Internet-connected cars may offer a number of advantages and smart features, but, as with anything online, they also carry inherent risks – and those risks have just been proven by a pair of cyber security experts.
Charlie Miller, a former NSA hacker, and Chris Valasek, a researcher at IOActive, successfully demonstrated the hacking of a Jeep Cherokee via the Fiat Chrysler telematics system Uconnect in what was described by Reuters as a controlled test.
The experts hacked into the vehicle being driven by a Wired.com reporter, and turned on the radio, as well as other features – but then moved to more serious matters, managing to control the steering and brakes, and even switch the engine off (to pull these feats off, though, they had to rewrite code in the entertainment system, not a trivial matter by any means).
This is certainly a worrying development, and Fiat Chrysler has already patched up the most serious vulnerability which the researchers used to break into the vehicle's systems.
How many other flaws are in various car systems out there, though, ready to be exploited? And perhaps next time by a malicious party…
Fiat Chrysler issued a statement to say: "Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems."
The difference is, however, a hacked smartphone can only cause detriment to personal finances at the worst, generally speaking, whereas a hacked car… That's quite another matter in terms of the danger involved to the car itself, and other road users.
Jeremiah Grossman, Founder and CTO of WhiteHat Security, commented: “We protect our PCs and servers from being hacked using special configuration settings, security software, and ‘best-practice’ behaviours. The overall effectiveness of all this ‘security’ is, at best, so-so... but fortunately no one dies when a system gets hacked.
“With car hacking, and cars being little more than rolling computers nowadays, are we expected to install security software, etc. there too!? Or, are manufacturers responsible for protecting their car's occupants against a digital adversary? An interesting fork in the digital road.”
Note that gaining access to the entertainment system, and moving from there to the core controls of the vehicle, are two very different aims, with the latter fortunately being a much, much harder task – the experts said it would take "months" for even top-rate hackers to emulate them.
That's unlikely to help the public's perception of the safety of the connected car, though – or indeed of the fully self-driving car. The FBI has already aired concerns about the latter being used by terrorists with bombs on board…
UPDATE: Marta Janus, security researcher at Kaspersky Lab, has provided the following comment: "This story only proves the point, that everything connected to the Internet is prone to attacks and is potentially hackable. When it comes to transportation, such as cars, trains and airplanes, the consequences of a successful breach can be infinitely more serious than a computer or mobile device hack, as people's lives are directly at stake.
"In light of this recent research, we should definitely reconsider the concept of the Internet-of-Things, and think carefully about which devices should be connected to one another. Obviously, computers, smart phones and tablets would be next to useless without an Internet connection, with their main purpose being to keep us connected in this digital world. But what is the real advantage of having a car with access to the Internet? For navigation and remote door opening, a centralised online system isn’t necessary. Even for the few convenience features that would be impossible without Internet connection, are they really worth the dire risk of being hacked?
"In my opinion, transportation, together with industrial systems and other critical infrastructure, shouldn't make use of public Internet at all. Instead, they should build separate networks, featuring unique and custom-made secure protocols to reduce the risk of potentially fatal hacking."