Automakers have been swapping out mechanical parts for electronic control units, setting up in-car wifi networks, and connecting infotainment systems to cloud-based services. So it was only a matter of time before these technologies got hacked.
Technology is a trade-off. Consumers want a connected vehicle with wifi, centralized controls in a fancy touchscreen infotainment system, and maybe even an app that can serve as the keys. But these technologies are vulnerable.
That’s not to say the old standards are hack-proof – keys can be copied, locks can be picked, etc. But modern technologies present a new challenge, the threat of remote access.
Cherokee Hacked in a Planned Experiment
In a planned experiment with wired.com, researchers remotely hacked a Jeep Cherokee through a cellular connection with its uConnect infotainment system as it was being driven. And things got crazy, real fast.
While the driver was aware the Jeep would be hacked, he didn’t realize the true power of the hackers until silent panic filled his mind and body.
If you watch the wired.com video, you can see how the hackers used software to monitor the vehicle’s GPS and then use software to tell the vehicle’s system to mess with the radio, take over steering, kill the engine, and even over-ride the brakes.
They had done a similar experiment in 2013, but during that hack they were directly wired into the vehicle while sitting in the back seat. In this hack, they were on a couch far away.
Now it’s important to mention that while the Jeep wasn’t modified in any way, the hackers did have access to the vehicle ahead of time. But if automakers don’t step up, it might only be a matter of time before that’s not necessary.
FCA Patches Software in 1.4 Million Vehicles
With the bad publicity rolling in, it didn’t take long for Fiat-Chrysler (FCA) to respond. The hack was through a Harmon Kardon uConnect 8.4A or 8.4AN, so for those systems:
- FCA sent out an over-the-air (OTA) update to block remote access to all vehicles systems.
- They recalled 1.4 million vehicles with those uConnects by sending owners USB drives and instructions on how to update the system.
At the time, it seemed FCA was reluctant to issue the recall. Perhaps they had felt singled out by the wired.com article, but they were adamant there was no threat and quick to point out that no real-world hacking had happened.
FCA Sued for uConnect Vulnerabilities
FCA’s actions didn’t close the book on the problem. Not long after the recall, they were accused of not fully addressing the threat in a lawsuit.
The plaintiffs claim the uConnect 3G systems in the vehicles should be physically disconnected from the controller area network bus. The CAN bus links together the electronics of the vehicle, including vital functions such as the braking system and transmission.
Two and a half years later, FCA asked the case to be dismissed. The automaker reiterated no consumer had been unwillingly hacked and their recall patched the vulnerabilities.
The plaintiffs are unconvinced and say they wouldn’t have bought their cars if they knew of the threat the uConnect system posed.