The duo that hacked a Jeep Cherokee a year ago is back. The hacks can now take over more of the car, but only via physical access, such as via a laptop connected physically to the car’s OBD-II (on-board diagnostics) port. This time around, the hackers were able to mess with the ECU (engine control unit), work the steering wheel at speed, increase cruise control settings, or activate an electronic parking brake. The hacks of 2015 were less dangerous, but they were accomplished remotely. Still, there’s cause for concern here, which we’ll explain shortly.
A year ago, online-security researchers Charlie Miller and Chris Valasek attached themselves remotely to a Jeep Cherokee. They were able to disable the transmission and brakes and — only with the car in reverse, at low speed — take over the Jeep’s steering. The hack worked because the car’s steering can be controlled when the car thought it was automatically parallel parking. Scary, but fortunately there’s not a lot of damage you can do at 5 mph. Jeep has since patched that vulnerability.
But the hackers weren’t done. The same researchers, now working at Uber’s Advanced Technology Center, switched to attacking the car via the OBD-II connector and access to the car’s CAN bus (controller area network), with provides links many of the car’s microcontrollers. Depending on what’s considered a microcontroller (a seat adjuster has one, so does the electric window lift), a car might have 100 of them.
Part of the ECU’s job is to look for spurious or conflicting signals and tell the car to ignore them. But with access to the CAN bus, it’s possible to update the ECU firmware in a way that it doesn’t reject oddball signals, such as making a sharp turn at high speed. Among the things that became possible, now going forward as well as reverse, and also at higher speeds:
Miller, in an interview with Wired cautioned, “It’s not like I can take control of the car and drive you to my house and you can’t stop me. But if you’re not paying attention, it’s definitely dangerous.”
Told of the 2016 hacks, Chrysler issued a statement that read, “While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.” Chrysler also said the software on the hacked car was not Chrysler’s most recent.
There is a possible way to do this wirelessly, though. While the new hacks required physical access to OBD-II, it’s believed possible that OBD-II driving monitors such as from Progressive Insurance, the Automatic phone app with adapter, or the Verizon Hum, all with wireless interfaces, could be compromised. Then hackers would or could be back in business.