Security researchers Chris Valasek and Charlie Miller uncovered potentially vulnerable cars that use Uconnect

The car has to connect to the Internet and possess a particular flaw that allows attackers to access its internal network, or the attackers would need physical access to the car.

Security researchers Chris Valasek and Charlie Miller uncovered a flaw in Uconnect, the persistent Internet connection provided by Sprint and used by Fiat Chrysler Automobiles (FCA). The researchers then scanned the Internet for other potentially vulnerable Fiat Chrysler cars that use Uconnect, and they found a range of vehicles from the 2013 through 2015 model years, including the Dodge Durango and Viper, various models of Ram trucks, and, of course, Cherokees and Grand Cherokees. They then used that flaw as a starting point to hack the Harman International infotainment system in Miller’s 2014 Jeep Cherokee.

Last year, researchers Charlie Miller and Chris Valasek identified 16 cars that could potentially be hacked via the Internet, before settling on the Jeep Cherokee. (Photo: Andrew Brandt)

With the Tesla Model S, researchers Kevin Mahaffey and Marc Rogers had to disassemble the dashboard to reach parts of the computer’s hardware, including SD card slots and USB ports that were never meant to be accessed by anyone other than a technician. That physical access gave the researchers the ability to modify the car’s software, which in turn allowed them to remotely lock or unlock the car doors, open the trunk, start the engine, adjust the air conditioning, and even move the car by sending it commands over the Internet.

University of California San Diego researchers uncovered a vulnerability in the OBD2 dongle made by Mobile Devices and distributed by the pay-by-the-mile insurance company Metromile, among others. The researchers sent specially crafted SMS messages to the dongle to control basic car functions such as the wipers and brakes.

Marc Rogers (left) and Kevin Mahaffey (right) worked closely with Tesla CTO JB Straubel (middle) to resolve the bugs they discovered. (Photo: Andrew Brandt)

As noted above, the Tesla hack required direct physical access to parts of the internal network that drivers never see. If you come back to your Tesla and find its dashboard disassembled, don’t try to drive the car. (After you get it fixed, don’t park it on the street on that same block again.)

And if you look at your car’s OBD2 port (usually found under the dash near the steering wheel) and you find something plugged in that you didn’t put there, remove it immediately.

Are these cars still at risk?
No. Shortly after news of the hack appeared, Fiat Chrysler issued a recall for 1.4 million vehicles that might have been affected, and is planning to mail updated software to their owners via USB drives. Sprint, the network over which the Uconnect service communicates, has blocked the channel of communication used by the researchers so that you can’t connect to Uconnect vehicles over the Internet. Tesla’s fix was even easier: an over-the-air software update to the car. Harman International, makers of the infotainment gear that Miller and Valasek owned, says that system was 5 years old and lacked security safeguards built into newer models. Metromile says it has transmitted a security update to all dongles that were affected by the vulnerability.

