Hackers Remotely Attack a Jeep on the Highway

Some questions for the researchers, or anyone else who thinks this was okay:<p>1) Were public roadways and speeds of 70mph absolutely necessary to demo this?<p>2) What was the plan if the trucker approaching at 70mph hadn&#x27;t seen the Jeep stalled early and had to swerve or panic stop, possibly crashing and injuring themselves or others?<p>3) Anyone notify the Missouri State Highway Patrol about this? They may be contacting the researchers with questions about this demo if they weren&#x27;t consulted in advance.<p>4) What&#x27;s the plan if they trigger a bug in the car software of the people they had tested this with earlier? The article mentions them tracking people remotely as they attempt to learn more about the exploit.<p>I could go on but why bother? In case any of you think this was cool or even remotely (no pun intended) ethical, I&#x27;d like to know if you have a problem with letting these two test this on a loved one&#x27;s car. How about they remotely poke around your husband or wife&#x27;s car and explore, as long as they promise not to intentionally trigger anything?<p>If I ever learned this had been tested on a vehicle I was in, I&#x27;d make sure this cost the researchers dearly.<p>EDIT: I&#x27;ve just phoned &#x27;Troop C&#x27; of the Highway Patrol at their main number, +1-636-300-2800 and they seemed pretty keen to follow up. The fact that the vehicle was disabled where there was no shoulder, was impeding traffic, and the demo not cleared with them in advance has them concerned. I&#x27;m all for testing exploits and security research, but this isn&#x27;t the right way to do it. And to film it and post it to a high traffic site is nuts.

To recap the facts:<p>- Man drives car on public highway @ speeds of up to 70mph<p>- Hackers turn on windshield wipers and fluid to blur view<p>- Hackers Blare music and obscure any comms link to driver<p>- Hackers disable vehicle on Highway at location with no shoulder<p>And there are people who are not only ok with type of experiment but think there should be more of it.<p>I understand that these exploits need to get attention... but I really can&#x27;t stop thinking about my wife and kids being behind this guy while he shows how dangerous this can be.<p>I applaud the person who notified the police.

So, it&#x27;s becoming abundantly clear that vehicle companies (autos, jets...) have approximately zero knowledge how to hire software engineers. Presumably they&#x27;re somewhat more successful hiring mechanical engineers because that&#x27;s always been their &quot;thing&quot;.<p>It&#x27;s all well and good for us to chuckle at the terrifying software&#x2F;systems decisions being made by these teams, but how do we address the root of the problem? It&#x27;s very clear that entire meta-categories of horrific errors are being made at a very fundamental level. Is this a problem of outsourcing? Of confusing &quot;coders&quot; with engineers?<p>And how do we solve it? Shame the software team such that they can never get hired in a serious role again anywhere? Professionalize the job into a strictly licensed regime like other branches of engineering?<p>Whenever I read these types of articles, my main thought has always been, &quot;so who, the <i>hell</i>, wrote the code?&quot; It&#x27;d be interesting to know their story.

All the researchers and the journalist had to do was to talk to the Highway Patrol and say, &quot;We&#x27;d like to test this on a highway; what do we need to do to make that happen?&quot;<p>That&#x27;s it. Maybe the State Patrol would say, &quot;Sorry, there&#x27;s nothing you can do to test this here legally&quot;, or maybe they would have said, &quot;Pay for overtime for 10 troopers and you can do it.&quot;<p>The point is, we don&#x27;t know. We can speculate, but we don&#x27;t know.<p>The &#x27;researchers&#x27; and journalist elected instead to conduct this experiment on a state highway, in &quot;real world&quot; conditions, without any safety mechanisms in place. Not only is this unethical and dangerous, it is (and should be) illegal.<p>No one should stop these experiments from taking place; and the CFAA should be amended to allow security researchers to research issues; but the problem I have is the inherent danger in this experiment.<p>What would we be saying if the journalist had been killed, or a mother and her two kids because of this? Do you think public sentiment would support security researchers if this had turned out differently?<p>If anyone had gotten hurt, you&#x27;d be looking at legislation that strengthens penalties for security researchers; not at legislation that takes security research more seriously.<p>This was an extremely childish move that had the propensity to hurt our industry more than help it. It is incumbent upon us take safety seriously in conducting these experiments.<p>We can&#x27;t count on level heads from outside the tech industry if we aren&#x27;t willing to show that we care about people&#x27;s lives and their safety when we&#x27;re conducting these experiments.

<i>All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone.</i><p>I think this is the biggest problem. Stop making &quot;smart&quot; cars with all these unnecessary features. Even if you can&#x27;t resist adding entertainment or navigation, don&#x27;t ever physically connect those systems to the critical systems like engine and transmission computers except through a one-way (to display information) link, like it&#x27;s done on airplanes.<p>I&#x27;m happy to have a much older vehicle with none of these &quot;enhancements&quot;. It has a physical throttle, hydraulic brakes, and steering linkage for which remote hijacking is physically impossible. I can add navigation and entertainment with a smartphone mounted on the dash. It may not be as fuel-efficient or safe(?) as the cars today, but maybe the tradeoff is worth it. That also suggests there could be a market for new &quot;dumb&quot; cars which have all the modern improvements to engines and safety, but none of these &quot;smart&quot; exploitable features.<p>(I&#x27;m not so paranoid as to get a mechanical EMP-proof diesel though...)

DARPA researchers demonstrated this stuff on a &quot;60 Minutes&quot; segment a few months ago [1]. The main difference is that they were in a large empty parking lot so as to not unethically put non-participants in danger.<p>That work and earlier work (including that shown in the 2014 Black Hat presentation by the researchers in the present article) drew interest of the Senate [2]. Senator Markey&#x27;s office produced a detailed report, and has called for the NHTSA and the FTC to develop standards to deal with these issues (and also the numerous privacy issues modern cars raise) [3].<p>[1] <a href="http:&#x2F;&#x2F;www.cbsnews.com&#x2F;news&#x2F;car-hacked-on-60-minutes&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.cbsnews.com&#x2F;news&#x2F;car-hacked-on-60-minutes&#x2F;</a><p>[2] <a href="http:&#x2F;&#x2F;www.cbsnews.com&#x2F;news&#x2F;sen-ed-markey-on-safety-privacy-concerns-for-cars-vulnerable-to-remote-hacking&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.cbsnews.com&#x2F;news&#x2F;sen-ed-markey-on-safety-privacy-...</a><p>[3] <a href="http:&#x2F;&#x2F;www.markey.senate.gov&#x2F;imo&#x2F;media&#x2F;doc&#x2F;2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf" rel="nofollow">http:&#x2F;&#x2F;www.markey.senate.gov&#x2F;imo&#x2F;media&#x2F;doc&#x2F;2015-02-06_Markey...</a>

Lot of comments here are accusing the &quot;hackers&quot; of negligence, but do not forget the writer, camera crew, and editors of WIRED were fully in control of the demonstration. This happened in the context of journalism, not security research. Blame WIRED if you think they screwed up, not the folks behind the computer.<p>It was up to WIRED to ensure the safety of the demonstration, and evidently they failed given this passage,<p><i>After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp</i><p>Seems to me they should have at the very least had a chase car trailing the demo car with a sign, flashing lights, or flags to alert nearby drivers.

This discussion is going insane.<p>I see lots of people arguing about the safety of how these guys conducted the hack. Okay, sure, there is probably an issue there of some degree.<p>But it&#x27;s a very small issue compared to the fact that hundreds of thousands of vehicles are arbitrarily hackable <i>right now</i>, with more rolling off the assembly line all the time, and people are driving these around <i>right now</i>.<p>Why is most of the discussion here about the minor issue? Why is everyone so eager to derail discussion from the major issue? I thought HN was trying to be a reasonable place.

Should hackers actually kill somebody, I struggle to find a reason why the relevant automotive engineers and their managers shouldn&#x27;t be charged and convicted of negligent homicide, or worse. After all, somebody had to make the decision to connect a radio receiver to the CAN bus. Others are aware of the wireless and choose not to remove it.<p>To be a professional is to have a duty to refuse to do stupid stuff like this, even if it&#x27;s legal and even if your job depends on it. But is it legal? Why would we need any new laws for this? Connecting a wireless receiver to the same network that controls a car&#x27;s brakes and steering seems to me like reckless endangerment. No need to wait for innocent people to die.<p>If history has shown us anything, it&#x27;s that we cannot rely on software to separate two systems sharing a network. Only physics can do that. If we must have wireless for entertainment, then the entertainment and vehicle control networks must be air-gapped.<p>This seems blindingly obvious to me. What am I missing?

&quot;...whether the Internet-connected computers were properly isolated from critical driving systems, and whether those critical systems had “cyberphysical” components—whether digital commands could trigger physical actions like turning the wheel or activating brakes.&quot;<p>Shouldn&#x27;t this be the most basic design consideration for any company building autos? The liability from litigation should bankrupt any company that doesn&#x27;t prioritize this.

Given that cars get recalled all the time for &quot;this one part is kind of flimsy and might break 3% of the time&quot;, I am not sure why &quot;some guy in China can drive your car off a cliff&quot; is not grounds for an immediate and full recall.<p>If you talk to auto manufacturers in a way that they understand, they will understand.

&quot;Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks.&quot;<p>That&#x27;s what they said about unintended acceleration. It turned out they were lying. <a href="http:&#x2F;&#x2F;www.edn.com&#x2F;design&#x2F;automotive&#x2F;4423428&#x2F;Toyota-s-killer-firmware--Bad-design-and-its-consequences" rel="nofollow">http:&#x2F;&#x2F;www.edn.com&#x2F;design&#x2F;automotive&#x2F;4423428&#x2F;Toyota-s-killer...</a>

Previous research on this topic from 2010:<p><a href="http:&#x2F;&#x2F;www.autosec.org&#x2F;pubs&#x2F;cars-oakland2010.pdf6" rel="nofollow">http:&#x2F;&#x2F;www.autosec.org&#x2F;pubs&#x2F;cars-oakland2010.pdf6</a><p>Experimental Security Analysis of a Modern Automobile<p>&quot;Even at speeds of up to 40 MPH on the runway, the attack packets had their intended effect, whether it was honking the horn, killing the engine, preventing the car from restarting, or blasting the heat. ... In particular, we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes. Even though we expected this effect, reversed it quickly, and had a safety mechanism in place, it was still a frightening experience for our driver.&quot;

Please take a moment to write the NHTSA about this hack and ask them to issue a recall for the affected vehicles.<p><a href="http:&#x2F;&#x2F;www.nhtsa.gov&#x2F;Contact" rel="nofollow">http:&#x2F;&#x2F;www.nhtsa.gov&#x2F;Contact</a>

I revisited this thread and thought: How would I go about running these tests and creating awareness for this issue?<p>A dynamometer would cover the vast majority of what they wanted to show. There was no need to create the danger they created with this vehicle. They really didn&#x27;t know how the driver would react, &quot;don&#x27;t freak out&quot; guarantees nothing. A professional driver (like a stunt driver) would have been far more appropriate.<p>The business about disabling the breaks should have been done a pile of hay bundles or something like that in front of the car.<p>For exposure they could have contacted any number of TV stations or networks who would have jumped on this immediately.<p>In all, the choices they made were reckless, stupid, dangerous and potentially criminal. I don&#x27;t doubt their tech credentials at all. They are tech-smart people, no question about that. However, they have proven, beyond a reasonable doubt, that they are poster children for that stereotype of socially clueless engineers and&#x2F;or the other stereotype of scientists&#x2F;engineers who are so into what they are doing that they are completely blind to the idea that they could seriously harm people through their careless actions or inaction.

Wow. Just because you are savvy enough to do the research does not make you a researcher. These two really need to rethink the way they are &quot;testing&quot; this and perhaps educate themselves on ethics in research.<p>Their judgement collectively was worse than a pack of 5th graders with high grade fireworks.

This is very serious, because it can be used on a large scale and has terrorism potential. This could be used to kill people or disrupt an entire city. Where&#x27;s Homeland Security on this? This is their job.<p>Meanwhile, <i></i>do not buy a Chrysler product with the &quot;connectivity group&quot;<i></i>. It&#x27;s an option that costs about $500-$600.

So if I&#x27;m understanding this correctly, the initial vulnerability is remote-exploitable and relies on a firmware patch. Why wouldn&#x27;t the manufacturer use the same exploit to patch all affected vehicles rather than calling them in for service?

I&#x27;m baffled (reporting ethics aside).<p>One would think that car industry would be the one which has learnt about road safety the hard way. That experience should have manifested into extreme caution when adopting and implementing anything new, open and complex.<p>Sadly it is starting to look that everything they learn, they do by trial and error. Not by doing those things we take for granted from engineering and IT perspective.

Every single highway crash involving a loss of control is now potentially a high-end assassination, including those that have taken place in the last few years.<p>How many people do you think will be murdered this way before investigators and the justice system catch up?

When I studied real time systems, it was clear that critical systems (in this case the brakes, accelerator, wheel) needed to be in a physically separate network from non-critical ones (music, air conditioning). I guess it must be cheaper to build all in a single network, but it sounds irresponsible.<p>Also, this test should not have been done in a public road. That was irresponsible.

&gt; <i>The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch</i><p>I was in that situation. No brakes, high rocks on one side, 100 meters cliff on other side, 20km of downhill in front off me. I guess I will not be buying Jeep anytime soon.

Does Wired really wonder why so many of their readers have ad blocking software? [1] I can&#x27;t even read the article on their website because every ad I see is covering up some sort of text of the article. None of the ads have a close, hide, or dismiss button either so I can&#x27;t just go and hide them.<p>[1]: <a href="http:&#x2F;&#x2F;i.imgur.com&#x2F;IZymUKm.png" rel="nofollow">http:&#x2F;&#x2F;i.imgur.com&#x2F;IZymUKm.png</a> [2]: <a href="http:&#x2F;&#x2F;i.imgur.com&#x2F;C7LiA60.png" rel="nofollow">http:&#x2F;&#x2F;i.imgur.com&#x2F;C7LiA60.png</a>

This is scary. Malice or incompetence I think it&#x27;s unacceptable for systems handling the breaks and other crucial functions of the car to be anywhere close to interacting with internet connection. I am going to stick to old style cars for a while. This is really scary.

I&#x27;m not going to comment on the question of whether or not the highway patrol should have been called or not - just say I understand where poster tombrossman was coming from.<p>However, I fully agree this was a ridiculous stunt. They could have gotten the same results by demonstrating (on the highway, if they insisted) the air conditioner going full blast, the radio, and the picture of the hackers on the screen. Anything else (cutting transmission, obscuring visibility) should have been saved for a safer environment. The point still would have been made.<p>And it&#x27;s got nothing to do with the vehicle and driver itself (though I wonder how the hackers knew the exact driving situation - was it plastered with cameras?) - what if two unrelated vehicles got in an accident for some reason and the test driver had to get out of the way, but couldn&#x27;t?<p>And to make it worse, the cranked radio made it hard for the tester to communicate with the hackers. Very dangerous stunt.<p>Also, and I know it was unrelated to this particular hack, but if the UConnect recognizes voice commands (I assume so), and sends it back for processing, then might it not also be able to bug (eavesdrop) on the car&#x27;s interior?<p>Many disturbing revelations came out of this, and I applaud them for making it known, but I criticize them harshly for the cavalier way they endangered public safety.

I feel like, public safety aside, people should be mad at these researchers because they give credibility to every ignorant politician, prosecutor, or journalist out there who says that all hackers threaten the public good. How are you supposed to draw a line between blackhat and ethical hackers when the &quot;ethical&quot; ones endanger public safety all the same?

Well luckily my Chrysler despite only being a year old does not have this connectivity. It does have Uconnect which I despise, I keep contacting Chrysler to demand that they offer the ability to use Apple Carplay or the Google equivalent. To be fair there has yet to be a vehicle that has a nice easy to use controls for radio or media.

As big of dicks as these researchers are, I just have to say, to anyone out there working on software to run cars, airplanes, robots, other mobile vehicles ... some day, within the next 5 or 25 years, it&#x27;s pretty likely some nut job is going to use an exploit take control of one or more of these vehicles and crash them&#x2F;use them as remote-controlled &#x2F; swarm weapons, possibly killing lots of people.<p>If you&#x27;re writing that software, make sure you do a really, really good job on security. Because no one wants to be the guy &#x27;git blame&#x27; shows wrote the exploitable feature that led to ??? deaths.<p>The industry really should have stringent standards that prevent ridiculous breaches like this, I would say as well as simulators (or physical demo vehicles) available online&#x2F;open source that people can pen-test against and win prize money. And maybe write all the code in Rust?

I don&#x27;t get it. Everyone seems to be either upset at the researchers for their test or defending them. Why is no one upset at car companies putting tech in our cars that allows for remote shutdown of said car. Is this what we bailed them out for?

Hopefully people selling armored cars and armored trucks have good pen testers on their teams. Run flat tires and armor-plated doors don&#x27;t help much if an attacker can shut down the engine and open the doors remotely.

I own a 2015 Jeep Cherokee and have poked around with Uconnect and the API services it exposes. Theres a whole new world of exploitation (and eventually modding) that is coming.

Hah, I found it really funny as I scrolled down there&#x27;s a big ad for a Fiat in the article: <a href="http:&#x2F;&#x2F;i.imgur.com&#x2F;rSyYPO4.png" rel="nofollow">http:&#x2F;&#x2F;i.imgur.com&#x2F;rSyYPO4.png</a> Fiat owns Chrysler who owns Jeep... maybe not the best marketing idea to advertise your cars in an article about exploiting them with potentially catastrophic results.

Good luck trying to hack my 1971 Volskwagen.

<i>The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review.</i><p>Huh? If they have a video of their turning a care off remotely, do they really need peer review of the details?

Research can be done to drive a point without making that into a drama. you can demonstrate the science without the hollywood so to speak. I think what was done here could have been demonstrated without the risk that was taken. I think the risk that was taken was poor judgement.

I think a basic idea should be: panic stops disconnect all wireless access.<p>Which will probably result in lots of calls from people after they avoid hitting a dog. But still.

I&#x27;m willing to bet FCA wil recall all of these &quot;UConnect&quot; enabled vehicles within a month to patch this. This will blow up fast.

Anything connected on the internet is hackable. We&#x27;ve seen this time after time, so I&#x27;m not surprised.

That was a lot of uninformative text to plow though...<p>Apparently someone has found a remote exploit that affects some model of Jeep. It requires an attacker to find the IP address of the Jeep. Which implies that a Jeep has an IP address. The communication between the Jeep and the world is something called Uconnect.

There&#x27;s a patch available for this already: <a href="http:&#x2F;&#x2F;www.wired.com&#x2F;2015&#x2F;07&#x2F;patch-chrysler-vehicle-now-wireless-hacking-technique&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.wired.com&#x2F;2015&#x2F;07&#x2F;patch-chrysler-vehicle-now-wire...</a>

It&#x27;s weird that they said the demonstration wouldn&#x27;t be life threatening when it actually was.

Good research by the hackers, stupid execution.<p>Calling the police was indeed the right thing to do.<p>Maybe next time, the hackers can test on the vehicles driven by the car executives, while they are driving, have their family in the car with them, etc.<p>Can&#x27;t wait to see that comment thread...

I recall that last time they used a piece of hardware to connect to the CAN bus via cellular. Are they now able to control the CAN bus via the infotainment system? Does it have it&#x27;s own cellular transmitter?

Ok, so if the Dodge Dart and the Alfa Romeo Giulietta are built on the same platform , do they share the same vulnerability in the computer systems?<p>or is it more about the Uconnect than anything else ?

meh. cars stall all the time. if they hadn&#x27;t gone for the freakout factor with the reporter, there wouldn&#x27;t be high profile press, embarrassed automotive executives and politicians scrambling to get a handle on the issue.<p>the real issue is that the automakers are producing fundamentally dangerous vehicles and the federal government is allowing it. these vehicles could be exploited maliciously to cause serious physical harm or death.<p>this is actually a problem. not some onetime stall of a jeep on the highway.

Did anyone bother to read the full article? If so, you would find out that it was a [somewhat] controlled experiment.<p>&gt; To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west.<p>&gt; Instead, they merely assured me that they wouldn’t do anything life-threatening.<p>&gt; Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”

Surprising the comments critical of how the test was performed publicly equate exploitation with guns:<p>&gt; How about they remotely poke around your husband or wife&#x27;s car and explore, as long as they promise not to intentionally trigger anything?<p>&gt; Calling the cops on a loud neighbor might not be acceptable, but calling the cops on a neighbor firing a gun in the general direction of your house certainly would be.<p>&gt; Anyone could shoot up a public place... should amateur researches be showing up in malls with firearms to test preparedness?<p>The lack of sound judgement _and_ arguments is astounding.

Last wired on this was kinda bullshit - they let the researchers install a system on the CAN bus. Was this a legit wireless takeover?

&gt;&gt; The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems.<p>Is this even really considered an issue?

So, a HN commentator apparently called the cops on these guys after reading the Wired article.<p>Several commentators more or less agree, arguing that performing these tests on the I-40 was criminally negligent.<p>Stop right there. Grow some balls. These guys are elite, their demo was badass, and I&#x27;ve done stupider things on I-40 <i>for no reason</i>.<p>And wtf you called the cops? <i>head in hand</i>