Jeep Owners Liable To Cyber Attack, Hackers Take Remote Control

Jeep drivers are urged to update their navigation/entertainment software after hackers took control of a car

The Jeep Cherokee has a software security flaw that lets hackers access and control the car remotely via the internet.

A security vulnerability in Uconnect, the internet-enabled software that provides remote control features, could also allow hackers to take control of the Jeep Cherokee. They could remotely apply the brakes, steer the car, turn the windscreen wipers on and take control of the engine. Security experts are advising owners of Fiat Chrysler Automobiles (FCA) vehicles to update their on-board software. Unlike other cyber attacks that only target the entertainment system, the Uconnect hack affects the Jeep's driving systems such as GPS, brakes, steering and engine management, enabling remote control of the car via the internet.

Security experts demonstrated the hack by remotely driving a Jeep into a ditch after taking control of it using a laptop and a phone.

The Guardian reports:

The Uconnect system is installed in hundreds of thousands of cars made by the FCA group since late 2013 and allows owners to remotely start the car, unlock doors and flash the headlights using an app.

The hack was demonstrated by Charlie Miller and Chris Valasek, two security researchers who previously demonstrated attacks on a Toyota Prius and a Ford Escape. Using a laptop and a mobile phone on the Sprint network, they took control of a Jeep Cherokee while Wired reporter Andy Greenberg was driving, demonstrating their ability to control it and eventually forcing it into a ditch.

Unlike the majority of hacking attempts on cars, the vulnerability within the Uconnect system allows cybercriminals to take control of the car remotely, without the need to make physical contact with the car.

The security researchers notified Fiat Chrysler nine months ago, allowing the car manufacturer to release a security update to fix the problem, which it did on 16 July.

However the update requires users to manually update their cars by visiting the manufacturer’s site, downloading a programme on to a flash drive and inserting it into the car’s USB socket. FCA dealers can update the car for owners, but the company is apparently unable to automatically update the cars over the internet.

“This update might not sound particularly important, but trust me, if you can, you really should install this one,” Miller said on Twitter.

Independent security expert Graham Cluley added: “Note that the researchers believe that, although they’ve only tested it out on Jeeps, the attacks could be tweaked to work on any Chrysler car with a vulnerable Uconnect head unit.”

“You should consider installing a security update that Jeep has issued for cars fitted with a model RA3 or model RA4 radio/navigation system.”

It is unclear whether the vulnerability within the Uconnect system is confined to US cars, or certain models.

FCA is yet to respond to a request for comment.