On the same day lawmakers introduced legislation intended to secure connected cars from hacking and protect drivers' privacy, Wired published a report on how hackers were able to take advantage of an existing car's in-car technology system that relies on Sprint's (NYSE: S) cellular network.
In fact, the two hackers who worked with a Wired reporter to demonstrate their prowess are credited with sparking Sen. Ed Markey's (D-Mass.) interest in setting new digital security standards for cars. Markey, along with Sen. Richard Blumenthal (D-Conn.), introduced the legislation on Tuesday.
Hackers Charlie Miller and Chris Valasek showed how they were able to almost completely control a Jeep Cherokee by taking advantage of a vulnerability in Chrysler/Fiat's Uconnect infotainment and in-car technology system, Wired reports. The Uconnect Access platform uses the Sprint Connected Vehicle Platform architecture.
Miller and Valasek plan to publish a portion of their exploit on the Internet, timed to coincide with a talk they're giving at the Black Hat security conference in August, which Wired also wrote about back in April. Black Hat 2015 runs Aug. 1-6 in Las Vegas.
Wired reporter Andy Greenberg, who has worked with the hackers on previous demonstrations, described a harrowing experience in which the hackers cut his Jeep Cherokee's transmission while he was driving on Interstate 64. He was immobilized as a semi-trailer approached from behind and "narrowly" averted death. He managed to roll the Jeep down an exit ramp and lived to tell about it. Critics pointed out the dangers of the stunt.
In his article, Greenberg points out that Chrysler uses Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs and trucks. It controls the vehicle's entertainment and navigation, enables phone calls and offers a Wi-Fi hot spot. "Thanks to one vulnerable element, which Miller and Valasek won't identify until their Black Hat talk, Uconnect's cellular connection also lets anyone who knows the car's IP address gain access from anywhere in the country," he wrote, quoting Miller as saying it's a "super nice vulnerability" from an attacker's perspective.
Fiat Chrysler said Wednesday that "after becoming aware of the vulnerabilities in some 2013 and 2014 vehicles equipped with the 8.4-inch touchscreen systems, FCA and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles," Bloomberg reported.
The hackers' work presumably would trigger the broader auto industry to double down on security, but lawmakers are not waiting for them to act. Markey and Blumenthal's proposal would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers' privacy. The Security and Privacy in Your Car (SPY Car) Act also establishes a rating system--or "cyber dashboard"--that informs consumers about how well the vehicle protects drivers' security and privacy beyond those minimum standards.
Last year, Markey released the report Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which detailed major gaps in how auto companies are securing connected features in cars against hackers. According to the report, only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time.
"Drivers shouldn't have to choose between being connected and being protected," Markey said in a release. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century."