Two cyber-security researchers have remotely turned off the engine of a car travelling on an American highway, in a demonstration that raises concerns about the safety of increasingly Internet-connected cars.
Former NSA cyber-security expert Charlie Miller and IOActive hacker Chris Valasek demonstrated the technique to a Wired reporter, who was driving the attacked car at 70mph.
To reach the engine, the hackers went through Uconnect, the car’s telematics feature, which primarily manages the car's entertainment and communication systems through an Internet-connected interface.
In the controlled test, they turned on the Jeep Cherokee's radio and activated other inessential features before rewriting code embedded in the entertainment system hardware to issue commands through the internal network to steering, brakes and the engine. During the attack, the hackers were sitting ten miles away from the targeted car.
"There are hundreds of thousands of cars that are vulnerable on the road right now," Miller told Reuters.
The two have been putting car safety to the test for years and were among the first to have warned about the risks of Internet connectivity in cars.
They have been using a Fiat Chrysler since October and informed the car-maker about the vulnerability, which Fiat said had since been fixed.
"Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems," the company said, adding that a software patch is available for free to owners of cars equipped with Uconnect on the company’s website or at dealerships.
Miller and Valasek said the attack was not an easy one to carry out and would take potential hackers months of work to emulate, as they would have to work their way from the entertainment system to the core on-board network. Moreover, the hackers would need to know the Internet Protocol address of the car, which may be quite difficult to obtain, as it changes with every start of the car. Otherwise, the hackers would be attacking completely random cars.
However, they stressed the demonstration should provide a warning to car-makers racing to add more and more fancy interconnected features to their vehicles in order to attract customers.
"Anything that connects to the outside world is an attack vector, from my point of view," Valasek said, adding the method could be used to target other types of vehicles with just a modest adjustment to their code.
They called on car-makers to focus on segregating on-board entertainment and engineering networks and to develop intrusion-detection software that would prevent unauthorised access to the systems.
The full details of the demonstration will be released at the Def Con security conference next month.