Some cars can now be hacked.

Over the last two years, two well-respected security researchers, Charlie Miller and Chris Valasek, have been hacking away at various cars, trying to find a way to control them remotely.

At the annual Black Hat and Def Con hacking conferences in Las Vegas in August, Mr. Miller and Mr. Valasek plan to demonstrate how, after two years of research, they have discovered a way to control hundreds of thousands of vehicles remotely. From the Internet, they were able to track cars down by their location, see how fast they were going, turn their blinkers and lights on and off, mess with their windshield wipers, radios, navigation and, in some cases, control their brakes and steering.

Their discovery is several years in the making. In 2013, they described how they were able to control a Ford and a Toyota by plugging into a diagnostic port that could control the vehicle’s steering and speed. But the hack was of limited use to car manufacturers, who told them that anyone with physical access to the vehicle could just as easily cut the brakes.

So for the last year, Mr. Miller and Mr. Valasek have been tinkering with a Jeep, trying to find a way to control the car remotely. What they did not realize at the time was that their discovery would extend far beyond the Jeep and impact hundreds of thousands of other vehicles sold by Fiat Chrysler Automobiles.

Their research is likely to be one of the first discoveries in a new chapter of vulnerabilities and attacks directed at the so-called Internet of Things, the billions of products, machinery and infrastructure expected to come online over the next five years. A report from Verizon found that 14 car manufacturers accounted for 80 percent of the worldwide auto market, and each one had a connected-car strategy.

Last year, the researchers bought a Jeep that came with a car stereo head unit, which offers a radio display, traffic and navigation system, and in this case, connected to the Internet through a hardware chip that provides a wireless and a cellular network connection.

Mr. Miller and Mr. Valasek discovered a vulnerability in that chip that allowed them to scan the Internet for affected vehicles, hack into the car stereo head unit and run their own code. In the process, they were able to change the radio station and adjust the air-conditioning but not too much more.

It took another few months, but they found a way to crawl from the vulnerable wireless access chip to another chip within the same head unit that controlled the car’s electronics. Once they did that, they could control the car’s locks, windshield wipers, speedometer, lights, blinkers and even engage and disengage the brakes and steering, so long as the car was driving at sufficiently slow speeds (around six miles an hour or less) — all from the Internet.

“I have done a lot of research, but this is the first time I’ve been truly freaked out,” Mr. Miller said in a phone interview. “When I could hack into a car in Nebraska driving down the freeway, I had that feeling, ‘I shouldn’t be able to do this.'”

It was not just Jeeps they could access, but any car with the same head unit made by Fiat Chrysler. This included most newer models with the head unit, sold from late 2013 to 2015. The researchers scanned the Internet for vulnerable vehicles, took down their vehicle identification numbers and worked backward from there.

Mr. Miller and Mr. Valasek have been short on details regarding the specific vulnerabilities they discovered in the head unit, or how exactly they were able to access the firmware — instructions that are coded into a computer’s memory rather than its software — that allowed them to control the vehicles’ electronics.

Mr. Miller and Mr. Valasek notified Fiat Chrysler, which developed and released a patch last week.

Alyse Tadajewski, a spokeswoman for Fiat Chrysler, said that the company did not believe it was responsible for the researchers to disclose the vulnerability to the public. “Under no circumstances does F.C.A. condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” she said.

Ms. Tadajewski said Fiat Chrysler routinely monitored and tested its systems to identify and eliminate security vulnerabilities and had an embedded system quality engineering team dedicated to developing and implementing cybersecurity standards for all its vehicles, including its on-board and remote services.

She said the company released a free software patch for the vulnerability. “Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.”

The end goal, Mr. Miller said, was to hack something tangible that most people could understand. “I’ve been in security for more than 10 years, and I’ve worked on computers and phones. This time, I wanted to do something that my grandmother would understand. If I tell her, ‘I can hack into your car,’ she understands what that means.

“Also, I drive cars,” Mr. Miller added. “I would like them to be safe.”