Vehicle Cybersecurity | How hackable are today's cars? | LMG Security
Security researchers recently discovered and exploited a zero-day vulnerability in Fiat Chrysler vehicles, allowing them to remotely disable a car’s brakes, control its steering wheel while the car is in reverse, track its GPS coordinates, blast the radio, and more. The vehicle cybersecurity vulnerability was found in Fiat Chrysler’s Uconnect system, which connects vehicles to the Internet, powers their hands-free phone and navigation systems, and allows users to remotely start their engines or honk their horns. Uconnect is installed in as many as 471,000 Fiat Chrysler vehicles from late 2013 through 2015, including Jeep Cherokees (the vehicle on which the exploit was demonstrated).
For affected owners, Fiat Chrysler has released a software patch that users can install themselves via USB drive, or have installed at a dealership.
This is not the first time the researchers, IOActive Director of Vehicle Security Research Chris Valasek and Twitter researcher Charlie Miller, have made the news for hacking cars. They hijacked Toyota Priuses and Ford Escapes in 2013 by plugging their laptops into the vehicles’ diagnostic ports. In 2015, however, they are controlling vehicles remotely over a wireless connection. This is not the first time this has been done, but it is evidence that the threat of this type of attack is growing.
Researchers generally agree that it is important to demonstrate their findings in order to put pressure on manufacturers to patch vulnerabilities and create more secure products. However, some researchers were disturbed by the format of Valasek and Miller’s latest demonstration, which, according to Wired, took place on a live highway.
Whether the researchers’ methods are responsible or not, lawmakers are starting to take notice. Two senators recently proposed the Security and Privacy in Your Car Act (SPY Car Act), which provides guidelines for manufacturing more secure vehicles in the U.S. The bill proposes that cars’ internal networks should be segmented (if implemented properly, this means an attack on a car’s sound system will not give easy access to the car’s brakes). According to the bill, all cars should be equipped with an intrusion detection system “with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle” (§30129(a)(4)). The bill also suggests that cars should be “evaluated for security vulnerabilities following best security practices” (§30129(a)(2)(C)), which include third-party vulnerability assessments and penetration testing.
For drivers with networked vehicles, it is important to stay vigilant. Immediately update your vehicle’s software whenever a patch is released. Pay attention to notifications issued by your manufacturer and general vehicle security news. No malicious vehicle attacks have been reported to date, and hopefully, with an increased focus on vehicle security, it will stay that way.