Using a laptop computer and throwaway cellphone, the two researchers – who were located 10 miles away from the vehicle – first remotely took control of the moving vehicle’s climate control system, radio, and wipers, and then shifted the Jeep into neutral. Eventually they also cut the Jeep’s brakes, ultimately causing it to slowly coast into a ditch.
The hack was accomplished by exploiting a vulnerability in the SUV’s proprietary Internet-connected entertainment and navigation system, called Uconnect. By knowing the vehicle’s IP address, a hacker can gain access through the system’s cellular connection.
In this case, once inside the system, the researchers rewrote the firmware of a chip in the car’s infotainment system head unit, from which commands were sent through the vehicle’s internal network, or CAN bus, to control many of the car’s physical functions. According to the researchers, as many as 420,000 Chrysler vehicles could be affected by this vulnerability.
However, executing the hack required detailed knowledge of the vehicle software (including the car’s IP address), as well as many months of code development, so, contrary to much of the media coverage this event is receiving, it shouldn’t be overly alarming to those with affected vehicles. Chris Valasek, one of the researchers, is quoted as saying of the potential threat, "If you’re concerned about someone assassinating you, then, yes, you should be concerned. Otherwise, it’s not to the point where it’s opportunistic."
The researchers plan to publish their findings in a 90-page report timed to coincide with next month’s Black Hat conference. The researchers have also shared their results with Chrysler, which has already released a software update for vehicles containing the Uconnect system. These include 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, as well as some models of the 2015 Chrysler 200.
Opinion: Of hackers and showmasters