
· Registered
Joined
·
10 Posts
Discussion Starter · #1 ·


Last week under the guise of “offering customers improved vehicle electronic security and communication system enhancements”, FCA quietly released a software patch for Uconnect.

This wasn't your run-of-the-mill software update, however. Professional hackers Charlie Miller and Chris Valasek alerted FCA to vulnerabilities they used to exploit their Uconnect system and worked with them to patch it.

Miller and Valasek were able to remotely take control of a bone stock 2014 Jeep Cherokee by exploiting the cellular data connection Wi-Fi hot spot equipped Uconnect (with the 8.4 inch screen) vehicles use. The duo was able to crank up the radio volume, speed up the wipers and most alarming, shut the engine off on the highway.

Later in a parking lot they took control of the Cherokee's steering, albeit only in reverse as well as killing the brakes, leaving Wired journalist Andy Greenberg helpless in a ditch.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose “how-to information” that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company said in a statement.

“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. The software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle.”

You can download the patch yourself from driveuconnect.com/software-update/ or you can contact your local dealer to schedule an appointment.

 

· Registered
Joined
·
471 Posts
I don't know how I feel about this whole thing. Relieved that there is now a patch to correct the issue, but surely this same type of issue will continue in the future. When I get my vehicle, will there be a way to minimize the function of the U-connect (not understanding the full scope of how it works) that can limit the chance of these types of issues? AND..... I don't care what kind of 'test' they thought they were doing & the journalist agreed to.... 70mph on a highway & limited visibility while his wiper fluid was on & where there are other drivers is NOT safe & others could have been easily injured with all the crazy drivers out there. That part was just stupid. They say they are concerned with saving lives & don't get me wrong - what they are doing will help, but don't think they are going about it in the best way. And why exploit in this manner & not just work with the auto companies in private to resolve these issues? Just curious....
 

· Registered
Joined
·
234 Posts
I don't know how I feel about this whole thing. Relieved that there is now a patch to correct the issue, but surely this same type of issue will continue in the future. When I get my vehicle, will there be a way to minimize the function of the U-connect (not understanding the full scope of how it works) that can limit the chance of these types of issues? AND..... I don't care what kind of 'test' they thought they were doing & the journalist agreed to.... 70mph on a highway & limited visibility while his wiper fluid was on & where there are other drivers is NOT safe & others could have been easily injured with all the crazy drivers out there. That part was just stupid. They say they are concerned with saving lives & don't get me wrong - what they are doing will help, but don't think they are going about it in the best way. And why exploit in this manner & not just work with the auto companies in private to resolve these issues? Just curious....
So long as you don't have a wi-fi hotspot capable renny you should be fine from the sounds of it...
 

· Registered
Joined
·
105 Posts
Just received a random marketing email from Jeep with the subject heading: "The technology-packed Jeep Renegade is engineered for adventure." The email touts the 6.5 UConnect and states that it is "Equipped to take you wherever, whenever."

All I could think about was... "yeah, even if you don't want to go there."
 

· Registered
Joined
·
81 Posts
And why exploit in this manner & not just work with the auto companies in private to resolve these issues? Just curious....
Maybe they would not listen and needed public embarrassment. It is just unforgivable for a company in today's hackers type world to not code and test and even add firewalls to prevent this type of thing, you have to ask, where else are they cutting corners?
 

· Registered
Joined
·
81 Posts
And why exploit in this manner & not just work with the auto companies in private to resolve these issues? Just curious....
Just saw this on PBS News, they did share the information with Jeep over several months, here is the interview (see the video):

Hacking researchers kill a car engine on the highway to send a message to automakers
http://www.pbs.org/newshour/bb/hacking-researchers-kill-car-engine-highway-send-message-automakers/

http://video.pbs.org/viralplayer/2365533235
 

· Registered
Joined
·
76 Posts
This is the world we live in, where hackers or trouble makers are doing new things. People forget how much we use various technology linked to our "personal info". In my line of work we have to do security updates every three months and even by the time we implant them to our customers it is outdated and are going back again. At least these guys work with FCA to help assist in future updates.
 

· Registered
Joined
·
499 Posts
Just an FYI, this latest exploit doesn't apply to our cars as the Renegade UConnect was already updated to address vulnerabilities along with the rest of the 2015 lineup.

That said, if you are willing to live without remote control features, pull the fuse for the cellular module and that will prevent anyone from connecting to your car over the Internet, including you. So no remote start, locating, locking, etc.
 

· Registered
Joined
·
3 Posts
Even easier. don't sign up for or pay for the monthly uconnect option. uconnect's monthly $25 bill is basically a cell phone bill. if you aren't signed up for the monthly uconnect fees then they can't hack your system as there is no connection.

no pulling of fuses needed. just don't pay them for the right to let others hack their way in. Hopefully car manufacturers will learn about separating networks. and how to separate out reporting data from actually modifying systems.
 

· Registered
Joined
·
499 Posts
Even easier. don't sign up for or pay for the monthly uconnect option. uconnect's monthly $25 bill is basically a cell phone bill. if you aren't signed up for the monthly uconnect fees then they can't hack your system as there is no connection.

no pulling of fuses needed. just don't pay them for the right to let others hack their way in. Hopefully car manufacturers will learn about separating networks. and how to separate out reporting data from actually modifying systems.
Car comes with an initial 12 months for free if I'm not mistaken.
 

· Registered
Joined
·
21 Posts
so they are accessing the can-bus through an internet connection? that means the radio has its own ip address, and you can remotely login through the internet to start the car when it's cold or whatever? i have the 5" radio, which certainly doesn't have this. isn't there some sort of credential like a password or something, or can i get into any car if i sniff the IP address?

i don't know, sounds like the upside to this could be a lot more than the downside if the manufacturers took a basic CS101 course, or at least opened their software so smart people could fix it. you could set up logs for mileage or to keep track of when you're shifting, you could set remote alerts to let you know you need gas, remote tracking of gps, you should be able to view the rear camera remotely (and any other camera). lots of cool stuff might be available.
 

· Registered
Joined
·
25 Posts
What they don't tell you is they took over a year with that jeep to develop the "hack." They were also running their own software on the radio from an sdk. They'd have to have physical access to the jeep in order to install their cracked software onto the radio. That also means they'd need the key. The Cherokee has four different radio versions, all with at least five different OS versions, so there's that they'd have to overcome, too. Then the hackers need to become familiar with machine language and CAN bus messages in order to know how to break out of the radio's "sandbox" and get meaningful data messages onto the vehicle's bus. This is a ton of work that almost nobody but a vehicle engineer would be able to pull off.

Bottom line is nobody is going to get hAx0R3d and die. Other than a clever PR stunt, there's no gain for the work involved.
 

· Registered
Joined
·
21 Posts
So renegadeTech, if i wanted to hack my own jeep so i could say display what gear i'm in or other OBD-II information on the radio screen, get an extra video in so i can play space invaders through a raspberry pi, display my phone gps on the screen, get an extra camera, or stuff like that, is there a way to do that?
 

· Registered
Joined
·
25 Posts
So renegadeTech, if i wanted to hack my own jeep so i could say display what gear i'm in or other OBD-II information on the radio screen, get an extra video in so i can play space invaders through a raspberry pi, display my phone gps on the screen, get an extra camera, or stuff like that, is there a way to do that?
There's not currently a way, but it's apparent a way was made by those two security guys. What is viable after the patch remains to be seen.
 

· Registered
Joined
·
15 Posts
as someone in the IT world and someone that deals a lot with healthcare cyber security...this should not surprise anyone at all, this stuff can be done to all of your devices that have some form of wireless signal. just keep in mind that many of these electronic features still keep you safer than not having them. in fact that same wireless signal and GPS is how you will find your car if someone ever tries to steal it or notify 911 if you are in an accident.
 