Imagine you're driving on the highway and your radio changes stations. You try to turn it off but nothing happens. Then, your wipers start flipping without you doing anything.
This was what Wired security and privacy reporter Andy Greenberg experienced as two hackers took control of the Jeep Cherokee he was driving 70 mph down a St. Louis highway.
Though these examples of what hackers can do if they get in through your vehicle's wireless system might seem pretty minor, it doesn't take much to imagine how people with ill intentions could put motorists at real risk.
Greenberg lets go of the wheel of the Jeep Cherokee as security researchers take control, demonstrating how they've been able to exploit a vulnerability in the car's Internet-connected entertainment system to hack other elements. (Image source: Wired video)
Greenberg wouldn't have to imagine how much worse it could get for long.
"Remember, Andy, no matter what happens, don’t panic," Charlie Miller, one of the hackers, told Greenberg, who wrote an extensive piece of his experience driving a car that was being overtaken remotely.
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
"This is what everyone who thinks about car security has worried about for years," Miller told Greenberg. "This is a reality.”
Watch Greenberg's video for Wired:
In addition to this scary trick, Greenberg reported that Miller, a security researcher for Twitter, and vehicle security researcher Chris Valasek could control his brakes, track the car's coordinates and speed, and more, all thanks to a vulnerability in the Uconnect system in Chrysler cars. For now, if it's any comfort, they only can control the vehicle's steering while it's in reverse, but Greenberg reported that they're working it.
Systems like OnStar have already demonstrated the remote ability to shut down cars. Miller and Valasek's experiment with Greenberg builds on their car hacking expertise from the last couple of years and shows how they could hijack the vehicle wirelessly. Greenberg noted that they plan to report their latest findings at the Black Hat security conference in August.
The two security researchers controlled Greenberg's car remotely. They hope their research helps spur the automotive industry to fix these flaws and take preventative measures to find them before they're exploited for nefarious purposes. (Image source: Wired video)
Last year, these same researchers also compiled a list of the most hackable cars. In addition to the Jeep Cherokee, Cadillac Escalade and Infiniti Q50 were named as the ones with systems that could be accessed and controlled with the most ease.
As more manufacturers are rolling out vehicles with Internet connectivity, the hacking scene for the automotive industry is getting more dangerous and experts say the fixes for identified vulnerabilities aren't necessarily quick.
"They’re getting worse faster than they’re getting better," Josh Corman with the security organization I Am the Cavalry told Greenberg. "If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it."
Greenberg noted that on Tuesday two legislators — Sen. Ed Markey and Sen. Richard Blumenthal — plan to introduce legislation to establish automotive security standards from a digital standpoint.
"Drivers shouldn’t have to choose between being connected and being protected," Markey wrote in a statement to Wired for a separate article. "Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers."
Read Greenberg's full report in Wired.