If you drive a Fiat Chrysler vehicle, listen up: Your car may have a gaping security flaw. Uconnect, the Internet-connected software installed in newer Fiat Chrysler models, can be hacked remotely due to a vulnerability in its cellular capabilities.
In a Wired story published today, senior writer Andy Greenberg explains that he signed up to be a guinea pig for security researchers Charlie Miller and Chris Valasek. He was strapped into a Jeep and directed to head onto the highway. From 10 miles away, Miller and Valasek proceeded to hack into his car’s software, toggling the windshield wipers, blasting the radio, and, eventually, cutting the transmission:
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
Later, the hackers also managed to take over the brakes and sent the Jeep into a ditch:
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
The Uconnect software manages a Chrysler vehicle’s entertainment and navigation systems, provides a Wi-Fi hotspot, and allows drivers to make phone calls. It’s the cellular connection that gives hackers an in: Anyone who knows the car’s IP address can hijack the car, regardless of where they are.
To help prevent car hacking, Miller and Valasek informed Chrysler of the issue months ago. The carmaker released an updated version of the software, but owners have to manually download it and upgrade their cars through a USB drive.
Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) announced legislation on Tuesday that will ensure automobile companies meet specific privacy measures to protect against cyberattacks, Wired reports. A spokesperson told Wired that the move was not related to their article.