Jeep Cherokee Hackers Reveal More Security Vulnerabilities

They find new ways to hack a Cherokee even after the security patch

Last year, two experimenters wirelessly took control of a Jeep Cherokee in a set of tests. In that run, they were able to cut the Cherokee’s transmission while it was driving on a highway and disable the brakes at low speeds. Although Fiat Chrysler later issued software updates to correct certain vulnerabilities demonstrated in the hack, the Cherokee isn’t immune to future attacks. Now, the two men are back to prove just that, showing off new, even more dangerous hacks.

Instead of attacking the vehicle wirelessly, Charlie Miller and Chris Valasek plugged into the vehicle’s CAN network in the latest round of attacks, reports WIRED. They paralyzed the electronic control unit that sends good commands to a vehicle system by putting it in “bootrom” mode. This cleared the way for them to send malicious commands to a target component.

“You have one computer in the car telling it to do one thing and we’re telling it to do something else,” Miller said. “Essentially our solution is to knock the other computer offline.” In many cases, this resulted in a more powerful hack.

Thanks to the hacks, they were able to bring the vehicle to a stop in a matter of seconds—from any speed. In the previous hack, the hackers were only able to take control of steering while the vehicle was in reverse. This time, they were able to turn the wheel at any speed, or disable the steering and try to prevent drivers from being able to turn it. In separate attacks, the hackers were able to induce unintended acceleration.

Keep in mind this new batch of attacks required the hackers to sit inside the vehicle and hook up their laptops to the car’s onboard diagnostics port. And that’s one reason why Fiat Chrysler doesn’t seem too worried about it. “While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles,” FCA told WIRED in a statement. FCA also notes that the Cherokee had older software, although the hackers say that has no effect on the hack’s success, considering the hack didn’t deal with the infotainment system. Although they weren’t able to perform their latest attacks remotely, Miller and Valasek stress that future attackers will find new ways to wreak havoc on cars.

This isn’t the only cybersecurity issue we’ve seen recently. In June, a British security company managed to hack into an Outlander PHEV SUV through its Wi-Fi system. Nissan had to shut down its mobile app for the Leaf for a time after a researcher discovered a security flaw. Fiat Chrysler has even launched a reward program for hackers able to uncover vulnerabilities on its Uconnect software.