
8/1/2016
09:20 PM

This Time, Miller & Valasek Hack The Jeep At Speed

Car hacking duo accelerates -- literally -- their epic Jeep Cherokee hack.

[Updated 10:20AM with FCA USA comments]

BLACK HAT USA -- Las Vegas -- Famed car hackers Charlie Miller and Chris Valasek have taken their 2015 groundbreaking remote hack of a Jeep Cherokee to the next level -- controlling its accelerator, brakes, steering, and electronic parking brake at more dangerous high driving speeds.

Miller and Valasek, both security experts with Uber’s Advanced Technology Center, on Thursday here at Black Hat USA will present their latest car hacks, which basically build upon the work they demonstrated a year ago on how they could control the 2014 Jeep Cherokee’s electronic functions from afar. They’ve now advanced their hack of the very same vehicle’s electronic controls at high speeds far above the 5 miles-per-hour limit of the initial research.

“This is a new class of attacks against CAN messages,” Miller says. “It’s still very basic in the types of messages you use” to attack the car, he says. “It’s an easy attack.”

While the attacks on the CAN bus itself may be relatively rudimentary, the research it took to figure out how to do so was not. Last year’s groundbreaking Jeep hack was all about remotely attacking the vehicle. “This year, we’re fine-tuning it,” Valasek says. “It was time-consuming work. It took countless more weeks to figure out how to turn the steering wheel at speed.”

Miller and Valasek reverse-engineered the electronic control unit (ECU) firmware, which communicates via the unsecured CAN bus in short messages. In a nutshell, they tricked the Jeep’s controls by impersonating messages. They basically took the ECU offline and impersonated real traffic to force it to follow their instructions, whether it was to accelerate, or turn the steering wheel 90 degrees.

Unlike last year’s hack that the two conducted from Miller’s living room while Wired journalist Andy Greenberg drove the Jeep, this time they physically plugged into the diagnostic port of the vehicle to send their phony CAN messages, mainly for expediency reasons. “Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car,” Miller says, and the two did the driving and hacking from the very same Jeep -- patched for the zero-day flaw they found last year -- this time.

Valasek says they didn’t have a new zero-day remote attack vector, so they kept it local. “But you shouldn’t have to depend on having zero-day remote vectors to solve” this, he says.

In one attack, Miller and Valasek spun the steering wheel 90 degrees at 60 mph. They also controlled the acceleration pedal, as well as the brakes. “We can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere,” Miller says. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed.”

They say it’s possible the hacks are only a problem for this model of Chrysler’s Jeep Cherokee, but they may also apply to other carmakers’ vehicles. “This isn’t only some Chrysler problem,” Miller says.

Miller and Valasek’s live road testing not surprisingly didn’t all go smoothly. During a recent test-drive on a country road outside St. Louis, their steering-wheel hack sent the Jeep into a muddy ditch, and they got stuck. A pickup truck driver traveling on the remote stretch of rural highway stopped by to help them out. (That, after a crop-duster operator spotted the disabled Jeep and called 911, sending a policeman to check it out).

“Charlie was running [the attack] in the backseat and we curved, and hit the ditch and couldn’t get out because it was super-muddy,” says Valasek, who was at the wheel.

Miller and Valasek last month provided Jeep maker FCA US LLC their new findings, and also provided the carmaker with recommendations for mitigating the attacks they executed. FCA, which issued an historic massive recall of 1.4 million vehicles in the wake of the initial Jeep hack to patch a glaring security hole, recently launched a bug bounty program via Bugcrowd to reward researchers for finding security flaws in its cars. 

FCA US said in a statement that such attacks would be difficult to execute. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."

The automobile company also noted that the exploits Miller and Valasek demonstrated "require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.

Miller and Valasek's latest hacks don’t exploit an urgent security flaw like last year’s, so there’s not likely to be a patch or recall this time around. There is, however, a bug in one of FCA’s ECU supplier’s firmware that eventually could be fixed, the researchers note. “At a higher level, they [Chrysler] could add more security features to the car: to detect messages that look bad or shouldn’t be there and alert” you, Miller says.

The only thing the researchers were not able to pull off was the direct hack of the Jeep’s braking system. “We never directly influenced the brakes,” Miller says, mainly because they didn’t have the firmware for the ABS module to reverse-engineer it. Instead, they were able to force the brakes to engage when the e-brake was disabled.

Hacking the Jeep driving at high speeds puts an exclamation point on an already serious concern about networked vehicles. “Now you have scary levels of control,” Valasek says of the high-speed hacks.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
8/3/2016 | 5:22:33 PM
SMH @ Jeep
"require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.

Oh, you mean like pretty much all hackers and all major hacks?

Eyeroll goes here.
Kelly Jackson Higgins,
User Rank: Strategist
8/2/2016 | 10:38:07 AM
Re: Fingers crossed
The good news is Chrysler/FCA US has a bug bounty program now through Bugcrowd. That to me seems like a good sign.
Whoopty,
User Rank: Ninja
8/2/2016 | 7:47:34 AM
Fingers crossed
Although I'm a big proponent of the growth of automated vehicles, hacking does worry me. While I don't see myself as being high-profile enough for someone to want to hack directly, my real concern is botnets of compromised vehicles could perform actions en masse at certain times causing huge disruption and risking lives.

All I can do though really is hope that manufacturers take this sort of threat seriously enough. 