Charlie Miller and Chris Valasek grabbed headlines last year by showing how they could kill a Jeep Cherokee's engine while it was traveling down a highway. The news prompted an embarrassing recall of 1.4 million Jeeps and other vehicles by parent company Fiat Chrysler.
In front of a packed lecture hall at the Black Hat hacker conference on Thursday in Las Vegas, the pair demonstrated how they could again take control of the same 2014 Jeep Cherokee they hacked the year before. This time they sent false messages to its internal network, overriding the correct ones.
That allowed them to do new - and scarier - things, such as making the vehicle turn sharply while it was speeding down a country road. They also were able to make the vehicle unintentionally speed up, or remotely slam on its brakes.
"If you can steer a car at any speed, that's pretty dangerous," Miller said, as video showed the Jeep turning so hard and fast it left skid marks. Another turn sent it into a ditch alongside a Midwestern cornfield.
The pair's previous hack only allowed them to do similar things if the Jeep was moving slower than 5 mph, making for a much less dangerous scenario.
This time, it was more about reverse engineering than actual hacking. They dissected why the vehicle's safety systems prevented remote attempts to yank the car's steering wheel or slam on its brakes if it was moving at more than 5 mph, but not at lower speeds, then looked for a way around that.
Fiat Chrysler said that while the company admired the pair's creativity, Thursday's presentation didn't show any new ways to breach the Jeep remotely. It also argued that the attack couldn't have been carried out remotely because of fixes made after the previous hack, which is something Miller and Valasek dispute.
The automaker added that the methods Miller and Valasek used were costly, time consuming and required extensive technical expertise.
The pair acknowledged that they did put quite a bit of time and effort into their hack and that it's not something the average person needs to worry about falling victim to.
For their part, Miller and Valasek, who now work for the ride-hailing service Uber, said that after four years of hacking cars together, they've decided to move on. They encouraged other hackers to pick up where they left off.
"There's no reason to think that this car company, or just American cars, is the only one that could be hacked," Miller said.