The technology of Internet-connected cars promises convenience and advantages for the drivers, but Kaspersky Lab warns it also brings new risks to today’s car users. It urges car manufacturers to develop better security features as investigators announced exploitation of the first ever zero-day vulnerability for Internet-connected vehicles. A zero-day vulnerability is a security flaw where the exploit appears immediately after the bug has been discovered. This leaves almost no time for any vendor to launch any defensive efforts.
Security researchers Charlie Miller and Chris Valasek recently hacked into a manned Jeep Cherokee where they found the vulnerability in the onboard computer of the car. From 10 miles away, they remotely gained access through the onboard entertainment system not only to non-critical settings but also the car’s controls like the brakes and accelerator. To start with, the air conditioner, radio and windscreen wipers went crazy and Wired journalist Andy Greenberg, the car driver, could do nothing about it.
Miller and Valasek, known in conducting government-funded research into the security of smart auto systems, then took control of the car itself. The accelerator and brakes of the Jeep responded only to the remote investigators and not to Greenberg. The attack on the unmodified Jeep Cherokee was carried out using a vulnerability in the onboard Uconnect system. Uconnect is an in-vehicle connectivity system that provides wireless Internet connection to any cars of the FCA auto-group, Chrysler, Dodge, Fiat, Jeep and Ram.
“Allegedly, the vulnerability was found in the Uconnect onboard system. If the reports are correct, the attack proves that it is enough to know the external IP of a target, in order to rewrite the code in the car’s onboard computer and gain control of the vehicle,” said Sergey Lozhkin, Senior Security Researcher at Global Research & Analysis Team (GReAT), Kaspersky Lab.
Before this experiment, a remote attack on a car’s critical systems remained a purely theoretical scenario about which experts have warned for a long time including security experts from Kaspersky Lab.
Last year, Kaspersky Lab launched the First Annual Connected Cars Study to provide an overview of the connected car market and to analyze the different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the Internet-connected vehicle.
“Connected cars can open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before,” said Vicente Diaz, Security Researcher at GReAT, Kaspersky Lab.
With the risks presented by this experiment, Kaspersky Lab urges car manufacturers to think of the security of cars in the same way that the company would approach the security of corporate networks or computers.
Jeep auto company has already released a patch for Uconnect, which can be installed either at official dealers, or, for the technically minded, independently via a USB-port.
At the moment, the investigators can see a vehicle’s VIN, GPS coordinates and IP address by connecting to the Sprint network and using the 0-day exploit they found.