
Hackers can take over your jeep

Krishna Bahirwani takes a look at the proof of concept that has drivers around the world worried


The Jeep Grand Cherokee, which is set to be made in India after the finalization of a deal between Chrysler and the Maharashtra government, is vulnerable to hacking. Attackers can take control of the car through a security weakness in its design, which gives them access to the dashboard functions, steering, brakes, and transmission without even being in the vicinity of the car.

The affected vehicles are those equipped with 8.4-inch touchscreens, including 2013-2015 MY Dodge Viper specialty vehicles, 2013-2015 Ram 1500, 2500 and 3500 pickups, 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs, 2014-2015 Jeep Grand Cherokee and Cherokee SUVs, 2014-2015 Dodge Durango SUVs, 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans, and 2015 Dodge Challenger sports coupes.

Sergey Lozhkin, Senior Security Researcher at GReAT, Kaspersky Lab, commented on the hacked Jeep, saying, "There [is] a media storm in the Information Security industry. For the first time in history, researchers reported a remote control vulnerability in connected cars. The demo remote attack was said to be performed on a Jeep Cherokee's on-board computer. Charlie Miller and Chris Valasek were reported to have found the vulnerability in the entertainment system. Through the vulnerability they not only got access to non-critical settings, they also took control over the car. First, the car driver could not control the air-conditioning system, radio and windscreen wipers. Then the car itself came under control of the researchers, rather than the owner.

Allegedly, the vulnerability was found in the Uconnect onboard system, which was operating with mobile network operator Sprint to communicate with the external world of Fiat Chrysler Automobiles (FCA). If the reports are correct, the attack proves that it is enough to know the external IP of a target, in order to rewrite the code in the car's onboard computer and gain control of the vehicle.

Vulnerabilities could be found anywhere, where there is an operating system and installed applications. To protect a car, manufacturers should think of the security of cars in the same way that we would approach the security of corporate networks or computers.

At Kaspersky Lab, we believe that to avoid such incidents, manufacturers should build the smart architecture for cars with two basic principles in mind: isolation and controlled communications. Isolation means that two separate systems cannot influence one another, for example, the entertainment system shouldn't influence the control system in the way that it did with the Jeep Cherokee. Controlled communications mean that cryptography and the authentication for transmitting and accepting information from and to the car should be fully implemented. According to the result of the experiment we witnessed yesterday, the authentication algorithms were weak or vulnerable, or the cryptography was not correctly implemented.

The patch for this issue was released last week. If you drive an FCA car, please contact your dealer and ask for all updates to be installed."

The manufacturer is conducting a voluntary safety recall to update software in approximately 1,400,000 affected U.S. vehicles. "The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action.

"Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which require no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network," said the company in a statement.
 
