8/1/2016
09:20 PM

This Time, Miller & Valasek Hack The Jeep At Speed

Car hacking duo accelerates -- literally -- their epic Jeep Cherokee hack.

[Updated 10:20AM with FCA USA comments]

BLACK HAT USA, Las Vegas -- Famed car hackers Charlie Miller and Chris Valasek have taken their groundbreaking 2015 remote hack of a Jeep Cherokee to the next level -- controlling its accelerator, brakes, steering, and electronic parking brake at higher, more dangerous driving speeds.

Miller and Valasek, both security experts with Uber’s Advanced Technology Center, on Thursday here at Black Hat USA will present their latest car hacks, which build upon the work they demonstrated a year ago on how they could control the 2014 Jeep Cherokee’s electronic functions from afar. They’ve now advanced their hack of the very same vehicle’s electronic controls to work at speeds far above the 5 miles-per-hour limit of the initial research.

“This is a new class of attacks against CAN messages,” Miller says. “It’s still very basic in the types of messages you use” to attack the car, he says. “It’s an easy attack.”

While the attacks on the CAN bus itself may be relatively rudimentary, the research it took to figure out how to do so was not. Last year’s groundbreaking Jeep hack was all about remotely attacking the vehicle. “This year, we’re fine-tuning it,” Valasek says. “It was time-consuming work. It took countless more weeks to figure out how to turn the steering wheel at speed.”

Miller and Valasek reverse-engineered the electronic control unit (ECU) firmware, which communicates via the unsecured CAN bus in short messages. In a nutshell, they tricked the Jeep’s controls by impersonating messages. They basically took the ECU offline and impersonated real traffic to force it to follow their instructions, whether it was to accelerate, or turn the steering wheel 90 degrees.

Unlike last year’s hack that the two conducted from Miller’s living room while Wired journalist Andy Greenberg drove the Jeep, this time they physically plugged into the diagnostic port of the vehicle to send their phony CAN messages, mainly for expediency reasons. “Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car,” Miller says. This time, the two did the driving and hacking from the very same Jeep, patched for the zero-day flaw they found last year.

Valasek says they didn’t have a new zero-day remote attack vector, so they kept it local. “But you shouldn’t have to depend on having zero-day remote vectors to solve” this, he says.

In one attack, Miller and Valasek spun the steering wheel 90 degrees at 60 mph. They also controlled the acceleration pedal, as well as the brakes. “We can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere,” Miller says. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed.”

They say it’s possible the hacks are only a problem for this model of Chrysler’s Jeep Cherokee, but they may also apply to other carmakers’ vehicles. “This isn’t only some Chrysler problem,” Miller says.

Miller and Valasek’s live road testing, not surprisingly, didn’t all go smoothly. During a recent test-drive on a country road outside St. Louis, their steering-wheel hack sent the Jeep into a muddy ditch, and they got stuck. A pickup truck driver traveling on the remote stretch of rural highway stopped by to help them out. (That, after a crop-duster operator spotted the disabled Jeep and called 911, sending a policeman to check it out.)

“Charlie was running [the attack] in the backseat and we curved, and hit the ditch and couldn’t get out because it was super-muddy,” says Valasek, who was at the wheel.

Miller and Valasek last month provided Jeep maker FCA US LLC their new findings, and also provided the carmaker with recommendations for mitigating the attacks they executed. FCA, which issued an historic massive recall of 1.4 million vehicles in the wake of the initial Jeep hack to patch a glaring security hole, recently launched a bug bounty program via Bugcrowd to reward researchers for finding security flaws in its cars. 

FCA US said in a statement that such attacks would be difficult to execute. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."

The automobile company also noted that the exploits Miller and Valasek demonstrated "require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.

Miller and Valasek's latest hacks don’t exploit an urgent security flaw like last year’s, so there’s not likely to be a patch or recall this time around. There is, however, a bug in one of FCA’s ECU supplier’s firmware that eventually could be fixed, the researchers note. “At a higher level, they [Chrysler] could add more security features to the car: to detect messages that look bad or shouldn’t be there and alert” you, Miller says.
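The kind of check Miller describes can be sketched as timing-based anomaly detection, shown here as an added example that is not code from the researchers or FCA. It assumes safety-relevant CAN messages are broadcast at a fixed period, so a second sender on the same ID shortens the gaps and a sender taken offline leaves a hole; the arbitration IDs, periods and captured frames are all constructed for illustration.

```python
# Added example: timing-based anomaly detection for periodic CAN traffic.
# All IDs, periods and frames are constructed; none come from a real vehicle.

# Assumed baseline: arbitration ID -> expected broadcast period in milliseconds.
BASELINE_MS = {0x101: 10, 0x202: 20}


def detect(frames, window_end_ms, baseline=BASELINE_MS):
    """Return sorted (arbitration_id, reason) alerts for (timestamp_ms, id) frames."""
    alerts = set()
    last_seen = {}
    for ts, can_id in sorted(frames):
        period = baseline.get(can_id)
        if period is None:
            alerts.add((can_id, "unknown_id"))    # ID never seen on this bus
            continue
        if can_id in last_seen:
            gap = ts - last_seen[can_id]
            if gap < period / 2:
                alerts.add((can_id, "too_fast"))  # second sender on the same ID
            elif gap > 3 * period:
                alerts.add((can_id, "silent"))    # legitimate sender dropped out
        last_seen[can_id] = ts
    # An expected ID that stopped before the capture ended is also "silent".
    for can_id, period in baseline.items():
        last = last_seen.get(can_id)
        if last is None or window_end_ms - last > 3 * period:
            alerts.add((can_id, "silent"))
    return sorted(alerts)


def clean_capture():
    """Constructed 100 ms capture in which both IDs keep their normal period."""
    return [(t, 0x101) for t in range(0, 101, 10)] + \
           [(t, 0x202) for t in range(0, 101, 20)]


def suspicious_capture():
    """Constructed capture: extra 0x101 frames, 0x202 stops, one unknown ID."""
    frames = [(t, 0x101) for t in range(0, 101, 10)]
    frames += [(52, 0x101), (62, 0x101), (72, 0x101)]  # interleaved extras
    frames += [(0, 0x202), (20, 0x202)]                # goes quiet after 20 ms
    frames.append((30, 0x7FF))                         # not in the baseline
    return frames


if __name__ == "__main__":
    for can_id, reason in detect(suspicious_capture(), window_end_ms=100):
        print(f"ALERT id=0x{can_id:03X} reason={reason}")
```

The thresholds (half the period for "too fast", three periods for "silent") are illustrative; a production monitor would learn per-ID jitter from clean captures before alerting.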

The only thing the researchers were not able to pull off was the direct hack of the Jeep’s braking system. “We never directly influenced the brakes,” Miller says, mainly because they didn’t have the firmware for the ABS module to reverse-engineer it. Instead, they were able to force the brakes to engage when the e-brake was disabled.

Hacking the Jeep driving at high speeds puts an exclamation point on an already serious concern about networked vehicles. “Now you have scary levels of control,” Valasek says of the high-speed hacks.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Whoopty,
User Rank: Ninja
8/2/2016 | 7:47:34 AM
Fingers crossed
Although I'm a big proponent of the growth of automated vehicles, hacking does worry me. While I don't see myself as being high-profile enough for someone to want to hack directly, my real concern is botnets of compromised vehicles could perform actions en masse at certain times causing huge disruption and risking lives.

All I can do though really is hope that manufacturers take this sort of threat seriously enough. 
Kelly Jackson Higgins,
User Rank: Strategist
8/2/2016 | 10:38:07 AM
Re: Fingers crossed
The good news is Chrysler/FCA US has a bug bounty program now through Bugcrowd. That to me seems like a good sign.
Joe Stanganelli,
User Rank: Ninja
8/3/2016 | 5:22:33 PM
SMH @ Jeep
"require extensive technical knowledge, extended periods of time to write code, and prolonged physical access to the demonstration vehicle," and that the Jeep the researchers used "appears to have been altered back to an older level of software," the unpatched version, the statement said.

Oh, you mean like pretty much all hackers and all major hacks?

Eyeroll goes here.