Hackers take over moving car remotely

Two hackers have, for the first time, remotely 'hacked' a moving car, taking control of its entertainment system, as well as its engine, steering and brakes.

(Reuters) Source: Reuters

A pair of cybersecurity researchers in the United States have remotely hacked a car, taking hold of the Jeep Cherokee's engine, steering and brakes.

It has raised concerns over the safety of vehicles that are increasingly connected to the internet.

The 2014 Jeep Cherokee was driving on the open road, while hackers 15 kilometres away in their lounge room took control.

Former National Security Agency hacker Charlie Miller, now at Twitter, and IOActive researcher Chris Valasek used a feature in the Fiat Chrysler telematics system Uconnect to break into a car being driven on the highway by a reporter for technology news site Wired.com.

In the controlled test, they turned on the Jeep Cherokee's radio and activated other inessential features before rewriting code embedded in the entertainment system hardware to issue commands through the internal network to steering, brakes and the engine.

"There are hundreds of thousands of cars that are vulnerable on the road right now," Miller said.

Fiat Chrysler said it had issued a fix for the most serious vulnerability involved. The software patch is available for free on the company's website and at dealerships.

"Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorised and unlawful access to vehicle systems," the company said. It didn't immediately answer other questions.

Miller and Valasek have been probing car safety for years and have been among those warning that remote hacking was inevitable. An academic team had previously said it hacked a moving vehicle from afar but did not say how or name the manufacturer, putting less pressure on the industry.

Chrysler Australia said its vehicles outside the US were not at risk.

"No vehicles in Australia nor any international market outside of the USA were affected by this issue... as it is an American-only system not present in Australian vehicles," Chrysler Australia said.

But some technology commentators say that's short-sighted.

"Car companies are always developing new systems, connected systems; computers are going to be part of our life whether it's in our car or any other type of appliances we are running. Whenever there is a computer, a connection, there is a risk there can be an intruder," Stephen Fenech, Editor of techguide.com.au, told SBS.

Members of the US Congress have also expressed concern. Senators Ed Markey and Richard Blumenthal, both Democrats, introduced a bill this week that would direct the NHTSA to develop standards for isolating critical software and detecting hacking as it occurs.

Miller and Valasek said they had been working with Fiat Chrysler since October, giving the company enough time to construct a patch to disable a feature that the men suspected had been turned on by accident. They plan to release a paper at the Def Con security conference next month that includes code for remote access, which will no longer work on cars that have been updated.

They said the harder problem for an attacker, moving from the entertainment system to the core onboard network, would take months for other top-tier hackers to emulate.

Many Jeeps could remain unpatched, leaving them open to attack. But the researchers said hackers would need to know the Internet Protocol address of a car in order to attack it specifically, and that address changes every time the car starts.

Otherwise, "You have to attack random cars," Valasek said. The men stressed that it would be easy to make modest adjustments to their code and attack other types of vehicles.

They said that manufacturers, who are racing to add new Internet-connected features, should work much harder on creating safe capability for automatic over-the-air software updates, segregation of onboard entertainment and engineering networks, and intrusion-detection software for stopping improper commands.

-With Reuters



By agencies

Source: SBS

