Attacks/Breaches
7/23/2015
06:30 PM

Car Hacking Shifts Into High Gear

Researchers now have proven you can hack a car remotely, and at Black Hat USA will share most -- but not all -- of the details on how they did it.

If a car's brakes suddenly fail and send it careening uncontrollably into a ditch, how do you know whether it was a mechanical failure or the work of a malicious hacker?

There's no foolproof way today to prove a car was hacked. Lucky for Wired journalist Andy Greenberg--who recently served as a live crash-test dummy for famed car security hackers Charlie Miller and Chris Valasek's latest car hacking research--a nerve-wracking sudden full stop of the 2014 Jeep Cherokee he was driving at 70mph on a St. Louis highway was the handiwork of the white hat hackers from their laptops some 10 miles away in Miller's living room.

The dramatic and controversial live car hack demonstration got plenty of attention this week, including from lawmakers and automakers. Fiat Chrysler issued a security update for the vulnerability found by Miller and Valasek prior to the demo going public; Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced proposed legislation for federal standards to secure cars from cyberattacks and to protect owners' privacy; and the ICS-CERT issued an alert about Fiat Chrysler's patch.

Miller and Valasek believe they are still way ahead of the bad guys when it comes to car hacking. At Black Hat USA next month, they will reveal details of the vulnerability they found and exploited in the Uconnect infotainment system, which affects up to 400,000 Fiat Chrysler vehicles. They plan to show the code and some other tools they wrote, but they won't release the firmware for the chip they reprogrammed for the hack. "It's the difference between turning up the radio loud and being able to turn the steering wheel. We feel we shouldn’t give that out," says Valasek, who heads up the vehicle security research practice at security firm IOActive.

The zero-day vulnerability in Uconnect, meanwhile, was "pretty simplistic," Valasek says, and they found it within a couple of weeks of their tinkering. "The hard part was getting firmware from the chip that interacts with the car and reverse-engineering it so we could do the next step and reprogram it" so they could send it messages via the car's internal CAN bus network, he says.

Miller and Valasek were able to control a 2014 Jeep Cherokee's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

"The important piece was getting on wirelessly, and making that lateral-wise movement to the actual controls of the car," Valasek says. He and Miller initially began hacking away via the car's WiFi, and then realized they could do the same exploits via its cellular connection. They also discovered that if an attacker knows a car's IP address, he can hack it from any location within the US.

The researchers in their Black Hat presentation also plan to release a paper on the process they underwent to hack the Jeep. But it won't be a how-to for car hacking: "This is not a step-by-step instructions on how to hack a car," Valasek says. It's instead aimed at people who want to perform security assessments of a vehicle, he says.

Fiat Chrysler's software update for the infotainment system was in response to the researchers' findings (the researchers shared their research with the carmaker in advance). But the patch is not as straightforward as it sounds: it entails a manual update via a USB stick or a visit to a dealer's service center. And the advisory also doesn't actually spell out that it's a security fix. "It says it's an improvement for your radio" but not that it's a vulnerability patch, he notes. "So a [consumer] might say, 'my radio works fine'" and not patch, he says. The flaw affects Uconnect-equipped Chrysler vehicle models from late 2013, 2014, and early 2015.

Whether car owners will actually apply the update en masse is unclear: "We are in uncharted territory," says Valasek.

Gualberto Ranieri, senior vice president of communications at Fiat Chrysler, wrote in a blog post that the company is unaware of any real-world attacks: "To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle," he said.

Shifting Gears

Miller and Valasek have been on a wild ride over the past two years exploring just how a vehicle with network connectivity can be "owned" by an attacker for nefarious purposes. In their first car hack in 2013, they cracked open the dashboards of a 2010 Toyota Prius and the 2010 Ford Escape and reverse-engineered the electronics in the vehicles, using their own hardware hacking tools to wrest control of the brakes, steering, and acceleration, findings that they revealed at DEF CON that summer. Last year, they published a report on the most hackable vehicles -- ones that their analysis showed had unprotected networking features that would allow an attacker to break in and control them from afar.

At the top of their most hackable cars list: the 2014 Jeep Cherokee, as well as the 2014 Infiniti Q50 and 2015 Escalade. Miller and Valasek took that research to the next level with their latest car hack, in such dramatic fashion that it has given even the most hardcore security experts pause.

"I have to say I do think it was quite daring and it may have been pushing the boundaries. But I also believe their motivation was more to … get people's attention. It was a calculated risk they took to get some sunshine for the consumer public," says Mathew Desmond, manufacturing & heavy equipment domain subject matter expert at Cap Gemini. "But I don't think anyone would recommend [doing what they did]."

The auto industry was not amused. "Demonstrations such as what's been described are concerning, and it's uncomfortable to see the way in which this particular demonstration was done: having a skilled test driver involved in the demonstration conducted on a closed course is one thing, but posing a risk to other drivers on open roads is clearly irresponsible. Especially considering that there are now several forums for demonstrating ethical research in controlled settings," said Wade Newton, director of communications at the Alliance of Automobile Manufacturers, whose members include Fiat Chrysler, Ford, GM, BMW, Mazda, Porsche, Toyota, and Volvo.

Miller and Valasek indeed have been the most high-profile researchers in car hacking. But other projects are under way elsewhere in the industry, including a public-private working group in the Commonwealth of Virginia that is testing how state trooper cruisers could be sabotaged via cyberattacks.

"There's no doubt cars can be attacked. Then the question is, how would we know? Today, there's nothing to collect to show a cyberattack" on a vehicle, says Barry Horowitz, chair of the Systems and Information Engineering Department at the University of Virginia, which has conducted car hacking research. UVA also is involved in the Virginia State Trooper vehicle research.

Horowitz says carmakers must build their vehicles such that the infotainment center isn't vulnerable to physical control by an attacker. "Why is the radio connected to the physical automation of the car?" he says. "There needs to be a physical gap" between systems on the car's network, he says.

Automakers also should provide a way for investigators, such as state police, to gather forensic information at the scene of a car accident or incident in order to determine whether it was caused by a cyberattack.

Car Patch Tuesday?

Meanwhile, car software patching will become more and more common, security experts say. And consumers will have to start embracing it. BMW Group in February issued an "over the air" security update to its ConnectedDrive software running on some 2.2 million of its vehicles worldwide. The fix was for a hole that could allow an attacker to hijack or manipulate remote communications in some BMW, Rolls-Royce, and Mini models' SIM cards.

"The challenge for the public is to start thinking about a vehicle like they would their Windows PC's operating system. They are accustomed to getting software updates" there, Cap Gemini's Desmond says. "There's going to have to be a mind shift, or a cultural shift."

Desmond, who previously worked on the vehicle software side of the industry, says he's confident that most automakers are already testing their networked systems and software for security holes that hackers could exploit. The cybersecurity piece of car safety will "get ratcheted up," he says.

In the meantime, there's still some breathing room for carmakers now. "It isn't a malicious attack in the wild," Valasek says of his and Miller's research.  

Valasek says the gaping security holes he and Miller have found in cars haven't scared him away from networked vehicles. "I drove a 2014 Jeep Cherokee today," as a matter of fact, he says.

 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Dr.T,
User Rank: Ninja
7/28/2015 | 12:06:02 PM
Re: a jump on the bad guys
I hear you. Until some bad guys cause some financial loss to Chrysler, they may not have any incentive to listen. That is how we deal with security: no prevention until needed and when it is too late. :--))
Dr.T,
User Rank: Ninja
7/28/2015 | 12:03:37 PM
Re: The IoT: no thanks!
True. We have not come to home security yet. More and more devices at home are being connected; it seems they carry more risks now.
Dr.T,
User Rank: Ninja
7/28/2015 | 12:01:06 PM
Re: No foolproof solution
It is probably not going to be like a hack-free platform, but we can always isolate components in a way that they do not infect each other and a hacker cannot reach out to the core system, such as turning the car engine off.
Dr.T,
User Rank: Ninja
7/28/2015 | 11:57:25 AM
We knew it
We knew that the cars are getting smarter and nobody pays attention to the security aspect of it. Hopefully a few individuals are taking initiative and demonstrating to us that this is real, nothing fake.
Kelly Jackson Higgins,
User Rank: Strategist
7/26/2015 | 7:09:40 PM
a jump on the bad guys
The good-news takeaway here is that Miller & Valasek so far have had a jump on the bad guys with their research, as does Virginia with its research project on VA State Police car hacking. As Valasek said, Chrysler isn't responding to a malicious 0day attack right now with its patch & recall. It's the good guys calling, so they need to respond.
lancop,
User Rank: Apprentice
7/24/2015 | 3:11:50 PM
The IoT: no thanks!
If I've learned anything from my computer security work it is that any device with an internet connection is potentially hackable. Do I want to drive in a hackable car, or fly in a hackable airplane, or expose my loved ones to nerdy sociopaths thru my home appliances? No thanks! You can call the Internet of Things innovation if you want to, but it seems like a really creative way to make your life as risky as possible for the sake of "cool features" that are of questionable long-term value to a mature adult.
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:51:46 AM
Re: No foolproof solution
I wanted to go to Black Hat this year but had too much going on when it occurs. Next year, hopefully when car technology becomes more prevalent they will continue to display car hacking.
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:50:06 AM
Live Test
I would be furious if someone performed a live test on me in a facet of life that is as dangerous as driving.

I think at some point we need to look at ourselves to solve this issue between personality types. The "skeptics" and the "believers". The "skeptics" need to be less skeptical and start believing from similar test cases that possibilities such as hacking a car are very possible. And on the flip side, the "believers" need to not go out of their way to prove a point if it is dangerous such as hacking a car at high speed.
Krenner,
User Rank: Apprentice
7/24/2015 | 8:42:12 AM
Re: No foolproof solution
AND there is a Car Hacking Village at DEFCON this year!! If you're going to Black Hat, go to Charlie's talk...then stay an extra day and go to the village!
RyanSepe,
User Rank: Ninja
7/24/2015 | 8:41:28 AM
Re: No foolproof solution
That's not such a bad idea. But even then you still run into another avenue for which you could be attacked, i.e. the company providing the update. If the company is exploited even with a hardkey you could end up downloading a malicious package to your vehicle. But "what you have" should definitely minimize the risk further.