Researchers reported a remote control vulnerability in connected cars. The demo remote attack was said to be performed on a Jeep Cherokee onboard computer.
Charlie Miller and Chris Valasek from Wired.com were reported to have found the vulnerability in the entertainment system. Through the vulnerability they not only got access to non-critical settings, they also took control over the car.
First, the car driver could not control the air-conditioning system, radio and windscreen wipers. Then the car itself came under control of the researchers, rather than the owner.
Allegedly, the vulnerability was found in the Uconnect onboard system, which was operating with mobile network operator Sprint to communicate with the external world of Fiat Chrysler Automobiles (FCA). If the reports are correct, the attack proves that it is enough to know the external IP of a target, in order to rewrite the code in the car’s onboard computer and gain control of the vehicle.
Vulnerabilities could be found anywhere, where there is an operating system and installed applications. To protect a car, manufacturers should think of the security of cars in the same way that we would approach the security of corporate networks or computers.
At Kaspersky Lab, we believe that to avoid such incidents, manufacturers should build the smart architecture for cars with two basic principles in mind: isolation and controlled communications. Isolation means that two separate systems cannot influence one another (for example, the entertainment system shouldn’t influence the control system in the way that it did with the Jeep Cherokee). Controlled communications mean that cryptography and the authentication for transmitting and accepting information from/to the car should be fully implemented. According to the result of the experiment we witnessed yesterday, the authentication algorithms were weak/vulnerable, or the cryptography was not correctly implemented.
The patch for this issue was released last week. If you drive a FCA car, please contact your dealer and ask for all updates to be installed.
By Sergey Lozhkin, Senior Security Researcher at GReAT, Kaspersky Lab