Car hackers Charlie Miller and Chris Valasek have once again set their sights on a Jeep Cherokee — and this time, they are taking full control of the brakes.
In this attack, the hackers need physical access to the car to tap into the Jeep’s systems through the CAN bus, giving attackers the opportunity to compromise the vehicle and either control or completely kill the vehicle’s braking system.
However, the team says that other, more remote methods could be used, such as a concealed device or remote attacks through a wireless link.
As noted by The Register, the local attack could be re-engineered remotely for targeted attacks, although it would take far more effort and tailing on the hacker’s part to achieve.
On Twitter, Miller said such attacks were “most definitely” possible.
In a proof of concept (PoC) video, the duo made themselves comfortable in the Jeep, and Miller connected his laptop to the CAN bus above the dashboard.
While CAN buses are legitimately used to feed and display detailed data such as fuel consumption and the state of an engine, the team were also able to use this connection to aggressively control the car.
As shown in the PoC video, Miller’s tampering resulted in the brakes being yanked out of the driver’s control, and the attack at 25 mph was almost enough to fully tip over the Jeep.
The duo hit the spotlight in 2015 after demonstrating an attack against a 2014 Jeep Cherokee. The researchers exploited a vulnerability in the Uconnect infotainment dashboard system and were able to remotely control the vehicle — including tampering with the brakes, switching the windshield wipers on and turning off the engine.
While this attack is potentially not as serious as the 2015 attack against Uconnect, as it must be performed with a physical connection to the Jeep and cannot be immediately launched remotely, the techniques used do highlight a burgeoning problem.
Automakers may have expertise in creating stylish, powerful cars, but when it comes to IT security, outside help is needed. When you’re offering consumers a product which, if compromised, could cause injury or even fatalities, security cannot be an afterthought.
A paper detailing the techniques used in the attack is due to be presented at Black Hat USA. Miller and Valasek have created an anti-intrusion system which detects their attacks, but they recommend that automakers start clamping down and tightening up security if they have any CAN buses installed.