StaffAllpar HomeMore NewsCarsTrucksUpcomingRepairsTest drives

Hackers Control Jeep Cherokee From 10 Miles Away

by Bill Cawthon on

A pair of researchers recently took over the controls of a Jeep Cherokee from ten miles away, demonstrating that they could hack into key systems without physically touching the car.

Chris Valasek, director of vehicle security research at IOActive, and Charlie Miller, an independent security researcher, took command of the Cherokee’s transmission and brakes, creating conditions where the driver could panic and lose control. They also controlled the sound system and windshield wipers

Jeep-Cherokee-Hacked

In an article on Wired.com, Andy Greenberg described being at the wheel of a Jeep Cherokee that was taken over by Mr. Miller and Mr. Valacek in a planned demonstration. (Mr. Greenberg worked with the team to set it up; it was not a hostile attack.)

In 2013, the same team had taken over a Ford Escape and a Toyota Prius, but that time they had physical access to the car’s OBD port first.

This hack is only valid for the UConnect Access and Via Mobile system, which let them into powertrain control through the CAN bus. However, the researchers said that any car with advanced telematics systems is vulnerable to similar attacks, given similar time and research.

While Chrysler uses the locked-down QNX operating system, the extended mobile-phone integration of the Access/Via Mobile system seems to have been key to this attack. The researchers waited for Chrysler to issue a fix before making their work public.

Miller and Valasek plan to share details of their work in a briefing at the Black Hat conference in early August. They will not release all of the software they created, they will be releasing enough that it could be backward-engineered and used by other hackers.

In a statement, Fiat Chrysler was critical of the planned briefing, saying, “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage or help enable hackers to gain unauthorized and unlawful access to vehicle systems.”

Fiat Chrysler has issued a software fix for the vulnerability and has notified vehicle owners to either download the patch from the Uconnect website or take their vehicle to an authorized FCA dealer where the update will be installed for free. Allpar has posted step by step firmware-upgrade instructions for owners, since the Chrysler process can be confusing.

Some had predicted that the rush to add more connectivity, while replacing mechanical/electrical control systems with electronic ones, would make cars vulnerable to hackers and cybercriminals.

Mr. Valasek wrote, “We feel that as cars become more connected, software security becomes more important. In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented.”

Senators Edward J. Markey (D-MA) and Richard Blumenthal (D-CT)’s have cosponsored the Security and Privacy in Your Car (SPY Car) Act, which would order the NHTSA and the Federal Trade Commission to set standards for securing cars and protecting  privacy.

A Chrysler spokesperson said that only the following cars and trucks are vulnerable to the hack, and that a software update is available for all of them:

  • 2013-2014 Dodge Durango
  • 2013-14 Dodge Viper
  • 2014 Jeep Cherokee and Jeep Grand Cherokee
  • 2013-2014 Ram 1500, Ram 2500, and Ram 3500 Pickup and Chassis Cab

However, service bulletin 08-031-15 Revision A adds the 2015 Jeep Grand Cherokee and Cherokee; Dodge Challenger, Charger, Viper, and Durango; all Ram pickups and chassis-cabs; and Chrysler 300.

Miller and Valasek said that any Chrysler vehicle from model years 2013, 2014, and 2015 is vulnerable to hacking of its entertainment system, and that systems from other automakers are  equally at risk from similar attacks.

Bill Cawthon grew up in the auto industry in the 1950s. His Dad worked for Chrysler and Bill spent a number of Saturdays down on the plant floor at Dodge Main in Hamtramck. Bill is also the U.S. market correspondent for just-auto.com, a British auto industry publication, and a member of the Texas Auto Writers Association, which has named the Jeep Grand Cherokee the “SUV of Texas” several times and named the Ram 1500 as the “Truck of Texas” two years running.

Bill has owned five Plymouths (including the only 1962 “Texan”), one Dodge and one Chrysler and is still trying to figure out how to justify a Wrangler. He also has owned at least one of every 1:87 scale model of a Chrysler product. You can reach him directly at (206) 888-7324 or by using the form.


Features: V8, Hyundai, and Mopar

Inviolet and a new green

Tornado following the Hurricane?

More Mopar Car
and Truck News

Some popular Allpar pages





Dodge Demon

2018 Wrangler JL



Staff details/contactsTerms of ServiceInformation is presented to the best of our knowledge. Plans change and sometimes mistakes are made. Decisions or purchases made based on this site's verbiage or images are done at the reader's own risk. Also see the Allpar News archives, 1997-2008 • Copyright © 2008-2017, Allpar LLC. All rights reserved. • Mopar, Dodge, Jeep, Chrysler, HEMI, and certain other names are trademarks of Fiat Chrysler Automobiles.