This Time, Miller & Valasek Hack The Jeep At Speed
Car hacking duo accelerates -- literally -- their epic Jeep Cherokee hack.
[Updated 10:20AM with FCA USA comments]
BLACK HAT USA—Las Vegas--Famed car hackers Charlie Miller and Chris Valasek have taken their 2015 groundbreaking remote hack of a Jeep Cherokee to the next level -- controlling its accelerator, brakes, steering, and electronic parking brake at more dangerous high driving speeds.
Miller and Valasek, both security experts with Uber’s Advanced Technology Center, on Thursday here at Black Hat USA will present their latest car hacks, which basically build upon the work they demonstrated a year ago on how they could control the 2014 Jeep Cherokee’s electronic functions from afar. They’ve now advanced their hack of the very same vehicle’s electronic controls at high speeds far above the 5 miles-per-hour limit of the initial research.
“This is a new class of attacks against CAN messages,” Miller says. “It’s still very basic in the types of messages you use” to attack the car, he says. “It’s an easy attack.”
While the attacks on the CAN bus itself may be relatively rudimentary, the research it took to figure out how to do so was not. Last year’s groundbreaking Jeep hack was all about remotely attacking the vehicle. “This year, we’re fine-tuning it,” Valasek says. “It was time-consuming work. It took countless more weeks to figure out how to turn the steering wheel at speed.”
Miller and Valasek reverse-engineered the electronic control unit (ECU) firmware, which communicates via the unsecured CAN bus in short messages. In a nutshell, they tricked the Jeep’s controls by impersonating messages. They basically took the ECU offline and impersonated real traffic to force it to follow their instructions, whether it was to accelerate, or turn the steering wheel 90 degrees.
Unlike last year’s hack that the two conducted from Miller’s living room while Wired journalist Andy Greenberg drove the Jeep, this time they physically plugged into the diagnostic port of the vehicle to send their phony CAN messages, mainly for expediency reasons. “Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car,” Miller says, and the two did the driving and hacking from the very same Jeep—patched for the zero-day flaw they found last year--this time.
Valasek says they didn’t have a new zero-day remote attack vector, so they kept it local. “But you shouldn’t have to depend on having zero-day remote vectors to solve” this, he says.
In one attack, Miller and Valasek spun the steering wheel 90 degrees at 60 mph. They also controlled the acceleration pedal, as well as the brakes. “We can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere,” Miller says. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed.”
They say it’s possible the hacks are only a problem for this model of Chrysler’s Jeep Cherokee, and they may also apply to other carmakers’ vehicles. “This isn’t only some Chrysler problem,” Miller says.
Miller and Valasek’s live road testing not surprisingly didn’t all go smoothly. During a recent test-drive on a country road outside St. Louis, their steering-wheel hack sent the Jeep into a muddy ditch, and they got stuck. A pickup truck driver traveling on the remote stretch of rural highway stopped by to help them out. (That, after a crop-duster operator spotted the disabled Jeep and called 911, sending a policeman to check it out).
“Charlie was running [the attack] in the backseat and we curved, and hit the ditch and couldn’t get out because it was super-muddy,” says Valasek, who was at the wheel.
Miller and Valasek last month provided Jeep maker FCA US LLC their new findings, and also provided the carmaker with recommendations for mitigating the attacks they executed. FCA, which issued an historic massive recall of 1.4 million vehicles in the wake of the initial Jeep hack to patch a glaring security hole, recently launched a bug bounty program via Bugcrowd to reward researchers for finding security flaws in its cars.
FCA US said in a statement that such attacks would be difficult to execute. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."
The automobile company also noted that the exploits Miller and Valasek demonstrated "require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.
Miller and Valasek's latest hacks don’t exploit an urgent security flaw like last year’s, so there’s not likely to be a patch or recall this time around. There is, however, a bug in one of FCA’s ECU supplier’s firmware that eventually could be fixed, the researchers note. “At a higher level, they [Chrysler] could add more security features to the car: to detect messages that look bad or shouldn’t be there and alert” you, Miller says.
The only thing the researchers were not able to pull off was the direct hack of the Jeep’s braking system. “We never directly influenced the brakes,” Miller says, mainly because they didn’t have the firmware for the ABS module to reverse-engineer it. Instead, they were able to force the brakes to engage when the e-brake was disabled.
Hacking the Jeep driving at high speeds puts an exclamation point on an already serious concern about networked vehicles. “Now you have scary levels of control,” Valasek says of the high-speed hacks.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Enterprise Vulnerabilities From DHS/US-CERT's National Vulnerability DatabaseCVE-2018-14337 PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has ...
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766.