The brightest-eyed proponents of the Internet of Things often seem to envision a world where everything that can have an embedded computer and a network connection of some kind should have those things. Open the door of a modern car, for example, and you're likely to find a sophisticated computer system that's absorbed functions like navigation, entertainment, and climate control into one central interface.
Dig a little deeper, and you'll find that most every onboard system, like the accelerator, brakes, steering, and engine control, is linked to the others using a standard called the Controller Area Network, or CAN bus. If this sounds similar to the setup of Battlestar Galactica, it kind of is—and recent events on the automotive computing front have been almost as terrifying as the Cylon attack that sets BSG in motion. Wired broke a story earlier this week about a vulnerability in Chrysler's Uconnect onboard entertainment system that allowed a pair of security researchers to remotely take control of a Jeep Cherokee by way of its cellular data connection.
The entire article is well worth a read, but the short version is that many Uconnect-equipped vehicles across the nation could be accessed simply by connecting to Sprint's cellular network using a compatible smartphone's Wi-Fi hotspot. After picking a target, the researchers were able to remotely deploy an exploit that allowed them to pass commands over the car's CAN bus, using the Uconnect system as their base of operations.
Once the exploit was in place, the researchers were able to carry out mildly dangerous and distracting attacks like turning on the car's windshield washers, tampering with its climate control system, or blasting the radio. More terrifying is that the car's brakes, steering, or transmission could be interfered with or disabled in the same way—including, as Wired's writer found out, while the car was traveling down a busy freeway.
The consequences of this news have been swift and wide-ranging. Reuters reports that Fiat Chrysler Automotive, Jeep's parent company, has been ordered by the National Highway Traffic Safety Administration to recall 1.4 million vehicles so that a patch can be installed. Reuters also says two members of Congress have introduced a bill to impose stricter security standards for embedded software like Uconnect. For its part, Chrysler says it's implemented "network-level security measures" that prevent the kind of remote access that made the hack possible in the first place.
Chrysler owners can enter their VIN on the Uconnect site to check whether an update is available. Patching the car requires the update to be copied to a USB stick, which then must be plugged into the head unit. Chrysler warns that "updates can take up to 30-45 minutes and require that your vehicle be parked throughout the software update/installation process."
The story probably won't end here: Wired consulted UCSD computer science professor Stefan Savage for his take on the hackers' findings, and he believes that other modern vehicles could be just as vulnerable as Chrysler's. The importance of security seems likely to grow in magnitude as cars become ever more sophisticated and connected—and researchers continue to pick apart this new fusion of car and computer.