A pair of hackers have demonstrated a zero-day exploit involving the infotainment system of a Jeep Cherokee. As Wired’s Andy Greenberg found out the hard way, the attack can be carried out remotely with devastating consequences.
Greenberg trekked to St. Louis for a live demonstration of the attack. Sitting behind the wheel of a Jeep Cherokee, he was instructed to take the vehicle onto the highway. The attackers didn’t tell him what they had planned – just that he shouldn’t panic, regardless of what happened.
It started out innocently enough. The hackers remotely turned on the air conditioning system. Then the radio, followed by the windshield wipers. Nothing too serious, right?
What came next was downright frightening: Greenberg said the transmission was rendered ineffective (likely put into neutral), causing the RPMs to climb as he mashed the accelerator. The vehicle slowed to a crawl before stopping just as Greenberg reached an uphill overpass with no shoulder to pull over onto.
Keep in mind that all of this was taking place on a busy highway.
That’s just a fraction of what’s possible, as the hack can also kill the engine, apply the brakes and even disable them completely. The latter attack, demonstrated in an empty parking lot, sent Greenberg’s Cherokee into a ditch.
The team behind the attack, security researchers Charlie Miller and Chris Valasek, said they plan to publish portions of the exploit on the web to coincide with their presentation at the Black Hat security conference next month in Las Vegas.
Update: Chrysler quietly issued a Technical Service Bulletin for a software update last week designed to “improve vehicle electronic security.” Owners of late-model Chrysler vehicles with the Uconnect entertainment system are encouraged to download and manually install the update ASAP.