Andy Greenberg was minding his own business, driving a Jeep Cherokee on the highway in St. Louis, when the SUV’s air vents suddenly started blasting cold air. Then the radio switched stations and began blaring hip hop at full volume. Spinning the radio control knobs did nothing. Soon, the windshield wipers turned on and wiper fluid obscured Greenberg’s view.
Then things started getting really interesting.
Let’s stop the story for a moment. Greenberg is a senior writer for Wired and he knew he was taking part in a demonstration by Charlie Miller and Chris Valasek. For years, the two researchers have been hacking cars’ onboard computers to show that modern autos are vulnerable to various cyber exploits.
You may remember that NPR’s Steve Henn reported on their experiments in 2013. Back then, Miller and Valasek demonstrated that they could jerk the wheel of a Prius or kill the brakes of a Ford Escape — using laptops wired to the cars’ computer systems.
This time, though, they didn’t have to be in the car — or anywhere near it — to wreak havoc on the controls. From miles away, the researchers were able to use a cellular connection to access the Jeep with Greenberg behind the wheel.
Now, back to Greenberg’s 70 mph drive from hell:
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun. …
“Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror.”
Greenberg didn’t end up in an ambulance. He was able to roll the Jeep down an exit ramp and regain full control after turning the ignition off and on.
Miller and Valasek had taken over the Jeep after detecting a vulnerability in Uconnect, the computer system Chrysler uses. Greenberg explains in his Wired report:
“Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.”
Chrysler has issued a notice on its website that a free patch for the vulnerability is available for download or through dealers. “The security and confidence of our customers is important,” the company says. “Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems.”
And on Tuesday, Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced legislation that would require the National Highway Traffic Safety Administration and the Federal Trade Commission to “establish federal standards to secure our cars and protect drivers’ privacy.” Their bill would also establish a rating system to let consumers know how well their cars protect drivers’ security and privacy.
Earlier this year, Markey issued a report warning of wireless vulnerabilities similar to those that Miller and Valasek demonstrated.