A Blog by Jonathan Low

  

Jul 25, 2015

Hackers Can Stop Your Car Over the Web - While You're Driving It

Connectivity connects us all. And frequently in ways we didnt anticipate. But it is beginning to raise questions about the meaning of ownership when those who created the electronics that increasingly dominate your car's operations claim that they retain control.

And just imagine what will happen in the not too distant future when your refrigerator and your driverless car start feuding over who is first in your affections. JL

Russell Brandom reports in The Verge:

Chrysler's UConnect system uses Sprint's cellular network for connectivity, so researchers were able to remotely locate cars by scanning for devices using that particular spectrum band.
A new vulnerability in the Uconnect system gives attackers frightening remote powers over Chrysler vehicles, revealed in a Wired exclusive report. In a live demo, attackers used the vulnerability to cut out a Jeep Cherokee's transmission and brakes and, when the car is in reverse, commandeer the steering wheel — all without physical access to the vehicle. "This might be the kind of software bug most likely to kill someone," said Charlie Miller, one of the researchers behind the exploit. The full vulnerability will be presented next month at Defcon, although the researchers plan to withhold crucial details so that the bug cannot be exploited at scale.
Chrysler's UConnect system uses Sprint's cellular network for connectivity, so researchers were able to remotely locate cars by scanning for devices using that particular spectrum band. Chrysler has been including UConnect in cars since late 2013, and any cars that use the system are likely to be vulnerable to the attack. There's no apparent firewall, so once attackers have located the device's IP, they can deploy previously developed exploits to rewrite Uconnect's firmware and control the car as if they had physical access. The result is that once an attacker has a car's IP address, she can target it from anywhere in the country.
The good news for Chrysler drivers is, there's already a patch — but it probably hasn't reached your car yet. Chrysler released a patch on the 16th, but it has to be installed manually, either by a dealership mechanic or manually via USB. It can be downloaded here. The vulnerability has also inspired government action, as a new automotive security bill is being introduced in the Senate alongside the report.
Save And Share : Tweet This ! Share On Facebook ! Share On Reddit ! Share On LinkedIn ! Share On Google Buzz ! Share On Digg ! Post To Blogger ! Share On Google Reader ! Google Bookmark ! Send An Email ! Blog Feed !

0 comments:

Post a Comment