Hack takes new turn on steering & cruise control

If you are an automaker, whatever you do, don’t sell a car to Charlie Miller or Chris Valasek. Owners of a Jeep Cherokee, they like to hack into it and enjoy the process. Since their remote hack last year, they have continued to be bug busters for the Jeep Cherokee. This time, a notebook computer was connected to a 2014 Jeep Cherokee to show off at the Black Hat security conference. From the computer, they can steer and speed up the car.

The dashing hacking duo connected a notebook to the OBD port to take over the steering wheel by connecting directly to two ECUs and knocking one out.

“You have one computer in the car telling it to do one thing and we’re telling it to do something else,” says Miller. “Essentially our solution is to knock the other computer offline.”

They claim they can stop the car and digitally turn the wheel themselves at any speed.

When they tried their tricks out they drove into a ditch and had to call a tow truck.
If the driver had both hands on the steering wheel he could have compensated immediately for the turn.

In a separate attack they took over the cruise control and could speed up the vehicle quickly.

FCA said in a statement, “This demonstration required a computer to be physically connected into the vehicle’s onboard diagnostic (OBD) port and present in the vehicle, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”

“[The vehicle] appears to have been altered back to an older level of software and it is highly unlikely that this exploit could be possible…if the vehicle software were still at the latest level,” reported FCA.

In the paper they plan to publish during Black Hat, Miller and Valasek suggest that automakers take more steps to prevent the CAN hacks they executed.

They say that automakers shouldn’t allow potentially dangerous diagnostic tests unless a physical switch is flipped on the car by the mechanic. They also contend that something should monitor the CAN network for signs of this kind of ECU-silencing attack.
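
One way the bus monitoring recommended above could look, as an added example that is not from the article or from Miller and Valasek's paper: learn how often each periodic CAN ID normally appears, then alert when an ID goes quiet or suddenly arrives much faster than learned. The CAN IDs, periods, thresholds and traffic are constructed, and treating silence and timing conflicts as the "signs" to watch for is an assumption.

```python
from collections import defaultdict
from statistics import median

def learn_periods(frames):
    """Median inter-arrival time (ms) per CAN ID from a known-good capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= 3}

def detect(frames, periods, silence_factor=5, conflict_factor=0.5):
    """Return (timestamp_ms, can_id, kind) alerts for a capture."""
    alerts, last, raised = [], {}, set()
    for ts, can_id in frames:
        # Every frame is a clock tick: check all learned IDs for silence.
        for cid, period in periods.items():
            quiet = cid in last and ts - last[cid] > silence_factor * period
            if quiet and (cid, "silent") not in raised:
                raised.add((cid, "silent"))
                alerts.append((ts, cid, "silent"))
        # Frames arriving much faster than learned suggest a second sender.
        if can_id in periods and can_id in last:
            fast = ts - last[can_id] < conflict_factor * periods[can_id]
            if fast and (can_id, "conflict") not in raised:
                raised.add((can_id, "conflict"))
                alerts.append((ts, can_id, "conflict"))
        raised.discard((can_id, "silent"))  # sender is back, re-arm the alert
        last[can_id] = ts
    return alerts

def sample(duration_ms, stop=None, extra=None):
    """Constructed traffic: three periodic IDs with made-up IDs and periods."""
    frames = []
    for cid, period in ((0x100, 10), (0x200, 20), (0x300, 50)):
        for t in range(0, duration_ms, period):
            if stop and cid == stop[0] and t >= stop[1]:
                break  # this sender goes quiet from stop[1] onward
            frames.append((t, cid))
            if extra and cid == extra[0] and t >= extra[1]:
                frames.append((t + 2, cid))  # second sender on the same ID
    return sorted(frames)

if __name__ == "__main__":
    periods = learn_periods(sample(1000))
    for alert in detect(sample(1000, stop=(0x100, 300), extra=(0x200, 500)), periods):
        print(alert)
```
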