A real attack by hackers using a security flaw in Fiat Chrysler’s cars is “slim”, according to IT security experts.
The manufacturer issued a safety recall affecting 1.4 million vehicles in the US after security researchers Charlie Miller and Chris Valasek demonstrated how hackers could take control of a Jeep Cherokee by using the car’s entertainment system.
The demonstration for a Wired magazine article saw the Jeep Cherokee which was being driven by reporter Andy Greenberg forced off the road.
A security hole in Fiat Chrysler’s on-board internet-enabled software allowed Miller and Valasek to affect everything from windscreen wipers and GPS, to steering and braking.
The system, which is called Uconnect, has been installed in vehicles since late 2013, and is designed to allow the doors to be unlocked and the car to be started with the tap of an app.
However, the successful hack due to this particular flaw should not be overstated, according to Ken Westin, senior security analyst at Tripwire. “Although the hacking of the Jeep by Miller and Valasek seems quite scary, the actual possibility of this vulnerability being used in a real attack is slim,” he told Fleet News.
“As the researchers in this case worked closely with Chrylser to provide detailed information regarding the vulnerability, they were able to develop a patch to fix the security vulnerability in the vehicle systems.”
Fiat Chrysler said exploiting the flaw “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code”.
It added that manipulating its software “constitutes criminal action”.
Nevertheless, it has announced a voluntary recall to update the software in affected vehicles, while Miller and Valasek are due to reveal further details about their work at the Def Con hacker conference this month.
Westin warned: “As this is still a relatively new area of security research, we will begin to see more vulnerabilities in vehicle systems. Car manufacturers will need to develop safe and secure methods of updating software in these systems, either through dealerships or possibly even remotely, however the latter could introduce more vulnerabilities into these systems.”
The risks of the connected car lie in the ability to affect the operations of the vehicle from the outside world.
However, Tim Erlin, director of security and product management at Tripwire, says the good news is that secure software development isn’t a novel concept.
“There are known best practices that can be applied to automotive software as well,” he said. “Fiat Chrysler has an opportunity to use this incident to pioneer software security for the automotive industry.”
Fiat Chrysler said that no vehicles sold in the UK were affected, but a separate piece of research from the UK’s NCC Group has shown how it could be possible to hack a car’s control systems through its digital radio.
Andy Davis, NCC’s research director, explained that an attack rig could be put together using cheap components connected to a laptop.
The infotainment system of a targeted car, once compromised, could be used as a stepping stone to attack more critical systems, including steering and braking.
“If you had a vulnerability within a certain infotainment system in a certain manufacturer’s vehicle, by sending one stream of data you could attack many cars simultaneously,” he told the BBC.
Davis has previously hacked into a real vehicle’s automatic braking system through manipulating its infotainment system. A similar approach could be replicated through a digital radio broadcast, he suggested.
Westin concluded: “The automotive industry understands the importance of security and they are not only working with researchers, but also each other to help develop standards and best practices for more secure vehicles. “The work that researchers like Miller and Valasek are doing is actually helping to make our vehicles more secure in the future.”