
Black Hat USA 2015: The full story of how that Jeep was hacked - mzs
https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/
======
twrkit
Has there been a consensus reached on whether or not this could have been a
factor in the death of Michael Hastings? [0]

[0]
https://en.wikipedia.org/wiki/Michael_Hastings_(journalist)#Death

------
wkcamp
I'm sure many engineers overlook the "guy who knows a guy" situation. The
whole car itself is one giant system that works in unison; practically
everything in that car IS connected. Which obviously means everything is
accessible one way or another. Isolation is not really isolation as isolation
more than likely _depends_ on _something_.

------
hmmmmmmmmm
Could this have happened in a Mercedes as well?
http://www.occupy.com/article/exclusive-who-killed-michael-hastings

~~~
krupan
well, there's this:
[https://www.youtube.com/watch?v=k_o-H1j4zZs](https://www.youtube.com/watch?v=k_o-H1j4zZs)

------
retrogradeorbit
Vintage cars have never been more appealing!

~~~
Corrado
This whole story reminds me of the Battlestar Galactica reboot a couple of
years ago. The premise was that the shiny, new spaceships were all susceptible
to hacking and virus injection while the old, "vintage" ones were unhackable.

------
lelandbatey
> This is the thing that all the manufacturers always refer back to when it
> comes to IT-security of cyber-physical systems: there is an isolation they
> say, the air gap between connected and physical parts of these systems.

> [the] multimedia system’s controller itself can’t communicate directly with
> CAN bus, it actually can communicate with another component which is
> connected to CAN bus, the V850 controller

That... that's not what an air gap is. Usually I'm forgiving about security
that's fudged, since it's hard and marketing and higher-ups rarely understand.
That's the _entire point_ of an air gap: there isn't anything to understand,
it's a physical disconnection. It's either plugged in or it's not.

When asked "is there an air gap", if the answer is _no_ and you answer _yes_
then you're lying in the most blatant and bare-faced way I can imagine. It's
like saying "that car is four wheel drive" when it's only two wheel drive, or
saying "that car has an 18 gallon tank" when it has a 7 gallon tank.

~~~
jMyles
It's really shocking how blatant and dramatic an official corporate or
government statement has to be before we're prepared to call it a lie.

~~~
sitkack
Basically if you are high up enough, the only way to get caught in a lie is to
admit that it was a lie, and that you meant to lie.

------
antoinealb
A lot of automotive manufacturers are migrating to FlexRay
([https://en.wikipedia.org/wiki/FlexRay](https://en.wikipedia.org/wiki/FlexRay))
and Ethernet, so hopefully they will use the extra bandwidth to implement a bit
more message authentication in their protocol.

------
ImJasonH
Remote control of steering wheel, engine, brakes? Free OTA driverless car
update!

~~~
x0054
Wow, that's some good spin! Not sure what you are doing now, but I am sure
Chrysler can use you in their PR department!

------
jessaustin
From this point forward we should make very few assumptions about electronic
systems.

I'll just leave these here: http://jalopnik.com/why-its-unlikely-someone-killed-michael-hastings-by-hac-584806047

http://jalopnik.com/aols-story-about-terrorist-carhacking-is-fearmongering-514344885

~~~
AgentME
Those articles say that the idea of a remotely exploitable vulnerability in a
car is ridiculous (therefore so is the murder idea), but is that not exactly
what happened with Jeep here?

~~~
jessaustin
Yeah that was my point. There are always "experts" to be found who can't
imagine a particular exploit working. Reality is not limited to some dude's
imagination, so we should have read the initial articles for what they were:
"nothing to see here, move along." If we knew then what we know now, such
articles would have piqued our curiosity. Therefore, the fact that they were
published _does_ pique my curiosity.

~~~
PhantomGremlin
_Reality is not limited to some dude's imagination_

I love that quip.

It reminds me a little of something we say, more or less: "this device does
not read its data sheet". It comes up a lot when a physical device does not
behave the way you might expect from reading its accompanying documentation.

------
morsch
_Employing this trick you can find all of Chrysler’s cars equipped with this
kind of head unit. Over a million of them were actually recalled by Fiat
Chrysler. After that all you need is to choose the right one. Funny thing is
that it’s rather hard to do, “it’s much easier to hack all the Jeeps than the
certain one,” as the researchers say.

However, picking the wanted Jeep is doable as well, thanks to the option of
the GPS tracker._

Better double check that you're not crashing another Jeep which is in the
wrong place at the wrong time...

~~~
Thriptic
If you're doing it for nefarious purposes, all you need to know is that the
target vehicle is on the road. You could have every active vehicle crash at
the same time. While doing so blows the hack for good, it would make the
motive incredibly difficult to determine.

------
sprite
This is the recall text from Jeep:

Safety Defect/Non Compliance Description and Safety Risk:

SOME 2013-2015 MY VEHICLES EQUIPPED WITH SPECIFIC RADIOS HAVE CERTAIN SOFTWARE
SECURITY VULNERABILITIES WHICH COULD ALLOW UNAUTHORIZED THIRD-PARTY ACCESS TO
SOME NETWORKED VEHICLE CONTROL SYSTEMS. A SUCCESSFUL EXPLOIT OF THIS SECURITY
VULNERABILITY COULD RESULT IN UNAUTHORIZED REMOTE MODIFICATION AND CONTROL OF
VEHICLE SYSTEMS. FCA US HAS NOT MADE A DETERMINATION THAT THIS SECURITY
VULNERABILITY CONSTITUTES A DEFECT. ALTHOUGH FCA US HAS NOT DETERMINED THAT A
DEFECT EXISTS, IT HAS DECIDED TO CONDUCT A REMEDIAL CAMPAIGN AS A SAFETY
RECALL IN THE INTEREST OF PROTECTING ITS CUSTOMERS. EXPLOITATION OF THE
SOFTWARE SECURITY VULNERABILITIES COULD LEAD TO EXPOSING THE DRIVER, THE
VEHICLE OCCUPANTS OR ANY OTHER INDIVIDUAL OR VEHICLE WITH PROXIMITY TO THE
AFFECTED VEHICLE TO A POTENTIAL RISK OF INJURY.

Repair Description:

CUSTOMERS AFFECTED BY THE RECALL WILL RECEIVE A USB DRIVE WHICH THEY MAY USE
TO UPGRADE VEHICLE SOFTWARE, PROVIDING ADDITIONAL SECURITY FEATURES
INDEPENDENT OF THE NETWORK-LEVEL MEASURES. ALTERNATELY, CUSTOMERS MAY VISIT
HTTP://WWW.DRIVEUCONNECT.COM/SOFTWARE-UPDATE/ TO INPUT THEIR VEHICLE
IDENTIFICATION NUMBERS (VINS) AND DETERMINE IF THEIR VEHICLES ARE INCLUDED IN
THE RECALL. IF SO, THEY MAY DOWNLOAD THE SOFTWARE THEMSELVES, OR VISIT THEIR
DEALERS, WHERE TECHNICIANS WILL PERFORM THE INSTALLATION. THERE IS NO CHARGE
FOR THE SOFTWARE OR, IN THE CASE OF DEALER VISIT, INSTALLATION.

I'm getting a 404 on the update page [nevermind it's case sensitive and needs
to be downcased]. Does anyone know if this update actually fixes the issue?
From reading the exploit details it seems more like a systems design issue
that can't easily be patched in software.

~~~
prothid
Chrysler worked with the guys that discovered the vulnerability and no doubt
simply patched the current known bug allowing exploit from the cellular
uplink. The system could be vulnerable again if a new exploit is discovered. I
updated my Jeep a week or so ago and haven't had any issues -- yet.

Edit: After reading the paper it looks like the update from Chrysler blocks
inbound tcp/ip now, and Sprint is also filtering traffic more aggressively.

------
im3w1l
Software can not be trusted. It is too complicated and people get things
wrong.

If something really needs to be read-only, enforce it with physical diodes
or similar.

------
rndmind
I'm going to just ride my Honda Ruckus moped and forget buying a new car.

------
satyajeet23
Why would someone who knows how to use a computer want a Jeep?

------
retrogradeorbit
If you can hack a car like this, what about a Boeing?

~~~
exo762
http://www.runwaygirlnetwork.com/2015/05/17/boeing-ife-experts-hit-back-at-hacker-claims-in-fbi-report/

------
aembleton
I'm not so worried about hackers gaining access to change radio stations, but
writing to the CANBus is concerning.

It sounds like the weak point in this was the ability to rewrite the firmware
of the V850 controller. If that could somehow be signed then I'd feel safer.

~~~
cryptoz
Even changing radio stations could be very dangerous, especially if access is
also granted to audio controls (which it is). Attackers could easily cause
accidents by creating distractions like rapidly changing, loud radio stations.

~~~
Asbostos
Don't forget an FM radio signal itself is trivial to hack. I did this when I
was a kid so that's not a new problem at all, and probably not a danger. If
the driver is going to crash because of a sound on the radio, they probably
aren't safe to be driving in the first place.

~~~
mikeash
All you can do with an FM signal is override the audio. The volume is still
limited to whatever the driver set, and they can always turn it off.

Turning the volume to maximum and preventing the driver from lowering it or
turning off the sound would be much worse.

As for "probably aren't safe to be driving in the first place," that may be
so, but I would estimate that about 80% of people on the road aren't really
safe, and just muddle through by luck and generous margins. Causing unsafe
drivers to crash when they otherwise wouldn't have is still bad.

~~~
joosters
In the security paper, they highlight that the entertainment system displays
radio station images that are broadcast over the air (not sure if this was FM
or satellite). So it's conceivable that an FM transmitter could broadcast a
corrupt JPEG, causing a buffer overrun in some crappy image decoding software,
and pwn your car...

------
joshu
> They were able to control steering wheel

This seems unlikely.

~~~
akira2501
Why?

[https://en.wikipedia.org/wiki/Power_steering#Electric_system...](https://en.wikipedia.org/wiki/Power_steering#Electric_systems)

Plus, the vehicle can park for you. Clearly it has the raw hardware to allow
for this.

~~~
joshu
Generally cars cannot control their steering. But obviously this one does have
that ability. Interesting.

------
stevecalifornia
A simple fix would be to allow me, the owner, to turn off the wifi device and
the connection to Sprint. I am not using those features and don't wish to have
them.

~~~
adrianb
The connection is probably at least used to crowd-source live traffic
information. Most people would like this feature.

~~~
mhurron
That doesn't justify not giving the option to disable it.

------
mzs
Remote Exploitation of an Unaltered Passenger Vehicle

Dr. Charlie Miller

Chris Valasek

August 10, 2015

[http://illmatics.com/Remote%20Car%20Hacking.pdf](http://illmatics.com/Remote%20Car%20Hacking.pdf)

~~~
ghuntley

        While some of the research could proceed without the diagnostic equipment, many
        active tests and ECU unlocking require an analysis of the mechanic’s tools.
        After both authors of this paper sold plasma for several weeks, we were finally
        able to afford the system required to do diagnostics on the Jeep Cherokee (and
        all other Fiat-Chrysler vehicles)

~~~
rasz_pl
It's a joke. Miller is loaded, and Alibaba is full of cheap clones of
diagnostic tools (and 'special' dongles that do magical things like cloning
BMW keys, or bypassing Mazda 6 security in 4 seconds).

~~~
mzs
Yep, lots of amazing bitsy things for sale from Asia. I liked the very helpful
strings output; it's so nice when programmers are thoughtful like that and give
helpful -h output.

------
NeutronBoy
You're sorely mistaken if you think Jeep is the only car manufacturer with
this setup. I'd bet that most cars produced within the last few years don't
have airgapped CANBus systems. By definition, any car with 'drive' settings
you can adjust by the headunit console (suspension, sport modes, charging
status, etc) is not airgapped. I mean, in a Tesla you have the option _to
change suspension settings based on location from a Google Maps -based GPS
system_. It also _can drive itself from your garage to your front door based
on meetings scheduled in your calendar_.

We literally have the same information for any auto manufacturer that we have
from Jeep: empty assurances that 'we design our cars with the utmost
cyber-security protections, trust us'.

~~~
bliti
Car nut here: Your assumption is correct. The system is not air gapped. Even
racing control systems suffer from this (except some really expensive ones,
although they use commonly sourced sensors with various forms of shielding).

~~~
jessaustin
Hmmm this could lead to some unconventional race techniques.

~~~
nissehulth
Race conditions would have a totally new meaning.

~~~
nickpsecurity
That's awesome

------
ChuckMcM
The sad thing for me, and I see this way too often, is that someone,
somewhere, no doubt said "Of course it's secure, you can only READ the CANbus,
the software doesn't even HAVE a write capability!" and everyone in the room
nodded and went on with the rest of the review.

Manufacturers and engineers have to get it through their heads that _IF_ you
can change the firmware, _ANYONE_ can change the firmware. If the firmware is
SECURITY CRITICAL then the only way to change it can be through physical
presence, loading encrypted and signed firmware, with external validation
(something like the car asking a third party to authenticate the operation,
a la nuclear launch codes). You can still get screwed, but it will be hard
enough to do that otherwise low value targets will remain relatively safe.

~~~
csours
And when manufacturers start doing that, people will complain that they don't
"own" their cars anymore. [1]

1: http://boingboing.net/2015/05/21/gm-says-you-dont-own-your-ca.html

Disclaimer: I work for GM.

~~~
krasin
There's still the right and secure way to go:

1) By default the car is "locked", and uses a manufacturer-issued public key
to verify the signature of updates

2) A car owner can "unlock" the car, by creating a key pair, and asking the
manufacturer to add / replace (debatable) the new public key to the car. Right
after that, the owner has an ability to modify the firmware, but everything is
still secure. And it's up to the adult owners to manage their private keys and
be careful with updates.

3) There should be a simple way to factory-reset the car (with either the
owner, or the manufacturer signature).
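
The three steps above, as an added Go sketch that is not from the thread or from any manufacturer: `Car`, `Unlock`, `Update`, `FactoryReset` and the literal `"factory-reset"` request are hypothetical names. It uses Ed25519 from the standard library and shows the property that matters for step 2, that a self-signed owner key is refused until the manufacturer has countersigned it.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Car is a hypothetical model of the thread's policy: a factory-installed
// manufacturer key plus an optional owner key that only the manufacturer enrols.
type Car struct {
	factoryKey ed25519.PublicKey
	ownerKey   ed25519.PublicKey // nil while the car is still "locked"
	firmware   []byte
}

// Unlock enrols an owner key only if the manufacturer countersigned it (step 2).
func (c *Car) Unlock(owner ed25519.PublicKey, factorySig []byte) error {
	if !ed25519.Verify(c.factoryKey, owner, factorySig) {
		return fmt.Errorf("unlock rejected: key not countersigned by manufacturer")
	}
	c.ownerKey = owner
	return nil
}

// trusted accepts the manufacturer's signature or, once unlocked, the owner's.
func (c *Car) trusted(msg, sig []byte) bool {
	return ed25519.Verify(c.factoryKey, msg, sig) ||
		(c.ownerKey != nil && ed25519.Verify(c.ownerKey, msg, sig))
}

// Update installs an image only when it carries a trusted signature (step 1).
func (c *Car) Update(image, sig []byte) error {
	if !c.trusted(image, sig) {
		return fmt.Errorf("update rejected: signature matches no trusted key")
	}
	c.firmware = image
	return nil
}

// FactoryReset drops the owner key on a request signed by either party (step 3).
func (c *Car) FactoryReset(sig []byte) error {
	if !c.trusted([]byte("factory-reset"), sig) {
		return fmt.Errorf("reset rejected")
	}
	c.ownerKey = nil
	return nil
}
```

A production design would bind the reset request to a car-generated nonce, so a captured reset signature cannot be replayed against the same car later.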

~~~
teraflop
Under this model, if you buy a used car, how can you be sure it doesn't have
keys that are controlled by someone else? You can follow the "factory-reset"
procedure, but how do you know the reset mechanism hasn't been tampered with?

~~~
tzs
They can design it so that the firmware is in two parts.

The first part does minimal initialization and then gives control to the
second part, which is where most of the functionality is.

The first part is also the part responsible for implementing the firmware
update protocol and the reset procedure. The first part would either not allow
any update to replace the first part, or it would only allow the first part to
replace with factory signed firmware.

Alternatively (or in addition) they could have a diagnostic connector that
lets external hardware read the firmware memory. You could then do the factory
reset on your used car, and then hook something up to that diagnostic
connector and have it compute a hash of the firmware that you can check to
make sure it is the right firmware. An Arduino should be sufficient as the
thing to read and hash the firmware.

~~~
btown
The second approach is likely preferable; with the first approach, FOSS
stalwarts will still complain that there's non-free software in the system.

~~~
dlubarov
They could still open source the first system's firmware code. FOSS doesn't
imply easily modifiable, does it?

E.g., rms says he used a Lemote Yeeloong because of its free BIOS, but AFAIK
he couldn't have reprogrammed it unless he removed the BIOS chip from the
motherboard.

