A year after Charlie Miller and Chris Valasek disclosed a major security vulnerability that could allow hackers to remotely hijack your Jeep, the infamous auto hackers are at it again.
The duo, who now work at Uber, again teamed up with Wired writer Andy Greenberg to publicize “a new arsenal of attacks” against the same 2014 Jeep Cherokee they hacked last year.
“By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed,” Greenberg writes.
The researchers plan to present their findings at the Black Hat conference later this week.
On the plus side, this new round of attacks isn’t quite as menacing as last year’s, because it can’t be carried out remotely over the Internet. At this time, the hackers can only perform the attacks with a laptop plugged into the Jeep. Researchers cited in Greenberg’s story, however, say it’s only a matter of time before another remote vulnerability is discovered, like the one Jeep patched last year as a result of Miller and Valasek’s work.
In a statement sent to PCMag, Jeep parent company Fiat Chrysler Automobiles said that Miller and Valasek were using an old version of the car’s software, and it’s “highly unlikely” the exploit could be possible on the latest version. The company also reiterated that the attack requires a computer to be connected to the vehicle’s onboard diagnostic port.
“While we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles,” the company said.
The hack comes after Fiat Chrysler Automobiles just last month launched a bug bounty program on the Bugcrowd platform, offering cold hard cash for information about security flaws in its vehicles and connected services. The company said its goal with this new program is to “foster a collaborative relationship with researchers” and encourage the practice of responsible disclosure.