
7/23/2015
06:30 PM

Car Hacking Shifts Into High Gear

Researchers now have proven you can hack a car remotely, and at Black Hat USA will share most -- but not all -- of the details on how they did it.

If a car's brakes suddenly fail and send it careening uncontrollably into a ditch, how do you know whether it was a mechanical failure or the work of a malicious hacker?

There's no foolproof way today to prove a car was hacked. Lucky for Wired journalist Andy Greenberg--who recently served as a live crash-test dummy for famed car security hackers Charlie Miller and Chris Valasek's latest car hacking research--a nerve-wracking sudden full stop of the 2014 Jeep Cherokee he was driving at 70mph on a St. Louis highway was the handiwork of the white hat hackers from their laptops some 10 miles away in Miller's living room.

The dramatic and controversial live car hack demonstration got plenty of attention this week, including from lawmakers and automakers. Fiat Chrysler issued a security update for the vulnerability found by Miller and Valasek prior to the demo going public; Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced proposed legislation for federal standards to secure cars from cyberattacks and to protect owners' privacy; and the ICS-CERT issued an alert about Fiat Chrysler's patch.

Miller and Valasek believe they are still way ahead of the bad guys when it comes to car hacking. At Black Hat USA next month, they will reveal details of the vulnerability they found and exploited in the Uconnect infotainment system, which affects up to 400,000 Fiat Chrysler vehicles. They plan to show the code and some other tools they wrote, but they won't release the firmware for the chip they reprogrammed for the hack. "It's the difference between turning up the radio loud and being able to turn the steering wheel. We feel we shouldn’t give that out," says Valasek, who heads up the vehicle security research practice at security firm IOActive.

The zero-day vulnerability in Uconnect, meanwhile, was "pretty simplistic," Valasek says, and they found it within a couple of weeks of their tinkering. "The hard part was getting firmware from the chip that interacts with the car and reverse-engineering it so we could do the next step and reprogram it" so they could send it messages via the car's internal CAN bus network, he says.

Miller and Valasek were able to control a 2014 Jeep Cherokee's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

"The important piece was getting on wirelessly, and making that lateral-wise movement to the actual controls of the car," Valasek says. He and Miller initially began hacking away via the car's WiFi, and then realized they could do the same exploits via its cellular connection. They also discovered that if an attacker knows a car's IP address, he can hack it from any location within the US.

The researchers in their Black Hat presentation also plan to release a paper on the process they underwent to hack the Jeep. But it won't be a how-to for car hacking: "This is not a step-by-step instructions on how to hack a car," Valasek says. It's instead aimed at people who want to perform security assessments of a vehicle, he says.

Fiat Chrysler's software update for the infotainment system was in response to the researchers' findings (the researchers shared their research with the carmaker in advance). But the patch is not as straightforward as it sounds: it entails a manual update via a USB stick or a visit to a dealer's service center. And the advisory also doesn't actually spell out that it's a security fix. "It says it's an improvement for your radio" but not that it's a vulnerability patch, he notes. "So a [consumer] might say, 'my radio works fine'" and not patch, he says. The flaw affects Uconnect-equipped Chrysler vehicle models in late 2013, 2014, and early 2015.

Whether car owners will actually apply the update en masse is unclear: "We are in uncharted territory," says Valasek.

Gualberto Ranieri, senior vice president of communications at Fiat Chrysler, wrote in a blog post that the company is unaware of any real-world attacks: "To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle," he said.

Shifting Gears

Miller and Valasek have been on a wild ride over the past two years exploring just how a vehicle with network connectivity can be "owned" by an attacker for nefarious purposes. In their first car hack in 2013, they cracked open the dashboards of a 2010 Toyota Prius and the 2010 Ford Escape and reverse-engineered the electronics in the vehicles, using their own hardware hacking tools to wrest control of the brakes, steering, and acceleration, findings that they revealed at DEF CON that summer. Last year, they published a report on the most hackable vehicles -- ones that their analysis found had unprotected networking features that would allow an attacker to break in and control them from afar.

At the top of their most hackable cars list: the 2014 Jeep Cherokee, as well as the 2014 Infiniti Q50 and 2015 Escalade. Miller and Valasek took that research to the next level with the latest car hack, carried out in such dramatic fashion that it has given even the most hardcore security experts pause.

"I have to say I do think it was quite daring and it may have been pushing the boundaries. But I also believe their motivation was more to … get people's attention. It was a calculated risk they took to get some sunshine for the consumer public," says Mathew Desmond, manufacturing & heavy equipment domain subject matter expert at Cap Gemini. "But I don't think anyone would recommend [doing what they did]."

The auto industry was not amused. "Demonstrations such as what's been described are concerning, and it's uncomfortable to see the way in which this particular demonstration was done: having a skilled test driver involved in the demonstration conducted on a closed course is one thing, but posing a risk to other drivers on open roads is clearly irresponsible. Especially considering that there are now several forums for demonstrating ethical research in controlled settings," said Wade Newton, director of communications at the Alliance of Automobile Manufacturers, whose members include Fiat Chrysler, Ford, GM, BMW, Mazda, Porsche, Toyota, and Volvo.


Miller and Valasek indeed have been the most high-profile researchers in car hacking. But other projects are under way elsewhere in the industry, including a public-private working group in the Commonwealth of Virginia that is testing how state trooper cruisers could be sabotaged via cyberattacks.

"There's no doubt cars can be attacked. Then the question is, how would we know? Today, there's nothing to collect to show a cyberattack" on a vehicle, says Barry Horowitz, chair of the Systems and Information Engineering Department at the University of Virginia, which has conducted car hacking research. UVA also is involved in the Virginia State Trooper vehicle research.

Horowitz says carmakers must build their vehicles such that the infotainment center isn't vulnerable to physical control by an attacker. "Why is the radio connected to the physical automation of the car?" he says. "There needs to be a physical gap" between systems on the car's network, he says.

Automakers also should provide a way for investigators, such as state police, to gather forensic information at the scene of a car accident or incident in order to determine whether it was caused by a cyberattack.

Car Patch Tuesday?

Meanwhile, car software patching will become more and more common, security experts say. And consumers will have to start embracing it. BMW Group in February issued an "over the air" security update to its ConnectedDrive software running on some 2.2 million of its vehicles worldwide. The fix was for a hole that could allow an attacker to hijack or manipulate remote communications in some BMW, Rolls-Royce, and Mini models' SIM cards.

"The challenge for the public is to start thinking about a vehicle like they would their Windows PC's operating system. They are accustomed to getting software updates" there, Cap Gemini's Desmond says. "There's going to have to be a mind shift, or a cultural shift."

Desmond, who previously worked on the vehicle software side of the industry, says he's confident that most automakers are already testing their networked systems and software for security holes that hackers could exploit. The cybersecurity piece of car safety will "get ratcheted up," he says.

In the meantime, there's still some breathing room for carmakers now. "It isn't a malicious attack in the wild," Valasek says of his and Miller's research.  

Valasek says the gaping security holes he and Miller have found in cars haven't scared him away from networked vehicles. "I drove a 2014 Jeep Cherokee today," as a matter of fact, he says.

 


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Dr.T
7/28/2015 | 12:06:02 PM
Re: a jump on the bad guys
I hear you. Until some bad guys cause some financial loss to Chrysler, they may not have any incentive to listen. That is how we deal with security: no prevention until needed and when it is too late. :--))