IoT In The News: Uconnect Hack

NewSky Security
Jul 23, 2015

In July, it was revealed that two researchers, Charlie Miller and Chris Valasek, were able to successfully connect to a vehicle’s computer remotely, over the Internet, and control the car’s mobility by disabling the brakes, or issuing a kill command to stop the engine. Scary. The vehicle was a Jeep Cherokee and it was outfitted with an onboard computer and control system known as Uconnect.

Uconnect allows the driver to control features of the vehicle using voice control, allowing a hands-free driving experience. According to the Uconnect online registration website, there are several makes that have Uconnect, including:

  • Chrysler
  • Dodge
  • Fiat
  • Jeep
  • Ram
  • SRT

The hack, described as an as-yet-unnamed 0-day exploit, could allow a remote attacker to control features of the vehicle including dashboard functions, the entertainment system, brakes, transmission, engine, and steering. Once connected to the vehicle remotely, the attacker could gain access to the CAN-bus, an interface to the vehicle’s onboard diagnostic system.

The two researchers plan to reveal a portion of their Uconnect hack to an audience at Black Hat, a security conference held in Vegas, in August.

The hack has prompted Fiat-Chrysler to issue a technical service bulletin (TSB) and a software update. According to the FCA press release:

Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.

Customers with questions may call Vehicle Care at 1-877-855-8400.

The link to check for an update is here: http://www.driveuconnect.com/software-update/. To verify update availability, select your make and model, then enter your VIN.

If you own one of the mentioned car models, and you have Uconnect, we urge you to update your vehicle’s software.

0xID Labs
