DANGEROUS TECHNOLOGY? Drivers could be in trouble as expert hackers have proved it possible to attack and stop a moving car via the internet. Image: Supplied
SAN FRANCISCO, California - Two veteran cyber-security researchers have shown they can use the internet to turn off a moving car's engine, sharply raising the stakes in the debate about the safety of increasingly "connected" cars and trucks.
Former National Security Agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used a feature in the Fiat Chrysler telematics system Uconnect to break into a car being driven on the highway by a reporter for technology news site wired.com.
'CARS ARE VULNERABLE'
In a controlled test, they turned on the Jeep Cherokee's radio and activated other non-essential features before rewriting code embedded in the entertainment system hardware to issue commands through the internal network to the steering, brakes and the engine.
Miller told Reuters: "Hundreds of thousands of cars are vulnerable right now."
Fiat Chrysler said it had issued a fix for the most serious vulnerability. The software patch is available free from the company's website or through a dealer. The automaker said:
"Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the risk of unauthorised and unlawful access to vehicle systems."
Further questions were not immediately answered.
Miller and Valasek have been probing automotive safety for years and have been among those warning that remote hacking was inevitable. An academic team had previously said it hacked a moving vehicle from afar but did not say how, or name the manufacturer, putting less pressure on the industry.
National Highway Traffic Safety Administration chief Mark Rosekind said on Tuesday (July 21 2015) that his agency was increasingly concerned about the security of vehicle control systems.
"We know these systems will become targets of bad actors," Rosekind told a conference on autonomous and connected vehicle technology in Ypsilanti, Michigan. "If people don't believe that connected vehicle systems are safe and secure they will not engage it."
Members of the American Congress have also expressed concern, and on Tuesday senators Ed Markey and Richard Blumenthal, each a Democrat, introduced a bill that would direct the NHTSA to develop standards for isolating critical software and detecting hacking as it occurs.
Miller and Valasek said they had been working with Fiat Chrysler since October, giving the company enough time to construct a patch to disable a feature that the men suspected had been turned on by accident.
They plan to release a paper at a Def Con security conference - Defense Condition is one of the oldest and largest continuously running hacker conventions around - in August that includes code for remote access, which will no longer work on cars that have been updated.
OPEN TO ATTACK
They said the harder problem for an attacker, moving from the entertainment system to the core on-board network, would take months for other top-tier hackers to emulate.
Many Jeeps could remain unpatched, leaving them open to attack, but the researchers said hackers would need to know the internet protocol address of a car to attack it specifically and that address changed every time the car was started.
"Otherwise," Valasek added, "you have to attack random cars."
The men stressed that it would be easy to make modest adjustments to their code to attack other types of vehicles.
They said automakers, racing to add new internet-connected features, should work much harder on creating safe and automatic over-the-air software updates, segregation of on-board entertainment and engineering networks, and intrusion-detection software to prevent improper commands.
Valasek said: "Anything that connects to the outside world is an attack."