lolloj - Fotolia
Jeep hack raises questions about responsibility for security
The hack of a Jeep raises the question whether users or car manufacturers should be responsible for protecting against cyber attackers
The reported hacking of a Jeep Cherokee has sparked fears that more than 470,000 cars made by Fiat Chrysler could be at risk and raised questions about who is responsible for security.
Security researchers Charlie Miller and Chris Valasek have demonstrated they are able to take control of a Jeep Cherokee and crash it by hacking into its computer systems from 10 miles away.
Miller and Vlasek have developed software that enables hackers to send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission, reported Andy Greenberg at Wired.com.
According to Greenberg, Miller and Valasek were able to control the vehicle’s air vents, windscreen wipers, apply brakes, and then disable the brakes, sending it crashing into a ditch.
The pair are perfecting their ability to take control of the vehicle’s steering, but are already able to track a compromised vehicle’s GPS co-ordinates, plot its route and measure its speed.
The hack was enabled by exploiting vulnerabilities in the Uconnect software used by Fiat Chrysler vehicles to control the entertainment system and enable features such as remote locking and starting using a smartphone app.
According to Miller and Valasek, the biggest security vulnerability is the vehicles’ ability to connect with the internet, because anyone who knows the IP address can access its computer systems.
They have previously demonstrated their ability to hack into and control other cars such as the Toyota Prius and Ford Escape.
Security experts are urging owners of affected vehicles to install the security update that has been released for vehicles fitted with a model RA3 or model RA4 radio/navigation system. Miller and Valasek have reportedly been working with Fiat Chrysler to enable them to release a patch before making the hack public.
Independent security consultant Graham Cluley pointed out in a blog post that Miller and Valasek believe that, although they have only tested it out on Jeeps, the attacks could be tweaked to work on any Fiat Chrysler car with a vulnerable Uconnect head unit.
Responsibility for security
Just like hacks into online services, this latest hack into a car control system has raised the question whether security should rest on users or the providers of IP-connected goods and services.
WhiteHat Security founder and chief technology officer Jeremiah Grossman questioned whether users should be responsible for ensuring the security of vehicles.
"With car hacking, and cars being little more than rolling computers nowadays, are we expected to install security software there as well as PCs and servers, or are manufacturers responsible for protecting their cars' occupants against a digital adversary?” he asked, calling it “an interesting fork in the digital road”.
Read more about ethical hacking
- Nick Lewis explains what an ethical hacker is and what skills such a hacker needs to besuccessful and compliant with the law
- Kevin Beaver gives detailed information about how to ethically hack into your systems toexpose security vulnerabilities
- While 96% of UK firms have been hacked, 9.1% have not acted to protect themselvesfrom hacking, a survey has revealed
Cloudmark research analyst Andrew Conway said he was shocked to discover that major car manufacturers think it is perfectly acceptable to have the brakes, steering and transmission of a automobile controlled by a network that is also connected to the internet.
“There are lots of good reasons to connect a car to the internet – navigation, entertainment, phone calls, weather forecasts and so on – but there are no good reasons to have that network connected to the drive systems except to save a buck or two in the manufacturing process,” he said.
According to Conway, the controls needed to drive the car should be completely isolated from any external-facing system without any Bluetooth, Wi-Fi, 3G or 4G connections.
“Miller and Valasek took a couple of years to completely compromise the systems of a popular car model. What if the resources of a nation state security service had been directed at the same task to cause road accidents involving targeted individuals,” he said.
Reconsidering the internet of things
Kaspersky Lab security researcher Marta Janus said everything connected to the internet is prone to attacks and is potentially hackable.
“When it comes to transportation, such as cars, trains and airplanes, the consequences of a successful breach can be infinitely more serious than a computer or mobile device hack, as people's lives are directly at stake,” she said.
In light of this recent research, Janus said there is a need to reconsider the concept of the internet of things and think carefully about which devices should be connected to each other.
While computers, smart phones and tablets would be next to useless without an internet connection, she said there is no real advantage of having a car with access to the internet.
“For navigation and remote door opening, a centralised online system isn’t necessary, and the few convenience features that would be impossible without internet connection are not really worth the dire risk of being hacked,” said Janus.
“In my opinion, transportation, together with industrial systems and other critical infrastructure, shouldn't make use of public internet at all. Instead, they should build separate networks, featuring unique and custom-made secure protocols to reduce the risk of potentially fatal hacking,” she said.
Land Rover was praised recently for its decision to recall more than 65,000 vehicles affected by a software flaw that could be exploited to unlock vehicles. The recall of Range Rover and Range Rover Sport vehicles sold in the past two years follows reports that car thieves were targeting these vehicles because of the ease of opening their electronic locking systems.
News of the Jeep hack comes just days after the UK government announced a £20m fund to research and develop driverless car technology in the UK.
The move is accompanied by the establishment of a non-statutory code of practice to help ensure public safety, which hopefully includes cyber security.