Lessons Learned from a Jeep’s Hacked Computer

Two security researchers recently proved that automobile manufacturers may need to beef-up security for vehicles with dashboard computers.

Charlie Miller and Chris Valasek were able to manipulate a Jeep’s dash computer and remotely disable its brakes, take control of its steering wheel and shut off the engine while journalist Andy Greenberg was driving it. The experiment prompted Fiat Chrysler to recall 1.4 million vehicles.

On its website, Fiat Chrysler America seemed to imply the hack was possible only because Miller and Valasek were experts who spent months trying to access the control systems. But there’s no way to predict the number of hackers worldwide with plenty of time to burn and a desire to create havoc.

Understanding Risk

Miller and Valasek exploited a security vulnerability in FCA vehicles’ use of Sprint, which provides wireless access for the company’s UConnect “infotainment” system. Since the security vulnerability was discovered, FCA has issued a patch users can install directly into dashboard computers, via a USB port. FCA cars aren’t currently able to receive automatic software updates via Internet connections.

So, how are manufacturers able to introduce computerized vehicles to the market without ensuring those systems are safe for consumers? One explanation is that automakers don’t fully understand the various methods hackers could use to gain access to dash computers. Another explanation is that the technology is moving faster than regulators’ ability to establish guidelines.

Development of Oversight

In February 2015, U.S. Sen. Edward J. Markey, D-Mass., issued a report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” Markey and his staff surveyed 16 major automotive manufacturers about the security of vehicle technology. Among some of the more troubling findings were:

• Only two manufacturers were able to describe credible, real-time reactions to remotely detect the hacking of a vehicle computer; most employed technologies that would detect hacking only through inspection at a service center or dealership.

• Data collected on drivers may include previous destinations, location during transit, speed of travel and last location parked, and a majority of automakers transmit that information to third-party data centers and don’t describe an effective method for protecting it.

Mackey’s report shows that a hacker might be able to collect detailed information about a driver’s daily driving habits and whereabouts, and automakers might be unable to detect such a breach.

On July 21, 2015, Mackey and Sen. Richard Blumenthal, D-Conn., introduced legislation that would task the Federal Trade Commission and National Highway Traffic Safety Administration with developing rules for automotive cybersecurity.

Staying Ahead

It’s a mistake to assume hackers have to be experts to infiltrate sensitive systems. Given enough time and determination, hackers may be able to find that tiny hole in an organization’s security – whether that’s in a business’s relationship with a third-party vendor, or through an employee’s use of weak passwords.

Lifeline Data Centers can help businesses stay one step ahead of hackers, thanks to our physical and virtual security controls. Schedule a tour today to see how our secure solutions could work for you.

Alex Carroll

Managing Member at Lifeline Data Centers

Alex, co-owner, is responsible for all real estate, construction and mission critical facilities: hardened buildings, power systems, cooling systems, fire suppression, and environmentals. Alex also manages relationships with the telecommunications providers and has an extensive background in IT infrastructure support, database administration and software design and development. Alex architected Lifeline’s proprietary GRCA system and is hands-on every day in the data center.