NPR logo The Ghost In The Car May Be A Hacker

Privacy & Security

The Ghost In The Car May Be A Hacker

Chris Valasek (left) and Charlie Miller talk about hacking into vehicle computer systems during the Black Hat USA 2014 hacker conference in Las Vegas last August. Steve Marcus/Reuters/Landov hide caption

toggle caption
Steve Marcus/Reuters/Landov

Chris Valasek (left) and Charlie Miller talk about hacking into vehicle computer systems during the Black Hat USA 2014 hacker conference in Las Vegas last August.

Steve Marcus/Reuters/Landov

Updated 1:39 p.m. ET July 24: NHTSA Investigating Chrysler Recall

Andy Greenberg was minding his own business, driving a Jeep Cherokee on the highway in St. Louis when the SUV's air vents suddenly started blasting cold air. Then the radio switched stations and began blaring hip-hop at full volume. Spinning the radio control knobs did nothing. Soon, the windshield wipers turned on and wiper fluid obscured Greenberg's view.

Then things started getting really interesting.

Let's stop the story for a moment. Greenberg is a senior writer for Wired and he knew he was taking part in a demonstration by Charlie Miller and Chris Valasek. For years, the two researchers have been hacking cars' onboard computers to show that modern autos are vulnerable to various cyber exploits.

You may remember that NPR's Steve Henn reported on their experiments in 2013. Back then, Miller and Valasek demonstrated that they could jerk the wheel of a Prius or kill the brakes of a Ford Escape — using laptops wired to the cars' computer systems.

This time, though, they didn't have to be in the car — or anywhere near it — to wreak havoc on the controls. From miles away, the researchers were able to use a cellular connection to access the Jeep with Greenberg behind the wheel.

Now, back to Greenberg's 70 mph drive from hell:

"As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That's when they cut the transmission.

"Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun... .

"Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror.

Greenberg didn't end up in an ambulance. He was able to roll the Jeep down an exit ramp and regain full control after turning the ignition off and on.

Miller and Valasek had taken over the Jeep after detecting a vulnerability in Uconnect, the computer system Chrysler uses. Greenberg explains in his Wired report:

"Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle's entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot."

Chrysler posted a notice on its website that a free patch for the vulnerability is available for download or through dealers. "The security and confidence of our customers is important," the company says. "Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems."

Updated 11:16 a.m. ET July 24: Chrysler Recalls 1.4 Million Vehicles

On Friday, Fiat Chrysler Automobiles issued a voluntary safety recall to update the software in about 1.4 million U.S. vehicles. "The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action," the company said.

The automaker said it has also applied "network-level security measures to prevent the type of remote manipulation demonstrated" in the Wired article. "These measures — which required no customer or dealer actions — block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015."

The company added that no defect has been found and that it's "conducting this campaign out of an abundance of caution."

Also on Friday, the National Highway Traffic Safety Administration opened an investigation to assess the "effectiveness of the remedy" proposed by the automaker.

On Tuesday, Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced legislation that would require the National Highway Traffic Safety Administration and the Federal Trade Commission to "establish federal standards to secure our cars and protect drivers' privacy." Their bill would also establish a rating system to let consumers know how well their cars protect drivers' security and privacy.

Earlier this year, Markey issued a report warning of wireless vulnerabilities similar to those that Miller and Valasek demonstrated.