Car Hacking: Researchers Remotely Hack Jeep Cherokee
**Update July 24th*: Reports show Fiat-Chrysler will be recalling 1.4 million vehicles
Yesterday, Wired.com broke the story of how two security researchers remotely hacked into a Jeep Cherokee that was driven by one of their journalists. The journalist agreed to test drive this motor vehicle while the security researchers wirelessly connected to the vehicle and began controlling various components of the vehicle from miles away. The security researchers have been conducting research in this area for several years. In 2013, the same journalist test drove a Ford Escape and Toyota Prius in South Bend, Indiana, and researchers were able to disable the vehicle’s brakes, honk the horn, pull on the seatbelt, and even steer the vehicle in a parking lot. You can read the full current story on Wired.com.
In summary, the security researchers were over ten miles away when they remotely connected (via Sprint’s cellular network to the vehicle’s uConnect system) to the Jeep Cherokee. They began blasting the air conditioner and radio, turning the windshield wipers on, and then appeared on-screen of the vehicle’s display. Before the “test drive” was complete the researchers had managed to stop the Jeep Cherokee in heavy St. Louis traffic, remotely disable the brakes, and send the Jeep Cherokee into a ditch. The researchers were also able to demonstrate how other vulnerable vehicles could not only be tracked by plugging coordinates into Google Maps, but they could also remotely carry-out the attack due to this vulnerability. All of this may be frightening, considering an innocent driver could be driving anywhere in America and an attacker could remotely connect to his/her vehicle and commandeer the vehicle from miles, or hundreds of miles, away.
This story has received and earned a lot of publicity in the past 24 hours. Two U.S. Senators are proposing legislation that will require protection standards against digital attacks and privacy for the automotive industry. According to and prior to the story publishing, these researchers have been communicating privately with the automotive industry regarding these vulnerabilities. The security researchers will be presenting their research in a few weeks at Black Hat USA 2015.
Only July 16th Fiat Chrysler Automobiles posted a news release notifying vehicle owners of this vulnerability, and offered a patch to address this exploit. Here is a direct link to the uConnect site for the software update. This patch must be manually deployed via a USB thumb/ removable drive, or by a Chrysler mechanic at an authorized dealership.
The notoriety of this highly-publicized story is a reminder of public safety and the human factor in our ever increasingly connected world. From telecommunications and home automation to UAVs (aka drones), and automobiles, our daily lives are tied to technology. Technology is a good thing and has advanced societies since the beginning of time. People using technology for illegal and/or unethical purposes is the underlying problem, not the technology. Many industries are looking into ways to seamlessly integrate phones, cars, and homes with technology into our daily lives now. You are or may be using home automation to remotely control your thermostat, or check your home security system from the comfort your mobile device.
From a digital forensics perspective, the motor vehicle is just another data source available for business or legal communities to answer a question. Motor vehicles’ black boxes previously only recorded several data points, such as air bags, brake threshold, speed, etc. Today’s motor vehicles are computerized and contain a wealth of data. When is the last time you rented a vehicle and synced your mobile device over Bluetooth? Do you know what contacts, text messages, call history, and other data was sent and stored inside the car’s infotainment system? During an investigation or inquiry, if you are not pulling data from the motor vehicle you could be missing the “smoking gun” to cracking your case or investigation.
Whether it’s directly or indirectly putting the person in front of a keyboard, a touch screen, a radio controller, or even a steering wheel, digital forensics will continue to be called upon to answer these and other questions in complex digital investigations.
The Kemper Forensics Advantage: See what happens when traditional investigative techniques partner with digital technology. Contact us today!
Source: Wired. (2015). Hackers Remotely Kill A Jeep On The Highway- With Me In It. Retrieved July 22, 2015 from http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/