UConnect Hack... Taking Control of Vehicles


Uconnect security flaw can be patched by owners

Your new Jeep Cherokee can be taken over remotely by hackers thanks to an exploit in its Uconnect infotainment system, according to a report from Wired.

In a demonstration, a pair of hackers compromised a Cherokee’s onboard systems with writer Andy Greenberg in the driver’s seat. They were able to do everything from control the HVAC (mildly annoying) to kill the engine (potentially deadly) from miles away.

We’ve known today’s vehicles were vulnerable to electronic attack for a while now. In 2013, Greenberg sat helplessly in a Toyota Prius as the same hackers -- Charlie Miller and Chris Valasek -- commandeered the controls. That time, however, the pair was sitting in the back seat; they needed a hard-line connection to the car to interfere with its operations. Today, vehicles’ increasingly prevalent onboard cellular systems can provide the link attackers need to seize control.

The Fiat Chrysler Uconnect system, shown here in a 2015 Jeep Cherokee, may have security flaws that leave vehicles vulnerable to hackers. PHOTO BY JEEP

Before you freak out, know that a software patch is available to fix the problem. Like every other vehicle recall or technical service bulletin ever issued, however, Fiat Chrysler’s fix -- which comes in the form of a user-installable update -- will only improve your vehicle ownership experience/keep you safe from computer-savvy teenagers with malicious intent if it is actually performed on your vehicle.

Unlike every other recall/TSB we can think of, however, you can install the upgrade yourself without ever popping the hood. Truly, we are entering a brave new world of vehicle ownership.

To install the patch:

- Jot down your vehicle’s 17-digit vehicle identification number (VIN) -- you'll need it to see if the software update applies in your situation.

- Visit the software update section of the Uconnect website here and input that VIN. From there, you’ll be able to download the relevant update and extract it to a removable USB flash drive. The Uconnect site will guide you through the process if you’re having trouble. There are also a number of helpful, owner-contributed online video tutorials that cover the subject, like this one here for a Uconnect-equipped Dodge Dart (the update process is the same).

- Connect that flash drive into your vehicle via its onboard USB port and, when prompted, confirm that you want to install the update. That’s basically it.

- If you don’t feel comfortable performing the procedure yourself, you can take it to a dealership and they’ll perform the update at no cost to you.

- If you have any questions, you can call the Fiat Chrysler vehicle care center at (877) 855-8400.

A note to all of you feeling smug about not buying a Uconnect-equipped Cherokee: This Jeep may be one of the first vehicles to have its software flaws exposed, but it certainly won’t be the last; in the near future, no automaker, except maybe Morgan, will be totally invulnerable to hackers. Consider it the price we pay for lavish, complicated onboard technology and infinite in-car connectivity, and be prepared to get proactive when it comes to keeping up with emerging threats.

Read more: http://autoweek.com/article/car-news/your-jeep-cherokee-vulnerable-hackers-heres-how-fix-it#ixzz3gd6MNPIl


It shouldn't have any added costs. This is a software bug - a flaw left over from programmers who either didn't notice it, didn't think about it, didn't have enough time to test it completely, or lacked the imagination to attempt hacking into a car through a cellular network and attempt to take over the major vehicle systems through an open port accessible to the radio. Software code maintenance should be expected whenever you release an operating system (and let's be realistic here - UConnect is an operating system). If for no other reason than to allow continued compatibility with new phone software, UConnect should be getting periodic updates.

The hackers in question did not do this with malicious intent. This is not their first hacked car, and it won't be their last. I'd rather the flaws be identified and the manufacturer notified quietly so they have time to develop a patch to fix the flaw than to find out it's possible as the result of a deadly wreck.

The lesson learned by vehicle owners is that we are driving mobile computers. You patch them when updated software comes out - the manufacturer doesn't do things just because they feel like it. This is only slightly different than Microsoft or Apple releasing a patch regarding known flaws in their own software that would allow for the theft of personal data (name, Social Security numbers, date of birth, etc.) - and only different in the potential for immediate effect.

The lesson that should be learned by EVERY vehicle manufacturer is to pay external consultants to attempt to break into your stuff. If they can, they need to provide full documentation as to how they did it, and they get put under a non-disclosure agreement until the patch has been out for at least a few weeks (to allow time for current owners to update their own vehicles).

Edited by bfurth

  • 3 weeks later...

Not a Uconnect hack, but beware of those tracking devices from GEICO and other insurance companies!

Car hackers have struck again, this time stopping a Chevrolet Corvette in its tracks, then not letting it stop at all.

The vehicle was fitted with a dongle from Metromile that plugs into a car’s OBD2 port to provide a stream of data that the company uses to charge insurance rates based on how a person drives. Such "by-the-mile" and "safe driver" plans are becoming increasingly popular across the United States, and this particular company provides the service to some Uber drivers.

Wired reports that researchers at the University of California at San Diego (UCSD) reverse engineered the cellular-connected device, discovered several security flaws, and developed a way to use it to control several of the 2013 Corvette’s systems by simply sending it text messages.

In a video demonstrating the exploit, they operated the windshield wipers and both applied and deactivated the brakes at low speeds. Although they only attacked the one car under controlled circumstances, they claim they would’ve been able to do similar things to just about any vehicle using one of the dongles, including taking control of the steering or transmission.

The researchers notified Metromile about the flaw in June before they publicized it, and the company says that it’s sent out a patch to fix it. However, the dongles, which were made by Mobile Devices of France, are used by other insurance providers and fleet management firms around the world, and the UCSD team says it has spotted thousands of still-vulnerable vehicles via the Internet.

Mobile Devices has yet to comment on the hack.


I have said from the get go when they started flogging these units here in Canada that I'll pay the extra 10 bucks a month for insurance before plugging one of these units in to my vehicle. I have no control over idiots that cause me to accelerate or brake in emergency situations and I refuse to deal with them.


As was noted, Journey has no wireless connection to the world (terrestrial and sat-radio/nat notwithstanding) and are in no danger, however it is important for consumers to know and understand the darker side of these fabulous new technologies the automakers are peddling (Chevrolet touts the fact that all of its models have available 4G LTE connectivity to keep spawn entertained so mom/dad can keep some resemblance of sanity on trips).

I tried to use those dongles when I had Progressive a few years ago on my Charger and my Special. I don't drive my Special often, so if I didn't have it on the Battery MINDer, it would be flat within a few days and I'd have to jump the car to go for a ride. Although they were courteous to tell me the car was flat by emailing me to say that they detected the device was no longer reachable. I wonder why... On my Charger, I was refused any discounts after the 30-day data-collection period due to many aggressive accelerations and decelerations. Sorry, I can't help it if PA drivers are horrible and cause me to hit the brakes frequently, and if normal NJ driving is considered "aggressive".

That said, it's just another point in favor of older cars. My Special is a good in-between in that it's easy to operate with the computer doing all the tuning adjustments and no need to perform the old tune-ups of the 60s, yet all steering, gear selection, and accelerator/decelerator input is still mechanically controlled by cables at both ends and no servos or drive-by-wire systems involved. The autostick is controlled by electronic sensors/buttons in the gearshift assembly, which isn't a big deal. If a wireless dongle for a Snap-On Verus is connected, the wielder of the Verus can control my lights, turn signals, wipers, horn, and possibly HVAC and radio (I still had a radio instead of a tablet). That's it. I don't think it has the programming to touch the airbags or seats.
