In the computer game Watch Dogs, developed by French video game developer Ubisoft, protagonist Aiden Pearce is able to use a highly specialised mobile device to gain access to the operating system of a hyper-connected future Chicago, enabling him to hack directly into moving vehicles and take control of their electrical systems using Wi-Fi.
While this may seem a little far-fetched and something that is a long way off in terms of our own technological achievements, it has in fact, already happened. Cyber attacks are now no longer confined to computer networks and mobile devices.
In July of this year, cyber security researchers Charlie Miller of Twitter and Chris Valasek of IOActive used the latest hacking techniques to hack in to the electrical systems of a Jeep Cherokee. They were able to do this without direct physical access to the vehicle.
Using the Internet they were able to gain wireless control of the Jeep Cherokee giving them access to the Jeep’s entertainment system, enabling them to relay commands to its dashboard functions, steering, brakes and transmission, and they were able to do all of this remotely 10 miles away from the vehicle's location.
Miller and Valasek have been hacking motor vehicles for years, but they had always required direct access to the vehicle to do so, with auto industry representatives playing down their accomplishments but this time they have been able to do this wirelessly from any location in the world.
So how is all this possible?
Well, because vehicle manufacturers like Crysler are now building cars in such a way that makes their electrical systems and computer networks act like smartphones that are connected to the Internet, this opens up a whole host of possibilities for hackers, allowing them to gain access to critical systems remotely using wireless connections.
It’s not just Crysler vehicles that are vulnerable either. While the Jeep Cherokee was highlighted as the most vulnerable by Miller and Valasek’s research, other models from various other manufacturers also ranked highly as possible targets.
The duo rated 24 cars, SUVs, and trucks based on three factors that they thought may determine their vulnerability to hackers.
- Number and type of radios that connected the vehicle's systems to the Internet
- Whether onboard computers were properly isolated from the vehicle's critical driving systems
- Whether digital commands could trigger physical (cyberphysical components) actions
Miller and Valasek developed software that was able to exploit these vulnerabilities. Their software was able to silently rewrite the firmware for the Uconnect’s entertainment system (or head unit) allowing them to plant their code and send commands through the vehicle's internal computer network.
The pair believes that these hacks will work on any Crysler vehicle that uses Uconnect versions from late 2013 onwards but they have only tested these exploits on a Jeep Cherokee so far.
So, without further ado, here are:
9 Terrifying Ways Hackers Can Control Your Car!
1. We Know How to Find You!
Because Uconnect computers are linked to the Internet via Sprint’s mobile network, hackers can use a Sprint mobile device as a Wi-Fi hot spot, along with a laptop, to scan for possible vulnerable targets on the Internet. Once an appropriate target has been found, they are then able to retrieve information about that vehicle, such as its vehicle identification number, make, model, IP address, and most scarily, its GPS coordinates.
Once the hacker has the GPS coordinates of the target vehicle, they can then input this data into Google Maps and track its general location by placing markers onto the map as the vehicle travels.
While the targets are seemingly random vehicles and no personally identifiable information is currently available to the hacker, Miller and Valasek have stated that pinpointing a vehicle belonging to a specific person, while not easy, isn’t impossible.
If a hacker used multiple connected devices, all scanning simultaneously, it could enable an individual person to be found and tracked. Even scarier is the fact that a very skilled hacker could use the vulnerability to take control of multiple Uconnect head units in multiple vehicles, enabling them to establish a wirelessly controlled mobile botnet, encompassing hundreds of thousands of vehicles. Such a network is a frightening idea.
2.We Control the Airwaves!
Imagine you found yourself driving down the motorway at night alone when suddenly the radio switched on at full volume, seemingly changing stations with you unable to control it or switch it off, I think you’d be forgiven for thinking you were about to be abducted by aliens, but this is one of the many ways that hackers can manipulate your vehicle via this exploit.
Try turning the volume down, or switching the radio off and you’ll soon find it impossible to do so.
Apart from the obvious distraction issues, these types of attacks could be used to harass and intimidate people and when you are not aware of who is controlling the radio this could becomes quite frightening for some people.
3.Cool Your Jets!
While not the most terrifying aspect of this hack, it’s also possible to control the vehicles air-conditioning system by remotely pumping air at full blast in to the target vehicle. Again, this would be something of a distraction to drivers, especially when travelling at high speed.
This may not seem all that scary but imagine driving on a very cold winters day, early in the morning and being blasted by cold air with no ability to stop it. Not a very nice experience, I think you’d agree.
4.Slow Your Horses!
It’s a beautifully sunny day and your travelling at 70mph down the motorway when suddenly your washer fluid starts to continuously spray your windscreen while your wipers swish from left to right uncontrollably at full speed.
While struggling to see through your windscreen, all confused and a little jumpy (and possibly quite cold from all the cold air being pumped in to your vehicle via the air-conditioning vents), that’s when your transmission unexpectedly cuts out and your vehicle stops responding to your accelerator.
As the vehicle begins to lose speed rapidly, you’re terrified to see in your rear view mirror cars, lorries and other motor vehicles beginning to rapidly pile up behind you, swerving and honking their horns when trying to avoid your sudden speed decrease.
Well, using this vulnerability, this is exactly what could happen if a hacker gained control of your vehicle.
5. Cut It Out!
While your vehicle is in motion, hackers also have the ability to completely and fully kill the engine. Leaving you unable to control your vehicle safely without restarting the engine.
If this command was given at a critical moment during your journey, this could cause a dangerous incident.
Imagine being on a busy motorway roundabout when this hack kicks in. Scary!
6. This Has to Stop!
If you’re not already a little worried, then imagine a hacker being able to abruptly engage the breaks of your vehicle while you’re in motion?
This is where things begin to get really dangerous. Having the ability to track a vehicle on the move and then suddenly engage the braking system is quite terrifying.
Speeding down the motorway at 70mph when your brakes unexpectedly and violently kick in is an extremely dangerous prospect for you and other motorists.
7. Life in the Fast Lane!
This part of the hack is probably the scariest of the lot and it’s a horrifying thought that a compromised vehicle could have its brakes completely disabled by some anonymous hacker miles away in a remote location while the driver is helpless to stop it.
This scenario is all too real though and Miller and Valasek have demonstrated this with chilling precision.
Once the hacker has control of the system, there’s nothing to stop them causing a major incident.
8. Can You See Me?
Miller and Valasek have also been able to send images remotely to the in-car digital display. You can certainly see how this could be abused and cause issues for the occupants of the vehicle.
9. Show Me the Way to Go Home (Backwards)
While travelling at slower speeds and only while reversing, the hack allows for the control of the vehicles steering.
Even though this hack only works at slower speeds, this is still a dangerous prospect for both the occupants and pedestrians.
Those Added Extras
The list of commands a hacker can issue when in control of a compromised vehicle is not limited to those listed above. They are also able to manipulate digital readouts for speed and fuel consumption, honk the horn, query the vehicle for information and unlock it.
As hacking techniques get more sophisticated and pervasive, and as vehicle systems become more integrated in to the ‘Internet of Things’, it doesn’t become difficult to imagine that future hacks could gain more and more control over a vehicles functions.
Miller and Valasek aren’t the only ones working on pointing out these vulnerabilities.
There has been other research conducted, such as that undertaken by researchers at the University of Washington and the University of California who were able to wirelessly disable locks and brakes on a Sedan.
There’s even a ‘Car Hackers Handbook’ out there.
These types of attacks are only likely to get more varied and sophisticated and with some 470,000 plus estimated Crysler vehicles already vulnerable to these types of attack, not to mention the very real possibility of other manufacturers models also being vulnerable to similar exploits it’s extremely important that both the auto industry and customers take note.
Crysler has issued a security patch which can be downloaded at their website by entering your Vehicle Identification Number (VIN) but this is a manual process that requires you to download the patch and update your Uconnect System via a USB drive. Alternatively, you can take your car to a dealer to get the update.
This type of patching requires that the customer be aware of the vulnerability though, which means that moving forward, the responsibility for updating the security of the vehicles electronic system lies with customers. There needs to be a better, more secure way of automating vehicle updates on these types of systems.
Crysler has now issued a recall for around 1.4 million vehicles and blocked this wireless hack on Sprint’s network.
In a hyper connected world, cyber attacks and cyber threats are an ever-growing concern for businesses and consumers alike and the research conducted by Miller and Valasek highlights the need for more individuals to be working in IT security jobs, specifically cyber security.
Axelos’s latest cyber security courses include RESILIA® Foundation and RESILIA® Practictioner. These courses represent the latest best practice framework for cyber resilience and the best in cyber security training.