HACK THE PLANET
The week of August 2, 2015
car-console

Your car might be susceptible to hacking

By Mike Wehner

As one Wired writer recently found out firsthand, not having complete control over a vehicle as it speeds down the highway can be downright terrifying.

With a pair of hackers remotely manipulating many of a car’s features, including the radio, windshield wipers, and even the ignition, a Jeep Cherokee driver turns into a hostage behind the wheel. It’s shocking and unsettling, but what might be even more worrisome is the fact that the Jeep in the test is just one of many different makes and models that have demonstrated some form of remote vulnerability in recent years.

Less than a year ago, Charlie Miller and Chris Valasek, the same hacker duo who recently demonstrated their handiwork on the aforementioned Jeep, published an extremely detailed paper on the various vulnerabilities of newer automobiles. They warned that with Internet connections, wireless remote entry, Bluetooth, and a patchwork of other technologies, there were windows open for exploitation.

As the preeminent authorities in car hacking, the pair also ranked the vehicles they researched on their overall hackability, based on the potential of each car’s subsystems to be breached and what controls would be given to a hacker if they achieved entry.

Here are the top five most hackable vehicles:

1) 2014 Jeep Cherokee

2014_jeep_cherokee_4dr-suv_limited_fq_oem_6_717Chrysler LLC

It probably shouldn’t come as a surprise that the vehicle the hacker team prefers to fiddle with is also the most vulnerable to outside attack. Virtually every system of the Cherokee has been shown to be controllable via remote exploit, including the brakes, transmission, and steering assist.

Software update process: Chrysler finally got around to rolling out a software update for the company’s Uconnect platform last week, which appears to have sealed the hole used by Miller and Valasek. Unfortunately, the software update isn’t automatic or mandatory, and requires the owner to download the new version to a USB drive and then upload it via the in-dash USB port, which means there will still be plenty of unsecured Jeeps cruising the road for years to come.

2) 2015 Cadillac Escalade

asdfasdfGeneral Motors Corporation

Though not quite as hackable as the 2014 Cherokee, the 2015 Escalade is still vulnerable through a variety of interfaces, including Bluetooth, cellular, Wi-Fi, and remote keyless entry. The vehicle features automatic collision preparation, automatic braking, and adaptive cruise control, which means that if the digital controls are remotely breached, a hacker could gain control of the car’s ability to stop itself, just as was demonstrated in the case of the 2014 Cherokee.

Software update process: A search revealed nothing in the way of any software security updates for the 2015 Escalade, and the manual is absolutely no help in this regard. Under the heading “Software Updates” in the vehicle’s documentation, there’s just a short blurb directing the owner to the front page of the Cadillac website. Good luck.

3) 2014 Infiniti Q50

asdfasNissan Motors Corporation

Infiniti’s proprietary radio and Infiniti Connection systems, alongside cellular and Bluetooth connections, make the Q50 a potential target for hackers. The vehicle also features a steer-by-wire system, which means the wheels aren’t directly controlled by the steering wheel, but instead by software that interprets and relays the movements of the steering wheel and then manipulates the vehicle’s wheels accordingly. This feature has not been demonstrated to be controllable remotely, but the possibility of its exploitation remains.

Software update process: Despite having all the wireless communication options in the world, Infiniti’s vehicle software cannot be updated remotely, or even by the owner whatsoever. Instead, Infiniti owners need to take their vehicles to an Infiniti dealership in order to have any crucial software updates applied.

4) 2010 & 2014 Toyota Prius

wrehtrwhtToyota Motor Sales, USA, Inc.

The gentle Prius has been around the block a few times, but its Bluetooth and radio are both potential points of entry for anyone trying to gain access to the vehicle’s braking and steering systems.

Software update process:  Toyota has already voluntarily recalled almost 2 million Prius vehicles, from 2010 to 2014, for a fault in the controller unit responsible for various motor and generator functions. This issue wasn’t related to any exploitation, remote or otherwise, but it demonstrated clearly that Toyota has no remote update procedure in place, so software updates without a dealership visit are likely out of the question.

5) 2014 Ford Fusion

6jeFord Motor Company

Bluetooth, Wi-Fi, cellular, proprietary radio, and Ford’s own SYNC systems combine to put the 2014 Fusion near the top of the target list for would-be hackers. Active park assist and lane-keeping assist features could give a hacker control over vehicle movements during an attack, which would be a nightmare for whoever is behind the wheel.

Software update process: Ford is one of the better companies when it comes to software updates and has a website dedicated to rolling out tweaks and easy-to-use guides on how to perform the updates. Should a widespread vulnerability occur, and if Ford rolls out the appropriate patch, all a 2014 Fusion owner would need is a USB drive and an Internet connection in order to block the threat.

 

A version of this story was originally published on the Daily Dot July 22, 2015.

The Conmunity/Flickr (CC BY 2.0) | Remix by Jason Reed