Pegasus Research Consortium

General Category => General Discussion Area => Topic started by: space otter on July 23, 2015, 06:46:52 PM

Title: jeep hacked while driven.. what about your vehicle
Post by: space otter on July 23, 2015, 06:46:52 PM


Thor mentioned this in another thread here:

http://www.thelivingmoon.com/forum/index.php?topic=8509.msg116575#msg116575

and I heard it on the news so of course I wanted to know about my vehicle

here's what I have found so far




look at the date..

http://www.wired.com/2014/08/car-hacking-chart/
Author: Andy Greenberg (Security)
Date of Publication: 08.06.14
Time of Publication: 6:30 am

How Hackable Is Your Car? Consult This Handy Chart


...............................................

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Author: Andy Greenberg (Security)
Date of Publication: 07.21.15
Time of Publication: 6:00 am

Hackers Remotely Kill a Jeep on the Highway—With Me in It

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car's digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep's strange behavior wasn't entirely unexpected. I'd come to St. Louis to be Miller and Valasek's digital crash-test dummy, a willing subject on whom they could test the car-hacking research they'd been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker's nightmare: software that lets hackers send commands through the Jeep's entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it's being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller's laptop in his house 10 miles west. Instead, they merely assured me that they wouldn't do anything life-threatening. Then they told me to drive the Jeep onto the highway. "Remember, Andy," Miller had said through my iPhone's speaker just before I pulled onto the Interstate 64 on-ramp, "no matter what happens, don't panic."1

(http://www.wired.com/wp-content/uploads/2015/07/150701_car_hackers_12-582x388.jpg)
Charlie Miller (left) and Chris Valasek hacking into a Jeep Cherokee from Miller's basement as I drove the SUV on a highway ten miles away.  Whitney Curtis for WIRED

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That's when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

"You're doomed!" Valasek shouted, but I couldn't make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller's advice: I didn't panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.

Wireless Carjackers

This wasn't the first time Miller and Valasek had put me behind the wheel of a compromised car. In the summer of 2013, I drove a Ford Escape and a Toyota Prius around a South Bend, Indiana, parking lot while they sat in the backseat with their laptops, cackling as they disabled my brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel. "When you lose faith that a car will do what you tell it to do," Miller observed at the time, "it really changes your whole view of how the thing works." Back then, however, their hacks had a comforting limitation: The attacker's PC had been wired into the vehicles' onboard diagnostic port, a feature that normally gives repair technicians access to information about the car's electronically controlled systems.

A mere two years later, that carjacking has gone wireless. Miller and Valasek plan to publish a portion of their exploit on the Internet, timed to a talk they're giving at the Black Hat security conference in Las Vegas next month. It's the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek's work in 2013.

As an auto-hacking antidote, the bill couldn't be timelier. The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I-64; after narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.

Miller and Valasek's full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep's brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they're working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep's GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

(http://www.wired.com/wp-content/uploads/2015/07/IMG_0724-582x437.jpg)
Miller attempts to rescue the Jeep after its brakes were remotely disabled, sending it into a ditch.  Andy Greenberg/WIRED

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle's entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won't identify until their Black Hat talk, Uconnect's cellular connection also lets anyone who knows the car's IP address gain access from anywhere in the country. "From an attacker's perspective, it's a super nice vulnerability," Miller says.

From that entry point, Miller and Valasek's attack pivots to an adjacent chip in the car's head unit—the hardware for its entertainment system—silently rewriting the chip's firmware to plant their code. That rewritten firmware is capable of sending commands through the car's internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They've only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip's firmware; hackers following in their footsteps will have to reverse-engineer that element, a process that took Miller and Valasek months. But the code they publish will enable many of the dashboard hijinks they demonstrated on me as well as GPS tracking.

Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler's website that didn't offer any details or acknowledge Miller and Valasek's research. "[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions," reads a statement a Chrysler spokesperson sent to WIRED. "FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability."


Unfortunately, Chrysler's patch must be manually implemented via a USB stick or by a dealership mechanic. (Download the update here.) That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.

Chrysler stated in a response to questions from WIRED that it "appreciates" Miller and Valasek's work. But the company also seemed leery of their decision to publish part of their exploit. "Under no circumstances does FCA condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems," the company's statement reads. "We appreciate the contributions of cybersecurity advocates to augment the industry's understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety."

The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles' digital security. "If consumers don't realize this is an issue, they should, and they should start complaining to carmakers," Miller says. "This might be the kind of software bug most likely to kill someone."

In fact, Miller and Valasek aren't the first to hack a car over the Internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego showed that they could wirelessly disable the locks and brakes on a sedan. But those academics took a more discreet approach, keeping the identity of the hacked car secret and sharing the details of the exploit only with carmakers.

Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles' security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. Earlier this month, in fact, Range Rover issued a recall to fix a software security flaw that could be used to unlock vehicles' doors. "Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California," Savage says.

For the auto industry and its watchdogs, in other words, Miller and Valasek's release may be the last warning before they see a full-blown zero-day attack. "The regulators and the industry can no longer count on the idea that exploit code won't be in the wild," Savage says. "They've been thinking it wasn't an imminent danger you needed to deal with. That implicit assumption is now dead."

471,000 Hackable Automobiles
(http://www.wired.com/wp-content/uploads/2015/07/150701_car_hackers_17-582x388.jpg)
Miller and Valasek's exploit uses a burner phone's cellular connection to attack the Jeep's internet-connected entertainment system.  Whitney Curtis for WIRED

Sitting on a leather couch in Miller's living room as a summer storm thunders outside, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint's cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He's using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It's a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it's cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers' vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.

When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect's cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn't the limit. "When I saw we could do it anywhere, over the Internet, I freaked out," Valasek says. "I was frightened. It was like, holy frig, that's a vehicle on a highway in the middle of the country. Car hacking got real, right then."

That moment was the culmination of almost three years of work. In the fall of 2012, Miller, a security researcher for Twitter and a former NSA hacker, and Valasek, the director of vehicle security research at the consultancy IOActive, were inspired by the UCSD and University of Washington study to apply for a car-hacking research grant from Darpa. With the resulting $80,000, they bought a Toyota Prius and a Ford Escape. They spent the next year tearing the vehicles apart digitally and physically, mapping out their electronic control units, or ECUs—the computers that run practically every component of a modern car—and learning to speak the CAN network protocol that controls them.

When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were "robust and secure" against wireless attacks. "We didn't have the impact with the manufacturers that we wanted," Miller says. To get their attention, they'd need to find a way to hack a vehicle remotely.


Charlie Miller.  Whitney Curtis for WIRED

So the next year, they signed up for mechanic's accounts on the websites of every major automaker and downloaded dozens of vehicles' technical manuals and wiring diagrams. Using those specs, they rated 24 cars, SUVs, and trucks on three factors they thought might determine their vulnerability to hackers: How many and what types of radios connected the vehicle's systems to the Internet; whether the Internet-connected computers were properly isolated from critical driving systems, and whether those critical systems had "cyberphysical" components—whether digital commands could trigger physical actions like turning the wheel or activating brakes.

Based on that study, they rated Jeep Cherokee the most hackable model. Cadillac's Escalade and Infiniti's Q50 didn't fare much better; Miller and Valasek ranked them second- and third-most vulnerable. When WIRED told Infiniti that at least one of Miller and Valasek's warnings had been borne out, the company responded in a statement that its engineers "look forward to the findings of this [new] study" and will "continue to integrate security features into our vehicles to protect against cyberattacks." Cadillac emphasized in a written statement that the company has released a new Escalade since Miller and Valasek's last study, but that cybersecurity is "an emerging area in which we are devoting more resources and tools," including the recent hire of a chief product cybersecurity officer.

After Miller and Valasek decided to focus on the Jeep Cherokee in 2014, it took them another year of hunting for hackable bugs and reverse-engineering to prove their educated guess. It wasn't until June that Valasek issued a command from his laptop in Pittsburgh and turned on the windshield wipers of the Jeep in Miller's St. Louis driveway.

Since then, Miller has scanned Sprint's network multiple times for vulnerable vehicles and recorded their vehicle identification numbers. Plugging that data into an algorithm sometimes used for tagging and tracking wild animals to estimate their population size, he estimated that there are as many as 471,000 vehicles with vulnerable Uconnect systems on the road.

Pinpointing a vehicle belonging to a specific person isn't easy. Miller and Valasek's scans reveal random VINs, IP addresses, and GPS coordinates. Finding a particular victim's vehicle out of thousands is unlikely through the slow and random probing of one Sprint-enabled phone. But enough phones scanning together, Miller says, could allow an individual to be found and targeted. Worse, he suggests, a skilled hacker could take over a group of Uconnect head units and use them to perform more scans—as with any collection of hijacked computers—worming from one dashboard to the next over Sprint's network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

"For all the critics in 2013 who said our work didn't count because we were plugged into the dashboard," Valasek says, "well, now what?"


Chris Valasek.  Whitney Curtis for WIRED

Congress Takes on Car Hacking

Now the auto industry needs to do the unglamorous, ongoing work of actually protecting cars from hackers. And Washington may be about to force the issue.

Later today, senators Markey and Blumenthal intend to reveal new legislation designed to tighten cars' protections against hackers. The bill (which a Markey spokesperson insists wasn't timed to this story) will call on the National Highway Traffic Safety Administration and the Federal Trade Commission to set new security standards and create a privacy and security rating system for consumers. "Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car," Markey wrote in a statement to WIRED. "Drivers shouldn't have to choose between being connected and being protected...We need clear rules of the road that protect cars from hackers and American families from data trackers."

Markey has keenly followed Miller and Valasek's research for years. Citing their 2013 Darpa-funded research and hacking demo, he sent a letter to 20 automakers, asking them to answer a series of questions about their security practices. The answers, released in February, show what Markey describes as "a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle." Of the 16 automakers who responded, all confirmed that virtually every vehicle they sell has some sort of wireless connection, including Bluetooth, Wi-Fi, cellular service, and radios. (Markey didn't reveal the automakers' individual responses.) Only seven of the companies said they hired independent security firms to test their vehicles' digital security. Only two said their vehicles had monitoring systems that checked their CAN networks for malicious digital commands.

UCSD's Savage says the lesson of Miller and Valasek's research isn't that Jeeps or any other vehicle are particularly vulnerable, but that practically any modern vehicle could be vulnerable. "I don't think there are qualitative differences in security between vehicles today," he says. "The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone's still getting their hands around."

Miller (left) and Valasek demonstrated the rest of their attacks on the Jeep while I drove it around an empty parking lot.  Whitney Curtis for WIRED

Aside from wireless hacks used by thieves to open car doors, only one malicious car-hacking attack has been documented: In 2010 a disgruntled employee in Austin, Texas, used a remote shutdown system meant for enforcing timely car payments to brick more than 100 vehicles. But the opportunities for real-world car hacking have only grown, as automakers add wireless connections to vehicles' internal networks. Uconnect is just one of a dozen telematics systems, including GM Onstar, Lexus Enform, Toyota Safety Connect, Hyundai Bluelink, and Infiniti Connection.

In fact, automakers are thinking about their digital security more than ever before, says Josh Corman, the cofounder of I Am the Cavalry, a security industry organization devoted to protecting future Internet-of-things targets like automobiles and medical devices. Thanks to Markey's letter, and another set of questions sent to automakers by the House Energy and Commerce Committee in May, Corman says, Detroit has known for months that car security regulations are coming.

But Corman cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.) The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. "They're getting worse faster than they're getting better," he says. "If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it."

Corman's group has been visiting auto industry events to push five recommendations: safer design to reduce attack points, third-party testing, internal monitoring systems, segmented architecture to limit the damage from any successful penetration, and the same Internet-enabled security software updates that PCs now receive. The last of those in particular is already catching on; Ford announced a switch to over-the-air updates in March, and BMW used wireless updates to patch a hackable security flaw in door locks in January.

Corman says carmakers need to befriend hackers who expose flaws, rather than fear or antagonize them—just as companies like Microsoft have evolved from threatening hackers with lawsuits to inviting them to security conferences and paying them "bug bounties" for disclosing security vulnerabilities. For tech companies, Corman says, "that enlightenment took 15 to 20 years." The auto industry can't afford to take that long. "Given that my car can hurt me and my family," he says, "I want to see that enlightenment happen in three to five years, especially since the consequences for failure are flesh and blood."

As I drove the Jeep back toward Miller's house from downtown St. Louis, however, the notion of car hacking hardly seemed like a threat that will wait three to five years to emerge. In fact, it seemed more like a matter of seconds; I felt the vehicle's vulnerability, the nagging possibility that Miller and Valasek could cut the puppet's strings again at any time.

The hackers holding the scissors agree. "We shut down your engine—a big rig was honking up on you because of something we did on our couch," Miller says, as if I needed the reminder. "This is what everyone who thinks about car security has worried about for years. This is a reality."

1Correction 10:45 7/21/2015: An earlier version of the story stated that the hacking demonstration took place on Interstate 40, when in fact it was Route 40, which coincides in St. Louis with Interstate 64.
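
The article above says the 471,000 figure came from repeated scans, recorded VINs and a tag-and-recapture method borrowed from wildlife counts. The sketch below is an added example, not part of the quoted article and not Miller and Valasek's code; the article does not name the estimator, so the Chapman and Schnabel formulas, the function names and the synthetic identifiers are assumptions used to show why a few partial samples are enough to size an exposed fleet.

```python
"""Mark-recapture estimate of a device population from repeated samples.

Added illustration with constructed data; all identifiers are synthetic.
"""
import random


def chapman_estimate(first_scan, second_scan):
    """Two-sample estimate (Chapman's bias-corrected Lincoln-Petersen).

    first_scan  -- identifiers "tagged" by the first sample
    second_scan -- identifiers seen in the second sample
    """
    marked = len(set(first_scan))
    caught = len(set(second_scan))
    recaptured = len(set(first_scan) & set(second_scan))
    # The +1 terms keep the estimate finite when nothing is recaptured.
    return (marked + 1) * (caught + 1) / (recaptured + 1) - 1


def schnabel_estimate(scans):
    """Multi-sample Schnabel estimate: sum(C_t * M_t) / (sum(R_t) + 1).

    C_t = size of sample t, M_t = identifiers already seen before t,
    R_t = identifiers in sample t that were already seen.
    """
    seen = set()
    weighted = 0
    recaptures = 0
    for scan in scans:
        scan = set(scan)
        weighted += len(scan) * len(seen)
        recaptures += len(scan & seen)
        seen |= scan
    return weighted / (recaptures + 1)


def simulate_scans(population_size, scans, sample_size, seed):
    """Constructed data: each scan sees a random subset of a fixed fleet."""
    rng = random.Random(seed)
    fleet = [f"SYNTH{n:07d}" for n in range(population_size)]
    return [set(rng.sample(fleet, sample_size)) for _ in range(scans)]


def run_demo(population_size=50_000, scans=5, sample_size=5_000, seed=2015):
    """Compare the naive distinct count with both estimators."""
    samples = simulate_scans(population_size, scans, sample_size, seed)
    return {
        "true_size": population_size,
        # Counting distinct identifiers only gives a lower bound.
        "distinct_seen": len(set().union(*samples)),
        "chapman": chapman_estimate(samples[0], samples[1]),
        "schnabel": schnabel_estimate(samples),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>14}: {value:,.0f}")
```

Both estimators assume a closed population and equal chance of being sampled; vehicles that are parked or offline during every scan break that assumption and bias the estimate.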
Title: Re: jeep hacked while driven.. what about your vehicle
Post by: ArMaP on July 23, 2015, 09:16:45 PM
My boots aren't hackable. :)
Title: Re: jeep hacked while driven.. what about your vehicle
Post by: LSWONE on July 23, 2015, 10:13:28 PM
Crazy that an iPhone 6 is used as a burner phone. I would think they'd be using a cheap $29 Android phone.

My Wife's van has the Uconnect system in it. I tinkered with it a few years ago because I wanted to save movies to the local HDD. It uses QNX for an OS.

I ended up purchasing a mygig LockPick to remove dealer restrictions like disabling the front screen from playing video while driving. The new Lockpick adds internal Wifi to the car. This will just be more problems since WiFi can be hacked easily.

The Jeep that was hacked had the wireless TV feature enabled. This will send video content and other services over the enabled cellular connection. If this is not paid for, the connection is dead. If you have the WiFi LockPick, it would always be on and vulnerable to attack. This lockpick is connected to the CAN Bus so imagine the possibilities.

LSWONE.
Title: Re: jeep hacked while driven.. what about your vehicle
Post by: space otter on July 25, 2015, 02:33:14 PM


and the other side of the conversation is



http://www.msn.com/en-us/autos/connectedcar/why-you-still-shouldnt-panic-about-car-hacking/ar-AAdr9JJ
Road & Track
Robert Sorokanich   20 hrs ago


Why You Still Shouldn't Panic About Car Hacking

This week, Wired published a fantastic and unsettling report on the current state of automotive hacking. Senior Writer Andy Greenberg put himself at the mercy of two digital security researchers as they wirelessly took over control of the Jeep Cherokee he was driving, messing with the car's climate control, stereo, windshield wipers, and eventually stalling the engine. Greenberg was left helpless, coasting nearly to a stop in the right lane of a busy highway as traffic scrambled to avoid him.

The Wired report is the most credible evidence yet that our increasingly tech-laden vehicles are ripe for hacking, with scanty security measures and an astounding lack of automaker foresight providing avenues for hackers to gain control of a car's functions from anywhere in the world. Whereas previous car hacking stories contained some pretty big caveats—like the fact that evildoers would need to disassemble a car's dashboard and physically plug in a laptop to take over the vehicle's controls—the Jeep that Greenberg was driving was unmodified from how it left the factory. And the researchers who took over its controls were 10 miles away.

That, frankly, is terrifying. Greenberg's article in Wired is nuanced and even-handed, and he carefully and purposefully avoids fearful exaggeration, but the evidence he so thoroughly presents is deeply troubling. It set off a frenzy in the automotive press, and rightly so.

But you probably don't need to panic. And here's why.

The Methodology Is Sound


Greenberg's terrifying hacker roller coaster ride was carried out by Charlie Miller and Chris Valasek, a duo that's been doggedly poking at holes in modern cars' computer systems for years. Miller and Valasek are the team behind most of the "car hacking" news stories of the past few years. In 2013, they took Greenberg (then writing for Forbes) for a thrill ride in a Toyota Prius and a Ford Escape, both wired with laptops in the back seat to take over the driver's controls. Last year, Miller, a security researcher at Twitter, and Valasek, a director at digital security firm IOActive, published a white paper naming what they thought were the most hackable new cars on the U.S. market. Not surprisingly, their number-one hackable car, the 2014 Jeep Cherokee, is the car of choice in this experiment.

Miller and Valasek's latest and most frightening exploit is completely wireless. Thanks to a vulnerability in Fiat Chrysler's Uconnect dashboard infotainment system, which offers in-car WiFi through Sprint's cellular network, a smartphone connected to Miller's laptop lets him look around the cellular network for Uconnect-equipped vehicles. Using software he and Valasek designed, Miller can see a vulnerable car's vehicle identification number, make, model, and IP address, along with its GPS location, in real-time. Once they've found a target vehicle, Miller and Valasek can worm their way into the entertainment system's firmware, implanting malicious code they designed that can transmit commands to any system connected to the car's network of computers—including the devices that control the car's steering, brakes, and engine and transmission.

Miller and Valasek say that Uconnect systems installed from late 2013 through early 2015 are vulnerable, and while they've only tried their remote-takeover techniques on their own Jeep Cherokee, they estimate that nearly 500,000 vehicles carry the compromised system. FCA issued a statement in response detailing which models of Chrysler, Dodge, Jeep and Ram vehicles are affected.

But while the Wired video that goes alongside Greenberg's Wired piece makes the hacking process look astoundingly simple—just two dudes on a couch, tapping away at their laptops, wreaking havoc on a Jeep on a highway 10 miles away—it was a long and arduous road that led up to that scene. And that's good news for drivers of potentially-vulnerable Uconnect-equipped vehicles.

The Good Guys


Miller and Valasek's methodology is a marathon, not a sprint. After first finding the one small vulnerability point that allows them to tap into a Uconnect-equipped car's electronics, it took the duo months of arduous coding to develop the code that lets them rewrite the firmware and take over the car's driving controls. And every step of the way, Miller and Valasek have gone about this the ethical way.

The slightly unsettling aspect of all this is that Miller and Valasek plan to publish their findings online, in conjunction with a talk they're giving at the Black Hat digital security conference next month. In fact, that's the best tool to protect us from the dystopian horror of a future of hackable cars.

Greenberg points out that Miller and Valasek have been sharing their findings with Chrysler for nearly nine months, allowing the automaker to devise a software update that closes the loophole that allowed the hackers entry in the first place. FCA notified affected owners on July 16th, though they did not acknowledge the hacking duo that discovered it. You can see FCA's list of affected vehicles, and download the patch to update your Uconnect-equipped car, right here. By the time the digital security community learns the details of Miller and Valasek's exploit, the fix to prevent it will be widely available, thanks to the hackers' cooperation with FCA.

Secondly, the car-hacking duo is only revealing a small portion of their findings. They won't publish the code that gives them access to the car's engine and braking controls; neither will they identify the (now-patched) vulnerability that let them in.

In other words, armed with Miller and Valasek's published findings, a malicious hacker would still need to figure out how to hack into a Uconnect-equipped vehicle, and reverse-engineer the code that allows control of the vehicle, two tasks that took months for these expert-level security hackers. Additionally, Miller and Valasek's method requires them to know the IP address of the car they're trying to hack; as Jason Torchinsky at Jalopnik points out, that drops the likelihood of a hacker targeting one specific vehicle down to near-zero.

Why publish anything, though? Greenberg explains:


The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles' digital security. "If consumers don't realize this is an issue, they should, and they should start complaining to carmakers," Miller says. "This might be the kind of software bug most likely to kill someone."

Help Is On the Way


Simply by virtue of making their findings public, Miller and Valasek helped kick off a fix that will eliminate the vulnerability that made their hack possible. FCA says it has rectified the loophole that allowed the hack in its 2015 models, and released a software update to close the vulnerability in 2013 and 2014 vehicles. When Miller and Valasek publish and discuss their findings at Black Hat, they'll be giving out an incomplete recipe that hinges on a software flaw that has since been patched. And the work of hackers like Miller, Valasek, and others is finally bringing the right kind of attention to the subject: On the same day that Greenberg published his Wired article, Senators Ed Markey and Richard Blumenthal introduced new legislation creating the first-ever automotive cybersecurity standards, which would require greater security measures to prevent malicious code from jumping from infotainment systems to vehicle controls, and establish real-time monitoring to "immediately detect, report, and stop" hacking attempts.

And as more and more cars get the capability to receive over-the-air software updates, manufacturers will be able to more quickly and efficiently patch vulnerabilities like the one that let Miller and Valasek hack into their Cherokee. That day is coming—Ford and Tesla already have systems capable of automatic over-the-air software updates, and more will soon follow.

So, should you be scared? That's up to you. Is there a hacker out there who knows your Chrysler vehicle's IP address, possesses masters-level computing skills, and has months to devote to reverse-engineering a way to take over your car? If you're not some kind of international spy, the answer is probably "no."
Title: Re: jeep hacked while driven.. what about your vehicle
Post by: thorfourwinds on July 26, 2015, 03:35:52 AM
Quote: So, should you be scared? That's up to you. Is there a hacker out there who knows your Chrysler vehicle's IP address, possesses masters-level computing skills, and has months to devote to reverse-engineering a way to take over your car? If you're not some kind of international spy, the answer is probably "no."

What a bunch of unmitigated horse pucker. Airplanes have been proven to be vulnerable to this technology, and what 'they' are admitting to in the preceding article is years behind what's being used on the populace today.

Here is but one example.


Quote: The crash ended with a hellish explosion and fire. The officer, watching the video with us, was as stunned as we were. He said, "I have never seen a car explode like that."

http://www.youtube.com/watch?v=qQrHnP9lXIU

Michael Hastings Car Hacked and Remotely Driven into ... - YouTube (https://www.youtube.com/watch?v=qQrHnP9lXIU)

Published on Jun 22, 2013
Modern cars can be hacked into and their brakes, accelerator, and other functions remotely controlled. Many believe this is what killed journalist Michael Hastings, who was going into hiding after writing about the NSA spying on Americans.



http://www.youtube.com/watch?v=ksX-jyze7sE

The FBI Murdered Journalist Michael Hastings Before He Reavealed New Government Info - YouTube (https://www.youtube.com/watch?v=ksX-jyze7sE)

ThinkOutsideTheTV
Published on Jul 17, 2013
This needs to be seen by everyone

(http://www.thelivingmoon.com/gallery/albums/userpics/10005/Michael_Hastings_email.png)

Read the full report here: http://www.globalresearch.ca/death-of-a-presidency/3523


Michael Hastings Car Hacked And Remotely Driven Into A Tree To Murder Him? [Video] (http://www.disclose.tv/action/viewvideo/143169/Michael_Hastings_Car_Hacked_and_Remotely_Driven_into_a_Tree_to_Murder_Him/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Disclosetv+(Disclose.tv+-+New+Videos))


http://www.youtube.com/watch?v=w3Qje1ZCvkA

Evidence Indicates Micheal Hastings Was Assassinated by CIA (https://www.youtube.com/watch?v=w3Qje1ZCvkA)



http://www.youtube.com/watch?v=zm5E10EhSp0

Sgt. Biggs On Military Life and Why Michael Hastings was Murdered (https://www.youtube.com/watch?v=zm5E10EhSp0)



http://www.youtube.com/watch?v=SnqvMgyhgYI

Why Andrew Breitbart, Michael Hastings and Tom Clancy were Murdered (https://www.youtube.com/watch?v=SnqvMgyhgYI)

(http://www.thelivingmoon.com/43ancients/04images/Bluebird/lg50aa500a.gif)

With great respect,
tfw
Peace Love Light
Liberty & Equality or Revolution

Hec'el oinipikte  (that we shall live)
Title: Re: jeep hacked while driven.. what about your vehicle
Post by: space otter on July 26, 2015, 04:43:49 AM
http://www.huffingtonpost.com/entry/fiat-chrysler-recalls-14-million-cars-following-jeep-hacking-incident_55b2668fe4b0074ba5a45855?utm_hp_ref=technology

Associated Press
By Tom Krisher
Posted: 07/24/2015


Fiat Chrysler Recalls 1.4 Million Cars Following Jeep Hacking Incident


DETROIT (AP) — Fiat Chrysler has decided to recall about 1.4 million cars and trucks in the U.S. just days after two hackers detailed how they were able to take control of a Jeep Cherokee SUV over the Internet.

The company will update software to insulate the vehicles from being remotely controlled, and it implied that the hackers committed a crime, saying in a statement Friday that unauthorized remote manipulation of a vehicle is a criminal act.

The recall affects vehicles with 8.4-inch touchscreens including 2013 to 2015 Ram pickups and chassis cabs and Dodge Viper sports cars. Also covered are 2014 and 2015 Dodge Durango and Jeep Grand Cherokee and Cherokee SUVs, as well as the 2015 Chrysler 200 and 300, and the Dodge Charger and Challenger.

All the vehicles have a certain type of radio, indicating that the company may have found and patched another area that's vulnerable to hackers. The recall covers about 1 million more vehicles than the company had originally believed were affected.

Fiat Chrysler says it also has taken security measures on its own vehicle network to prevent hacking. Those measures require no customer action and became effective on Thursday.

The company said it knows of no incidents involving hacking of its vehicles except for the one unveiled this week. Initially the company didn't issue a recall, but said it would contact all affected customers.

The fix is a response to a recent article in Wired magazine about two well-known hackers, Charlie Miller and Chris Valasek, who remotely took control of a Jeep Cherokee through its UConnect entertainment system. They were able to change the vehicle's speed and control the brakes, radio, windshield wipers, transmission and other features.

The Jeep incident was the latest warning to the auto industry, which is rapidly adding Internet-connected features like WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks. Earlier this year, BMW had to offer a software patch after hackers remotely unlocked the doors of its cars.

Miller has said he and Valasek first told FCA about their research in October and have been in touch with the company several times since then.

Owners of the recalled vehicles will get a USB drive that they can use to update the software. Fiat Chrysler says it provides added security features beyond what's been done on the company's vehicle network.

Customers can go to http://www.driveuconnect.com/software-update/ and punch in their vehicle identification number to find out if they're included in the recall.

The company, known as FCA US LLC, also said it has set up a team focused on best practices for software development and integration into vehicles.



Title: Re: jeep hacked while driven.. what about your vehicle
Post by: space otter on July 27, 2015, 09:46:04 PM
figures he's local..bwhahahahahahaha

He grew up in Ford City, just down the road where his parents still live, and he graduated from the University of Pittsburgh with a computer science degree in 2005.
"They said I could move anywhere in the world, and I came back here," Valasek, 33, told the Tribune-Review Wednesday. "I love it. I travel the world for my job, and I'm always glad to come home."




Valasek acknowledged that it has taken years of research for him and Miller to reach this point, and executing the hack still requires detailed knowledge of not only computers, but also how the vehicle software works.



http://triblive.com/business/headlines/8787301-74/valasek-chrysler-cherokee#axzz3h7tefeD1

Shadyside man part of team that remotely controlled moving Jeep Cherokee; Chrysler issues fix

By Andrew Conte    
Wednesday, July 22, 2015, 11:18 p.m.




Chris Valasek celebrated his new-found fame as part of a two-man team that successfully hacked into a high-end Jeep Cherokee by downing a Primanti's sandwich and a 22-ounce Iron City Light.

The Shadyside resident, who works as a vehicle safety researcher, collaborated with security engineer Charlie Miller of St. Louis on a project to find whether they could take control of the vehicle by wirelessly accessing its computer system. They proved the concept by altering a Cherokee driven by a reporter for Wired magazine in an article that appeared Monday.

It was only natural, Valasek said, to honor the success in a hometown way. He grew up in Ford City, where his parents still live, and he graduated from the University of Pittsburgh with a computer science degree in 2005. He worked at a job in Atlanta for a few years before his employer allowed him to start working from home.

"They said I could move anywhere in the world, and I came back here," Valasek, 33, told the Tribune-Review Wednesday. "I love it. I travel the world for my job, and I'm always glad to come home."

Valasek said the hack could affect as many as 420,000 Chrysler vehicles that feature the proprietary wireless entertainment and navigation system that connects to the Internet, called Uconnect.

In response to the published findings, Fiat Chrysler Automobiles on Wednesday released a free software update for vehicles with its UConnect systems: 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, and some models of the 2015 Chrysler 200.

Although the company did not directly acknowledge the hacking, it said in a statement that "vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems."

Valasek said he and Miller have been working with Chrysler officials since October on a patch for the software flaw. The researchers plan to publish a 90-page white paper on their findings after the annual Black Hat hackers conference in Las Vegas next month. They have shared the report with Chrysler.

For the Wired article, Valasek and Miller took the journalist through a bit of a freak-out moment by first controlling the radio, wipers and washer fluid on the Cherokee as he was driving on a St. Louis highway. Then the hackers shifted the SUV into neutral so it coasted and the engine revved without engaging.

And they did all of that remotely, with a laptop computer and a $20 throwaway, or "burner," cellphone.

The reporter was never in danger and neither was anyone else, Valasek said.

"I'd be more worried about someone texting (while driving) than what we did," he said.

(Pittsburgh baseball fans might be more disturbed that Valasek appeared in the Wired article next to Miller, who was wearing a St. Louis Cardinals T-shirt. Valasek wore a Pitt T-shirt.)

By merely typing the right series of computer commands, the researchers said they could hack into these vehicles, almost anywhere they might be driving. At low speeds, they even could control the car's steering.

No one should be overly concerned, Valasek said. His parents drive a Cherokee, although it does not have the same software system. Valasek drives a 2006 Porsche 911.

Government and industry officials are racing to add protections before techniques demonstrated by Miller, Valasek and other researchers join the standard tool kits of cybercriminals.

In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next, hindering hackers.

"They haven't been able to weaponize it. They haven't been able to package it yet so that it's easily exploitable," said John Ellis, a former global technologist for Ford. "You can do it on a one-car basis. You can't yet do it on a 100,000-car basis."

Valasek acknowledged that it has taken years of research for him and Miller to reach this point, and executing the hack still requires detailed knowledge of not only computers, but also how the vehicle software works.

"If you're concerned about someone assassinating you, then, yes, you should be concerned," Valasek said. "Otherwise, it's not to the point where it's opportunistic."



Andrew Conte is a member of the Trib Total Media investigations team. He can be reached at 412-320-7835 or andrewconte@tribweb.com. The Washington Post and The Dallas Morning News contributed to this report.
