
The security experts Charlie Miller and Chris Valasek used a vulnerability in the UConnect infotainment system to hijack the Jeep. The hackers gained access to the vehicle via the IP address of the infotainment system. Then they installed software they had developed themselves and were able to control some of the vehicle's functions from outside via the Internet. The takeover attempt was made together with the US technology magazine 'Wired'.
Steering and braking by remote control
The air conditioning, radio, transmission, windshield wipers and central locking could all be manipulated. In addition, Miller and Valasek were able to turn off the engine, turn off the brakes and take over the steering.
Miller and Valasek want to present parts of their software code at the hacker conference 'Black Hat' in August 2015. The results of their tests are also being shared with the automakers. There is evidence that the connection of the UConnect system to the general vehicle CAN bus, over which all information and control signals run, was the gateway for the hackers. All they had to do was obtain the IP address of the data module with which the system establishes Internet access via the mobile network.
Fiat-Chrysler has now responded and is offering a software update for a total of 1.4 million models that is supposed to close the security gap. The update can be downloaded directly from a UConnect service site in the US. Rumor has it that the update restricts the networking of the UConnect system via the CAN bus, so that hackers can only manipulate functions that are controlled directly via the UConnect system - for example radio reception or air conditioning. The software update is available for the models Viper, Ram pickups, Jeep Cherokee and Grand Cherokee, Dodge Durango, Chrysler 200 and 300 and Dodge Challenger. In general, the UConnect entertainment system is used throughout the group in Fiat-Chrysler vehicles.
German models allegedly not affected
As we were able to learn from corporate circles, the hack described does not affect any Fiat-Chrysler models that have been delivered in Germany to this day. The reason: the internet-enabled UConnect Live has not yet been offered here.
The case, however, highlights a certain carelessness with which manufacturers are promoting the internet connection of their cars. Miller and Valasek are no beginners in this field: as early as 2013 they demonstrated on a Toyota Prius and a Ford Escape how they could manipulate safety-critical functions, from the steering to the vehicle brakes. The difference: at that time, they still required physical access to the respective car in order to connect to the on-board electronics via the diagnostic system. With internet-enabled vehicles becoming increasingly widespread, this manual break-in no longer appears to be necessary; a laptop and the IP address of the GSM module installed in the car are sufficient. Then there is the requirement that from 2018 every newly registered car in the EU must have the eCall automatic emergency call system. That, as the name suggests, means an installed GSM module with mobile data access for every new car. Numerous models from various manufacturers are already on the road with this system. Another fact is not very reassuring: Miller and Valasek's car hacking project is funded by DARPA, an agency of the US Department of Defense.