Hackers Can Remotely Kill A Jeep On The Highway

HardOCP News

If you own a Chrysler vehicle, you might want to read this article. Download the patch for your car while you are there.

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.
 
Well it's actually any Chrysler product using UConnect. You could do the same thing with a Hellcat Challenger.
 
To add to my comment above. I could see it now. That guy in the Shelby GT500 only won because he hacked my Hellcat. LOL
 
Ugh... add this to my list of questions like "Why the fuck are nuclear power plants and other 'critical' pieces of infrastructure accessible via the internet?"

Seriously, why? I can understand remote diagnostics, but not changing of anything remotely.
 
Because, dumb as it can be to allow remote control, sometimes it makes more sense from an economic standpoint to allow remote control than to have to employ a highly trained technician for each and every site. Or even putting a dumb clicky-monkey onsite and having the technician talk them through it.

Seriously, do you want Joe Luddite trying to take telephone directions for a nuclear reactor?

Tech: Do A, B, C, D, E and G, but not F.

Joe: Okay, A, B, C, D, E, F, G

*KLAXON*
 
Massive class actions and new laws in

3...
2...
1...
 
Ugh... add this to my list of questions like "Why the fuck are nuclear power plants and other 'critical' pieces of infrastructure accessible via the internet?"

Seriously, why? I can understand remote diagnostics, but not changing of anything remotely.

Because power substations have to be synced to 1000th of a second or less sometimes. This is so multiple power plants can shunt power to substations where there is a shortage. But to do so they have to be in phase.

The best thing they can do is put non-rewritable firmware on every node point and run a checksum on it and the data coming in, in a custom 1024-bit encrypted format using simple data types only. (Hard to overflow a buffer when there are no arrays or strings.)
 
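The post above proposes immutable firmware with a checksum, plus a check on every incoming message built only from fixed-size fields. The following is an added example, not code from the thread or from any utility or automaker: it models that design on a node that verifies its image against a digest fixed at manufacture and accepts only fixed-layout, authenticated, non-replayed command frames. It swaps the poster's "custom 1024-bit encrypted format" for a standard keyed MAC (HMAC-SHA256, truncated to 128 bits), since authentication, not secrecy, is what stops a forged or altered command. The key, frame layout, command codes and sample data are constructed for the example.

```python
"""Added example: firmware integrity check plus authenticated, fixed-layout
control frames for an embedded node. Nothing here is from the original thread.

Assumptions (constructed for this example): a 32-byte HMAC key shared with the
control centre, SHA-256 as the hash, and a frame layout of
sequence number (u32), command code (u16), setpoint (i32), timestamp in ms (u64),
followed by a 16-byte truncated HMAC tag.
"""
import hashlib
import hmac
import struct

SHARED_KEY = bytes(range(32))          # constructed; real key lives in protected storage

BODY_FMT = "<IHiQ"                      # no strings, no variable-length fields
BODY_LEN = struct.calcsize(BODY_FMT)    # 18 bytes
TAG_LEN = 16
FRAME_LEN = BODY_LEN + TAG_LEN          # anything not exactly this long is rejected


def firmware_ok(image: bytes, expected_sha256_hex: str) -> bool:
    """Compare the running image with the digest fixed at manufacture."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex)


def build_frame(key: bytes, seq: int, cmd: int, setpoint: int, ts_ms: int) -> bytes:
    """Control-centre side: pack the fixed body and append a truncated HMAC tag."""
    body = struct.pack(BODY_FMT, seq, cmd, setpoint, ts_ms)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class FrameVerifier:
    """Node side: length check, MAC check, replay check, command allowlist."""

    def __init__(self, key: bytes, allowed_cmds):
        self.key = key
        self.allowed = frozenset(allowed_cmds)
        self.last_seq = 0                   # sequence numbers must strictly increase

    def verify(self, frame: bytes):
        if len(frame) != FRAME_LEN:
            raise ValueError("bad length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad tag")
        seq, cmd, setpoint, ts_ms = struct.unpack(BODY_FMT, body)
        if seq <= self.last_seq:
            raise ValueError("replay")
        if cmd not in self.allowed:
            raise ValueError("command not allowed")
        self.last_seq = seq
        return seq, cmd, setpoint, ts_ms


def demo():
    """Exercise the checks on constructed data and return every outcome."""
    image = b"\x00" * 1024 + b"node-firmware-v1"           # constructed image
    good_digest = hashlib.sha256(image).hexdigest()
    results = {
        "firmware_ok": firmware_ok(image, good_digest),
        "firmware_tampered": firmware_ok(image + b"\x01", good_digest),
    }
    verifier = FrameVerifier(SHARED_KEY, allowed_cmds={0x10, 0x11})
    frame = build_frame(SHARED_KEY, seq=1, cmd=0x10, setpoint=500, ts_ms=1700000000000)
    results["good"] = verifier.verify(frame)

    def attempt(f):
        try:
            return verifier.verify(f)
        except ValueError as e:
            return str(e)

    tampered = bytearray(frame)
    tampered[6] ^= 0xFF                                     # flip a byte of the setpoint
    results["tampered"] = attempt(bytes(tampered))
    results["replay"] = attempt(frame)                      # same seq again
    results["forbidden"] = attempt(build_frame(SHARED_KEY, 2, 0x7F, 0, 1700000000001))
    results["short"] = attempt(frame[:-1])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what the fixed layout buys: the parser never reads a length field from the wire, so there is no field an attacker can use to steer a copy past a buffer, which is the "no arrays or strings" point in the post. The MAC and sequence checks are what stop a replayed or forged command; a plain checksum would not, since anyone who can inject traffic can recompute it.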
Well it's actually any Chrysler product using UConnect. You could do the same thing with a Hellcat Challenger.

So it's only the internet-enabled Uconnect systems, right? I have an old one from 2011 that's one step up from basic so it only has BT and Sirius on top of the usual CD / AM / FM.
 
Because, dumb as it can be to allow remote control, sometimes it makes more sense from an economic standpoint to allow remote control than to have to employ a highly trained technician for each and every site. Or even putting a dumb clicky-monkey onsite and having the technician talk them through it.

Seriously, do you want Joe Luddite trying to take telephone directions for a nuclear reactor?

Tech: Do A, B, C, D, E and G, but not F.

Joe: Okay, A, B, C, D, E, F, G

*KLAXON*
For something on the order of a nuclear power plant... yes I fucking want a highly trained technician at every site regardless of the cost.

Because power substations have to be synced to 1000th of a second or less sometimes. This is so multiple power plants can shunt power to substations where there is a shortage. But to do so they have to be in phase.
Then they should have some dedicated lines set up between them, something that can only be accessed from secure locations. Or if they need to use the internet sue the company owning said nuclear plant for a bazillion dollars if they're running WindowsXP with Norton Firewall :D
 
... How the hell did those two get him to agree with this testing? It's extremely unsafe, if what he actually said in his article happened. I mean they literally almost killed him.

I didn't quite realize the issue was so dire in the automotive software branch that you could remotely hack into a car and utterly destroy the thing. This is really bad. I'm glad my new Subaru only has access to the internet if I use my cell's wifi tethering. Even then, it probably doesn't have any access to critical systems.

This is something that is definitely going to pose a challenge to automatic cars like Google's. When (I say when, not if; the fully automated car is definitely the way of the future) they finally roll out in large numbers. They will need to be free of any security errors like this. I believe that's fully possible, and honestly I'm not surprised that these automotive companies' fresh dabblings in the complex software field are backfiring. Luckily right now it's just two very determined individuals doing it as a proof of concept.
 
Why would they have those systems connected in the first place?

I do know Onstar does track your car's location, even if you do not have an active Onstar account.

Disconnected it. None of GM's business where I am driving. Wondering how long before the lawyers say, "Hmm. Wasn't the defendant driving a Buick? Let's subpoena the tracking info from GM."
 
So these idiots tested this on a highway where they could have killed someone? I hope they all get jail time for that stupidity.
 
But more seriously, Fiat has a serious problem here. This level of insecurity is criminally negligent.
 
I have some association with the 2018 Jeep. One of my clients is working on a major component for that model year. He is currently in Detroit and will soon be going to China. I've built maybe 6 or 7 Workstations for his company.
 
Because power substations have to be synced to 1000th of a second or less sometimes. This is so multiple power plants can shunt power to substations where there is a shortage. But to do so they have to be in phase.

The best thing they can do is put non-rewritable firmware on every node point and run a checksum on it and the data coming in, in a custom 1024-bit encrypted format using simple data types only. (Hard to overflow a buffer when there are no arrays or strings.)

Don't need to be on the internet to do this.

Point to point private leased line. Done. If this is too expensive then private MPLS.
Run your own stratum 1 NTP server for ~ $1k ea.
 
Sorry, clickbait was the wrong term, but that video wasn't accurate as they had the Grand Cherokee overloaded.

In the video they did the same test with a couple of other SUVs and didn't have this problem. No mention of it being overloaded, but you would think the load wouldn't cause this problem. Newer Jeeps have too high of a center of gravity.
 
This is rogue IT at its finest. Somebody, probably in marketing, said, "Connect it all together! We can sell it as a feature!".
 
So these idiots tested this on a highway where they could have killed someone? I hope they all get jail time for that stupidity.

Testing it on the highway was stupid, yes. However, the worst thing they did (according to the article) was disconnect the transmission. So nothing that much worse than you having to slow down and stop someplace because of a blown tire, overheating, etc.

Hardly likely to "kill someone".
 
But more seriously, Fiat has a serious problem here. This level of insecurity is criminally negligent.

The article did note the hackers have been working with FCA for the past 9 months and there is a patch now. Now all they need is to actually recall the vehicles to get the damn patch done.
 
Testing it on the highway was stupid, yes. However, the worst thing they did (according to the article) was disconnect the transmission. So nothing that much worse than you having to slow down and stop someplace because of a blown tire, overheating, etc.

Hardly likely to "kill someone".

All it takes is the driver behind them to be texting while driving and BAM.
 
... How the hell did those two get him to agree with this testing? It's extremely unsafe, if what he actually said in his article happened. I mean they literally almost killed him.

I didn't quite realize the issue was so dire in the automotive software branch that you could remotely hack into a car and utterly destroy the thing. This is really bad. I'm glad my new Subaru only has access to the internet if I use my cell's wifi tethering. Even then, it probably doesn't have any access to critical systems.

This is something that is definitely going to pose a challenge to automatic cars like Google's. When (I say when, not if; the fully automated car is definitely the way of the future) they finally roll out in large numbers. They will need to be free of any security errors like this. I believe that's fully possible, and honestly I'm not surprised that these automotive companies' fresh dabblings in the complex software field are backfiring. Luckily right now it's just two very determined individuals doing it as a proof of concept.

I guess in his defense last time it was done "safely" this time on a highway, but still crazy as hell.

But yes, new cars are tying in more and more with the internet. They can email you when it is time for an oil change, when tires are getting low, when some other part is having issues....
 
This is something that is definitely going to pose a challenge to automatic cars like Google's. When (I say when, not if; the fully automated car is definitely the way of the future) they finally roll out in large numbers.

This is one of the reasons I don't want anything like Uconnect, on-star, etc. in my cars. If I ever end up buying a car with something like this, one of the first things I'll do is disconnect it.

There was an interesting scene in the season premiere of Extant.
One of the characters is killed when his self driving car stops on the railroad track. He was resisting some government cover-up, and it appeared that someone hacked the AI on the car.

The car stops, and when asked tells him they are stopped for a traffic light. When he points out they are on the railroad tracks, the car replies that the railroad track is 15 yards away.
When he tries to override and manually drive the car, the manual mode is unavailable. He then tells it to unlock the car, and the car politely tells him the doors are locked for his safety :)

Meanwhile the train horn keeps getting louder, and the train headlight closer....
 
For something on the order of a nuclear power plant... yes I fucking want a highly trained technician at every site regardless of the cost.

Even when it makes no sense and can't deliver the necessary tolerances of an automated system...
 
Don't need to be on the internet to do this.

Point to point private leased line. Done. If this is too expensive then private MPLS.
Run your own stratum 1 NTP server for ~ $1k ea.

Unless they completely PHYSICALLY isolate the network, they'll pretty much always be vulnerable to pivot-type attacks.
 
Ugh... add this to my list of questions like "Why the fuck are nuclear power plants and other 'critical' pieces of infrastructure accessible via the internet?"

A lot of them don't, and there have been cases in the past where an ad-hoc wireless network has been setup to gain exterior access to these "secured" off the internet systems.
 
Full steam ahead on keeping my '85 MR2. I'm still debating a car computer somehow. Maybe something Raspberry Pi.
 
And now we have a case for needing regulation because the automakers won't do it themselves. I hate this crap. So desperate to add features that common-sense safety issues are ignored completely.

The problem is, we won't get the kind of regulation that makes sense. Which would be that life-critical systems be physically isolated from wireless communication of any kind and internet connections of any kind.

Your car's primary computer should have a physical moat. No wireless data port. Physical connection only for diagnostic. And absolutely, positively no physical way for external internet communication to interact with any primary system.

I don't give a flying monkey what the factory wants to do with real-time info gathering. The risks make it unacceptable from the word go. It will never be safe enough. Never. We have proven in today's world that any connection that can be accessed can eventually be compromised.

The solution? No connection. It has worked for a hundred years of automobiles until now.

People's personal cellphones and handheld computers already do what needs doing. And the cars can have isolated entertainment computers that handle hands-free and wireless audio/video or control of the phone. The rest of the car stays physically isolated.
 
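Two of the posts above make the same architectural point: that a compromised head unit must not be able to pivot onto the bus that runs the engine and brakes, whether by a complete physical moat or otherwise. The following is an added example, not code from the thread and not FCA's or any automaker's gateway design: it models the policy a domain gateway between the infotainment side and the vehicle-control bus would enforce, forwarding only allowlisted message IDs with a bounded payload length and a per-ID rate cap, and dropping everything else. The arbitration IDs, payloads and limits are constructed for the example and are not the IDs of any real vehicle; a real gateway enforces this in ECU firmware, and this Python model only shows the decision logic.

```python
"""Added example: allowlist gateway between the infotainment domain and the
vehicle-control bus. Not from the original thread; IDs and limits are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arb_id: int        # 11-bit arbitration ID
    data: bytes        # 0..8 bytes of payload


# Constructed IDs for the example only (not a real vehicle's message catalogue).
ID_HVAC_SETPOINT = 0x3A0     # head unit -> climate controller: the one thing allowed through
ID_RADIO_VOLUME = 0x3A1      # stays on the infotainment side, never forwarded
ID_ENGINE_CONTROL = 0x0C0    # powertrain: must never be reachable from the head unit
ID_BRAKE_CONTROL = 0x0D0     # must never be reachable from the head unit

# Policy: arb_id -> maximum payload length accepted for that message.
ALLOW_TO_VEHICLE_BUS = {
    ID_HVAC_SETPOINT: 2,
}


class DomainGateway:
    """Forward infotainment-side frames to the vehicle bus only if allowlisted,
    not oversized, and under the per-ID rate cap (frames per second)."""

    def __init__(self, allow, rate_per_s=3):
        self.allow = dict(allow)
        self.rate = rate_per_s
        self._sent = {}   # arb_id -> timestamps (ms) of frames forwarded in the last second

    def forward(self, frame: CanFrame, now_ms: int):
        """Return (frame, "forwarded") or (None, reason). Default is deny."""
        max_len = self.allow.get(frame.arb_id)
        if max_len is None:
            return None, "not allowlisted"
        if len(frame.data) > max_len or len(frame.data) > 8:
            return None, "oversize"
        recent = [t for t in self._sent.get(frame.arb_id, []) if now_ms - t < 1000]
        if len(recent) >= self.rate:
            self._sent[frame.arb_id] = recent
            return None, "rate limit"      # a flooded ID would starve the real controller
        recent.append(now_ms)
        self._sent[frame.arb_id] = recent
        return frame, "forwarded"


def demo():
    """Push constructed head-unit traffic through the gateway; return what got
    through (list of IDs) and what was dropped (list of (id, reason))."""
    gw = DomainGateway(ALLOW_TO_VEHICLE_BUS, rate_per_s=3)
    head_unit_traffic = [                                       # constructed frames
        CanFrame(ID_HVAC_SETPOINT, b"\x00\x16"),                # legitimate: 22 C
        CanFrame(ID_ENGINE_CONTROL, b"\x00" * 8),               # pivot attempt
        CanFrame(ID_BRAKE_CONTROL, b"\x01"),                    # pivot attempt
        CanFrame(ID_HVAC_SETPOINT, b"\x00\x16\x00\x00"),        # malformed: too long
        CanFrame(ID_HVAC_SETPOINT, b"\x00\x17"),
        CanFrame(ID_HVAC_SETPOINT, b"\x00\x18"),
        CanFrame(ID_HVAC_SETPOINT, b"\x00\x19"),                # fourth in one second
    ]
    forwarded, dropped = [], []
    for frame in head_unit_traffic:
        out, reason = gw.forward(frame, now_ms=0)
        if out is None:
            dropped.append((frame.arb_id, reason))
        else:
            forwarded.append(out.arb_id)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = demo()
    print("forwarded:", [hex(i) for i in fwd])
    print("dropped:", [(hex(i), r) for i, r in drp])
```

The policy is deny-by-default: a message is forwarded only because it appears in the allowlist, so adding a new infotainment feature never silently opens a path to powertrain or brake IDs. The rate cap matters because even an allowed message can be abused by flooding the bus until the real controller's traffic is crowded out.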