Security experts detail Jeep hacking at Black Hat conference


With both Wi-Fi and cellular access vulnerabilities in the 2014 Jeep Cherokee's internal computer system, hacking the car and changing everything from its radio volume to speed could be done in a matter of seconds, speakers at this week's Black Hat conference in Las Vegas said.

"Please just stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said Chris Valasek, director of Vehicle Security Research at IOActive, who spent the last year working with Twitter security engineer Charlie Miller to develop code to hack the vehicle.

The annual conference at the Mandalay Bay Convention Center has nearly 200 speakers and 10,000 participants from more than 70 countries. The show concludes Thursday.

On Wednesday, for the first time in the expo's 18-year history, the show featured a car hacking tutorial, with Valasek and Miller demonstrating to more than 1,000 attendees how they shut down a Jeep's brakes in a viral video posted last month on Wired.com.

With internal computer systems becoming increasingly common in automobiles — offering wireless Internet access and other features like Bluetooth and satellite radio — vehicles are more susceptible than ever to hackers. Valasek and Miller said their goal with the experiment was to help car companies identify the problems and become more secure.

"Car companies say they're getting more secure and working harder," Valasek said. "But from some data points, they're not doing that good."

Within the Chrysler company alone, the duo discovered nearly two dozen vulnerable models from 2013 to 2015, including the Jeep Cherokee and other popular models like the Dodge Viper, Ram trucks and the Chrysler 300.

The fault for the digital security lapses goes beyond the car manufacturers, Miller explained, as multiple companies are involved in the assembly and development of internal systems. Without proper security encryption, the networks are left open to anyone who can access them.

"There's really not much you can do," Miller said. "You're really at the mercy of the car company."

In response to the viral video demonstration of the hacking last month, Chrysler recalled over 1.4 million vehicles on July 24, while cellular company Sprint closed port 6667, one of the gateways used by the hackers to access the Jeep.

Valasek and Miller said the recall and subsequent security measures by both Chrysler and Sprint were validation for their work. The two said they're looking into other projects to expose additional loopholes in vehicle security.

"It was better than we could have hoped for," Miller said. "Now certain cars are not vulnerable to that."

Contact Chris Kudialis at ckudialis@reviewjournal.com or 702-383-0283. Find him on Twitter: @kudialisrj.