7/23/2015
06:30 PM

Car Hacking Shifts Into High Gear

Researchers now have proven you can hack a car remotely, and at Black Hat USA will share most -- but not all -- of the details on how they did it.

If a car's brakes suddenly fail and send it careening uncontrollably into a ditch, how do you know whether it was a mechanical failure or the work of a malicious hacker?

There's no foolproof way today to prove a car was hacked. Lucky for Wired journalist Andy Greenberg--who recently served as a live crash-test dummy for famed car security hackers Charlie Miller and Chris Valasek's latest car hacking research--a nerve-wracking sudden full stop of the 2014 Jeep Cherokee he was driving at 70mph on a St. Louis highway was the handiwork of the white hat hackers from their laptops some 10 miles away in Miller's living room.

The dramatic and controversial live car hack demonstration got plenty of attention this week, including from lawmakers and automakers. Fiat Chrysler issued a security update for the vulnerability found by Miller and Valasek prior to the demo going public; Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced proposed legislation for federal standards to secure cars from cyberattacks and to protect owners' privacy; and the ICS-CERT issued an alert about Fiat Chrysler's patch.

Miller and Valasek believe they are still way ahead of the bad guys when it comes to car hacking. At Black Hat USA next month, they will reveal details of the vulnerability they found and exploited in the Uconnect infotainment system, which affects up to 400,000 Fiat Chrysler vehicles. They plan to show the code and some other tools they wrote, but they won't release the firmware for the chip they reprogrammed for the hack. "It's the difference between turning up the radio loud and being able to turn the steering wheel. We feel we shouldn’t give that out," says Valasek, who heads up the vehicle security research practice at security firm IOActive.

The zero-day vulnerability in Uconnect, meanwhile, was "pretty simplistic," Valasek says, and they found it within a couple of weeks of their tinkering. "The hard part was getting firmware from the chip that interacts with the car and reverse-engineering it so we could do the next step and reprogram it" so they could send it messages via the car's internal CAN bus network, he says.

Miller and Valasek were able to control a 2014 Jeep Cherokee's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

"The important piece was getting on wirelessly, and making that lateral-wise movement to the actual controls of the car," Valasek says. He and Miller initially began hacking away via the car's WiFi, and then realized they could do the same exploits via its cellular connection. They also discovered that if an attacker knows a car's IP address, he can hack it from any location within the US.

The researchers in their Black Hat presentation also plan to release a paper on the process they underwent to hack the Jeep. But it won't be a how-to for car hacking: "This is not a step-by-step instructions on how to hack a car," Valasek says. It's instead aimed at people who want to perform security assessments of a vehicle, he says.

Fiat Chrysler's software update for the infotainment system was in response to the researchers' findings (the researchers shared their research with the carmaker in advance). But the patch is not as straightforward as it sounds: it entails a manual update via a USB stick or a visit to a dealer's service center. And the advisory also doesn't actually spell out that it's a security fix. "It says it's an improvement for your radio" but not that it's a vulnerability patch, Valasek notes. "So a [consumer] might say, 'my radio works fine'" and not patch, he says. The flaw affects Uconnect-equipped Chrysler vehicle models in late 2013, 2014, and early 2015.

Whether car owners will actually apply the update en masse is unclear: "We are in uncharted territory," says Valasek.

Gualberto Ranieri, senior vice president of communications at Fiat Chrysler, wrote in a blog post that the company is unaware of any real-world attacks: "To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle," he said.

Shifting Gears

Miller and Valasek have been on a wild ride over the past two years exploring just how a vehicle with network connectivity can be "owned" by an attacker for nefarious purposes. In their first car hack in 2013, they cracked open the dashboards of a 2010 Toyota Prius and the 2010 Ford Escape and reverse-engineered the electronics in the vehicles, using their own hardware hacking tools to wrest control of the brakes, steering, and acceleration, findings that they revealed at DEF CON that summer. Last year, they published a report on the most hackable vehicles -- ones that, in their analysis, had unprotected networking features that would allow an attacker to break in and control them from afar.

At the top of their most hackable cars list: the 2014 Jeep Cherokee, as well as the 2014 Infiniti Q50 and 2015 Escalade. Miller and Valasek took that research to the next level with the latest car hack, in such dramatic fashion that it has given even the most hardcore security experts pause.

"I have to say I do think it was quite daring and it may have been pushing the boundaries. But I also believe their motivation was more to … get people's attention. It was a calculated risk they took to get some sunshine for the consumer public," says Mathew Desmond, manufacturing & heavy equipment domain subject matter expert at Cap Gemini. "But I don't think anyone would recommend [doing what they did]."

The auto industry was not amused. "Demonstrations such as what's been described are concerning, and it's uncomfortable to see the way in which this particular demonstration was done: having a skilled test driver involved in the demonstration conducted on a closed course is one thing, but posing a risk to other drivers on open roads is clearly irresponsible. Especially considering that there are now several forums for demonstrating ethical research in controlled settings," said Wade Newton, director of communications at the Alliance of Automobile Manufacturers, whose members include Fiat Chrysler, Ford, GM, BMW, Mazda, Porsche, Toyota, and Volvo.


Miller and Valasek indeed have been the most high-profile researchers in car hacking. But other projects are under way elsewhere in the industry, including a public-private working group in the Commonwealth of Virginia that is testing how state trooper cruisers could be sabotaged via cyberattacks.

"There's no doubt cars can be attacked. Then the question is, how would we know? Today, there's nothing to collect to show a cyberattack" on a vehicle, says Barry Horowitz, chair of the Systems and Information Engineering Department at the University of Virginia, which has conducted car hacking research. UVA also is involved in the Virginia State Trooper vehicle research.

Horowitz says carmakers must build their vehicles such that the infotainment center isn't vulnerable to physical control by an attacker. "Why is the radio connected to the physical automation of the car?" he says. "There needs to be a physical gap" between systems on the car's network, he says.

Automakers also should provide a way for investigators, such as state police, to gather forensic information at the scene of a car accident or incident in order to determine whether it was caused by a cyberattack.

Car Patch Tuesday?

Meanwhile, car software patching will become more and more common, security experts say. And consumers will have to start embracing it. BMW Group in February issued an "over the air" security update to its ConnectedDrive software running on some 2.2 million of its vehicles worldwide. The fix was for a hole that could allow an attacker to hijack or manipulate remote communications in some BMW, Rolls-Royce, and Mini models' SIM cards.

"The challenge for the public is to start thinking about a vehicle like they would their Windows PC's operating system. They are accustomed to getting software updates" there, Cap Gemini's Desmond says. "There's going to have to be a mind shift, or a cultural shift."

Desmond, who previously worked on the vehicle software side of the industry, says he's confident that most automakers are already testing their networked systems and software for security holes that hackers could exploit. The cybersecurity piece of car safety will "get ratcheted up," he says.

In the meantime, there's still some breathing room for carmakers now. "It isn't a malicious attack in the wild," Valasek says of his and Miller's research.  

Valasek says the gaping security holes he and Miller have found in cars haven't scared him away from networked vehicles. "I drove a 2014 Jeep Cherokee today," as a matter of fact, he says.

 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Dr.T,
User Rank: Ninja
7/28/2015 | 12:06:02 PM
Re: a jump on the bad guys
I hear you. Until some bad guys cause some financial loss to Chrysler, they may not have any incentive to listen. That is how we deal with security: no prevention until needed, and when it is too late. :--))
Dr.T,
User Rank: Ninja
7/28/2015 | 12:03:37 PM
Re: The IoT: no thanks!
True. We have not come to home security yet. More and more devices at home are being connected; it seems they carry more risks now.
Dr.T,
User Rank: Ninja
7/28/2015 | 12:01:06 PM
Re: No foolproof solution
It is probably not going to be like a hack-free platform, but we can always isolate components in a way that they do not infect each other and a hacker cannot reach out to the core system, such as turning the car engine off.
Dr.T,
User Rank: Ninja
7/28/2015 | 11:57:25 AM
We knew it
 

We knew that the cars are getting smarter and nobody pays attention to the security aspect of it. Hopefully a few individuals are taking initiative and demonstrating to us that this is real, nothing fake.
Kelly Jackson Higgins,
User Rank: Strategist
7/26/2015 | 7:09:40 PM
a jump on the bad guys
The good-news takeaway here is that Miller & Valasek so far have had a jump on the bad guys with their research, as does Virginia with its research project on VA State Police car hacking. As Valasek said, Chrysler isn't responding to a malicious 0day attack right now with its patch & recall. It's the good guys calling, so they need to respond.
lancop,
User Rank: Apprentice
7/24/2015 | 3:11:50 PM
The IoT: no thanks!
If I've learned anything from my computer security work it is that any device with an internet connection is potentially hackable. Do I want to drive in a hackable car, or fly in a hackable airplane, or expose my loved ones to nerdy sociopaths thru my home appliances? No thanks! You can call the Internet of Things innovation if you want to, but it seems like a really creative way to make your life as risky as possible for the sake of "cool features" that are of questionable long-term value to a mature adult.
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:51:46 AM
Re: No foolproof solution
I wanted to go to Black Hat this year but had too much going on when it occurs. Next year, hopefully when car technology becomes more prevalent they will continue to display car hacking.
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:50:06 AM
Live Test
I would be furious if someone performed a live test on me in a facet of life that is as dangerous as driving.

I think at some point we need to look at ourselves to solve this issue between personality types. The "skeptics" and the "believers". The "skeptics" need to be less skeptical and start believing from similar test cases that possibilities such as hacking a car are very possible. And on the flip side, the "believers" need to not go out of their way to prove a point if it is dangerous such as hacking a car at high speed.
Krenner,
User Rank: Apprentice
7/24/2015 | 8:42:12 AM
Re: No foolproof solution
AND there is a Car Hacking Village at DEFCON this year!! If you're going to Black Hat, go to Charlie's talk...then stay an extra day and go to the village!
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:41:28 AM
Re: No foolproof solution
That's not such a bad idea. But even then you still run into another avenue for which you could be attacked. IE the company providing the update. If the company is exploited even with a hardkey you could end up downloading a malicious package to your vehicle. But "what you have" should definitely minimize the risk further.