Car hacking: manufacturers must improve security following Jeep hack

Car manufacturers should reconsider how quickly they bring new technology to market, according to the Institute of Electrical and Electronics Engineers

Car manufacturers need to step back and reconsider the digital security of their products following the most recent case of vehicle hacking in the US. 

That’s according to Professor Kevin Curran, a senior member of the Institute of Electrical and Electronics Engineers.

Speaking to Autocar, Professor Curran said car manufacturers appeared to be more concerned with beating the competition to market with new technology than with fully testing its security. "I have a feeling they are rushing out features, and every industry can be guilty of that," he said. "I’d say there’s a rush to market and security is almost an afterthought."

Citing a lack of regulation in the automotive arena over the introduction of connected technology, Professor Curran said car makers should be following the example of the airline industry, where there are far more stringent security checks. "On planes, we have to rely on the airline manufacturers knowing better and erring on the side of safety," he said. "Why can the same not be true of car manufacturers?

"I would urge manufacturers to think, and I would hope there would be a think tank or body which can oversee the security of these devices. We’ve never been in the position before where someone can cause so much destruction to a car from such a great distance."

Hackers take control of Jeep Cherokee

Professor Curran’s comments on digital security come just weeks after two hackers in the US were able to gain access to and control a Jeep Cherokee driving along a public road from 10 miles away.

The experiment, conducted for Wired magazine, showed how a car could be wirelessly hacked and controlled without the hacker being in close proximity. In the experiment, hackers Charlie Miller and Chris Valasek used what’s been described as a flaw in Fiat Chrysler Automobiles' UConnect infotainment system to hack the vehicle.

Once the duo had access, they were able to activate the car’s windscreen wipers, alter its climate control settings, play different music through the infotainment system and - most worryingly - deactivate the accelerator while the car was travelling at motorway speeds. At lower speeds, the pair could also apply the brakes - or deactivate them - and kill the engine completely.

Miller and Valasek were also able to monitor vulnerable vehicles from a laptop - showing the location and speed of vehicles connected to the UConnect system. The system is vulnerable as, like many others, it uses a mobile data network connection to access connected services. Miller and Valasek’s hack lets them infiltrate the car’s infotainment system and then issue commands which are spread to other areas of the vehicle via the CAN bus network.

Speaking to Wired, Valasek said: “From an attacker’s perspective, it’s a super-nice vulnerability.

“If consumers don’t realise this is an issue, they should, and they should start complaining to car makers. This might be the kind of software bug most likely to kill someone.”

Both hackers have been sharing their data with FCA for the past nine months, notifying the firm of potential flaws in its system. Late last month FCA issued an official recall for the 1.4 million vehicles that were vulnerable. A spokesman has confirmed to Autocar that the recall does not affect any cars in the UK.

The company said: “The hack published in Wired magazine was conducted through embedded cellular connectivity (Connected Vehicle), a feature that is not available in vehicles sold outside of the US, since international markets are currently not offering the same connectivity feature as the US-market vehicles. 

“Under no circumstances does FCA condone or believe it’s appropriate to disclose 'how to' information that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.”

Previous car hacking successes

This isn’t the first time Miller and Valasek have successfully hacked a vehicle. In 2013 they were able to take control of a Toyota Prius - although at the time the hack could only be achieved via a physical connection to the car. It’s taken another two years of research to conduct the hack wirelessly.

Miller and Valasek have previously published a paper in the US, identifying the systems and vehicles most susceptible to hacking. Of the many connected systems in modern cars, the duo said the keyless entry and tyre pressure monitoring systems (TPMS) now common to most vehicles would be significantly vulnerable to attack.

The survey also ranked 24 vehicles on the ease with which they could be hacked. Among the cars that were deemed ‘most hackable’ were the Jeep Cherokee and Infiniti Q50.

Although Miller and Valasek’s hack has become one of the most high-profile cases of car hacking, other cases have previously highlighted the vulnerability of connected systems. In 2014 a group of Chinese students were able to hack a Tesla Model S as part of a competition at the Syscan conference in Beijing.

A prize of $10,000 was on offer to anyone who could gain access to the Model S while it was locked, with the students managing to open the car’s doors and bonnet. While not officially endorsing the project, Tesla issued a statement saying: “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities.”

Swiss hacker Boris Danev has also been able to successfully hack vehicles by utilising a flaw in the keyless entry systems used by many premium manufacturers. His hack, which works by amplifying the signal sent by a car’s key fob so that the vehicle detects it, allowed him to gain entry to and drive off in multiple cars from different manufacturers.

Danev’s method is a more high-tech version of the hack used by criminals to reprogram car keys here in the UK - something that has already prompted concern from many car makers.

Danev has developed a silicon chip that ends this vulnerability and is in discussions to incorporate the technology in several manufacturers' key fobs, but it’s not expected to be on sale until at least 2018.

New legislation to rate cars for digital security

Authorities in the US are in the process of drafting an automotive security bill that could involve introducing a digital security rating system for cars. As part of research into the bill, US senators asked 20 car makers to outline their digital security procedures.

Out of the 16 that responded, just seven said they worked with independent companies to identify and fix flaws in their systems, and only two have monitoring systems that actively search for potential attacks.

In the UK, where a number of early-stage studies are under way to create autonomous vehicles, a new code of practice issued by the Department for Transport has set out the rules for bringing driverless cars to fruition in this country.

As part of the code of practice, a section on ‘cyber security’ states: “Manufacturers providing vehicles, and other organisations supplying parts for testing will need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.” 

In a statement, the Society of Motor Manufacturers and Traders (SMMT) said: "Vehicle manufacturers invest billions of pounds to keep vehicles as secure as possible, and work tirelessly to stay one step ahead of criminals. As a result, overall thefts in the UK have decreased by more than 75% over the past 10 years and continue to fall.

“The industry is working closely with the European Commission to ensure that motorists can experience the many benefits of connected technologies with minimal risk to vehicle security. The law must also provide severe penalties to deter criminals.”

Comments

eseaton 4 August 2015

Ok, who prefers electronic

Ok, who prefers electronic handbrakes to traditional ones? And if so why?
Adrian987 5 August 2015

Fine so far

eseaton wrote:

Ok, who prefers electronic handbrakes to traditional ones? And if so why?

Count me in as one who prefers. Cabin looks neater. Ease of use. I've had a year's worth of it on a Golf. It can be set to be fully automatic all the time, which is handy and that is how I use it. Works well as a complement to the DSG. Got used to it within first day or so, and it is now forgotten.

pjwind 4 August 2015

Newsflash - car makers more concerned with profit than security

It's not really a newsflash, is it? If we car buyers become concerned and a rating system is developed then the car manufacturers will do something about their security. Now that just about every car achieves a 5 star crash rating from NCAP maybe they could start looking at other issues like this one. Who would buy a car with a 1 star security rating?

So how about this for a doomsday scenario. The terrorists run out of kids willing to blow themselves up. So they work out how to hack cars with driverless technology. They then fill these cars or vans with explosives, punch the address they want to bomb into the sat nav and hey presto a suicide bomber without the suicide. Thank you car industry.

Maybe one day we will go back to cars where the main features are 3 pedals, a gearshift, a steering wheel and god forbid a handbrake that you actually need to use muscle to apply. You cannot hack those.

catnip 4 August 2015

I don't really understand

I don't really understand this stuff, but an 'expert' speaking on BBC radio said vehicles could be hacked through DAB systems too? Professor Curran is dead right that motor manufacturers seem only concerned with being the first to market: It's all about being fashionable and getting sales, not only it seems at the expense of security, but also in many cases taking precedence over driver ergonomics and ease of use.