A pair of researchers recently took over the controls of a Jeep Cherokee from ten miles away, demonstrating that they could hack into key systems without physically touching the car.

Chris Valasek, director of vehicle security research at IOActive, and Charlie Miller, an independent security researcher, took command of the Cherokee's transmission and brakes, creating conditions where the driver could panic and lose control. They also controlled the sound system and windshield wipers.


In an article on Wired.com, Andy Greenberg described being at the wheel of a Jeep Cherokee that was taken over by Mr. Miller and Mr. Valasek in a planned demonstration. (Mr. Greenberg worked with the team to set it up; it was not a hostile attack.)

In 2013, the same team had taken over a Ford Escape and a Toyota Prius, but that time they had physical access to the car’s OBD port first.

This hack is only valid for the UConnect Access and Via Mobile system, which let them into powertrain control through the CAN bus. However, the researchers said that any car with advanced telematics systems is vulnerable to similar attacks, given similar time and research.

While Chrysler uses the locked-down QNX operating system, the extended mobile-phone integration of the Access/Via Mobile system seems to have been key to this attack. The researchers waited for Chrysler to issue a fix before making their work public.

Miller and Valasek plan to share details of their work in a briefing at the Black Hat conference in early August. Although they will not release all of the software they created, they will release enough that it could be reverse-engineered and used by other hackers.

In a statement, Fiat Chrysler was critical of the planned briefing, saying, “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage or help enable hackers to gain unauthorized and unlawful access to vehicle systems.”

Fiat Chrysler has issued a software fix for the vulnerability and has notified vehicle owners to either download the patch from the Uconnect website or take their vehicle to an authorized FCA dealer, where the update will be installed for free. Allpar has posted step-by-step firmware-upgrade instructions for owners, since the Chrysler process can be confusing.

Some had predicted that the rush to add more connectivity, while replacing mechanical/electrical control systems with electronic ones, would make cars vulnerable to hackers and cybercriminals.

Mr. Valasek wrote, “We feel that as cars become more connected, software security becomes more important. In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented.”

Senators Edward J. Markey (D-MA) and Richard Blumenthal (D-CT) have cosponsored the Security and Privacy in Your Car (SPY Car) Act, which would order the NHTSA and the Federal Trade Commission to set standards for securing cars and protecting privacy.

A Chrysler spokesperson said that only the following cars and trucks are vulnerable to the hack, and that a software update is available for all of them:
  • 2013-2014 Dodge Durango
  • 2013-14 Dodge Viper
  • 2014 Jeep Cherokee and Jeep Grand Cherokee
  • 2013-2014 Ram 1500, Ram 2500, and Ram 3500 Pickup and Chassis Cab

However, service bulletin 08-031-15 Revision A adds the 2015 Jeep Grand Cherokee and Cherokee; Dodge Challenger, Charger, Viper, and Durango; all Ram pickups and chassis-cabs; and Chrysler 300.

Miller and Valasek said that any Chrysler vehicle from model years 2013, 2014, and 2015 is vulnerable to hacking of its entertainment system, and that systems from other automakers are equally at risk from similar attacks.