A few months ago, researchers Charlie Miller and Chris Valasek hacked a car. Yes, hacked a Jeep, to be precise— as a guy (Andy Greenberg) was driving down the interstate at 70 mph. A few minutes later, Andy was stuck on the interstate with a disabled engine, courtesy of Miller and Valasek. Poor guy.
The impressive — and scary — part of this hack is that Miller and Valasek didn’t tamper with the car beforehand. Furthermore, they did the entire hack over Wi-Fi, sitting in Miller’s house a comfortable 10 miles away. After their live performance, the question on everyone’s mind was: how did they do it?
The answer lies in poorly designed technology. Technology has become an integral part of cars today. From integrated GPS systems to automatic parking, many cars use technology to control essential aspects of a car’s performance. While most people don’t think of cars as “computers,” the prevalence of technology in cars essentially allows cars to be just as hackable as computers are.
By gaining the access to the CAN bus, Miller and Valasek were able to control virtually every component of the car—the steering wheel, engine, braking system and more.
In their research, Miller and Valasek focused on the 2014 Jeep Cherokee. They began by gaining access to the car’s entertainment system. To do this, the duo exploited a design flaw related to the Jeep Cherokee’s D-Bus service, which is responsible for sending messages between the different processes in a car. On the Jeep Cherokee, the D-Bus service on the entertainment system was bound to a port, meaning that it could be contacted via Wi-Fi. This design in itself is not terrible; most services bound to ports use a form of authentication, such as a password, to make sure that the people trying to use it are allowed to. However, for some reason the Jeep Cherokee’s D-Bus could be accessed anonymously — no authentication was necessary. This flaw allowed Miller and Valasek to wirelessly tap into the Jeep Cherokee’s D-Bus.
What made hacking the Jeep Cherokee’s D-Bus so dangerous was that the D-Bus had “root” access. Having “root” access in a computer gives you the highest level of privilege and access in the computer. This privilege meant that Miller and Valasek could run arbitrary pieces of code. Thus after hacking the D-Bus, Miller and Valasek had a lot of immediate access to the car — getting the GPS coordinates of the car, blasting the radio, and even displaying a nice photo of themselves on the dashboard.
However, Miller and Valasek weren’t done. Through some extra effort, the duo used their access to the entertainment system to tap into the car’s CAN bus. The CAN bus is a vehicle’s internal network responsible for communicating electronically with various components of the car. By gaining the access to the CAN bus, Miller and Valasek were able to control virtually every component of the car — the steering wheel, engine, braking system and more.
For those who own a Jeep Cherokee, there is some good news. First, Chrysler released an update to their software to address this issue and recalled about 1.4 million vehicles that were vulnerable to the hack. If you happen to own one of those vehicles, I would highly recommend getting it fixed. Second, Miller and Valasek kept certain aspects of their research under wraps and shared their research with Chrysler for nearly nine months before they publicly announced their findings.
As Miller and Valasek have demonstrated, remotely hacking a car is possible. With the increasing presence of technology in cars and rising interest in self-driving cars, cars are becoming more and more vulnerable to such attacks, and their software security is becoming more important than ever.
A fun video of the researchers in action