NEW YORK (CNNMoney) – Modern cars are increasingly controlled by computers. And where there are computers, there are hackers.
A report shared exclusively with CNNMoney shows that the 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Toyota Prius were the most ‘hackable’ of 20 car models reviewed by automotive security researchers. The 2014 Dodge Viper and 2014 Audi A8 were the least hackable.
Security researchers Charlie Miller and Chris Valasek did their analysis by looking at the technical configurations of different models; they did not actually remotely hack any of the cars in the report.
Miller and Valasek say their goal was to show which vehicles would most tempt hackers, and to encourage the auto industry to make changes.
According to the report, both the 2014 Jeep Cherokee and the 2015 Escalade have an inherent security flaw: The cars’ apps, Bluetooth and telematics — which connects the car to a cellular network like OnStar — are on the same network as the engine controls, steering, brakes and tire pressure monitor system.
In the 2014 Prius, the AM/FM/XM radio and Bluetooth are on the same network as the steering, brakes and tire pressure monitor.
The problem: A car’s networked systems could become a gateway for hackers. If critical functions like steering are on the same network as features that connect the car to the Internet, that can put the vehicle at risk, Miller and Valasek say.
A flaw in any of those Internet-connected features could put a hacker only a step away from communicating with the features directly controlling the driver’s safety.
Let’s say a driver accidentally downloaded a virus onto his phone and connected it to his car via Bluetooth. If the car’s Bluetooth is running on the same network as the brakes, hackers could potentially make the car come to a screeching halt.
“Once they have code running on the Bluetooth computer [in your car], they can then do things like send out messages to tell the other components of the car to do stuff, like engage the brakes,” Miller said.
Some cars were deemed to be less hackable than others. The Audi A8’s computers that control its high-tech features (like adaptive cruise control and active lane assist) are on different networks than its wireless communications. The Dodge Viper was among the least vulnerable of those tested because it has fewer computer-driven functions — its main sales point is speed.
In a statement, Jeep manufacturer Chrysler responded, “Our vehicles are equipped with security systems that help minimize the risk from real-world threats…Chrysler Group will endeavor to verify these claims and, if warranted, we will remediate them.”
Chrysler added that they invite Miller and Valasek to share their findings with the company first so that they can find a solution together.
Spokesmen for Cadillac said “the report does not mention many new security features and mechanisms installed in the Escalade, and its description of the vehicle’s electronic system is not fully accurate.”
Cadillac’s statement emphasized that Miller and Valasek’s report used publicly available data, while the company’s vehicles were also equipped with elements “that are private and not accessible to researchers (or thieves).”
Toyota did not immediately respond to a request for comment.
Despite the car’s potential vulnerabilities, the researchers admit that the tradeoff may be well worth it.
“An iPhone is way more hackable than a cell phone from the 1980s,” Miller said. “However, I’d still rather have an iPhone than an ancient cell phone. The same is true with the cars, for the most part.”