Dark Reading is part of the Informa Tech Division of Informa PLC


8/6/2015
12:00 PM

Jeep Hack 0Day: An Exposed Port

Researchers at Black Hat USA gave details on how they were able to remotely hack and control a Jeep Cherokee.

BLACK HAT USA -- Las Vegas -- In the end, it was an unnecessarily open port that led to the infamous -- and road-tested -- hack of the 2014 Jeep Cherokee by famed car hackers Charlie Miller and Chris Valasek.

In their presentation here yesterday on the remote hack of the vehicle, Miller and Valasek revealed the "vulnerability" -- a wide open port 6667 -- that ultimately led to their ability to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

After studying ways to hack via the car's optional WiFi service, the researchers discovered that the Harman uConnect infotainment system's built-in cellular connection from Sprint left Port 6667 open, which gave them a connection to the car via their smartphones on the cellular network. The researchers employed a femtocell, and after testing various distances, found they could access the vehicle some 70 miles away via the cell connection. They were able to grab the Jeep's VIN number as well.

Miller and Valasek will publish a research paper on Monday with details on exactly what they found and how they were able to wrest control of the Jeep remotely.

But their attack is now basically history -- Sprint has since locked down the exposed communications port.

"There's no way to use the attack … now," Valasek said in a press briefing. "We hope other researchers will take a look at other cards" for vulnerabilities, he said.

Miller and Valasek's groundbreaking and somewhat unnerving research and live demonstration of their hack with a driver on an open highway sent a ripple effect through the automobile industry. Fiat Chrysler last month issued a patch, and then a recall of some 1.4 million vehicles affected by the security flaw -- 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.

Car hackers Charlie Miller and Chris Valasek 
Image Source: Black Hat Events

The National Highway Traffic Safety Administration (NHTSA), meanwhile, is investigating the effectiveness of the recall.

The researchers had kept Chrysler updated on their findings along the way, including in March when they were able to send their own CAN messages to the vehicle.

"Cars got recalled. That's cool -- hackers did something" to make that happen, Miller said in their presentation.

But they say the security flaws they found in the infotainment system are not just a Fiat Chrysler issue: suppliers and telecommunications companies need to work with the automakers in these cases, they said.

Meanwhile, another pair of researchers was able to hack a Tesla S, but the attack required some physical tampering with the vehicle. The researchers will present their findings here this week at DEF CON, according to a Wired report.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
theb0x,
User Rank: Ninja
8/13/2015 | 9:40:37 AM
Port 6667
Now you can host your very own IRC channel on port 6667! Chat with other Jeep owners in realtime! Simply amazing!

Features coming soon:

XDCC File Transfers and Private Chat.

rrahmanov,
User Rank: Apprentice
8/11/2015 | 3:49:59 PM
It only takes 1 (!!!) port
It is as simple as it sounds. One port and a person that knows what to do with it.
It is interesting, I've just read about Tesla's Model S reporting 6 vulnerabilities related to a similar issue - old browser, outdated services (DNS proxy, HTTP Service) - basically indicating a lack of up-to-date patching.