Hackers Take Control of a 2014 Jeep Cherokee, Again

Hackers make a 2014 Jeep Cherokee take sharp turns and hit a ditch, all without driver input.


A Jeep Cherokee hack is back on track, at least according to the same hackers who took control of a 2014 Jeep Cherokee in July 2015.

Back then, Chris Valasek and Charlie Miller performed a controlled experiment where the Cherokee driver knew Valasek and Miller were sitting in a basement with laptops ready to attack.

During the 2015 hack, the driver quickly felt the accelerator pedal stop working. Pushing the pedal then caused the RPM to climb even though the Jeep lost half its speed and then slowed to a crawl. The friendly hackers also found they could control the air conditioning and heating system, wipers, radio and brakes.

The fiasco led to Fiat Chrysler recalling 1.4 million vehicles to secure the wireless connections, and separately the government investigated the radios used in the hack. That was followed by a class-action lawsuit alleging Fiat Chrysler was aware of the hacking risk 18 months before the recall.

Those same hackers appeared at the Las Vegas Black Hat hacker conference where they showed more examples of hacking the same Jeep Cherokee. Valasek and Miller this time took control of the Jeep not by remote control, but by connecting directly into the Jeep and overriding correct data by sending false messages to the internal CAN bus network.

Miller and Valasek say the 2015 hacking attempt couldn't do certain things if the Jeep was traveling over 5 mph, so the men wanted to know how to get around that wall. After a lot of time and effort, the men found a way to get around the obstacles by more-or-less reverse engineering the Jeep's system.

The men were able to make the Cherokee perform maneuvers that no driver would want, including sharp turns taken so fast that skid marks were left on the road. Another turn of the wheel caused the Jeep Cherokee to take an unplanned detour into a ditch.

The hackers also caused the Jeep to brake suddenly and speed up without driver input.

Much of their work was very time consuming and not something an amateur could do, something the automaker pointed out and the two hackers admitted.

Chrysler also argued that, because of its previous fixes to the Jeeps, there is no way the hackers could have taken control remotely. However, Valasek and Miller disagreed and believe they could have pulled it off from anywhere.

The security researchers say automakers need to do more to block access to the CAN bus, such as requiring a switch on the vehicle to be used before the diagnostic ports can access the vehicle. The switch could be used by a mechanic to perform maintenance and testing on a vehicle.

In addition, the hackers say they built their own device that could be used to warn a driver of any suspicious activity, and that it could have stopped all the attacks they used on the Jeep Cherokee. In other words, if they could do that, why can't an automaker?