Hacked Jeep: Whom to Blame?
MADISON, Wis. — So, where, exactly, did hackers find a crack in the firewall of a 2014 Jeep Cherokee? How did they infiltrate it and who’s at fault for failing to foresee the breach?
The failure apparently occurred in not one, but multiple places in the connected car’s system architecture. Blame, according to multiple automotive industry analysts, could also extend to parties beyond Fiat Chrysler Automobiles (FCA). They include Sprint — a system integrator — with whom Chrysler contracted for secure vehicle network access via the telematics control unit, and Harman Kardon, who designed an in-vehicle infotainment system.
Since two hackers revealed a week ago their handiwork of wirelessly hacking into a 2014 Jeep Cherokee, first reported by Wired, the issue of cyber security in vehicles has come into sharp focus. Until this incident, the conventional wisdom among engineers was that it’s “not possible” to hack into a car without a physical access.
The revelation by the hacker team, Charlie Miller and Chris Valasek, set in motion a sweeping recall, on July 24th, of 1.4 million vehicles by Fiat Chrysler. U.S. Senators Ed Markey and Richard Blumenthal also introduced last week legislation to require U.S.-sold cars to meet certain standards of protection against digital attacks.
The hackers were reportedly able to control a 2014 Jeep Cherokee's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. Most important, they did all this mischief remotely and wirelessly.
Neither Miller nor Valasek is giving details of the attack. They’re planning a presentation at the upcoming Black Hat conference in Las Vegas next month.
However, Roger Lanctot, associate director, global automotive practice at Strategy Analytics, is the first analyst to publicly implicate Sprint. He wrote in his latest blog:
FCA’s Chrysler division is taking the fall for Sprint’s failure to properly secure its network and the Jeep in question – which was subjected to some comical and terrifying remote control in real-time on the highway thanks to an IP address vulnerability.
Contacted by EE Times, Lanctot said: “The reason we are in the predicament that we are in is because we are building in electronic control of acceleration and braking in support of self-parking and other ADAS-related technologies.”
Breakdown of security vulnerability
Asked to break down the security vulnerability of the hacked car,
Lanctot said: “Step one is control of braking, acceleration and steering
accessible on the vehicle CAN bus.
“Step two is remote wireless connectivity to the car via cellular.
“Step three is providing for remote access to the CAN bus via the telematics control unit interface. Clearly, the FCA systems were configured in such a way as to allow for CAN bus access via the telematics control unit.”
Lanctot added, “There is nothing wrong with that as long as you provide for appropriate security.”
Lanctot, however, pointed out, “It appears that the IP address was too easily identified” by the system used by Jeep Cherokee and “the telematics control unit lacked basic software upgrading capability.”
Lanctot isn’t alone in fingering the IP address issue. Egil Juliussen, director research & principal analyst at IHS Automotive Technology, also told us that the hackers appear to have found “a simple way to get the IP address of a car.” Juliussen explained that once the hackers located the car, they sent code to the infotainment system -- built by Harman Kardon –via the ill-gotten IP address.