8/1/2016 09:20 PM
This Time, Miller & Valasek Hack The Jeep At Speed

Car hacking duo accelerates -- literally -- their epic Jeep Cherokee hack.

[Updated 10:20AM with FCA USA comments]

BLACK HAT USA -- Las Vegas -- Famed car hackers Charlie Miller and Chris Valasek have taken their 2015 groundbreaking remote hack of a Jeep Cherokee to the next level -- controlling its accelerator, brakes, steering, and electronic parking brake at more dangerous high driving speeds.

Miller and Valasek, both security experts with Uber’s Advanced Technology Center, on Thursday here at Black Hat USA will present their latest car hacks, which build upon the work they demonstrated a year ago on how they could control the 2014 Jeep Cherokee’s electronic functions from afar. They’ve now advanced their hack of the very same vehicle’s electronic controls to high speeds, far above the 5 mile-per-hour limit of the initial research.

“This is a new class of attacks against CAN messages,” Miller says. “It’s still very basic in the types of messages you use” to attack the car, he says. “It’s an easy attack.”

While the attacks on the CAN bus itself may be relatively rudimentary, the research it took to figure out how to do so was not. Last year’s groundbreaking Jeep hack was all about remotely attacking the vehicle. “This year, we’re fine-tuning it,” Valasek says. “It was time-consuming work. It took countless more weeks to figure out how to turn the steering wheel at speed.”

Miller and Valasek reverse-engineered the electronic control unit (ECU) firmware, which communicates via the unsecured CAN bus in short messages. In a nutshell, they tricked the Jeep’s controls by impersonating messages. They basically took the ECU offline and impersonated real traffic to force it to follow their instructions, whether it was to accelerate, or turn the steering wheel 90 degrees.

Unlike last year’s hack that the two conducted from Miller’s living room while Wired journalist Andy Greenberg drove the Jeep, this time they physically plugged into the diagnostic port of the vehicle to send their phony CAN messages, mainly for expediency reasons. “Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car,” Miller says, and the two did the driving and hacking from the very same Jeep -- patched for the zero-day flaw they found last year -- this time.

Valasek says they didn’t have a new zero-day remote attack vector, so they kept it local. “But you shouldn’t have to depend on having zero-day remote vectors to solve” this, he says.

In one attack, Miller and Valasek spun the steering wheel 90 degrees at 60 mph. They also controlled the acceleration pedal, as well as the brakes. “We can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere,” Miller says. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed.”

They say it’s possible the hacks are specific to this model of Chrysler’s Jeep Cherokee, but they may also apply to other carmakers’ vehicles. “This isn’t only some Chrysler problem,” Miller says.

Miller and Valasek’s live road testing not surprisingly didn’t all go smoothly. During a recent test-drive on a country road outside St. Louis, their steering-wheel hack sent the Jeep into a muddy ditch, and they got stuck. A pickup truck driver traveling on the remote stretch of rural highway stopped by to help them out. (That, after a crop-duster operator spotted the disabled Jeep and called 911, sending a policeman to check it out).

“Charlie was running [the attack] in the backseat and we curved, and hit the ditch and couldn’t get out because it was super-muddy,” says Valasek, who was at the wheel.

Miller and Valasek last month provided Jeep maker FCA US LLC their new findings, and also provided the carmaker with recommendations for mitigating the attacks they executed. FCA, which issued a historic, massive recall of 1.4 million vehicles in the wake of the initial Jeep hack to patch a glaring security hole, recently launched a bug bounty program via Bugcrowd to reward researchers for finding security flaws in its cars.

FCA US said in a statement that such attacks would be difficult to execute. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."

The automaker also noted that the exploits Miller and Valasek demonstrated "require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," i.e. the unpatched version.

Miller and Valasek's latest hacks don’t exploit an urgent security flaw like last year’s, so there’s not likely to be a patch or recall this time around. There is, however, a bug in the firmware of one of FCA’s ECU suppliers that eventually could be fixed, the researchers note. “At a higher level, they [Chrysler] could add more security features to the car: to detect messages that look bad or shouldn’t be there and alert” you, Miller says.
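The in-vehicle detection Miller suggests here, and the message impersonation described earlier in the article (an ECU taken offline and its traffic impersonated), can be illustrated with a small CAN-bus anomaly checker. The following is an added example written for this article; it is not code from Miller and Valasek, FCA, or the ECU supplier. It assumes frames in candump-style text form, and every CAN ID, period, signal layout and sample frame in it is a constructed placeholder rather than the Jeep Cherokee's real bus data.

```python
"""Minimal CAN-bus anomaly checker: flags frames that "shouldn't be there"
(unknown IDs, frames arriving far faster than the owning ECU's cadence, or an
ECU that has gone silent) and frames that "look bad" (a signal value that
jumps further than is physically plausible between consecutive frames).

Added example, not the researchers' code. All IDs, periods, signal layouts and
sample frames are constructed placeholders, not the Jeep Cherokee's real ones.
"""
from collections import namedtuple

Alert = namedtuple("Alert", "ts can_id reason")

# Constructed baseline profile of normal traffic: one ECU owns each periodic
# ID and sends it at a fixed period; max_delta is the largest plausible change
# of the first 16-bit signal between two consecutive frames of that ID.
BASELINE = {
    "123": {"period": 0.020, "max_delta": 200},  # hypothetical steering-angle frame, 50 Hz
    "456": {"period": 0.010, "max_delta": 50},   # hypothetical speed frame, 100 Hz
}


def parse_candump_line(line):
    """Parse a candump-style record '(timestamp) iface ID#HEXDATA'."""
    ts_field, _iface, frame = line.split()
    ts = float(ts_field.strip("()"))
    can_id, _, data_hex = frame.partition("#")
    return ts, can_id.upper(), bytes.fromhex(data_hex)


def first_signal(data):
    """Decode bytes 0-1 (big-endian) as the signal under plausibility check."""
    return int.from_bytes(data[:2], "big")


def detect_anomalies(lines, baseline=BASELINE, min_interval_ratio=0.5, silence_periods=5):
    """Run the checks over an iterable of candump lines; return a list of Alerts."""
    alerts = []
    last_ts, last_val, final_ts = {}, {}, None
    for line in lines:
        ts, can_id, data = parse_candump_line(line)
        final_ts = ts
        # 1. An ID no ECU is known to send: it shouldn't be on the bus at all.
        if can_id not in baseline:
            alerts.append(Alert(ts, can_id, "unknown id"))
            continue
        prof = baseline[can_id]
        # 2. A frame far sooner than the owner's period: a second node is
        #    transmitting the same ID alongside the real ECU.
        if can_id in last_ts and ts - last_ts[can_id] < prof["period"] * min_interval_ratio:
            alerts.append(Alert(ts, can_id, "interval too short"))
        # 3. A signal that jumps more than physics allows between frames,
        #    which also catches a spoof sent at the correct cadence.
        val = first_signal(data)
        if can_id in last_val and abs(val - last_val[can_id]) > prof["max_delta"]:
            alerts.append(Alert(ts, can_id, "implausible jump"))
        last_ts[can_id], last_val[can_id] = ts, val
    # 4. An ECU that has stopped talking (e.g. taken offline before impersonation).
    if final_ts is not None:
        for can_id, prof in baseline.items():
            if can_id not in last_ts:
                alerts.append(Alert(final_ts, can_id, "never seen"))
            elif final_ts - last_ts[can_id] > prof["period"] * silence_periods:
                alerts.append(Alert(final_ts, can_id, "went silent"))
    return alerts


# Constructed sample traffic (not a real capture): normal frames, then one
# injected steering frame 5 ms after the real one with an absurd value, then
# an ID that no ECU in the baseline owns.
SAMPLE = [
    "(1.000000) can0 123#03E800",  # angle signal 1000
    "(1.010000) can0 456#001E00",
    "(1.020000) can0 123#03F200",  # 1010
    "(1.030000) can0 456#001F00",
    "(1.040000) can0 123#03FC00",  # 1020
    "(1.045000) can0 123#0FA000",  # injected: too soon, value 4000
    "(1.050000) can0 456#002000",
    "(1.060000) can0 123#040600",  # real ECU still talking: 1030
    "(1.070000) can0 3FF#DEAD",    # ID not in baseline
]

# Constructed sample where the speed ECU never transmits.
SAMPLE_SILENT = [
    "(2.000000) can0 123#03E800",
    "(2.020000) can0 123#03F200",
    "(2.040000) can0 123#03FC00",
]

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE) + detect_anomalies(SAMPLE_SILENT):
        print(f"t={a.ts:.3f} id={a.can_id}: {a.reason}")
```

The interval check alone would miss a spoof sent at the real ECU's cadence after that ECU has been silenced, which is the scenario the article describes; that is why the silence check and the per-signal plausibility check are included as well. A real deployment would take the signal layouts and physical limits from the vehicle's own message definitions rather than the placeholder profile used here.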

The only thing the researchers were not able to pull off was the direct hack of the Jeep’s braking system. “We never directly influenced the brakes,” Miller says, mainly because they didn’t have the firmware for the ABS module to reverse-engineer it. Instead, they were able to force the brakes to engage when the e-brake was disabled.

Hacking the Jeep driving at high speeds puts an exclamation point on an already serious concern about networked vehicles. “Now you have scary levels of control,” Valasek says of the high-speed hacks.

Video Source: Miller & Valasek

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Joe Stanganelli (User Rank: Ninja), 8/3/2016 | 5:22:33 PM
SMH @ Jeep
"require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.

Oh, you mean like pretty much all hackers and all major hacks?

Eyeroll goes here.

Kelly Jackson Higgins (User Rank: Strategist), 8/2/2016 | 10:38:07 AM
Re: Fingers crossed
The good news is Chrysler/FCA US has a bug bounty program now through Bugcrowd. That to me seems like a good sign.

Whoopty (User Rank: Ninja), 8/2/2016 | 7:47:34 AM
Fingers crossed
Although I'm a big proponent of the growth of automated vehicles, hacking does worry me. While I don't see myself as being high-profile enough for someone to want to hack directly, my real concern is botnets of compromised vehicles could perform actions en masse at certain times causing huge disruption and risking lives.

All I can do though really is hope that manufacturers take this sort of threat seriously enough.