This Time, Miller & Valasek Hack The Jeep At Speed
Car hacking duo accelerates -- literally -- their epic Jeep Cherokee hack.
[Updated 10:20AM with FCA USA comments]
BLACK HAT USA—Las Vegas--Famed car hackers Charlie Miller and Chris Valasek have taken their 2015 groundbreaking remote hack of a Jeep Cherokee to the next level -- controlling its accelerator, brakes, steering, and electronic parking brake at more dangerous high driving speeds.
Miller and Valasek, both security experts with Uber’s Advanced Technology Center, on Thursday here at Black Hat USA will present their latest car hacks, which basically build upon the work they demonstrated a year ago on how they could control the 2014 Jeep Cherokee’s electronic functions from afar. They’ve now advanced their hack of the very same vehicle’s electronic controls at high speeds far above the 5 miles-per-hour limit of the initial research.
“This is a new class of attacks against CAN messages,” Miller says. “It’s still very basic in the types of messages you use” to attack the car, he says. “It’s an easy attack.”
While the attacks on the CAN bus itself may be relatively rudimentary, the research it took to figure out how to do so was not. Last year’s groundbreaking Jeep hack was all about remotely attacking the vehicle. “This year, we’re fine-tuning it,” Valasek says. “It was time-consuming work. It took countless more weeks to figure out how to turn the steering wheel at speed.”
Miller and Valasek reverse-engineered the electronic control unit (ECU) firmware, which communicates via the unsecured CAN bus in short messages. In a nutshell, they tricked the Jeep’s controls by impersonating messages. They basically took the ECU offline and impersonated real traffic to force it to follow their instructions, whether it was to accelerate, or turn the steering wheel 90 degrees.
Unlike last year’s hack that the two conducted from Miller’s living room while Wired journalist Andy Greenberg drove the Jeep, this time they physically plugged into the diagnostic port of the vehicle to send their phony CAN messages, mainly for expediency reasons. “Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car,” Miller says, and the two did the driving and hacking from the very same Jeep—patched for the zero-day flaw they found last year--this time.
Valasek says they didn’t have a new zero-day remote attack vector, so they kept it local. “But you shouldn’t have to depend on having zero-day remote vectors to solve” this, he says.
In one attack, Miller and Valasek spun the steering wheel 90 degrees at 60 mph. They also controlled the acceleration pedal, as well as the brakes. “We can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere,” Miller says. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed.”
They say it’s possible the hacks are only a problem for this model of Chrysler’s Jeep Cherokee, and they may also apply to other carmakers’ vehicles. “This isn’t only some Chrysler problem,” Miller says.
Miller and Valasek’s live road testing not surprisingly didn’t all go smoothly. During a recent test-drive on a country road outside St. Louis, their steering-wheel hack sent the Jeep into a muddy ditch, and they got stuck. A pickup truck driver traveling on the remote stretch of rural highway stopped by to help them out. (That, after a crop-duster operator spotted the disabled Jeep and called 911, sending a policeman to check it out).
“Charlie was running [the attack] in the backseat and we curved, and hit the ditch and couldn’t get out because it was super-muddy,” says Valasek, who was at the wheel.
Miller and Valasek last month provided Jeep maker FCA US LLC their new findings, and also provided the carmaker with recommendations for mitigating the attacks they executed. FCA, which issued an historic massive recall of 1.4 million vehicles in the wake of the initial Jeep hack to patch a glaring security hole, recently launched a bug bounty program via Bugcrowd to reward researchers for finding security flaws in its cars.
FCA US said in a statement that such attacks would be difficult to execute. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."
The automobile company also noted that the exploits Miller and Valasek demonstrated "require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.
Miller and Valasek's latest hacks don’t exploit an urgent security flaw like last year’s, so there’s not likely to be a patch or recall this time around. There is, however, a bug in one of FCA’s ECU supplier’s firmware that eventually could be fixed, the researchers note. “At a higher level, they [Chrysler] could add more security features to the car: to detect messages that look bad or shouldn’t be there and alert” you, Miller says.
The only thing the researchers were not able to pull off was the direct hack of the Jeep’s braking system. “We never directly influenced the brakes,” Miller says, mainly because they didn’t have the firmware for the ABS module to reverse-engineer it. Instead, they were able to force the brakes to engage when the e-brake was disabled.
Hacking the Jeep driving at high speeds puts an exclamation point on an already serious concern about networked vehicles. “Now you have scary levels of control,” Valasek says of the high-speed hacks.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
5 Emerging Cyber Threats to Watch for in 2019Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Enterprise Vulnerabilities From DHS/US-CERT's National Vulnerability DatabaseCVE-2015-6461 PUBLISHED: 2019-03-21
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result i...
Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, ...
A vulnerability has been identified in SICAM A8000 CP-8000 (All versions < V14), SICAM A8000 CP-802X (All versions < V14), SICAM A8000 CP-8050 (All versions < V2.00). Specially crafted network packets sent to port 80/TCP or 443/TCP could allow an unauthenticated remote attacker to cause a D...
Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed...
An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted X...