A Jeep Cherokee hack causes a massive recall by Fiat Chrysler in America
Risk Level: Safety Critical
In July of 2015 two professional white-hat hackers, Charlie Miller and Chris Valasek, announced that they had successfully remotely hacked a 2014 Jeep Cherokee. In order to prove their assertions, Miller and Valasek teamed up with Andy Greenberg, a journalist with technology magazine “Wired”, to produce a video in which they demonstrate the effects and possibilities of their hack. In the video Miller and Valasek remotely hack a 2014 Jeep Cherokee, which Greenberg is driving. They proceed to take control of various vehicle controls including the air conditioning, the centre console and the wipers. Most worrying was their ability to switch the engine off while the vehicle is moving and their ability to disable the braking system.
- Uconnect: an infotainment system which allows users to integrate their smartphone with the vehicle’s hands-free communication capabilities. It also offers users a number of purpose-built communication and entertainment applications, as well as providing Wi-Fi connectivity through an in-built cellular connection.
- CAN bus: the Controller Area Network (CAN bus) is a central networking system used in the automotive sector that allows communication between various individual systems or modules within a vehicle.
The Uconnect system employs an always-on Internet connection that allows it to reply to information requests and also accept certain commands that are sent to it. Once Miller and Valasek had identified the IP address of a vehicle, they were able to exploit a weakness in the security of this connection. After they had exploited this vulnerability they introduced their own code into the system, which in turn allowed them to communicate with the CAN bus. Using the CAN bus and CAN bus commands, they were effectively able to take control of the systems connected to the CAN bus.
Fiat Chrysler Recall Notice
Fiat Chrysler were forced to develop a system patch for all of the vehicles produced with the Uconnect system. This led to a recall of 1.4 million vehicles in North America including:
- 2013-2015 Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep® Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
Miller and Valasek had informed Fiat Chrysler of the security flaw before they went public with their accomplishments. This allowed Fiat Chrysler the opportunity to develop a software patch to fix the vulnerable feature. Fiat Chrysler then offered owners of the affected vehicles 3 possible remedies:
- They made the patch available to owners through their web site, allowing owners to install the patch themselves.
- They sent all affected owners, by post, a USB drive containing the patch.
- They contacted all of the affected owners and offered to install the patch at the nearest dealership.
As a result of various cyber security concerns in the American automotive sector, which the Fiat Chrysler software failure highlighted in a very public way, legislation has been introduced to the U.S. Senate in the form of the SPY Act. This legislation is intended to introduce cyber security standards for the automotive industry as well as forcing manufacturers to display a rank for their security and privacy protections based on the new standards. This legislation is still awaiting approval.
This failure highlights the importance of non-functional testing. This system functioned and executed as it was designed and intended. It was a failure of a non-functional attribute that caused the overall system failure. In my opinion this software failure could have been avoided or identified at various stages of the development process.
If there were an official review of the requirements developed for this system, the standards that were set to measure the cyber-security capabilities of the system would have been examined. This could have and should have ensured that the correct level and standards of cyber-security were employed.
If testers were involved in the initial design phase of the system, they could have and should have been able to identify that any functionality that called for Internet connectivity would need to be rigorously tested for cyber-security issues. Also, at the design phase a review and testing of the overall system design could have highlighted the possible ability of a non-safety critical module to communicate with and affect a safety critical module.
The developers and testers could have employed black-box testing of the Uconnect system’s connectivity. This would have allowed them to test valid and non-valid commands in order to examine the effects of non-valid command code injection.
How this can be avoided in the future
In our opinion one of the main ways to avoid a security breach in any software system is the employment of white-hat hackers as testers and asking them to vigorously test the security of the system. Had Charlie Miller and Chris Valasek been consultants on this project and tested the security of the system for the company rather than as self-appointed regulators, this failure could have been avoided.
Also important is the implementation of a testing process that examines how a non-safety critical module can possibly connect to and affect a safety critical module. This testing must start at the design phase of the project.
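The design-phase check described here and in the design review paragraph earlier can be automated as a reachability test over a model of the architecture. The following is an added example, not code from Fiat Chrysler or the researchers; the module graph is a constructed simplification of the systems named in this article, and the entry-point and safety-critical labels are assumptions a review team would supply.

```python
from collections import deque

# Constructed, simplified model of the architecture described in the article.
# An edge A -> B means "A can send messages that B will act on".
DESIGN = {
    "internet": ["uconnect"],
    "uconnect": ["can_bus"],
    "can_bus": ["air_conditioning", "wipers", "engine", "brakes"],
}
ENTRY_POINTS = {"internet"}             # assumption: untrusted entry point
SAFETY_CRITICAL = {"engine", "brakes"}  # assumption: review team's labelling


def exposure_paths(design, entry_points, safety_critical):
    """Return {critical_module: shortest path from an entry point to it}.

    Breadth-first search over the directed graph. An empty result means no
    untrusted entry point can reach a safety critical module.
    """
    parent = {entry: None for entry in entry_points}
    queue = deque(sorted(entry_points))
    while queue:
        node = queue.popleft()
        for nxt in design.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    findings = {}
    for target in sorted(safety_critical):
        if target in parent:
            path, step = [], target
            while step is not None:  # walk back to the entry point
                path.append(step)
                step = parent[step]
            findings[target] = path[::-1]
    return findings


def without_link(design, src, dst):
    """Copy of the design with one edge removed (a design variant to review)."""
    return {m: [t for t in targets if not (m == src and t == dst)]
            for m, targets in design.items()}


if __name__ == "__main__":
    for module, path in exposure_paths(DESIGN, ENTRY_POINTS, SAFETY_CRITICAL).items():
        print(f"FAIL {module}: " + " -> ".join(path))
```

Run as a design review gate, any reported path is a finding that must be closed or justified before implementation starts.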