new target and as you say I fear the games will begin. Can you imagine a hacker planting ransomware in your vehicle, pay up or you won't be able to start your car.

[Pete in NH]

                   
                 
                           

The auto industry has gotten the idea that it can do aviation-level computer controlling.  



But they aren't willing to do what that really demands:

Pricing everything much higher.  
Going years between releasing each new model.  
Doing HUGE amounts of rigorous testing.  
Minimizing bells & whistles.
Continuing to take responsibility for problems all the way to the end of the product's life cycle.  

Yes. absolutely. I think in the end they are going to pay quite a price for that mistaken attitude.

[Ghoste]

Or we will. 

[myk]

And yet just this week I read another lengthy article stating that not only should driverless cars be legal, they should be mandatory. 

That's what "they" want: to take personal choice, volition, action and freedom out of our hands...

[440]

Has anyone seen the movie "Demolition Man" ? Our society is headed that way.

[Mike DC]

    
We only think the push for safety has gone too far when it's not a military or terrorism issue.

[Ghoste]

Not necessarily.  My daughter is applying for a student visa in another country at the moment and had to answer a battery of ridiculous questions such as "are now or have you ever been a terrorist?"  WTF?  Like a real terrorist would answer that truthfully.  Just issue the damned visa.

[Dino]

Not necessarily.  My daughter is applying for a student visa in another country at the moment and had to answer a battery of ridiculous questions such as "are now or have you ever been a terrorist?"  WTF?  Like a real terrorist would answer that truthfully.  Just issue the damned visa.

I posed the same question to an immigration officer at Amsterdam airport once; do people actually answer yes to any of these questions?  With a straight face the guy told me: you wouldn't believe how many do.

Don't underestimate the stupidity of human beings.

[Ghoste]

Fair enough.

[6spd68]

http://www.bloomberg.com/news/articles/2015-07-24/fiat-chrysler-recalls-1-4-million-autos-to-defend-against-hacks

[myk]

Yeah.  A LOT of people are going to lose their jobs over this one...

[Pete in NH]

http://www.bloomberg.com/news/articles/2015-07-24/fiat-chrysler-recalls-1-4-million-autos-to-defend-against-hacks

Right, here we  go. This will plug the existing known hole in the current software. The problem is what are the other as yet unknown ones waiting for the hackers to find and exploit. Ask Microsoft how many security patches they've issued over the years for their systems. They have patches on the patches by now. It's  never ending game.

[Mike DC]

  
Exactly.  

They can either build the important systems physically separated, or else its, "Our new version of Windows works perfectly."  

[tan top]

Has anyone seen the movie "Demolition Man" ? Our society is headed that way.

  yeah  demolition  man been saying that for a few years  , the world over is going that way or trying to !  by the looks of it 

[Mike DC]

 
If the govt ever puts one of those bad language ticketing machines in my garage it would pay off the national debt in 2 years.

[myk]

http://www.bloomberg.com/news/articles/2015-07-24/fiat-chrysler-recalls-1-4-million-autos-to-defend-against-hacks

Right, here we  go. This will plug the existing known hole in the current software. The problem is what are the other as yet unknown ones waiting for the hackers to find and exploit. Ask Microsoft how many security patches they've issued over the years for their systems. They have patches on the patches by now. It's  never ending game.

Does anyone think that this may spark a movement to go back to "dumb" cars? 

[bakerhillpins]

For those of you that downloaded the update and are doing it yourselves..  The download is a self extracting executable. (.exe file) You need to execute the file which results in a disc image file (swdl.iso). This file, swdl.iso is what you need to put on a thumb drive and plug into the device port, not to be confused with the dumb charging only port next to it.  Well it's next to it in my RAM anyhow.

It takes a few seconds for the system to open the file and start the process.  I was a tad too impatient at this step. 

They have apparently updated their online documentation to include the unzipping of the ISO image file.... because it don't work unless you do that.  I downloaded the instructions a few minutes before I called and it didn't have anything about unzipping the file even though the nice young lady said they just made the change.     I'd say it took a good 20 minutes for my update.

[myk]

And now your truck will turn into Optimus Prime...

[tcs69rt]

If you got to the uconnect website and enter your Vin# it will tell you what system you have and if your vehicle is affected. My 2011 Challenger has the sweet system with DVD player and navigation and it's not affected. The wife's 2015 Durango SXT is a concern now even though it is low optioned and has the low end stereo in it. The website gives you the option to d/l the files onto a thumb drive to upload into your system. But after 2 attempts the low end stereo does not accept the files so the dealership gets to try it this week. 

[Aero426]

All I could think of are the machines taking over.

[tcs69rt]

Aero426 = Love it! Gotta love Stephen King